From GDPRhub
Revision as of 08:02, 3 July 2024

Personvernnemnda - PVN-2024-01
Court: Personvernnemnda (Norway)
Jurisdiction: Norway
Relevant Law: Article 6(1)(f) GDPR; Article 58(2)(b) GDPR; §2(b) e-postforskriften
Decided: 28.05.2024
Published: 11.06.2024
Parties: Datatilsynet
National Case Number/Name: PVN-2024-01
European Case Law Identifier:
Appeal from: DPA, 20/03083-93
Appeal to:
Original Language(s): Norwegian
Original Source: Personvernnemnda (in Norwegian)
Initial Contributor: ec

The DPA’s appeal board held that the DPA’s decision on which specific measure to take against a controller does not affect the data subject's rights and is therefore not appealable.

English Summary

Facts

The controller, an employer, suspected that an employee had committed embezzlement and carried out an inspection of the employee’s mailbox. After discovering e-mail exchanges between the employee and another employee (the data subject), the controller also suspected that the data subject contributed to a possible embezzlement and accessed their mailbox as well.

Access to the data subject’s mailbox was carried out by the controller with the assistance of a third party and a data processor.

The inspection of the e-mails showed the data subject had breached their duty of loyalty in their employment by sharing insider information and other confidential information. The data subject was then dismissed.

On 12 July 2020, the data subject lodged a complaint at the Norwegian DPA (“Datatilsynet”). The data subject argued that the controller had no legal basis for conducting an inspection and disclosing their personal data.

The DPA found that the controller failed to comply with the accountability principle under Article 5(2) GDPR as the controller did not submit documentation of the legal basis for conducting the inspection of the data subject’s mailbox. The DPA held that the controller had a legitimate interest to inspect the data subject’s mailbox under Article 6(1) GDPR and Section 2 of the Norwegian E-mail Regulations (“e-postforskriften”). Under the E-mail Regulations, an employer has the right to access an employee’s mailbox in the event of "reasonable suspicion that the employee's use of a mailbox or other electronic equipment results in a serious breach of the obligations arising from the employment relationship or may provide grounds for termination or dismissal". However, the DPA found that the controller did not process the data subject’s personal data with sufficient transparency under Article 5(1)(a) GDPR and Article 14 GDPR, as the data subject was not informed about the processing. The DPA stated that the controller could have made a copy of the emails in advance before the inspection to safeguard their interests, so that the data subject could be notified of the inspection in advance. The DPA also found that the controller did not conduct the inspection in accordance with the data minimisation principle under Article 5(1)(c) GDPR. The search terms used were likely to generate more personal data than was necessary for the purpose of clarifying any unfair conduct. The DPA thus issued a reprimand against the controller under Article 58(2)(b) GDPR as the infringements affected a limited number of people and the violations of the accountability and transparency principle only affected the data subject and they were notified of the inspection shortly after it was carried out.

The data subject also filed a lawsuit with a district court, claiming that the termination was invalid and demanding compensation and redress. Both the district court and later the court of appeal concluded that the dismissal was valid and that there were no grounds for compensation. However, they both held that the rules for access to employees' mailboxes had been violated, so that there were grounds for compensation for damages under the Norwegian Personal Data Act. The controller was ordered to pay €1.741,50 (NOK 20,000) as compensation for damages.

The data subject appealed the DPA’s decision to the Norwegian Privacy Appeals Board (“Personvernnemnda”), stating that the DPA had failed to impose a fine against the controller. Moreover, the data subject argued that the third party was a processor and that the DPA's assessment that a data processing agreement was not necessary was therefore incorrect. The data subject also argued that the DPA did not take into account the controller’s breach of Article 30 GDPR when issuing a reprimand against the controller. The data subject argued that the records of processing activities were not handed over by the controller to the DPA until more than a year after access to the data subject’s email box had ended, violating Article 30 GDPR. The data subject also argued that the DPA’s handling of the case was biased and subjective and that the DPA therefore failed to uphold its obligation to investigate and deal with all cases in full independence, regardless of a legally enforceable judgement in the termination case against the controller.

