Thu, Aug
52 New Articles

What If an Authority for Personal Data Protection Violates Personal Data?

What If an Authority for Personal Data Protection Violates Personal Data?

  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

An interesting case occurred before a while in Norway, when the authority competent for personal data protection was subject to complaint for infringement of the EU General Data Protection Regulation 2016/679 (“GDPR”).


According to the complaint, which was decided by the third, i.e., impartial body, upon the decision of the competent ministry, the infringement of GDPR provisions was perpetrated in relation to the manner of keeping, i.e., administering of the website of the respective authority, in terms of the following GDPR articles:

  • Article 6(1), since in this particular case the competent authority based personal data processing – in relation to visits and searches on the subject website – on Article 6(1)(f) of GDPR, under which the processing is necessary for the purposes of legitimate interests pursued by a controller or by a third party, whereas second paragraph of Article 6(1) explicitly stipulates that the basis of processing established by 6(1)(f) of GDPR shall not apply to processing carried out by public authorities in performance of their tasks;
  • Article 13(1)(d), since the privacy notice contained on the said website did not specify the previously mentioned legitimate interest;
  • Article 5(1)(b), given that there was no appropriate notice on the purpose of the processing concerned;
  • Article 57(2), as the responsible authority disabled the electronic submission of complaints, and made the process of finding the information about possible ways of complaint submission unnecessarily complicated; and
  • Article 77, for the reason that the responsible authority requested from complainants to refer to a controller regarding an infringement of personal data prior to addressing to the said authority.


In accordance with the decision enacted in the stated procedure, it was established that the competent authority infringed the above stated provisions of Article 13(1)(d) and 77 of GDPR, since:

  • It failed to specify legitimate interest under which the processing is necessary; and
  • It requested from complainants to refer to a controller of personal data in relation to their complaints for personal data violation prior to addressing to the authority.

As regards other statements of the complaint, i.e., infringement of other provisions of GDPR that it refers to, no liability of the competent authority was established.

Since the specification of the legitimate interest was done during the very procedure, and thus partially aligned operations of the authority with relevant GDPR provisions, the party deciding upon the complaint established that it expected other irregularities to be eliminated by undertaking of appropriate measures as well.

Finally, it is important to note the part of the rationale of the subject decision, pursuant to which “(…) the only personal data used upon the stated processing is IP address, which is considered anonymous information, available only to few persons, wherefore the risk in this sense is minimal to the extent in which it enables the prevailing of legitimate interest of processor over the rights and freedoms of data subjects“.

This article is to be considered as exclusively informative, with no intention to provide legal advice. If you should need additional information, please contact us directly.

By Lara Maksimovic, Senior Associate, PR Legal

PR Legal at a Glance

PR Legal is a Serbian business law firm which renders advice on a full range of corporate matters, from day-to-day legal issues to large M&A and capital-raising transactions. We provide high-quality legal services to companies, entrepreneurs, private entities, and public institutions, in a modern and pro-active manner, based on unique professional experience in high-profile transactions and disputes.

Always aiming for practical feasibility, and when necessary, dig deep in order to secure our clients’ best interests, either before the court, state authorities or counterparties. In any case, commitment is omnipresent in all our work.

We distinguish ourselves from our competitors through understanding of commercial interests considering present legal framework, by providing smart and cost-effective business solutions, and most of all by our passion for doing business.

In PR Legal we believe that exceptional results can be achieved only when talented and reliable people work together in the appropriate environment. With such approach and commitment, our focus is on teamwork and encouraging of relationships based on trust and cooperation. Investment in our people is investment in our future, which allows us to provide comprehensive and top-quality assistance to our clients.

We care about our clients, while the building of strong relationships and a culture of excellent client service remains our main compass.
Firm's website.