Datatilsynet (Norway) - 20/02274
Revision as of 12:13, 7 July 2021
| Datatilsynet (Norway) - DT-20/02274 | |
|---|---|
| Authority: | Datatilsynet (Norway) |
| Jurisdiction: | Norway |
| Relevant Law: | Article 5(1)(a) GDPR, Article 5(1)(e) GDPR, Article 5(2) GDPR, Article 6(1)(f) GDPR, Article 13 GDPR, Article 17(1)(e) GDPR, Article 21 GDPR, Article 24 GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 07.06.2021 |
| Published: | 22.06.2021 |
| Fine: | 150,000 NOK |
| Parties: | n/a |
| National Case Number/Name: | DT-20/02274 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Norwegian |
| Original Source: | Datatilsynet (in NO) |
| Initial Contributor: | Rie Aleksandra Walle |
The Norwegian DPA fined a company approximately €14,700 (NOK 150,000) for taking over an employee's work email account during her notice period without warning her, without giving her the opportunity to delete personal content, and despite her objection, thereby violating Articles 6(1)(f), 13, 17(1)(e), and 21 GDPR.
English Summary
Facts
The Norwegian DPA (Datatilsynet) received a complaint from a data subject, stating that her former employer had changed the password of and taken over her work email account during her notice (resignation) period, without letting her know, thus not giving her an opportunity to delete personal content. Further, the email account was not deleted after she left the company.
The controller ignored her request to delete the email account and only set a vacation note. In his reply to the DPA, the controller argued that it was necessary to keep the inbox to uphold customer relations and ensure they received necessary operational information until the former employee had been replaced.
The controller did not agree that he had accessed "personal" emails. He had forwarded two emails he assumed to be personal directly to the former employee, without opening them. In Norway, however, it is not relevant whether such emails are deemed personal or work-related: access to employees' inboxes is strictly regulated regardless.
The controller did not discontinue the former employee's email account until he received the first letter from the DPA. The DPA noted that the unlawful access to the complainant's email account was in breach of the fundamental principles of the GDPR, notably Article 5(1)(a) and (e) GDPR.
Holding
The DPA found violations of various provisions of the GDPR. It held that the controller violated Article 6(1)(f) GDPR when accessing the employee's email account and emails. Further, the controller breached Article 21 GDPR, since it insufficiently assessed the data subject's objection and nevertheless continued to process her personal data. Moreover, the controller did not inform the data subject and thereby violated Article 13 GDPR. The DPA found another breach of Article 6(1)(f) GDPR, as the controller did not discontinue the data subject's email account. Finally, the right under Article 17(1)(e) GDPR was infringed as well, because the email content was not sufficiently erased.
For those violations, the controller was fined NOK 150,000 (~€14,700).
The controller was also required to update its internal practices and provide written confirmation, including documentation, to the DPA (unless the decision is appealed).
Comment
The DPA comments that the company also violated the privacy of third parties, who, in good faith, thought they sent emails to the complainant.
Further Resources
In Norwegian:
- Utfyllende informasjon om virksomhetenes plikter
- Forskrift om arbeidsgivers innsyn i e-postkasse og annet elektronisk lagret materiale (lovdata.no)
- Innsyn i e-post og private filer
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
RADIO GRENLAND AS
PO Box 10
4301 SANDNES

Exempt from public disclosure: Offl. § 13 cf. Popplyl. § 24 (1) 2. pkt.
Our reference: 20/02274-9
Date: [illegible].2021

Decision on order and infringement fine - Access to employee's e-mail box and lack of deletion, etc. - Radio Grenland

1. Introduction

We refer to our advance notice of a decision on an order and an infringement fee dated 12 November 2020. We also refer to your comments on the advance notice dated 9 December 2020 and 28 April 2021. These comments are dealt with in section 7.4 of the decision.

2. Decision on order

The Data Inspectorate makes the following decisions:

1. Pursuant to Article 58(2) of the Privacy Regulation, Radio Grenland AS, org. no. 971 062 029, is ordered to pay an infringement fee to the Treasury of NOK 150,000 for having accessed the complainant's e-mail box without a legal basis, cf. Article 6(1)(f) of the Privacy Regulation; for an inadequate assessment of the objection and for continued processing without demonstrating compelling legitimate grounds for further processing that outweighed the interests of the data subject, cf. Article 21; for failure to provide information, cf. Article 13; and for failure to close the e-mail box, cf. Article 6(1)(f), and failure to delete the contents of the e-mail box, cf. Article 17(1)(e).