Holding

The Board held that access to an employee's mailbox constitutes processing of personal data, so the GDPR applies. The Board also held that, in order for the inspection to be lawful, the employer must follow the procedures set out in the national E-Mail Regulations. The Board agreed with the DPA and the Court of Appeal that the controller had not proceeded in line with national law and the requirements of the GDPR when carrying out the inspection.

The Board also agreed with the DPA’s and Court of Appeal’s assessment that the inspection of the data subject’s mailbox was sufficiently justified under Article 6(1)(f) GDPR and §2(b) of the Norwegian E-mail Regulations. The Board agreed with the district court and appeal court that the data subject had shared insider information, as well as other confidential information, which constituted a breach of the duty of loyalty.

The disclosure of personal data to a third party requires a legal basis under Article 6(1) GDPR. The Board agreed with the DPA that the controller had no legal basis for the disclosure of personal data to the third party under Article 6(1)(f) GDPR. The DPA rightly issued a reprimand against the controller under Article 58(2)(b) GDPR. The Board rejected the data subject’s argument that the third party was a data processor.

Under Article 30 GDPR, the controller is obliged to keep a record of processing activities. It also follows from Article 30(3) GDPR and Article 30(4) GDPR that these records must be in writing and that the controller must make them available to the DPA on request.

Although the data subject had the right to lodge a complaint with a DPA under Article 77 GDPR, this right does not extend to separate complaints about possible non-compliance with the controller's general obligations under Chapter IV of the GDPR, including the obligation to keep records under Article 30 GDPR. It is up to the DPA to assess whether or not this is a matter to be pursued against a controller. Therefore, the Board rejected the data subject's argument.

The Board held that the fact that the DPA chose to impose a reprimand, but did not find it necessary to impose a fine, is not a decision directed at the data subject and does not affect their rights and obligations. The Board referred to its earlier decisions PVN-2019-12 and PVN-2020-07, in which it took the same legal view.

The Board therefore dismissed the data subject’s appeal about the DPA’s choice of measures taken against the controller.

