Datatilsynet (Norway) - 20/01916: Difference between revisions
m (Fixed machine translation) |
m (Riealeksandra moved page Datatilsynet - DT-20/01916 to Datatilsynet (Norway) - 20/01916) |
||
(One intermediate revision by the same user not shown) | |||
Line 50: | Line 50: | ||
|Appeal_To_Link= | |Appeal_To_Link= | ||
|Initial_Contributor=Rie Aleksandra Walle | |Initial_Contributor=[https://gdprhub.eu/index.php?title=User:Riealeksandra Rie Aleksandra Walle] | ||
| | | | ||
}} | }} |
Latest revision as of 18:57, 5 March 2022
Datatilsynet - DT-20/01916 | |
---|---|
Authority: | Datatilsynet (Norway) |
Jurisdiction: | Norway |
Relevant Law: | Article 6(1)(f) GDPR Article 13 GDPR Article 24 GDPR §§2-3 Forskrift om arbeidsgivers innsyn i e-postkasse og annet elektronisk lagret materiale |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 05.02.2021 |
Published: | 02.03.2021 |
Fine: | 250000 NOK |
Parties: | Excempt from public disclosure |
National Case Number/Name: | DT-20/01916 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Norwegian |
Original Source: | Datatilsynet (in NO) |
Initial Contributor: | Rie Aleksandra Walle |
The Norwegian DPA fined a company NOK 250 000 (€24,772) for requiring an employee to forward all emails to a shared inbox, on a continuous basis, despite her objections.
English Summary
Facts
The DPA reviewed two events where a company had obtained access to an employee's emails. In the first case, the company had accessed her inbox due to an acute situation where they needed to obtain crucial (business) information while the employee was on vacation (and couldn't be reached).
In the second case, however, the general manager had introduced a new policy, requiring the employee to continuously forward all her emails to a shared, common inbox at the company. After a month, she disabled this, however was instructed to enable it again.
Dispute
Did the company breach Article 6(1)(f) GDPR for lack of a legal basis?
Holding
In the first case, the DPA agreed that the company had a legal basis, due to an acute nature of the situation and the need for crucial (business) information. In the second case, however, the DPA held that the company had no legal basis for such processing, as it's highly invasive and not justified. The legal basis the company referred to, a national regulation concerning employers' access to employees' inboxes and other electronical material, was not applicable in this instance.
The DPA held that the company had no legal basis as per Article 6(1)(f) GDPR and that they had failed to inform the employee sufficiently as per Article 13 GDPR. Consequently, they were fined NOK 250 000 (€24,772), and also have to improve their internal controls in line with Article 24 GDPR.
Comment
The company was initially fined NOK 400,000, however after they made a complaint and were able to demonstrate a decrease in revenue due to COVID-19, this was reduced.
Further Resources
In Norwegian only:
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
Receives a fee for illegal forwarding of e-mail A company has received a decision on a fee of NOK 250,000 for illegal forwarding of the e-mail to an employee. The name of the company is exempt from publicity to protect the identity of the employees. Receives a fee for illegal forwarding of e-mail The background for the case is a complaint from a person who experienced that the employer used automatic forwarding of e-mail. The employer asked the employee to set up automatic forwarding from the e-mail box to a common e-mail box in the company. This must have been done out of consideration for operations. In violation of the rules After investigating the case, the Data Inspectorate concludes that the company lacks a legal basis for forwarding. It has taken place in violation of the rules in the regulations on the employer's access to e-mail boxes and other electronic material, in addition to the requirement for a legal basis under the Privacy Ordinance. The company had also not prepared routines for access to e-mail. The Norwegian Data Protection Authority pointed out that an improvement of the routines could have a preventive effect against illegal inspections being carried out at a later stage. On this basis, the Data Inspectorate has decided that the company must improve internal control and its own guidelines for access to employees' e-mail boxes. In addition, the company is ordered to pay 250,000 kroner for having monitored the complainant's e-mail box without any legal basis. The company has a three-week appeal period from the time they receive the decision.