Norway

The Supreme Court clarifies the scope of the right of access

by Eva Jarbekk and Charlotte Spakmo Boe


The Supreme Court has (finally) aligned itself with the European Court of Justice and clarified the scope of the right of access under GDPR. In our newsletter of 6 June 2025, we pointed out that the Court of Appeal had overlooked key EU case law in its handling of the request for access, including the European Court of Justice’s assessments in the Pankki judgment. In HR-2026-372-A, the Supreme Court has now engaged with that case law, thereby rectifying the methodological weakness that characterized the Court of Appeal’s reasoning in the same case.

Background of the case

A boy with a congenital kidney condition attended a consultation at an emergency medical clinic in Norway, accompanied by his mother. The nurse who conducted the consultation signed the medical record using only her initials. Subsequently, the emergency medical clinic submitted a report of concern to the child welfare services. The parents then requested the full name, position, and professional qualifications of the healthcare professional responsible for the record entry, a request which the local authority refused. The Supreme Court, ruling unanimously, ultimately held that the patient had the right to be informed of the full name of the person who had made the entry in the medical record.

Three courts and three different approaches

The District Court based its decision on the premise that the right of access to medical records is an important patient right, and that everyone has the right to access their own medical records under Section 5-1(1) of the Patient and User Rights Act (which explicitly refers to Article 15 of the General Data Protection Regulation). The District Court ruled in favour of the parents, but without grounding its decision in an independent assessment against either the GDPR or the case law of the Court of Justice of the European Union. The court based its decision on a purely national health law analysis.

The Court of Appeal, however, found in favour of the municipality, concluding that under Section 5-1 of the Norwegian Patient and User Rights Act, the patient was not entitled to know the identity of the healthcare professional who wrote the medical record. The majority thereby went further than the municipality’s original submissions would suggest. The Pankki S judgment (C-579/21) was addressed in a single sentence, in which the majority concluded, without further discussion, that

"(…) the right of access corresponds to the right under the Patient and User Rights Act and the Health Personnel Act", and further that there was "no conflict between Norwegian law and EU law", and that the question "falls outside the scope of this case". (Author's translation.)

As Eva wrote in the newsletter in June 2025 (find it here: Privacy Corner - Schjødt), this was a significant methodological weakness in the Court of Appeal’s reasoning.

This mirrors criticism that several committees have previously raised about Norwegian courts more generally. The EEA/EU dimension "ends up in the blind spot" even in cases where EU legal provisions are explicitly incorporated into national legislation. (See NOU 2020: 9 (The Blind Spot) and NOU 2024:7.) It states, among other things, that “EEA law appears to have been addressed to a limited extent, if at all”[2] in the social security cases reviewed by the committee. The Supreme Court, in a separate judgment from last year (HR-2025-490-S), also stressed the importance of considering the case law of the Court of Justice of the European Union:

“A consequence of the principle of homogeneity is therefore that if the Court of Justice of the European Union has ruled on the interpretation of EEA-relevant rules, this will carry considerable weight” and that national courts must take “due account” of judgments from the Court of Justice of the European Union (paragraph 52). (Author's translation.)

The EEA obligations this entails are by now well established. Yet it is precisely the same obligation that the Court of Appeal failed to discharge in the present case. The case shows that we have not yet achieved the desired level of awareness of EEA law in the lower courts, and that the challenge is just as pressing in data protection law as it is in social security law.

The legal backdrop: What the Court of Justice of the European Union has ruled on the scope of the right of access

To understand the Supreme Court’s clarification, it is necessary to be familiar with Article 15 of the GDPR and the European Court of Justice’s two key rulings on the scope of the right of access, namely the Österreichische Post case (C-154/21) and the Pankki judgment (C-579/21).

Article 15(1) of the GDPR gives the data subject the right to obtain confirmation from the controller as to whether personal data concerning them is being processed. Furthermore, the provision allows for access to the data and several specified categories of information, including "the recipients or categories of recipients" to whom the data has been or will be disclosed, cf. point (c). The alternative wording "or" has long created uncertainty as to whether the controller was free to choose to specify only categories rather than specific recipients.

In Österreichische Post, the Court of Justice of the European Union clarified this, ruling that the data subject has the right to be informed of the specific recipients to whom the personal data has been or will be disclosed. Categories are therefore only sufficient where the recipients cannot be individually identified at the time of the request. However, the judgment did not resolve a related question regarding access to this information for employees within the controller’s organisation, and whether they are considered ‘recipients’ at all under the GDPR. It was precisely this question that the Court of Justice of the European Union addressed in Pankki S.