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

The Norwegian Privacy Board's decision on 28 May 2024 (Mari Bø Haugstad, Bjørnar Borvik, Hans Marius Graasvold, Ellen Økland Blinkenberg, Hans Marius Tessem, Morten Goodwin, Malin Tønseth)
The case concerns a complaint from A on 18 September 2023 about the Norwegian Data Protection Authority's decision on 5 September 2023 regarding a reprimand to the employer for breaching the Personal Protection Regulation's procedural rules relating to the implementation of access to the employee's email box. The Norwegian Data Protection Authority assumed that the employer had a legal basis for the access.
Background of the case
In 2020, the employer suspected that an employee of the company had committed embezzlement and carried out access to the relevant employee's e-mail box. Following the discovery of e-mail exchanges between the employee in question and A, the employer suspected that A could have contributed to any embezzlement, and that she had spread classified information. Access to her e-mail box was therefore also carried out.
The inspection of A's e-mail box was carried out by the employer with assistance from B, as external partner, and C, as data processor for the employer.
A was dismissed. The dismissal was based, among other things, on the fact that A had breached the duty of loyalty in employment by sharing inside information and other confidential information. This was revealed in the inspection carried out in A's e-mail box.
A complained to the Norwegian Data Protection Authority on 12 July 2020 about the employer's access to her e-mail box. She complained about the lack of a legal basis for the inspection, the implementation of the inspection and the employer's disclosure of personal data.
In the autumn of 2020, A also filed a lawsuit in the courts alleging that the dismissal was invalid, as well as demanding compensation and restitution. While the complaint was still being processed by the Norwegian Data Protection Authority, judgments were handed down in the district court and the court of appeal, and the Supreme Court refused to hear the case […] 2022.
Like the District Court, the Court of Appeal in a judgment handed down […] 2022 concluded that the dismissal was valid, and that there was therefore no basis for compensation under the Working Environment Act, but that the rules for access to employees' e-mails had been broken, so that there was a basis for compensation under the Personal Data Act. The compensation according to Section 30 of the Personal Data Act was set at NOK 20,000.
The Norwegian Data Protection Authority then made a decision in the case on 28 November 2022. The Norwegian Data Protection Authority assumed that the conditions for carrying out an inspection according to the e-mail regulations § 2 first paragraph letter b were met. The Norwegian Data Protection Authority referred to Borgarting Court of Appeal's conclusion about a breach of the e-mail regulations and ordered the employer to establish "internal controls and routines for access to employees' and former employees' e-mail boxes and other electronically stored material, cf. Article 24 of the Personal Data Protection Regulation."
After A complained about the decision on 18 December 2022, the Norwegian Data Protection Authority issued a new, amended decision on 5 September 2023, where the employer was also reprimanded. The Norwegian Data Protection Authority made the following decision:
"1. The Norwegian Data Protection Authority decides on a reprimand against [employer] for breach of:
a. The Personal Protection Regulation article 5 no. 2 (principle of responsibility), in case of failure to assess the legal basis when processing the complainant's personal data,
b. The Personal Protection Regulation article 5 no. 1 letter c (data minimization principle), by processing more personal data about the complainant than was necessary for the purpose,
c. The Personal Protection Regulation article 5 no. 1 letter a (the principle of openness), articles 13 and 14 (the duty to provide information), and the e-mail regulation section 3, in the event of a lack of information, advance notice and inadequate subsequent briefing, and
d. The Personal Protection Regulation article 6 no. 1 letter f, by handing over the complainant's personal data to an external party without a legal basis.
2. Pursuant to the personal data protection regulation art. 58 no. 2 letter d, the [employer] is required to improve internal control and routines for access to employees' and former employees' e-mail boxes and other electronically stored material, cf. Article 24 of the Personal Protection Ordinance."
The external party referred to in point 1 d of the decision is B.
The Norwegian Data Protection Authority maintained its assessment from the first decision, made on 28 November 2022, that the employer had a legal basis for inspecting A's e-mail box.
A complained on 18 September 2023 about the Norwegian Data Protection Authority's decision. The complaint concerned the Norwegian Data Protection Authority's assessment of the facts, the question of whether the employer had legal grounds to inspect her e-mail box, B's role during the inspection, the employer's lack of a processing protocol, as well as the Norwegian Data Protection Authority's choice of reaction/corrective measures (reprimand) towards the employer.
The Norwegian Data Protection Authority processed the complaint and upheld its decision. The case was forwarded to the Personal Protection Board on 4 January 2024. The parties were informed about the case in a letter from the board and were given the opportunity to make comments. A gave her comments by email on 4 March 2024. The employer gave its comments in a letter to the tribunal on 1 March 2024.