2. Pursuant to Article 58(2)(d) of the Privacy Regulation, Radio Grenland is ordered to establish written internal control and routines for access to employees' and former employees' e-mail boxes and other electronically stored material, cf. Article 24 of the Privacy Regulation.

The deadline for implementing order point 2 is 08.07.2021. Within this deadline you must send us written confirmation that the order has been implemented.
3. Complainant's description of the facts

The Data Inspectorate received a complaint from [redacted]. The complaint concerns access to the complainant's mailbox at Radio Grenland AS («Radio Grenland»). The complainant writes that her former employer, Radio Grenland, accessed the e-mail box [redacted]. This happened when the general manager at Radio Grenland changed the password of the e-mail account and took over its use. The complainant writes that this was done during the notice period, without her being notified and without her being given the opportunity to delete private content. The complainant also states that the e-mail box was not deleted after the employment ended. The employment relationship ended on [date redacted]. The complainant writes that the e-mail account was still active until [date redacted] without an absence notice having been set up.

The complainant has submitted e-mails showing that the general manager of Radio Grenland responded to an e-mail that arrived in the complainant's e-mail box after she left the post. The e-mail was answered from the general manager's own e-mail address. In the e-mail, the general manager writes that the complainant has left and therefore has a new private e-mail address. The complainant pointed out in an e-mail to the general manager that she had not received information about the changed access to the mailbox and that this had not been discussed [redacted]. In the same e-mail she also asks why the e-mail account has not been terminated and deactivated. It appears from the general manager's answer dated [date redacted] that the e-mail account was kept open to maintain customer contact. In the e-mail, the general manager writes that they will set up an absence notice. The complainant further writes that the company does not have routines for access to and closing of employees' e-mail boxes.

4. Radio Grenland's statement

Radio Grenland writes in its statement that the complainant was employed by the company until her resignation on [date redacted]. It was the general manager's task to follow up on her work tasks until a possible replacement was engaged. The general manager therefore changed the password of the e-mail account in order to handle customer inquiries. You write that the complainant deleted all previous e-mail correspondence up to [date redacted], and that the general manager had access to all e-mail that came into the e-mail box after this. In the period [redacted] the general manager logged in once a day to ensure that operational e-mail was followed up. It is emphasized that the purpose was to take care of the business's need to follow up customers and inquiries after the complainant resigned. Incoming e-mails may have been forwarded to the general manager for follow-up.

It appears from the statement that you believe no access has been made to private e-mail, and that it is not correct that private e-mail was answered by Radio Grenland. You write that two inquiries were forwarded to the complainant without being opened, as they appeared from the subject line to be private. After the complainant made contact and asked questions about the access, an automatic absence notification was set up, informing that the complainant was no longer employed by the company and that inquiries to the relevant e-mail address would not be answered by [redacted]. From [date redacted] until the e-mail box was deleted, there were no active logins or active use of the account. The account had an automatic absence notification for incoming correspondence. It appears that the e-mail box was active until you received a letter from us in January 2020.

Furthermore, you write that Radio Grenland does not have written guidelines for access to or closing of e-mail boxes, and that you do not have written guidelines for the use of the company's e-mail boxes for private correspondence. You point out that you do not inspect employees' e-mail boxes without a special need based on the business's operations, and that such circumstances were the reason the complainant's mailbox was not immediately deleted.
5. Regulatory requirements

5.1 Regulations on the employer's access to e-mail boxes, etc.

The Regulations on the employer's access to e-mail boxes and other electronically stored material[1] (the E-mail Regulations) regulate the employer's access to, or monitoring of, the employee's e-mail box or other electronically stored material. The regulations are a special regulation of the requirement for a basis for processing in Article 6(1)(f) of the Privacy Regulation, cf. Article 88. It follows from the preparatory works for the Personal Data Act of 2018[2] that the E-mail Regulations are intended to continue the special rules on the employer's access to the employee's e-mail box, etc. that followed from the now repealed Personal Data Regulations of 2000.[3] This means that previous practice relating to the employer's access to e-mail boxes under the Personal Data Regulations 2000 will be relevant for the interpretation of the rules in the E-mail Regulations. This applies, among other things, to the practice of the Data Inspectorate and the Privacy Board. The Ministry of Local Government and Modernisation's comments on the Personal Data Regulations 2000 will also be relevant.[4]

The E-mail Regulations specify for which purposes the employer may access an e-mail box, and that access may only be made in individual cases for specific purposes. The regulations apply to both current and former employees, cf. section 1, third paragraph.