Pankki S concerned a bank customer’s request to be informed of the identity of bank employees who had carried out searches on his personal data. The Court of Justice ruled that the data controller’s employees cannot automatically be regarded as "recipients" under Article 15(1)(c) when they process personal data under the data controller’s management and instructions.

"That provision does not, however, confer such a right in respect of information concerning the identity of the data controller’s employees who carried out the searches under the data controller’s supervision and on its instructions, unless that information is necessary for the data subject to effectively exercise his or her rights under this Regulation, and provided that the rights and freedoms of the employees are respected" (our emphasis, paragraph 83) (Author's translation.)

The right of access does not therefore automatically confer a right to know the identity of internal staff. The decisive factor is whether the data subject has a genuine and legitimate need to know the identity, and whether this need outweighs the interests of the staff member.

The Court of Justice of the European Union also clarified that, as a general rule, the data subject may be entitled to information about the searches themselves, i.e. the access logs (including date and purpose), even though the identity of the employee need not be disclosed.

Among other things, the case led the Danish Data Protection Agency to change its practice from not granting access to log files to allowing such access. The agency states that

"As a rule of thumb, if the data subject has merely requested access to the log without specifying a specific purpose, the interests of the person who carried out the search will often outweigh the interests of the person requesting access to the log. If, on the other hand, the data subject needs to know who has accessed the log in order to verify the lawfulness of an access, e.g. because the data subject has reason to suspect that an unauthorised access has taken place, the balance will in many cases tip in favour of the person requesting access. In such cases, therefore, one must, as a general rule, also disclose who carried out the search."

The Supreme Court clarifies the current state of the law

With the legal background now established, we can return to HR-2026-372-A and to the analysis of EU law that was lacking in both lower courts.

The legal question before the Supreme Court was whether the exemption in Section 16(1)(f) of the Norwegian Personal Data Act applied. The provision constitutes Norway’s exercise of the power under Article 23(1) of the GDPR to restrict the right of access at national level. The threshold for exemption is high.

The Supreme Court began by noting that the wording of Section 16(f) itself shows that the conditions for an exception are strict; access may only be refused where it would be "contrary to manifest and overriding private or public interests". The municipality pointed out that the nurse had suffered stress and taken sick leave because of the case, but the Supreme Court found this clearly insufficient. There was no evidence that the information would be misused, and an exception was therefore ruled out.

The key question was whether the Pankki S judgment precluded this conclusion. It did not. The Supreme Court stated that the judgment provides "guidance on a detailed balancing of the privacy interests of the person requesting access and of the person whose name will become known to the person entitled to access", and clarified:

“I would add that I cannot see that the Pankki S judgment precludes, in such a balancing of interests, significant weight being given to a patient’s interest in knowing who has written a medical record entry, inter alia in order to be able to assess whether the healthcare provided has been appropriate” (paragraph 54). (Author's translation.)

The Supreme Court's most significant contribution in this case lies here, in its interpretation of the balancing framework established in the Pankki S judgment. The Court of Justice of the European Union did not specify which factors are to be afforded weight when assessing whether the exception is satisfied. The Supreme Court avails itself of this interpretive discretion, establishing that the patient's interest in monitoring and verifying the healthcare received constitutes a sufficiently compelling consideration. Vague arguments regarding burdens on the employee’s part were therefore insufficient to overturn this balancing of interests. In this way, the Supreme Court demonstrates that the balancing model is not static but can be filled with content that varies depending on the sector and the rights at stake.

What practical consequences does this have for your business?

Prepare for requests for access to internal data

For businesses where employees regularly access sensitive personal data, such as banks, financial institutions, energy companies, insurance companies and private healthcare providers, this legal development means that they must be prepared to respond to requests for access concerning internal access. The fact that internal users are, generally, not "recipients" under the GDPR is not in itself sufficient to justify a refusal. A specific assessment is also required as to whether the data subject nevertheless needs the information to effectively exercise their rights, weighed against the interests of the employee.