The case was dealt with in the board's meeting on 28 May 2024. The privacy board had the following composition: Mari Bø Haugstad (chair), Bjørnar Borvik, Hans Marius Graasvold, Ellen Økland Blinkenberg, Morten Goodwin, Hans Marius Tessem and Malin Tønseth. Investigation leader Anette Klem Funderud and first consultant Emilie Winther Løvli were also present.
The Norwegian Data Protection Authority's assessment in brief
The Norwegian Data Protection Authority pointed out that the employer has not submitted documentation showing that the employer assessed the legal basis for carrying out investigations aimed at A. The Norwegian Data Protection Authority concluded that the employer cannot demonstrate compliance with the principles of purpose limitation and legality according to the Personal Protection Regulation Article 5 No. 1 letters a and b. Based on this, the Authority concluded that the employer has not complied with the principle of responsibility, cf. Article 5 no. 2.
The Norwegian Data Protection Authority pointed out that the data subject must, among other things, receive information about the purpose of the processing and the legal basis, cf. article 14 no. 1 letter c, and that it follows from the principle of transparency that personal data must be processed in an open manner, cf. article 5 no. 1 letter a. In this case, a search was made for information in the colleague's e-mail box without A receiving information in advance. The Norwegian Data Protection Authority considered that this means that the employer did not process A's personal data with sufficient transparency, cf. article 5 no. 1 letter a and article 14.
The Norwegian Data Protection Authority assumed that the employer, during the inspection of the colleague's e-mail box, came across e-mails that gave "reasonable suspicion" that A could have contributed to embezzlement and leaked confidential information. The inspectorate found no basis for establishing a breach of the requirements in the e-mail regulations § 2 first paragraph letter b and concluded that the condition of "legitimate interests" had been met. The Norwegian Data Protection Authority further assumed that the inspection appeared to be a suitable measure to investigate whether A had disclosed confidential information, and found that the necessity condition was met. The Norwegian Data Protection Authority also carried out a balancing of interests and concluded that there was no breach of the conditions for access to the complainant's e-mail box under section 2 of the e-mail regulations and article 6 no. 1.
The Norwegian Data Protection Authority assumed that the employer had breached the e-mail regulation § 3 first paragraph, the personal protection regulation article 5 no. 1 letter a (the principle of openness), and article 13 by failing to give advance notice. The employer's interests in the matter would have been safeguarded by taking a mirror copy, so that A could be notified in advance about the access to her e-mail box. The inspectorate further believed that the subsequent notification to A was deficient and involved a breach of the e-mail regulations § 3 fourth paragraph.
The Norwegian Data Protection Authority further assumed that B, who was the person who carried out the inspection of A's e-mail box, cannot be considered the employer's data processor according to Article 28, but is assessed as an external actor who carried out the inspection and was given A's personal information. The Norwegian Data Protection Authority considered that the employer had "legitimate interests" in handing over the personal data to B, but that such handing over was not necessary and that consideration of A's interests outweighed the employer's legitimate interests. The Norwegian Data Protection Authority concluded that the employer provided A's personal data to B without a legal basis in Article 6 no. 1 letter f.
The inspectorate determined that the employer did not carry out the inspection in accordance with the data minimization principle in Article 5 no. 1 letter c. The keywords used were suitable for generating more personal data than was necessary for the purpose of clarifying any unfair behaviour.
For these violations, the Norwegian Data Protection Authority found that a reprimand to the employer was an appropriate response in the case, cf. article 58 no. 2 letter b. The supervisory authority pointed out that the violations affected a limited number of people, that the observed violations of the principle of accountability and the principle of transparency mainly affected only A, and that she was notified of the inspection shortly after it had been carried out.
The Norwegian Data Protection Authority stated that the Norwegian Data Protection Authority's choice of corrective measures against the data controller is not an individual decision that can be appealed by the data subject, cf. the Public Administration Act § 28. Such a decision is not "determining the rights and duties" of the data subject, cf. the Public Administration Act § 2 first subsection letter a, cf. letter b, nor is it "directed at" or does it "directly apply" to the registered person according to § 2 first subsection letter e of the Public Administration Act.
A's view of the case in brief
The employer had no legal basis for the access to her e-mail box, cf. the e-mail regulations section 2 and article 6 no. 1. The employer must be charged an infringement fee for the infringement.
