Datatilsynet (Norway) - 20/02178: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Norway |DPA-BG-Color= |DPAlogo=LogoNO.png |DPA_Abbrevation=Datatilsynet |DPA_With_Country=Datatilsynet (Norway) |Case_Number_Name=DT-20/02178...")
 
(→‎Dispute: removed)
 
(21 intermediate revisions by 3 users not shown)
Line 16: Line 16:


|Type=Complaint
|Type=Complaint
|Outcome=Rejected
|Outcome=Upheld
|Date_Decided=07.12.2020
|Date_Decided=07.12.2020
|Date_Published=13.01.2021
|Date_Published=13.01.2021
|Year=2020
|Year=2020
|Fine=400000
|Fine=250,000
|Currency=NOK
|Currency=NOK
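Review bot: `|Fine=250,000` introduces a thousands separator where the value it replaces was the bare number `400000`; keep one format for the field (for example `250000`). The new figure is also the amount set on appeal, while `|Date_Decided=07.12.2020` in the same hunk is still the DPA's decision date, so the box or the summary should make clear which body each value belongs to.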


Line 37: Line 37:




|National_Law_Name_1=§§2-3 Forskrift om arbeidsgivers innsyn i e-postkasse og annet elektronisk lagret materiale
|National_Law_Name_1=Regulation concerning employers' right of access to employees' e-mail inboxes and other electronically stored material §§2-3
|National_Law_Link_1=https://lovdata.no/dokument/SF/forskrift/2018-07-02-1108
|National_Law_Link_1=https://lovdata.no/dokument/SF/forskrift/2018-07-02-1108


Line 51: Line 51:
|Party_Link_5=
|Party_Link_5=


|Appeal_To_Body=
|Appeal_To_Body=Personvernnemnda (Norway)
|Appeal_To_Case_Number_Name=
|Appeal_To_Case_Number_Name=PVN-2021-03
|Appeal_To_Status=
|Appeal_To_Status=Partly upheld
|Appeal_To_Link=
|Appeal_To_Link=https://gdprhub.eu/index.php?title=Personvernnemnda_(Norway)_-_PVN-2021-03


|Initial_Contributor=Rie Aleksandra Walle
|Initial_Contributor=[https://gdprhub.eu/index.php?title=User:Riealeksandra Rie Aleksandra Walle]
|
|
}}
}}


The Norwegian DPA (Datatilsynet) fined a company NOK 400 000 (€38,800) for enabling automatic forwarding of an employee's emails during a sick leave, without informing the employee or accepting her objection.
The Norwegian DPA fined a company €38,800 (NOK 400,000) for enabling automatic forwarding of an employee's emails during a sick leave, without informing the employee or accepting her objection. The company appealed the fine and although the Privacy Appeals Board (Personvernnemnda) agreed with the DPA that the fine was correct, [[Personvernnemnda (Norway) - PVN-2021-03|they reduced it to NOK 250,000]] '''only''' because of the DPA's long case processing time.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
In 2019, the general manager of a company enabled automatic forwarding of an employee's emails during a sick leave, because the employee had "failed to enable her out of office reply". The company admitted that they had breached §§2 and 3 of a national regulation concerning employers' access to employees' inboxes and other electronical material, that they had no legal basis as per Article 6(1)(f) GDPR and that they had failed to inform the employee as per Article 13 GDPR, cf. the national regulation.
In 2019, a company enabled automatic forwarding of an employee's emails during a sick leave, because the employee had "failed to enable her out of office reply". The company admitted that they had breached §§2 and 3 of a national regulation concerning employers' access to employees' inboxes and other electronically stored material, that they had no legal basis as per Article 6(1)(f) GDPR and that they had failed to inform the employee as per [[Article 13 GDPR|Article 13]] and the national regulation.


They argued, however, that because the employee had failed to enable her out of office reply, they had legitimate grounds to enable automatic forwarding of her emails. Despite objections from the employee, the company continued to forward her emails, as long as she didn't herself enable the out of office reply. In the end, the company did this on her behalf, but only after having monitored her emails for five weeks.
They argued, however, that because the employee had failed to enable her out of office reply, they had legitimate grounds to enable automatic forwarding of her emails. Despite objections from the employee, the company continued to forward her emails, as long as she didn't herself enable the out of office reply. In the end, the company did this on her behalf, but only after having monitored her emails for five weeks.
=== Dispute ===
Did the company breach Article 6(1)(f) GDPR for lack of legal basis, Article 21 for lack of considering an objection, Article 13 for lack of information and Article 24 for lack of internal controls?


=== Holding ===
=== Holding ===
Yes, the company was found to have breached Article 6(1)(f) GDPR for lack of legal basis, Article 21 for lack of considering an objection, Article 13 for lack of information and Article 24 for lack of internal controls concerning the company's access to employees' inboxes (emails). The DPA also found that the company had breached the fundamental principles as per the GDPR, specifically Article 5(1)(a) and 5(2).  
The DPA (Datatilsynet) held that the company had breached Article 6(1)(f) GDPR for lack of legal basis, [[Article 21 GDPR|Article 21]] for lack of considering an objection, [[Article 13 GDPR|Article 13]] for lack of information and [[Article 24 GDPR|Article 24]] for lack of internal controls concerning the company's access to employees' inboxes (emails). The DPA also found that the company had breached the fundamental principles as per the GDPR, specifically Article 5(1)(a) and 5(2).  


For this, they were fined NOK 400 000 (€38,800) and required to update their internal routines and submit a written confirmation of the latter, including documentation, to the DPA within four weeks (unless they appeal the decision).
For this, they were fined NOK 400 000 (€38,800) and required to update their internal routines and submit a written confirmation of the latter, including documentation, to the DPA within four weeks (unless they appeal the decision).
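Review bot: the new lead sentence says the Privacy Appeals Board "agreed with the DPA that the fine was correct" and, in the same sentence, that it reduced the fine, which reads as a contradiction; wording such as "agreed with the DPA in their criticism", used elsewhere in this revision, would be consistent. The Holding paragraph kept as context still ends "(unless they appeal the decision)" although this revision records the appeal in the `Appeal_To_*` fields, so that clause should be updated too. `|Initial_Contributor=` now uses an external-link URL to a gdprhub.eu user page where the rest of the revision uses `[[...]]` wikilinks.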
Line 81: Line 78:


The DPA firmly rejected all these arguments and referred to the fact that the GDPR has been in process for several years, it came into effect already in 2016 and the breaches would also have been determined as such also from the preceding laws. They also noted that the processing could have been done in a less invasive way and argue that the company realized this themselves as they did enable the out of office reply in the end.  
The DPA firmly rejected all these arguments and referred to the fact that the GDPR has been in process for several years, it came into effect already in 2016 and the breaches would also have been determined as such also from the preceding laws. They also noted that the processing could have been done in a less invasive way and argue that the company realized this themselves as they did enable the out of office reply in the end.  
The Privacy Appeals Board agreed with the DPA in their criticism. They also emphasized that the fact that the employee was in a conflict with her manager when she was went on sick leave, makes the employer's behaviour further reprehensible. In sum, they found that the employer had seriously violated privacy rules. It was only because of the DPA's long case processing time that they reduced the fine to NOK 250,000. A summary of the decision of the Privacy Appeals Board (Personvernnemnda) can be found here: [[Personvernnemnda (Norway) - PVN-2021-03]].


== Further Resources ==
== Further Resources ==
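Review bot: the added Privacy Appeals Board paragraph has a typo in "when she was went on sick leave" (drop "was"), and "makes the employer's behaviour further reprehensible" would read better as "all the more reprehensible". It also repeats the fine reduction and the link to PVN-2021-03 that the new lead sentence already carries; one of the two could simply point to the other.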
Line 89: Line 88:


<pre>
<pre>
Receives fee for forwarding e-mail

The Norwegian Data Protection Authority has fined a company an infringement fee of NOK 400,000 for illegal automatic forwarding of an employee's e-mail box.

Receives fee for forwarding e-mail
The background to the case is a complaint from an employee who experienced that the employer had activated automatic forwarding of the person's e-mail box in the company.

Lacks legal basis

The automatic forwarding was activated in connection with the employee's sick leave, and lasted for more than a month. After investigating the case further, the Data Inspectorate has concluded that the forwarding has taken place in violation of the rules in the regulations on the employer's access to e-mail boxes and other electronic material, as well as the Privacy Ordinance's legal basis, information to the data subject and the duty to assess the employee's protest. .

On the basis of this, the Data Inspectorate has decided that the company must improve the written routines for access to e-mail boxes, as well as an order to pay an infringement fee of NOK 400,000 for the illegal forwarding.

The company's name is exempt from publicity to protect the complainant's identity. The company has appealed the decision.
</pre>
</pre>
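Review bot: in the replacement text inside `<pre>`, the paragraph ending "the duty to assess the employee's protest. ." has a stray second full stop, and the heading "Receives fee for forwarding e-mail" appears twice. The translation also names the authority as both "Norwegian Data Protection Authority" and "Data Inspectorate", and calls the GDPR the "Privacy Ordinance"; aligning these with the terms used in the English Summary would make the source text easier to match against it.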

Latest revision as of 18:53, 17 May 2022

Datatilsynet - DT-20/02178
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 5(1)(a) GDPR
Article 5(2) GDPR
Article 6(1)(f) GDPR
Article 13 GDPR
Article 21 GDPR
Article 24 GDPR
Regulation concerning employers' right of access to employees' e-mail inboxes and other electronically stored material §§2-3
Type: Complaint
Outcome: Upheld
Started:
Decided: 07.12.2020
Published: 13.01.2021
Fine: 250,000 NOK
Parties: Exempt from public disclosure
National Case Number/Name: DT-20/02178
European Case Law Identifier: n/a
Appeal: Partly upheld
Personvernnemnda (Norway)
PVN-2021-03
Original Language(s): Norwegian
Original Source: Datatilsynet (in NO)
Initial Contributor: Rie Aleksandra Walle

The Norwegian DPA fined a company €38,800 (NOK 400,000) for enabling automatic forwarding of an employee's emails during a sick leave, without informing the employee or accepting her objection. The company appealed the fine and although the Privacy Appeals Board (Personvernnemnda) agreed with the DPA that the fine was correct, they reduced it to NOK 250,000 only because of the DPA's long case processing time.

English Summary

Facts

In 2019, a company enabled automatic forwarding of an employee's emails during a sick leave, because the employee had "failed to enable her out of office reply". The company admitted that they had breached §§2 and 3 of a national regulation concerning employers' access to employees' inboxes and other electronically stored material, that they had no legal basis as per Article 6(1)(f) GDPR and that they had failed to inform the employee as per Article 13 and the national regulation.

They argued, however, that because the employee had failed to enable her out of office reply, they had legitimate grounds to enable automatic forwarding of her emails. Despite objections from the employee, the company continued to forward her emails, as long as she didn't herself enable the out of office reply. In the end, the company did this on her behalf, but only after having monitored her emails for five weeks.

Holding

The DPA (Datatilsynet) held that the company had breached Article 6(1)(f) GDPR for lack of legal basis, Article 21 for lack of considering an objection, Article 13 for lack of information and Article 24 for lack of internal controls concerning the company's access to employees' inboxes (emails). The DPA also found that the company had breached the fundamental principles as per the GDPR, specifically Article 5(1)(a) and 5(2).

For this, they were fined NOK 400 000 (€38,800) and required to update their internal routines and submit a written confirmation of the latter, including documentation, to the DPA within four weeks (unless they appeal the decision).

Comment

Following the DPA's notification of a decision, the company argued that the penalty was too severe, due to the following reasons: the processing was "the employee's own fault" as she had failed to enable the out of office reply; the breach was an "isolated incident", which took place relatively shortly after "a new and very complex law was introduced" and that the rules concerning an employer's access to an employee's inbox "have been unclear".

The DPA firmly rejected all these arguments. It referred to the fact that the GDPR had been in process for several years, that it came into effect already in 2016, and that the breaches would have been determined as such under the preceding laws as well. The DPA also noted that the processing could have been done in a less invasive way, and argued that the company realized this themselves, as they did enable the out of office reply in the end.

The Privacy Appeals Board agreed with the DPA in their criticism. They also emphasized that the fact that the employee was in a conflict with her manager when she went on sick leave makes the employer's behaviour even more reprehensible. In sum, they found that the employer had seriously violated privacy rules. It was only because of the DPA's long case processing time that they reduced the fine to NOK 250,000. A summary of the decision of the Privacy Appeals Board (Personvernnemnda) can be found here: Personvernnemnda (Norway) - PVN-2021-03.

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

Receives fee for forwarding e-mail

The Norwegian Data Protection Authority has imposed an infringement fee of NOK 400,000 on a company for illegal automatic forwarding of an employee's e-mail box.

The background to the case is a complaint from an employee who experienced that the employer had activated automatic forwarding of the person's e-mail box in the company.

Lacks legal basis

The automatic forwarding was activated in connection with the employee's sick leave, and lasted for more than a month. After investigating the case further, the Data Inspectorate has concluded that the forwarding took place in violation of the rules in the regulations on the employer's access to e-mail boxes and other electronic material, as well as the Privacy Ordinance's rules on legal basis, information to the data subject and the duty to assess the employee's protest.

On the basis of this, the Data Inspectorate has decided that the company must improve its written routines for access to e-mail boxes, and has ordered it to pay an infringement fee of NOK 400,000 for the illegal forwarding.

The company's name is exempt from publicity to protect the complainant's identity. The company has appealed the decision.