[1] FOR-2018-07-02-1108.
[2] Prop. 56 LS (2018-2018) section 31.3.4.2 «The Ministry's assessment».
[3] FOR-2000-12-15-1265, chapter 9 «Access to e-mail box etc.».
[4] Formerly the Ministry of Government Administration and Reform, see https://www.regjeringen.no/globalassets/upload/fad/vedlegg/personvern/epostforskriften_merknader_rev.pdf?id=2176744

For access to e-mail, section 2, first paragraph, shows that a broad category of interests related to the employer's business can be legitimate. Both "the day-to-day running" and "other legitimate interests of the business" are mentioned as legitimate purposes under letter a. Another group of legitimate interests is mentioned in letter b. This applies to "reasonable suspicion" that the use of e-mail or other electronic equipment constitutes a gross breach of duties in the employment relationship or provides grounds for dismissal or summary dismissal.

It follows from established practice that automatic forwarding of e-mails is considered access regardless of whether the e-mail is opened and read or not.[5] The forwarding in itself means that access is made to information about the sender and the subject field, provided that the employer is inside the mailbox to which the e-mails have been forwarded. The Privacy Board has further determined that automatic forwarding of e-mails constitutes continuous monitoring of the employee's mailbox. Forwarding can therefore not be authorized under section 2, first paragraph, of the regulations, as the provision only allows for individual access for specific purposes, cf. the Privacy Board's decision PVN-2018-16. Automatic forwarding of e-mails is regulated in section 2, second paragraph, of the regulations. The provision stipulates that the employer does not have the right to monitor the employee's use of electronic equipment, unless the purpose of the monitoring is to manage the company's computer network or to uncover or resolve network security breaches.

[5] See PVN-2015-14 and PVN-2018-16.

5.2 Basis for processing under the Privacy Regulation

Forwarding of and access to a former employee's e-mail box constitutes processing of personal data, and is therefore covered by the general rules in the Privacy Regulation, cf. Article 4(2) of the Privacy Regulation and the Act on the processing of personal data of 15 June 2018 No. 38 (Personal Data Act) § 1. Article 6(1) of the Privacy Regulation requires that all processing of personal data has a basis for processing. When a business accesses the mailbox through forwarding, Article 6(1)(f) is the relevant basis for processing, supplemented by the special regulation in section 2 of the E-mail Regulations. Article 6(1)(f) of the Privacy Regulation provides that an undertaking may process personal data if it is necessary to safeguard a legitimate interest that outweighs the individual's interest in privacy. The legitimate interest must be lawful, clearly defined in advance, real, and objectively justified in the business.

5.3 Duty to provide information

Pursuant to Article 13 of the Privacy Regulation, the controller shall provide the data subject with information about the processing at the time the personal data are collected. The information the controller must provide follows from Article 13, letters a to f. The controller is obliged, among other things, to provide information about the purpose of the intended processing and the legal basis for the processing.

The duty to provide information is also regulated in section 3 of the E-mail Regulations. The provision lays down procedural rules for access to the e-mail box and requires, among other things, that the employee be notified and, as far as possible, given the opportunity to comment before the employer carries out an inspection. In addition, the provision stipulates what such a notice shall contain.

5.4 Closing of the employee's e-mail box

It follows from section 4, first paragraph, of the E-mail Regulations that the employee's e-mail box shall be terminated upon termination of employment, unless there is a «special need to keep the e-mail account open for a short period after the termination».

5.5 Deletion of information upon termination of employment

Article 17(1) of the Privacy Regulation stipulates when the controller is to delete personal data. The provisions relevant to our case are that the personal data must be deleted if they are no longer necessary for the purpose for which they were collected or processed, cf. letter a, or when the information must be deleted in order to fulfil a legal obligation to which the controller is subject, cf. letter e.

Section 4, second paragraph, of the E-mail Regulations stipulates that information as mentioned in section 1, first paragraph, letters a and b, of the regulations, which is not necessary for the daily operation of the business, shall be deleted within a reasonable time after the end of the employment relationship. The starting point according to the provision must be that the employer must delete the information in the employee's e-mail box unless there are specific reasons for further storage. The employer has a certain leeway to set a deletion deadline as long as it appears adequate and reasonable, but as a general rule deletion should take place within six months of resignation.

