Datatilsynet Complaint: Protecting Your Data Rights in Family and Child Welfare Cases

What it is: Datatilsynet is Norway’s independent Data Protection Authority (DPA). It supervises compliance with the GDPR and the Norwegian Personal Data Act (Personopplysningsloven).

Why this matters: In child welfare, custody, and related NAV/UDI processes, the state and private actors can process highly sensitive personal data (health, psychology, family life, allegations, contact restrictions). When the record becomes wrong—or the data is shared unlawfully—the harm can cascade into every later decision.

Why Datatilsynet matters in a Do Better Norge context

Many families experience that “the file” becomes stronger than reality. Common patterns include:

• Factual errors that are repeated until they look like proven truths.
• One‑way narratives where objections are not recorded properly.
• Over‑sharing of sensitive information between agencies or to third parties without necessity.
• Access barriers (slow or partial disclosure) that prevent you from defending yourself.

Datatilsynet is not a family court. But it can be a powerful route when the dispute is about data legality: what was collected, how it was used, who it was shared with, and whether your rights were respected.

Your core rights (GDPR + Norwegian law)

Under the GDPR and Personopplysningsloven, you typically have the right to:

• Access: to know what data is held and obtain a copy (subject access).
• Rectification: to correct inaccurate or incomplete personal data.
• Restriction: to limit processing while a dispute about accuracy/lawfulness is investigated.
• Erasure: in some circumstances (not always possible in public case files).
• Information: about the purpose, legal basis, recipients, and retention.

Important nuance: Public bodies may have legal duties to keep records. That does not excuse inaccuracy or unnecessary disclosure. “We must store it” is not the same as “we may store it wrongly or share it freely.”

Before you complain: do the “paper trail” steps

1. Identify the controller: Who is responsible? (Municipal child welfare, tribunal, court, NAV, school, health service, etc.).
2. Make a written request for access/correction/restriction. Keep dates.
3. Ask for the legal basis for processing and disclosure (GDPR article/legal ground).
4. Document harm and risk: How is the inaccurate/unlawful data affecting decisions?

How to file a complaint with Datatilsynet

Datatilsynet explains that formal complaints are normally submitted via a digital form that requires identification through BankID/ID‑porten. If you cannot use this, you can submit a written complaint by post.

• Digital complaint: Use Datatilsynet’s guidance and digital route.
• Postal complaint: Write a structured complaint with attachments and send it to Datatilsynet’s postal address.

What to include (complaint structure)

• Who you are and the case context (brief).
• What happened (timeline + evidence).
• Which rights were breached (access, accuracy, unlawful disclosure, etc.).
• What you asked the controller to fix and their response (or silence).
• What you want Datatilsynet to do (order correction, restrict processing, investigate disclosure, etc.).

Template paragraph you can reuse

I request that Datatilsynet investigates whether [controller] has processed my personal data lawfully under GDPR and the Personal Data Act. Specifically, I allege: (1) inaccurate data recorded as fact; (2) failure to rectify after documented corrections; and/or (3) disclosure of sensitive information without necessity or lawful basis. I have attempted to resolve this directly with the controller (see attachments). The ongoing processing is causing concrete harm in an active family/child welfare matter.

Related example: Datatilsynet oversight of large public bodies

Datatilsynet also issues decisions and enforcement actions against major public entities, including NAV, showing that the authority can impose orders and penalties when systemic privacy failures occur.

Sources & further reading

• Datatilsynet: How to complain to the Norwegian DPA
• Datatilsynet: About the Personal Data Act and when it applies
• Lovdata: Personal Data Act (Personopplysningsloven) + GDPR
• Datatilsynet: Decision on infringement penalty and orders to NAV (example)

Do Better Norge note: If your entire case is built on “the file,” then data rights are not abstract—they are a frontline defense.