Xz:
|Jurisdiction=Norway
|Court-BG-Color=
|Courtlogo=Courts_logo1.png
|Court_Abbrevation=Ombudsman
|Court_Original_Name=Ombudsman
|Court_English_Name=Ombudsman
|Court_With_Country=Ombudsman (Norway)
|Case_Number_Name=25/12378
|ECLI=
|Original_Source_Name_1=SIVILOMBUDET
|Original_Source_Link_1=https://gdprhub.eu/images/7/7d/2026.01.21_Sivilombudet_Oppf%25C3%25B8lging_av_uttalelse_-_sp%25C3%25B8rsmal_om_klagerett_over_Datatilsynets_vedtak_i_sak_om_brudd_pa_GDPR_-_Redacted.pdf
|Original_Source_Language_1=Norwegian
|Original_Source_Language__Code_1=NO
|Original_Source_Name_2=
|Original_Source_Link_2=
|Original_Source_Language_2=
|Original_Source_Language__Code_2=
|Date_Decided=21.01.2026
|Date_Published=21.01.2026
|Year=2026
|GDPR_Article_1=Article 78 GDPR
|GDPR_Article_Link_1=Article 78 GDPR
|GDPR_Article_2=
|GDPR_Article_Link_2=
|GDPR_Article_3=
|GDPR_Article_Link_3=
|EU_Law_Name_1=
|EU_Law_Link_1=
|EU_Law_Name_2=
|EU_Law_Link_2=
|National_Law_Name_1=
|National_Law_Link_1=
|National_Law_Name_2=
|National_Law_Link_2=
|Party_Name_1=
|Party_Link_1=
|Party_Name_2=
|Party_Link_2=
|Appeal_From_Body=
|Appeal_From_Case_Number_Name=
|Appeal_From_Status=
|Appeal_From_Link=
|Appeal_To_Body=
|Appeal_To_Case_Number_Name=
|Appeal_To_Status=Unknown
|Appeal_To_Link=
|Initial_Contributor=
|
}}
The Ombudsman held that under [[Article 78 GDPR]], data subjects have a right to an effective judicial remedy against all aspects of a data protection authority’s decision, including the choice of corrective measures.
== English Summary ==
=== Facts ===
The data subject had lodged a complaint against a former employer for GDPR violations. While the DPA found an infringement and issued a reprimand against the employer, it rejected the complaint insofar as the data subject sought further corrective measures.
The Data Protection Board of Appeal subsequently held that the data subject lacked a legal interest in appealing the DPA’s decision, arguing that the right to an effective remedy under [[Article 78 GDPR]] primarily protects persons on whom the decision has direct legal effects, and that national procedural law may limit who has standing to seek judicial review.
The Ombudsman disagreed and challenged this restrictive interpretation, relying on CJEU case law, including [[CJEU – C‑26/22 and C‑64/22 – SCHUFA Holding and Others (Discharge from remaining debts) (Joined Cases)|Schufa cases]] and [[CJEU – C-768/21 – Land Hessen (Obligation to act by the data protection authority)|Land Hessen]].
=== Holding ===
The Ombudsman argued that [[Article 78 GDPR#1|Article 78(1) GDPR]] grants both data subjects and controllers the right to an effective remedy against supervisory authority decisions, including review of the authority’s choice of corrective measures under [[Article 58 GDPR#2|Article 58(2) GDPR]]. The Ombudsman also referred to [https://www.privacy-regulation.eu/en/recital-141-GDPR.htm Recital 141 GDPR] and [https://fra.europa.eu/en/eu-charter/article/47-right-effective-remedy-and-fair-trial Article 47 of the EU Charter], emphasizing the need for full judicial review where a supervisory authority fails to intervene adequately to protect a data subject’s rights. Restricting data subjects to cases of ongoing violations, risks undermining uniform enforcement of the GDPR and lowering the level of data protection.
The data subject must have the right to an effective judicial remedy under [[Article 78 GDPR#1|Article 78(1) GDPR]] against all aspects of a supervisory authority’s decision, including the selection and adequacy of corrective measures. This right is not limited to situations where the decision has binding legal effects on the data subject, nor may it be excluded by national procedural rules.
== Comment ==
That is the second complaint from the Ombudsman to the Board of Appeal. As a solution, questions could be referred to the EFTA Court to clarify whether the Board’s practice ensures an effective remedy. While workload concerns may motivate limiting judicial review, there is no legal basis for national procedural rules to restrict the data subject’s right to challenge decisions.
== Further Resources ==
”Share blogs or news articles here!”
== English Machine Translation of the Decision ==
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
Follow-up to statement – question regarding right of appeal against the Data Protection
Authority’s decision in a case concerning violation of the GDPR
1. Introduction
Reference is made to previous correspondence in the case, most recently the Privacy Board’s letter of
November 11, 2025, including the decision of November 10, 2025, on a reassessment of the question
of the right to appeal.
The Ombudsman has some comments on the Board’s assessment. Beyond this, reference is made to the
statement
May 21, 2025
, which continues to cover the Ombudsman’s view of the case.
2. Whether the data subject has the right to an effective remedy
The Data Protection Authority upheld its view that
(hereinafter
referred to as the complainant) does not have a legal interest in appealing the Data Protection Authority’s
decision to reprimand the former employer and that it was correct to reject the complaint. It is therefore
assumed that the Board does not agree with the Ombudsman’s conclusions.