She has the right to appeal against the Norwegian Data Protection Authority's failure to impose an infringement fee. The European Data Protection Board has drawn up guidelines relating to the form of response - "Guidelines 04/2022 on the calculation of administrative fines under the GDPR". These have great weight as a legal source and must be applied uniformly throughout the EEA. The Norwegian Data Protection Authority does not comply with the requirements of these guidelines. The GDPR and the EEA Act take precedence over the Public Administration Act, and there is nothing in these that can be interpreted as meaning that she does not have a right of appeal in relation to the Data Protection Authority's breach of the European Data Protection Board's guidelines, the GDPR and the EEA Act in connection with the failure to impose an infringement fee; rather the opposite.
If she does not have a right of appeal related to the failure to impose an infringement fee, the Norwegian Data Protection Authority can subjectively and intentionally discriminate between breaches of the GDPR with regard to the imposition of an infringement fee, as it has done in this case.
In the decision, the Norwegian Data Protection Authority misrepresents the facts of the case, despite the fact that this is a documented error. The Norwegian Data Protection Authority's failure to impose an infringement fee appears to be an attempt to whitewash the extensive and serious breaches of the GDPR, and the use of incorrect statements, which have been documented in this case. As can be seen from her complaint, there is also a factual, legal and natural causal connection between the Norwegian Data Protection Authority's extensive and documentable misrepresentation of the facts of the case and the failure to impose an infringement fee. This alone provides a right of appeal independent of Section 2 of the EEA Act.
The Norwegian Data Protection Authority's conclusion that the employer used a subcontractor without a data processing agreement is wrong and involves a breach of Article 28 (1) and (3).
The protocol/memo was only handed over by the employer more than a year after access to her e-mail box ended. There is no record of the inspection that satisfies the requirements for keeping records and who can prepare a record. This represents a breach of GDPR article 30, but this is not included in the Data Protection Authority's decision on reprimand.
The Norwegian Data Protection Authority's handling of the case is biased and subjective. The supervisory authority violates the requirements of several provisions of the GDPR, including Articles 52, 57 no. 1 letter f, 58 no. 1 letters a and e, 58 no. 5, 77 and 83. In accordance with Articles 52, 57, 58, 77 and 78, the Norwegian Data Protection Authority is obliged to investigate and process all cases with full independence, regardless of a final judgment in the dismissal case against the employer. That has not happened in this case.
The employer's view of the matter in brief
In the decision, the Norwegian Data Protection Authority states that there was authority for the employer's access to A's e-mail box and that the way in which the access was carried out essentially complied with the requirements of the privacy regulations. The employer has taken note of the violations that were ascertained and the Norwegian Data Protection Authority's reprimand in that connection.
The company has also complied with the orders from the supervisory authority to improve internal control and routines for access.
The employer agrees with the Norwegian Data Protection Authority's assessment in the letter of transmission to the tribunal that the decision is not affected by any deficiencies or grounds for invalidity, that the decision should not be overturned and that the complainant does not have a right of appeal related to the choice of reaction from the Norwegian Data Protection Authority towards the employer. The company therefore assumes that the complaint is rejected as regards the choice of response, and that it is not accepted otherwise.
The Norwegian Privacy Board's assessment
The complaint concerns the Norwegian Data Protection Authority's assessment of the facts, the question of whether the employer had a legal basis to inspect her e-mail box, B's role during the inspection, the employer's lack of a processing protocol, as well as the Norwegian Data Protection Authority's choice of reaction/corrective measures (reprimand) towards the employer.
Facts - the tribunal's assessment of evidence
As far as the facts are concerned, the Privacy Board has based its assessment on the facts that the Borgarting Court of Appeal found proven during the appeal proceedings there, which corresponds to the assessment of evidence in the Oslo District Court. The appeal proceedings lasted over four days and the Court of Appeal's assessment of the evidence is based on the direct presentation of evidence to the court. The presentation of evidence during appeal proceedings is therefore more thorough and comprehensive than is the case with a written administrative complaint.
Both Oslo District Court and Borgarting Court of Appeal found it proved that A had shared inside information, as well as other confidential information, which involved a breach of the duty of loyalty. The tribunal also uses this as a basis for its assessment of this case.
Did the employer have a legal basis for accessing A's e-mail box?
Employers' access to employees' e-mail boxes is regulated in the regulations on employers' access to e-mail boxes and other electronic material (the e-mail regulations), issued on the basis of the Working Environment Act § 9-5.