5.6 Internal control

According to Article 24 of the Privacy Regulation, all companies are obliged to be able to demonstrate that they process personal data in accordance with the law. Where proportionate in relation to the processing activities, the enterprise shall establish appropriate guidelines for the protection of personal data. Access to an employee's or former employee's e-mail box is an intrusive processing of personal data, and constitutes a major interference with individuals' right to privacy. Businesses must therefore be able to document their internal routines or processes, which must meet the requirements for access to e-mail boxes and other electronic material.
6. The Data Inspectorate's assessment

6.1 Legal basis for access to e-mail made available to the employee for use at work

You confirm in the statement that the general manager logged in to the e-mail box once a day during the period [redacted]. You write that the background for the logins was operational, and it is emphasized that the employer did not open e-mail that it understood from the subject line to be of a private nature.

The E-mail Regulations apply to access to information stored in e-mail boxes placed at the employees' disposal. All e-mail to the complainant's e-mail address is thus covered by the rules on access in the E-mail Regulations. It does not matter whether the e-mails are private e-mails or e-mails sent to the complainant by virtue of her position. The employer is therefore not free to take over such an e-mail address when an employee leaves the company, but must comply with the terms of the E-mail Regulations in order to access work-related e-mails.

We assume that you accessed information stored in the complainant's e-mail box on a daily basis [redacted]. The general manager changed the password on the e-mail account and logged in every day for a period of 6 weeks. The question is then whether you had a legal basis in the E-mail Regulations to access the complainant's e-mail box.

Section 2, first paragraph, letter a, of the E-mail Regulations provides that access can be justified where it is necessary to attend to the day-to-day operations or other legitimate interests of the business. By necessary is meant that the access must be a proportionate means to achieve the purpose, which is to take care of the daily operations or other legitimate interests of the business. This depends on a specific assessment. Access under this condition can, for example, be made if you are waiting for a specific contract with a short deadline and the employee is not available due to illness.

In this case, you made access for the purpose of taking care of the daily operation of the business and maintaining customer contact. These are legitimate purposes that may justify access. The access was made by the general manager changing the password and taking over the handling of the complainant's incoming e-mail in full. It appears from your statement that the general manager had access to the e-mail box from [date redacted] until you received a letter from us in January 2020. This is a period of [redacted]. You write, however, that the access was only used during the period [redacted]. This is a period of 6 weeks. During this period, the general manager checked the e-mail account once a day.

There are other, less intrusive measures that can serve the same purposes. To take care of customer contact when an employee leaves, you can send an outgoing e-mail with information about the new contact person in the company before the person leaves. If you have a special need to keep the e-mail box open, an absence notice can be set up informing that the person has left and who the new contact person is. Individual inspections every day for six weeks do not, by comparison, appear to be a proportionate means of achieving the purpose. Based on this, it is our assessment that changing the password and logging in every day was not necessary to maintain customer contact when an employee leaves. Our conclusion is therefore that you did not have a legal basis in section 2, first paragraph, letter a, of the E-mail Regulations to access the complainant's e-mail box.

We are further of the opinion that taking over the complainant's e-mail account borders on monitoring workers' use of electronic equipment. The Privacy Board has, for example, determined that automatic e-mail forwarding constitutes continuous monitoring of the employee's e-mail box. Possessing the password and logging in every day can be compared to automatic forwarding. Such continuous monitoring cannot be authorized under section 2, first paragraph, of the regulations on access, but must be authorized under section 2, second paragraph, letter a or b, of the E-mail Regulations, cf. PVN-2018-16. Monitoring a former employee's e-mail box to take care of day-to-day operations does not meet the exceptions in section 2, second paragraph, of the E-mail Regulations. Our conclusion is therefore that Radio Grenland also had no authority under section 2, second paragraph, of the E-mail Regulations to take over the complainant's e-mail box.

Overall, Radio Grenland had no legal basis in the E-mail Regulations for access to or monitoring of the complainant's mailbox. The E-mail Regulations are a special regulation of the requirement for a basis for processing in Article 6(1)(f) of the Privacy Regulation (balancing of interests), cf. Article 88. When the regulations' prohibition on access and monitoring is breached, this means that the company did not have a basis for processing under Article 6(1)(f) of the Privacy Regulation. Our conclusion is that Radio Grenland has accessed the complainant's e-mail box without any basis for processing, cf. Article 6(1)(f) of the Privacy Regulation.

