Datatilsynet (Norway) - 20/02368
Latest revision as of 16:17, 1 June 2022
Datatilsynet - 20/02368

Field | Value |
---|---|
Authority | Datatilsynet (Norway) |
Jurisdiction | Norway |
Relevant Law | Article 6(1)(f) GDPR; Article 13 GDPR; Article 21 GDPR; Article 24 GDPR |
Type | Investigation |
Outcome | Violation Found |
Started | 20.11.2020 |
Decided | 15.03.2022 |
Published | 24.05.2022 |
Fine | 100,000 NOK (approx. €9,775) |
Parties | Redacted |
National Case Number/Name | 20/02368 |
European Case Law Identifier | n/a |
Appeal | n/a |
Original Language(s) | Norwegian |
Original Source | Datatilsynet (press release, in NO); Datatilsynet (decision, in NO) |
Initial Contributor | Rie Aleksandra Walle |
The Norwegian DPA fined a company €9,775 (NOK 100,000) for unlawfully enabling automatic forwarding of an employee's emails without a legal basis under Article 6(1)(f) GDPR, for failing to inform the employee as required by Article 13, and for failing to assess the employee's objection as required by Article 21, and required the company to improve its internal controls for employee emails under Article 24 GDPR.
English Summary
Facts
An employee (the data subject) had quit their job and was supposed to assist the employer (the controller) during the notice period. However, due to disagreements, the controller blocked the data subject's access to email and business systems and enabled automatic forwarding of emails to the general manager of the company.
The data subject objected to this processing, but the controller upheld it for several weeks and only stopped it when the general manager realized it could be problematic. The Norwegian DPA (Datatilsynet) launched an investigation after receiving both a notification from the controller, as well as a complaint from the data subject.
The controller explained to the DPA that they had enabled automatic forwarding of the emails because the data subject had refused to enable an out of office reply. They further argued that this was necessary to uphold customer relations and daily operations, and because they had discovered that the data subject had violated work duties a few months earlier.
The controller also claimed that the data subject had consented to the processing, however this was denied by the data subject and the controller was unable to document their assertion.
Holding
The DPA held that the controller lacked a legal basis under Article 6(1)(f) GDPR for accessing and monitoring the data subject's email inbox, that they had failed to provide the required information to the data subject under Article 13 GDPR, and that they had failed to assess the data subject's objection under Article 21 GDPR. For this, the DPA fined the controller €9,775 (NOK 100,000) and required them to improve their internal controls for employee emails under Article 24 GDPR.
On the legal basis
The DPA first assessed whether the controller had a legal basis under a national (Norwegian) regulation concerning employers' access to employees' inboxes and other electronically stored material, which permits such access if one of two conditions is fulfilled. The DPA found that "upholding customer relations and daily operations" and "suspicion of violations of work duties", as argued by the controller, are legitimate purposes under §2(1) of the regulation. However, §2(1) only permits single accesses for a specified purpose. Enabling automatic forwarding amounts to continuous surveillance, so the processing could not be based on this condition.

Continuous surveillance is regulated by §2(2), but is permitted solely for the purposes of administering the computer network or uncovering and resolving security breaches in the network. Consequently, the processing could not be based on this condition either.

The DPA further found that the conditions in Article 6(1) GDPR were not fulfilled. The only legal ground available for this type of processing is Article 6(1)(f) GDPR, which requires three cumulative conditions: the controller must pursue a legitimate interest, the processing must be necessary for that interest, and the interest must not be overridden by the interests or fundamental rights and freedoms of the data subject.

The DPA had already concluded that the purposes were legitimate. However, it held that those purposes could have been achieved by less privacy-invasive measures, for example by deactivating the email inbox and/or by the controller itself setting up an automatic reply (the measure the data subject had refused to enable), rather than forwarding every incoming message to the general manager. Consequently, the DPA held that the controller lacked a valid legal basis under Article 6(1)(f) GDPR.
On the right to object
The DPA found that the controller was unable to demonstrate that they had considered the data subject's objection, or that they had conducted a specific legitimate interest assessment in line with Article 21 GDPR.
On the obligation to inform data subjects
The DPA held that it is highly likely that the controller had violated the right to information as per Article 13 GDPR.
Further Resources
The DPA has shared the full decision, however the PDF is uneditable and therefore cannot be machine translated. The translation below is for the press release.
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
Fee for automatic forwarding of e-mail

The Norwegian Data Protection Authority has decided to impose an infringement fee of NOK 100,000 on a company for breach of the Labor Act's e-mail regulations on access to e-mail boxes and the Privacy Ordinance's requirements for a legal basis and a duty to provide information. The company is also required to improve its own routines. The name of the company is exempt from publicity to protect the identity of the employees.

The Norwegian Data Protection Authority became involved in the case after receiving both a deviation report from an employer and a complaint from an employee in the company. The background for the case is that the complainant left the employer, and was to assist the employer with certain work tasks after the notice period. Due to disagreements, the employee's access to e-mail and computer systems was closed. All e-mails sent to the employee's e-mail box were automatically forwarded to an e-mail address managed by the general manager, and the forwarding took place for approximately six weeks. The purpose of the forwarding was to take care of customer relationships, and during the period the general manager handled both work-related and private e-mails that were sent to the employee's e-mail box.

Several violations

We have concluded that the employer did not have a legal basis for the automatic forwarding under the Privacy Ordinance, and was in conflict with the rules in the regulations on the employer's access to e-mail boxes and other electronic material. The company has also acted in violation of the rules on information to the data subject and the duty to assess the employee's protest, in addition to having inadequate routines for access to e-mail and other electronic material. On the basis of this, we have decided that the company must improve its written routines for access to e-mail, as well as ordering it to pay an infringement fee of NOK 100,000 for the illegal forwarding.

The company has a three-week appeal period from the time they receive the decision.

Download: "The Data Inspectorate provides a fee for automatic forwarding of e-mail" (pdf). Published: 24.05.2022