The Norwegian supervisory practice over the last three years shows that this type of request is already a reality. In PVN-2023-28, a NAV (Norwegian Labour and Welfare Administration) user requested access to information on which NAV employees had accessed a specialist’s report concerning him, and in PVN-2024-7, a complainant requested access to a log of who had opened the case management system in their own complaint case with the Health Complaints Board. In both cases, the refusal was upheld, but not because internal users cannot be identified. The decisive factor was that the data subject did not have a sufficiently specific and legitimate need that was not already met through other information. As established in HR-2026-372-A, where such a need is sufficiently strong, the balancing test may fall in favour of the data subject.

The balancing test is sector specific – be aware of the relevant considerations in your industry

Any request for access to internal data therefore requires a specific balancing of interests. The factors involved will vary from sector to sector, and the outcome may differ accordingly.

In the patient case in HR-2026-372-A, the interest in identifying who had recorded information about the patient and in verifying that healthcare had been provided in a responsible manner carried considerable weight. In a judgment of the Gulating Court of Appeal from 2024 (LG-2024-036502), however, the balance of interests pointed in the opposite direction. The case concerned an individual who requested access to the identity of the police officer who had recorded information about him in the police registers. The Court of Appeal held that the Police Register Act is intended to comply with the GDPR and referred to the Court of Justice of the European Union's judgment in Pankki S, which established that the right of access does not extend to information concerning which individuals have processed the personal data. The Court of Appeal emphasised that disclosure of the recording officer's identity would risk the officer being sought out or contacted by the data subject, which in turn could influence both what is recorded and the assessments made. In this context, the data subject's interest in access did not carry sufficient weight to displace the countervailing considerations.

As reviewed above, the refusals in PVN-2023-28 and PVN-2024-7 were upheld, but for different reasons. In PVN-2023-28, the decisive factor was that the request for access was not sufficiently substantiated by a specific need to know the identity of the employees. In PVN-2024-7, the complainant had already been informed of the date and purpose of the entries, and the additional purpose of uncovering "how well prepared" the case handlers had been went beyond what the right of access is intended to safeguard. Both cases illustrate that refusals may be upheld, but that in each instance a specific justification grounded in the data subject's actual needs was required.

Taken together, the legal landscape confirms that the balancing test in the Pankki S judgment constitutes the common legal starting point, but that the outcome depends on the specific interests at stake on both sides within the sector in question. Businesses should therefore identify which considerations are relevant in their industry and ensure that their procedures for handling requests for access are aligned accordingly. 

It is worth noting that the decisions referred to above were issued before the Supreme Court in this judgment explicitly ruled that the balancing test must be actively applied with sector-specific content. A complainant with a more specific and documented need, comparable to that of the patient in HR-2026-372-A, would not necessarily have faced the same outcome today.

Review internal procedures – practices without a legal basis are not sufficient

As was evident from the district court’s decision, the municipality did not have a general practice of withholding the names of staff in case files. A former unit manager at the emergency department nevertheless stated in his evidence to the district court that:

"(…) they do not generally withhold the names of staff who have kept medical records, but that this only applies in cases where a report of concern is sent to child welfare services – as is the case here" (our emphasis). (Author's translation.)

The District Court found that such sector-specific practice was contrary to the principles on which the legislation is based.

From a data protection perspective, this illustrates a risk faced by many organizations: internal practices for handling access requests often develop over time without being systematically grounded in a valid legal basis. Organizations that do not review and legally anchor their access practices risk being left without a valid legal basis should a request eventually be taken to court.

Access logs – a requirement for content, not just existence

The balancing of interests described above presupposes that the organization actually knows who has accessed what information, when and for what purpose. This makes the access log more than a technical measure; it is a prerequisite for being able to handle access requests in accordance with applicable law.

The Data Protection Authority’s decision in PVN-2024-23 illustrates a practical consequence that is directly relevant to organizations' system design. The case concerned the content of the electronic access log for a patient record at a hospital. The Authority held, with direct reference to Pankki S, paragraph 83, that the data subject has the right to 

"information regarding searches of a person’s personal data and regarding the dates and purposes of such searches" (Author's translation.)

A log that merely shows that someone has opened a file is therefore not sufficient. The log must also show the date and purpose of the access, and it must be accessible in a manner that allows for disclosure. 

The current legal framework on the rights of access thus creates not only a practical incentive, but a legal obligation for organisations to establish access logs with sufficient content. Whether a failure to maintain adequate logs may constitute an independent breach of Article 15 of the GDPR has not yet been resolved, but the direction of legal developments gives good reason to take this issue seriously.

 