6.2 Duty to provide information

Pursuant to Article 13 of the Privacy Regulation, the complainant should have received information about the takeover of the mailbox at the time this processing of personal data started. Pursuant to section 3 of the E-mail Regulations, the employee shall, as far as possible, be notified and given the opportunity to comment before the inspection. We do not see that the procedural rules in section 3 of the E-mail Regulations have been followed, including that the complainant was given information that the employer changed the password and took over the account. This happened when the complainant was [redacted], and it appears that the complainant was informed that the employer still had access to the e-mail when one of her contacts received a response from the general manager to an e-mail that was addressed to [redacted]. On this basis, we find it clear that Radio Grenland has violated the duty to provide information pursuant to Article 13.

6.3 Closing of the employee's e-mail box

To be able to continue to process personal data by keeping the e-mail box open after termination of employment, the employer must have a basis for processing in accordance with Article 6 of the Privacy Regulation and fulfil the additional conditions in section 4 of the E-mail Regulations. The relevant processing basis in the case is Article 6(1)(f). Section 4 of the E-mail Regulations stipulates that the employee's e-mail box shall be terminated upon termination of the employment relationship, unless there is a "special need" to keep the e-mail account open for a short period after the termination. The starting point is therefore that the e-mail account must be terminated upon termination of employment. That means that the e-mail box must be deactivated so that it is no longer possible to send or receive e-mail. Whoever sends an e-mail to the relevant address will then receive an error message stating that the e-mail cannot be delivered.

Exceptionally, if there are special reasons, for example when an employee is dismissed or for other reasons must leave at short notice, the account can be kept open with an absence notice for a short period, so that, for example, customers who make contact are informed that the person has left and that they must turn to someone else. The prerequisite in such situations is that the incoming e-mail is not read or sent to others in the business.

In the present case, Radio Grenland has kept the complainant's e-mail box open for a period of [redacted]. You justify this with the fact that it was necessary to capture inquiries from customers for whom the complainant was responsible. However, it appears from the statement that the autoresponder was not activated before [date redacted]. You write in the statement that the e-mail box was closed and the content deleted in January 2020, after the Data Inspectorate made contact. You kept the complainant's e-mail box open [redacted] after she resigned, of which the first month was without an auto-reply informing that she had resigned. Our assessment is that you kept the complainant's e-mail box open beyond the short period that section 4 of the E-mail Regulations allows.

6.4 Deletion of the contents of the complainant's e-mail box

Section 4, second paragraph, of the E-mail Regulations stipulates that information in the employee's e-mail box that is not necessary for the day-to-day running of the business shall be deleted within a reasonable time after the end of the employment relationship. The starting point according to the provision is that the employer must delete the information in the e-mail box unless there are specific reasons for further storage. What is a reasonable time must be considered specifically, but it must be expected that the employer has made an assessment within a six-month period after the termination of the employment relationship. The employer has a certain leeway to set a deletion deadline as long as it appears adequate and reasonable, but as a general rule deletion should take place within six months of resignation.

In our case, Radio Grenland has not established a separate deletion deadline for content in the employee's e-mail box, and has kept the mailbox open [redacted]. You state that the complainant deleted all e-mail in the e-mail box before leaving. You write that you used the mailbox until [date redacted]. After this, the e-mail box was kept open with an auto-reply, and no access was made. By then, incoming e-mails had been handled by the general manager for more than one month. You write that the e-mail account was closed when the Data Inspectorate made contact. We cannot see that there were specific reasons for further storage of the contents of the complainant's mailbox throughout the long period after the employment ended. On this basis, we conclude that you have breached your obligation to delete the content of the complainant's e-mail box according to Article 17 of the Privacy Regulation and section 4, second paragraph, of the E-mail Regulations by storing the contents of the e-mail box [redacted].

6.5 Right to object

It follows from Article 21 of the Privacy Regulation that the data subject has a right to object to processing of personal data based on Article 6(1)(e) or (f). If the data subject objects, the controller must make a specific balancing of interests in which the particular individual circumstances of the data subject who objected are taken into account. Only if the result of this heightened balancing of interests falls in favour of the controller can the processing be initiated or continued. The consequence of the data subject objecting is that the controller can no longer process the personal data. The processing can still be initiated or continued if the controller can demonstrate that there are compelling legitimate grounds that override the interests, rights and freedoms of the data subject, cf. Article 21(1), second sentence. According to the wording, it is up to the controller to make this heightened balancing of interests. It is the controller who has the burden of proof, not only that there are weighty reasons, but also that these reasons outweigh the interests of the data subject. If the data subject objects and the conditions for further processing are not met, the processing must be interrupted if it has already been initiated.