Access to an employee's e-mail box is processing of personal data, and the Personal Data Act and the GDPR apply. The e-mail regulations were adopted in connection with the implementation of the GDPR and, according to the preparatory works, are within the framework of the GDPR, cf. Prop. 56 LS (2017-2018) pages 182-183.
It follows from the regulations § 2 letter b that the employer has the right to inspect the employee's e-mail box or other electronic equipment if there is a "reasonable suspicion that the employee's use of an e-mail box or other electronic equipment results in a serious breach of the duties arising from the employment relationship or may provide grounds for termination or dismissal". In order for the access to be lawful, the employer must also follow the procedures according to section 3 of the regulations. The Norwegian Data Protection Authority has, like the Borgarting Court of Appeal, concluded that the employer did not proceed in line with the e-mail regulations and the requirements of the GDPR when carrying out the access. The Borgarting Court of Appeal ordered the employer to pay compensation for non-material damage of NOK 20,000 to A for breach of these procedural rules, cf. the Personal Data Act § 30. For this, the Data Protection Authority has also imposed a reprimand on the employer, cf. GDPR Article 58 no. 2 letter b. The employer has accepted the reprimand and the violations of the procedural rules are not part of this complaint.
The Privacy Board agrees with the Data Protection Authority's assessment, which is also supported by the Court of Appeal's assessment, which in turn refers to the District Court's reasoning, that the access to A's e-mail box was sufficiently justified, cf. GDPR Article 6 no. 1 letter f and the e-mail regulations § 2 letter b.
B's role during the inspection
The tribunal, like the Norwegian Data Protection Authority, assumes that there is no data processing agreement with B or with the company where B was employed. He must therefore be assessed as an external actor.
A disclosure of personal data to an external actor constitutes processing of personal data and requires a legal basis according to Article 6 no. 1. The Norwegian Data Protection Authority has assessed whether the employer had a legal basis for its disclosure of personal data according to Article 6 no. 1 letter f and has, after a balancing of interests, concluded that the employer lacked a legal basis. For this, the employer has been given a reprimand, cf. Article 58 no. 2 letter b.
The tribunal has found no evidence in the case documents that B or the company where B was employed should instead have been considered a data processor, as A states. The Norwegian Data Protection Authority's decision is upheld.
Whether the employer had a processing protocol
A has complained about the lack of a protocol for access, cf. Article 30. It follows from Article 30 of the Personal Data Protection Regulation that the controller, and if relevant, the controller's representative, are obliged to keep a protocol of processing activities carried out under their responsibility. It also follows from the provision nos. 3 and 4 that the protocols must be in writing and that the data controller must, on request, "make the protocol available to the supervisory authority".
According to Article 77, a data subject has the right to complain to a supervisory authority if she "considers that the processing of personal data relating to him or her infringes this Regulation". This right to complain to a supervisory authority does not include separate complaints about possible non-compliance with the data controller's general obligations under Chapter IV, including the duty to keep records under Article 30. It is up to the supervisory authority to assess whether this is a situation that gives grounds for action against a data controller or not.
This part of the complaint must therefore be rejected.
The Norwegian Data Protection Authority's choice of reaction
The Norwegian Data Protection Authority has concluded that the employer did not carry out the inspection in line with the rules of the GDPR when it inspected A's e-mail box. For this, the supervisory authority has imposed a reprimand on the employer, cf. GDPR Article 58 no. 2 letter b.
The Personal Protection Regulation Article 78 No. 1 gives every natural or legal person the right to an effective legal remedy against a binding decision "that concerns them" and that has been made by a supervisory authority, and leaves it to national law to lay down rules on handling the complaint. It is the general case management rules in the Public Administration Act that apply to the Data Protection Authority's and the tribunal's handling of complaints, cf. Prop. 56 LS (2017-2018) points 26.5 and 27.5. Section 28, first paragraph of the Administration Act states that individual decisions can be appealed by a party or other with a legal appeal interest in the matter. A party is a "person to whom a decision is directed or to whom the case otherwise directly applies", cf. section 2 letter e of the Public Administration Act.
According to section 2 first paragraph letter a of the Public Administration Act, "decision" is defined as follows:
"a decision which is made in the exercise of public authority and which generally or concretely determines the rights or obligations of private persons (individuals or other private legal entities)".