The Ombudsman understands the Board to mean that if Article 78 of the General Data Protection
Regulation gives the complainant the right to bring legal action, the Board considers that the person
concerned has, as a starting point, the right to complain under Section 28 of the Public Administration
Act. However, the Board concludes that the complainant in this case does not have the right to bring
legal action under the Regulation and therefore does not have the right to complain. The Board seems to
believe that the decisions of the Court of Justice of the European Union, to which the Ombudsman has
referred in his statement, only clarify the scope of
civilombudet.no
judicial review, but do not clarify who has the right to judicial review. As the Ombudsman understands
the Board’s view, it is therefore up to national procedural law to determine whether the data subject has
the right to bring legal action against the supervisory authority’s enforcement (use of corrective
measures) in a complaint case. The Board further refers to certain new arguments that the right to an
effective remedy can in principle only be invoked by the person or persons on whom the decision is
binding (“who have legal effect on the person concerned”).
The Ombudsman has reviewed the Board’s renewed assessment, but still cannot see that the
argumentation is sufficient to justify such a limited review of the Data Protection Authority’s decision as
practiced by the Board. Reference is made here to our assessments in
In its statement, the Ombudsman based its opinion on the decisions of the European
Court of Justice in cases C-26/22 and C-64/22 (Schufa) and case C-768/21 Land Hessen, that Article 78(1)
of the GDPR must be understood to mean that both the data subject and the controller have the right to
an effective remedy against the supervisory authority’s decision. Judicial review must then cover all
aspects of the Data Protection Authority’s decision, including the choice of corrective measures.
The Ombudsman would also refer here to recital 141, which reads:
“Every data subject should have the right to lodge a complaint with a single supervisory
authority, in particular in the Member State of his or her habitual residence, and have the right to
an effective remedy in accordance with Article 47 of the Charter if they consider their rights
under this Regulation to have been infringed, or if the supervisory authority does not respond to
a complaint, partially or wholly rejects or dismisses a complaint, or does not intervene when
necessary to protect the rights of the data subject. (…)”
Recital 141 mentions various situations in which the right to an effective remedy applies to the data
subject. One of these is if the supervisory authority fails to intervene when necessary to protect the rights
of the data subject. In the Ombudsman’s view, this supports the view that the right to an effective remedy
includes a right to review how the supervisory authority chooses to exercise its powers.
The Ombudsman would further reiterate that the Board’s interpretation implies a bias in the possibility of
judicial review of the Data Protection Authority’s exercise of authority in complaint cases, and thus also
the possibility of ensuring effective enforcement of the GDPR. In the Ombudsman’s view, this is not just a
question of whether the right to an effective remedy should be the same “for everyone who is affected to
a greater or lesser extent by a decision,” as the Board writes. It must also be relevant whether the review
sufficiently ensures uniform practice and a sufficiently high level of protection.
When choosing corrective measures, it is difficult to imagine that there will be complaints that the level of
protection is too low. On the contrary, it will only be when the measure is perceived as too strict that the
person against whom the measure is directed will complain about it. The Data Protection Authority has
indeed pointed out that there will be a legal interest in bringing a complaint if “the breach constitutes an
ongoing violation of the complainant’s privacy interests, and where the choice of corrective measures is
relevant to whether – and, if so, when – the violation will cease.” In the Ombudsman’s view, however, this
is not
2
civilombudet.no
sufficient to remedy the imbalance that such a practice may lead to, and is also inconsistent with the
decisions of the Court of Justice of the European Union on the interpretation of Article 78(1) of the GDPR.
If, in reality, there is no possibility for the data subject to raise objections to the choice of corrective
measures, with the exception of ongoing privacy violations, there is a risk that, over time, the level of
protection will be insufficient to safeguard the considerations behind the regulation.
On the basis of our statement of May 21, 2025, and the above comments, the Ombudsman maintains
that both the company and the complainant have the right to request a judicial review of all aspects of
the Data Protection Authority’s decision in the case, including the exercise of authority under Article
58(2). As a result, the Ombudsman cannot see that Norway or other countries are entitled to have
national procedural rules that prevent the data subject from bringing the Authority’s decision in the
appeal case before a court for full judicial review. Any such procedural obstacle does not appear to be
compatible with the GDPR. Whether more detailed national provisions may be laid down on how such an
action should be brought, for example with requirements for time limits or for the exhaustion of appeal
options first, is another question.
3. In conclusion
We ask the Data Protection Board to take note of the Ombudsman’s view on the Board’s practice
regarding the data subject’s right to appeal the supervisory authority’s choice of corrective measures,
including the risk that the Board will set the level of protection too low and thus not sufficiently ensure
the data subject’s right to an effective remedy under Article 78 of the General Data Protection Regulation.
The Ombudsman also notes that the data subject’s ability to challenge the supervisory authority’s choice
of measures appears to be a practical problem for the Data Protection Authority, see, among other things
The Ombudsman would therefore like to point out the
possibility of referring questions to the EFTA Court, cf. Article 34 of the ODA. Based on the practice of the
EFTA Court, it appears that the Privacy Board may also be included among the boards that can refer
questions to the Court, see, inter alia, E-23/24. This may therefore be a possible alternative for clarifying
whether the Board’s practice is in line with the requirements of the data protection regime to ensure an
effective remedy for the data subject.
Although not expressly stated in the case by the Data Protection Authority, the Ombudsman assumes that
the Authority is concerned that the workload may become excessive if every complaint case is subject to
full judicial review by the Authority. In the Ombudsman’s view, as mentioned above, there does not
appear to be any legal basis for the position that there is national discretion (procedural autonomy)
regarding the right of the data subject to judicial review.
However, the Data Protection Board’s handling of complaints can be regulated in more detail in national
law. This must, however, be put forward as a proposal to the legislature.
3
civilombudet.no
The Civil Ombudsman requests that the Data Protection Authority keep the Ombudsman updated on how
the Authority will follow up on the Ombudsman’s statement.
This letter has been approved electronically and therefore does not have a handwritten signatu