In our case, the complainant objected by contacting Radio Grenland by e-mail with questions about the legality of the access and questions about why the e-mail box was not closed. An absence notice was then set up, and the general manager has not logged in after the complainant got in touch. The e-mail account was nevertheless kept open until Radio Grenland received a letter from us. In response to the complainant you write that you regret her experience of the case, but that the e-mail was kept open in order to take care of customer contact. As assessed above in sections 6.1, 6.3 and 6.4, the Data Inspectorate has found that there was no special need to keep the e-mail account open and that it was not necessary to process information in the complainant's e-mail box to take care of daily operations. Our conclusion is that Radio Grenland cannot demonstrate that there were compelling legitimate grounds for the processing that overrode the data subject's interests, and that it has not fulfilled its duty to assess the complainant's objection.

6.6 The duty of internal control

You state that you do not have written routines for accessing e-mail boxes or for closing former employees' mailboxes. Our assessment is that you should create written routines for processing personal data in connection with access to and deletion of employees' or former employees' e-mail boxes. We point out that Radio Grenland did not fulfil its duty to provide information and that the case shows a lack of knowledge of the regulations, including that the company believes the takeover does not constitute access to the e-mail box. A written routine will make the business more aware of its obligations under the privacy regulations and contribute to compliance with them.
The takeover of the complainant's e-mail box was in breach of the duty to provide information, the requirement for a legal basis for processing, the rules on the termination of e-mail boxes and the deletion obligation. This indicates that Radio Grenland should establish written routines in accordance with Article 24. On this basis, we conclude that Radio Grenland had not implemented sufficient organisational measures to ensure and demonstrate that the processing was carried out in accordance with the Privacy Regulation at the time of the inspection, cf. Article 24. Pursuant to Article 58(2)(d), we have the authority to order the controller to ensure that the processing activities take place in accordance with the provisions of the Privacy Regulation. The written routines must reflect the general requirements for the processing of personal data in the Privacy Regulation, as well as the special rules in the e-mail regulations. You will find more information about the internal control requirement, as well as tools and templates, on our website: www.datatilsynet.no/rettigheter-og-plikter/virksomhetenes-plikter/informasjonssikkerhet- internal control.

7. Infringement fee

7.1 General information on infringement fees

Infringement fees are a tool to ensure effective compliance with and enforcement of the personal data regulations. We believe it is necessary to respond to the violations, and hereby give notice of the imposition of an infringement fee, cf. Article 83 of the Privacy Regulation. In accordance with the case law of the Supreme Court (cf. Rt. 2012 page 1556), we assume that the infringement fee is to be regarded as a penalty under Article 6 of the European Convention on Human Rights. A clear preponderance of probability that an offence has been committed is therefore required in order to impose a fee. The case and the question of imposing an infringement fee have been considered on the basis of this evidentiary requirement.

In this connection, reference is made to Chapter IX of the Public Administration Act on administrative sanctions. An administrative sanction means a negative reaction that can be imposed by an administrative body, which is directed against a committed violation of a law, regulation or individual decision, and which is considered a punishment under the European Convention on Human Rights (ECHR). For enterprises, the assessment of guilt is special. Section 46, first paragraph, of the Public Administration Act states: "When it is stipulated by law that an administrative sanction may be imposed on an enterprise, the sanction may be imposed even if no individual has shown guilt." In Prop. 62 L (2015-2016) page 199 it is stated about § 46: "The wording that 'no individual has shown guilt' is taken from the section on corporate punishment in the Penal Code § 27 first paragraph and shall be understood in the same way. The responsibility is therefore objective as a starting point."

7.2 Assessment of whether an infringement fee is to be imposed

The power to impose infringement fees is provided as a tool to ensure effective compliance with and enforcement of the Personal Data Act. It follows from Article 83(1) of the Regulation that each supervisory authority shall ensure that the imposition of infringement fees in each individual case is "effective, proportionate and dissuasive". This means that a concrete, discretionary assessment must be made in each individual case. The Data Inspectorate believes it is necessary to react to the violations. In the assessment, we have emphasised the criteria in Article 83(2) of the Regulation. The provision lists statutory elements for our exercise of discretion. In the following, we review the criteria that are relevant to the facts of this case.
a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them,

