Datatilsynet (Norway) - 20/01751: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Norway |DPA-BG-Color= |DPAlogo=LogoNO.png |DPA_Abbrevation=Datatilsynet |DPA_With_Country=Datatilsynet (Norway) |Case_Number_Name=20/01751 |EC...")
 
mNo edit summary
Line 75: Line 75:


=== Holding ===
=== Holding ===
The DPA preliminarily concluded that when carrying out an inspection of the data subject's e-mail, the data controller did not meet the necessary condition of having a justified suspicion that the data subject had used the e-mail account for actions that lead to a gross breach of duty or could provide grounds for dismissal or dismissal. Therefore, the data controller acted in lack of a legal basis and in violation of Norwegian e-mail-regulation ("e-postforskriften"). In December 2021, the DPA reprimanded the data controller and issued a preliminary fine of €15,000 (NOK 150,000). With respect not further specified other complaints of the data subject, the DPA concluded that the data controller did not act unlawfully.
The DPA preliminarily concluded that when carrying out an inspection of the data subject's e-mail, the data controller did not meet the necessary condition of having a justified suspicion that the data subject had used the e-mail account for actions that lead to a gross breach of duty or could provide grounds for dismissal or dismissal. Therefore, the data controller acted in lack of a legal basis and in violation of Norwegian e-mail-regulation ("e-postforskriften"). In December 2021, the DPA reprimanded the data controller and issued a preliminary fine of €15,000 (NOK 150,000). With respect to not further specified other complaints of the data subject, the DPA concluded that the data controller did not act unlawfully.


In September 2022, the DPA upheld their decision and concluded that the data controller's access to the data subject's e-mail violated Norwegian e-mail-regulation. The DPA withdrew the previously issued fine after the controller cited mitigating circumstances.
In September 2022, the DPA upheld their decision and concluded that the data controller's access to the data subject's e-mail violated Norwegian e-mail-regulation. The DPA withdrew the previously issued fine after the controller cited mitigating circumstances.

Revision as of 11:56, 7 November 2022

Datatilsynet - 20/01751
LogoNO.png
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 6 GDPR
Forskrift om arbeidsgivers innsyn i e-postkasse og annet elektronisk lagret materiale (e-postforskriften)
Type: Complaint
Outcome: Partly Upheld
Started:
Decided:
Published: 19.09.2022
Fine: n/a
Parties: Norwegian University of Science and Technology - NTNU
National Case Number/Name: 20/01751
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Norwegian
Norwegian
Original Source: Datatilsynet (NO) (in NO)
Datatilsynet (NO) (in NO)
Initial Contributor: derhagen

The DPA upheld that a university had accessed an employee's e-mail account in lack of a legal base and in violation of Norwegian e-mail-regulation. The university was reprimanded and the DPA withdrew a preliminarily issued fine of €15,000 (NOK 150,000).

English Summary

Facts

A employee lodged multiple complaints against his employer, the Norwegian University of Science and Technology (NTNU) for processing his personal data, including accessing his work-related e-mail account.

Holding

The DPA preliminarily concluded that when carrying out an inspection of the data subject's e-mail, the data controller did not meet the necessary condition of having a justified suspicion that the data subject had used the e-mail account for actions that lead to a gross breach of duty or could provide grounds for dismissal or dismissal. Therefore, the data controller acted in lack of a legal basis and in violation of Norwegian e-mail-regulation ("e-postforskriften"). In December 2021, the DPA reprimanded the data controller and issued a preliminary fine of €15,000 (NOK 150,000). With respect to not further specified other complaints of the data subject, the DPA concluded that the data controller did not act unlawfully.

In September 2022, the DPA upheld their decision and concluded that the data controller's access to the data subject's e-mail violated Norwegian e-mail-regulation. The DPA withdrew the previously issued fine after the controller cited mitigating circumstances.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

Notice of infringement fee to NTNU

The Danish Data Protection Authority has notified NTNU of an infringement fee of NOK 150,000 for illegal access to an employee's e-mail box.

The background for the notice is several complaints from the employee about NTNU's processing of his personal data, such as access to his e-mail box at the university.

Breach of the Personal Data Protection Regulation and the e-mail regulation

After carrying out further investigations into the matter, the Norwegian Data Protection Authority has come to the conclusion that NTNU did not meet the e-mail regulations' conditions for access. Our preliminary conclusion is that when the inspection was carried out, the university did not meet the condition of having a justified suspicion that the employee had used the e-mail box for actions that lead to a gross breach of duty or could provide grounds for dismissal or dismissal. The Personal Protection Regulation's requirement for a legal basis was thus not met.

Read more about access to e-mail and private files.

As regards the conditions in the other complaints, our assessment is that NTNU has not breached the regulations.

The matter is exempt from public disclosure in accordance with the rules on confidentiality for notifications to public authorities in the Working Environment Act. The Danish Data Protection Authority can therefore only release limited information on the matter.

Advance notice

This is an advance notice, and NTNU has four weeks to comment on the notice.

Contact person

Ylva Marrable

section manager, section for private services

Office: (+47) 22 39 69 18 E-mail:

Ole Martin Moe

legal adviser

Office: (+47) 22 39 69 59 E-mail:

Published: 07.12.2021

----------


Decision on breach of NTNU

The Danish Data Protection Authority has made a decision against NTNU in a case concerning illegal access to an employee's e-mail box. In the decision, the Norwegian Data Protection Authority states that NTNU has broken the e-mail regulations in connection with the access that was carried out in the complainant's e-mail box.
Decision on breach of NTNU

In December, the Norwegian Data Protection Authority announced a decision on infringement fees to the university. On the basis of NTNU's comments to the notice, we maintain our conclusion that the university had no legal basis for inspecting the complainant's e-mail box, but do not proceed with the infringement fee. This conclusion is based on several mitigating circumstances that appear from the comments we received from NTNU after we notified of the fee.

The background for the decision is several complaints from the employee about NTNU's processing of his personal data, such as access to his e-mail box at the university.
Violation of the e-mail regulations

After carrying out further investigations into the matter, the Norwegian Data Protection Authority has come to the conclusion that NTNU did not meet the e-mail regulations' conditions for access. Our conclusion is that the university did not fulfill the condition of having a justified suspicion that the employee had used the e-mail box for actions that lead to a serious breach of duty or could provide grounds for dismissal or dismissal at the time when the inspection was carried out. Furthermore, our assessment is that the inspection of the e-mail box also did not meet the requirement of being a suitable and necessary measure to achieve the purpose at the time when it was carried out.

As regards the conditions in the other complaints, our assessment is that NTNU has not breached the regulations.

The matter is exempt from public disclosure in accordance with the rules on confidentiality for notifications to public authorities in the Working Environment Act. The Danish Data Protection Authority can therefore only release limited information on the matter.

NTNU has a three-week appeal period against the decision on infringement.


Contact person
Ylva Marrable

section manager, section for private services

Office:
    (+47) 22 39 69 18
Email:
    yma@datatilsynet.no

Ole Martin Moe
Ole Martin Moe

legal adviser

Office:
    (+47) 22 39 69 59
Email:
    omm@datatilsynet.no

Published: 19/09/2022