The Public Administration Act divides decisions into two subgroups – individual decisions and regulations, cf. the Public Administration Act § 2 first paragraph letters b and c. Individual decisions are decisions that "apply to the rights or duties of one or more specific persons", cf. § 2 first paragraph letter b. As can be seen, the concept of "decision" in the Public Administration Act has a narrower content than the more general term "decision", which is also used in the Public Administration Act, cf. for example § 6 of the Act on impartiality requirements.
The distinction between individual decisions and other decisions has great significance for which procedural rights the parties and others affected in the administrative case have, and for which rules public administrative bodies must follow when processing the case. The case management rules in the Administration Act, Chapters IV-VI on, among other things, advance notice, duty to investigate and provide information, inspection of documents, justification and appeal, can only be applied in cases concerning individual decisions, cf. section 3 first paragraph of the Administration Act.
Regarding the more detailed demarcation between individual decisions and other decisions, the Civil Ombudsman says in SOM-2010-2482:
"The more detailed demarcation between individual decisions and other decisions must be made after a concrete assessment. The starting point must be taken in the wording, but the assessment cannot be limited to a discussion of whether the decision, after a linguistic interpretation, falls under the legal definition in Section 2 of the Act. Real considerations will also be central. It must be asked whether the decision is of such a nature that the Public Administration Act's rules on individual decisions should be applied. Consideration of the parties' legal security, the administration's workload and other practical matters will have to be given significant weight.
There must therefore be a 'decision' which is 'determining rights or obligations'. These two conditions are closely related. There is no right of appeal against procedural decisions. The traditional starting point is that the administration's failure to use its competence to intervene is not a decision that determines rights and obligations, unless the law states otherwise. However, the starting point is challenged in certain cases. In Graver, Alminnelig forvaltningsrett (3rd edition 2007) p. 401 et seq., it is advocated that 'the question is best resolved through legislation in connection with the individual administrative area, i.a. based on a legislative assessment of whether the competence to intervene is primarily justified in more general societal considerations, or whether it is also justified in the consideration of third parties, so that the latter should be given concrete rights in the proceedings.' Furthermore, it is argued that '[w]hether it is a decision in the sense of the Public Administration Act when an administrative body fails to use a competence to intervene at the request of someone who considers himself affected, depends on a concrete interpretation of the relevant competence to intervene'."
In its practice, the tribunal has assumed that a data subject whose personal data is processed by a data controller is to be considered a party to a case where the Data Protection Authority assesses whether the data controller has processed the personal data about the data subject in accordance with the law. The Privacy Board has further assumed that the Data Protection Authority's decision that the data controller's processing of personal data about the data subject is not illegal or contrary to the Personal Data Act is a decision that determines the rights and obligations of the data subject, and thus an individual decision that can be appealed.
In the present case, the Norwegian Data Protection Authority concluded that the employer had breached the GDPR when it inspected the employee's e-mail box. A has thus been vindicated in that the employer broke the rules when processing her personal data.
The fact that the Norwegian Data Protection Authority chose to impose a reprimand, but did not find it necessary to impose an infringement fee, is not a decision directed at A, nor is it decisive for her rights and obligations, cf. the Public Administration Act § 2 first paragraph letter a, nor is it a decision which is "directed at" A, cf. § 2 first paragraph letter e. The Data Protection Authority's choice of reaction is therefore not an individual decision that gives A a right of appeal. The tribunal refers to PVN-2019-12 and PVN-2020-07, where the tribunal based its conclusion on a similar legal view.
A's complaint about the Norwegian Data Protection Authority's choice of reaction against the employer must therefore be rejected.
In summary, the Personal Protection Board has concluded:
1. The employer's access to A's e-mail box was authorized under GDPR Article 6 no. 1 letter f and the e-mail regulations section 2 letter b.
2. The Norwegian Data Protection Authority's decision that it was not necessary for the employer to enter into a data processing agreement with B is upheld.
3. A's complaint about the employer's lack of a protocol on processing activities is rejected.
4. A's complaint about the Norwegian Data Protection Authority's failure to impose an infringement fee is rejected.
A is not successful in her appeal.
The Privacy Board's decision is unanimous.
Conclusion
A's complaint about the employer's lack of a protocol on processing activities and A's complaint about the Norwegian Data Protection Authority's failure to impose an infringement fee are rejected, otherwise the Norwegian Data Protection Authority's decision is upheld.
Oslo, 28 May 2024
Mari Bø Haugstad
Manager