The violation concerns the basic requirements for lawfulness, information and deletion when processing personal data. Continuous monitoring of incoming e-mail to a former employee's e-mail box is a serious intrusion into the person's privacy. Access took place every day for a period of 6 weeks. During this period, and until January 2020, all incoming e-mail was available to the general manager. You confirm in the statement that e-mails have been read and answered. In addition, two e-mails were forwarded to the complainant. The actions also appear to violate the privacy of third parties who in good faith sent e-mail to the complainant. Correspondence to a personal e-mail address contains information that individuals have a high expectation that others will not have access to without further ado. Radio Grenland continued the unlawful access despite protests from the complainant. The access did not cease until you received a letter from the Norwegian Data Protection Authority asking questions about the practice. The complainant was also not informed that the access existed. According to the complainant, it was by coincidence that she gained knowledge of the general manager's access, via third parties who had received replies by e-mail to the complainant from the general manager himself. These noted that the general manager had access to the e-mail. The unlawful access is a violation of the basic principles of lawfulness, transparency and storage limitation for the processing of personal data, cf. Article 5(1)(a) and (e) of the Privacy Regulation. When basic rules for the protection of former employees' privacy are infringed as in this case, the violations must be considered serious.
b) whether the infringement was committed intentionally or negligently,

We also place great emphasis on the degree of guilt. It is clear that both the ongoing access to the e-mail box and the failure to close and delete the mailbox were conscious choices on your part.

d) the degree of responsibility of the controller or processor, taking into account the technical and organisational measures they have implemented in accordance with Articles 25 and 32,

On the basis of the report, it appears that you have little or no knowledge of the regulations and the obligations arising from them. The principle of accountability presupposes a strong anchoring of the regulations in the company's management, cf. Article 5(2) of the Privacy Regulation. It is therefore an aggravating factor that the forwarding was initiated by the general manager. Furthermore, we emphasise that you did not have organisational measures in the form of routines to ensure compliance with the regulations.

f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate its possible adverse effects,

The e-mail account was closed after you received the inquiry from us, but beyond this it appears that you consider the access to the e-mail inbox to have been lawful because e-mails of a private nature were not read but only forwarded. Otherwise, you have contributed to clarifying the case through the report.

g) the categories of personal data affected by the infringement,

According to the information available, special categories of personal data are not affected by the violations in the case. Correspondence to a person's e-mail address is, however, at the core of the right to privacy, and incoming e-mails must be considered information worthy of protection. This weighs in an aggravating direction.

k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement,

In the present case, you have chosen to meet the need to take care of daily operations in a very intrusive way that goes far beyond what the regulations allow. It weighs in an aggravating direction that the violations continued despite protests from the complainant and questions about why the general manager continued to have access to the e-mail box.

7.3 Conclusion

Following this, the Data Inspectorate has come to the conclusion that an infringement fee should be imposed, cf. Article 83(2) and (5) of the Privacy Regulation.

7.4 Assessment of the size of the fee

When determining the size of the fee, emphasis shall be placed on the same assessment factors as in the question of whether a fee should be imposed. We therefore refer to the assessments of the seriousness of the case above. The infringement fee must be effective, be in reasonable proportion to the violation and have a deterrent effect. This means that the supervisory authority must make a concrete, discretionary assessment in each case. The fee should be set so high that it also has an effect beyond the specific case, while at the same time the size of the fee must be in reasonable proportion to the infringement and the enterprise, cf. Article 83(1).

The Privacy Regulation provides for a higher level of fines than applied under the Personal Data Act of 2000, and it follows from Article 83(1) of the Regulation that an infringement fee shall be determined concretely so that in each individual case it is effective, in reasonable proportion to the violation and dissuasive. The main purpose of the infringement fee is prevention, i.e. that the risk of being charged a fee shall have a deterrent effect and thereby contribute to increased compliance with the regulations.6 In Skullerud et al. (2019), page 347, it is stated:

"Preventive considerations dictate that the fee for a violation must be set so high that it is in fact perceived as a burden by the offender. This means that the offender's financial capacity should be significant in the measurement, so that the fee becomes higher the stronger the offender's financial capacity is. [...] When assessing the financial capacity of an enterprise, it may be relevant to look at the enterprise's total worldwide annual turnover in the preceding financial year, cf. Article 83(4) and (5)."

And further:

"The consideration of ensuring an individual assessment in each case dictates that the supervisory authorities should avoid establishing standardised fee rates. This applies even if national law allows for standardised rates, cf. the Public Administration Act § 43."

Article 83(5) of the Privacy Regulation sets a higher maximum amount for fees when the case concerns violations of the basic principles for the processing of personal data under Articles 5 and 6 of the Privacy Regulation. Our case concerns a lack of legal basis for processing (the principle of lawfulness), a breach of the duty to provide information (the principle of transparency) and of the obligation to delete (the principle of storage limitation), which constitute serious breaches of the Privacy Regulation. In addition, the company lacked organisational measures for compliance with the regulations (the principle of accountability). This speaks for a fee of a certain size. In an aggravating direction, we place particular emphasis on the fact that the takeover of the e-mail account was initiated by the general manager of the company, that the access lasted for a long time despite objections from the complainant, that e-mails were answered from the complainant's account, and that the company's management lacked knowledge of the regulations. The fee must be set so high that it is effective and achieves a sufficient deterrent effect.
In determining the size of the fee, we therefore also place emphasis on the company's finances. Radio Grenland's comments on the size of the notified infringement fee are therefore relevant to the measurement. Radio Grenland has made several comments about the company's finances related to the changed situation as a result of the ongoing Covid-19 pandemic. Radio Grenland states that the business has carried out layoffs during the last year to adapt to a challenging market situation as a result of the ongoing pandemic. It is pointed out that Radio Grenland is a company with only five employees in a competitive industry and that you are dependent on advertising revenue for your basis of operation. Furthermore, you point out that the jobs at the company are threatened if a fee of the order of magnitude in the notification is imposed on the business.

The notified infringement fee of NOK 200,000 was measured according to the latest available accounting figures from 2019 at the time of the notice. In 2019, Radio Grenland had registered operating revenues of NOK 6,554,000. Radio Grenland has submitted preliminary accounts for 2020 and so far for 2021, see document number 20/02274-12. The accounts show that Radio Grenland had registered revenues of 4,970,236 up to period 12 of 2020. So far this year, the business has had revenues corresponding to approx. 65% of revenues in the same period last year. In comparison, Radio Grenland had an operating income of NOK 6,554,000 in 2019 and an annual profit of NOK 111,000 in 2019. The fall in turnover from 2019 to 2020 thus amounts to approx. 25%. Based on the financial situation the company is in as a result of the corona pandemic, our assessment is that a lower fee could have the preventive and deterrent effect that Article 83 presupposes. After taking into account the seriousness of the violations and Radio Grenland's comments, the Data Inspectorate sets the final fee at NOK 150,000.

6 Skullerud et al. (2019).
We have thus reduced the notified fee of NOK 200,000 by approx. 25%, corresponding to Radio Grenland's revenue decline between 2019 and 2020. We remind you that violations of Article 6 of the Privacy Regulation may result in sanctions in the form of infringement fees of up to EUR 20 million, see Article 83(5)(a) of the Privacy Regulation. This corresponds to approx. NOK 214,000,000. The fee imposed in this case is thus at the very bottom of the range the Regulation prescribes for such breaches.

8. Right of appeal

This is an individual decision that can be appealed in accordance with the rules of the Public Administration Act, cf. the Public Administration Act § 28. Any appeal must be sent to us within three weeks after this letter has been received, cf. the Public Administration Act §§ 28 and 29. If we uphold our decision, we will send the case to the Privacy Board for appeal processing, cf. the Personal Data Act § 22. If you do not appeal the decision on the infringement fee, the deadline for payment is 4 weeks after the expiry of the appeal period, cf. the Personal Data Act § 27. Recovery of the claim will be carried out by the State Collection Agency.

9. Publicity, transparency and duty of confidentiality

We inform you that all the documents are in principle public, cf. the Public Access to Information Act § 3. If you believe there are grounds for exempting all or part of the document from public access, we ask you to justify this. The Norwegian Data Protection Authority has a duty of confidentiality regarding who has complained to us and about the complainant's personal circumstances. The duty of confidentiality follows, among other things, from the Personal Data Act § 24 and the Public Administration Act § 13. As a party in the case, you may nevertheless be made aware of such information by the Norwegian Data Protection Authority, cf. the Public Administration Act § 13 b first paragraph no. 1.

You also have the right to access the case documents, cf. the Public Administration Act § 18. We point out that you have a duty of confidentiality regarding information you receive from the Norwegian Data Protection Authority about the complainant's identity, personal circumstances and other identifying information, and that you may only use this information to the extent necessary to safeguard your interests in this case, cf. the Public Administration Act § 13 b second paragraph. We also point out that breach of this duty of confidentiality is punishable under the Penal Code § 209.

If you have any questions, you can contact legal adviser Anne Eidsaa Hamre on telephone 22 39 69 76.

With best regards

Jørgen Skorstad
department director

Anne Eidsaa Hamre
legal adviser

The document is electronically approved and therefore has no handwritten signatures.