Datatilsynet (Norway) - 20/02368

From GDPRhub
Datatilsynet - 20/02368
LogoNO.png
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 6(1)(f) GDPR
Article 13 GDPR
Article 21 GDPR
Article 24 GDPR
Type: Investigation
Outcome: Violation Found
Started: 20.11.2020
Decided: 15.03.2022
Published: 24.05.2022
Fine: 100000 NOK
Parties: Redacted
National Case Number/Name: 20/02368
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Norwegian
Norwegian
Original Source: Datatilsynet (in NO)
Datatilsynet (decision) (in NO)
Initial Contributor: Rie Aleksandra Walle

The Norwegian DPA fined a company €9,775 for unlawfully enabling automatic forwarding of an employee's emails in violation of Article 6(1)(f), for lack of information as per Article 13, failure to assess their objection as per Article 21, and required them to improve internals controls for employee emails as per Article 24 GDPR.

English Summary

Facts

An employee (the data subject) had quit their job and was supposed to assist the employer (the controller) during the notice period. However, due to disagreements, the controller blocked the data subject's access to email and business systems and enabled automatic forwarding of emails to the general manager of the company.

The data subject objected to this processing, but the controller upheld it for several weeks and only stopped it when the general manager realized it could be problematic. The Norwegian DPA (Datatilsynet) launched an investigation after receiving both a notification from the controller, as well as a complaint from the data subject.

The controller explained to the DPA that they had enabled automatic forwarding of the emails because the data subject had refused to enable an out of office reply. They further argued that this was necessary to uphold customer relations and daily operations, and because they had discovered that the data subject had violated work duties a few months earlier.

The controller also claimed that the data subject had consented to the processing, however this was denied by the data subject and the controller was unable to document their assertion.

Holding

The DPA held that the controller lacked a legal basis as per Article 6(1)(f) GDPR for accessing and monitoring the data subject's email inbox, that they had failed to provide required information to the data subject as per Article 13 GDPR and for failure to assess the data subject's objection as per Article 21 GDPR. For this, the DPA fined the controller €9,775 and required them to improve internals controls for employee emails as per Article 24 GDPR.

On the legal basis

First, the DPA assessed if the controller had a legal basis as per a national (Norwegian) regulation concerning employers' access to employees' inboxes and other electronically stored material, which allows such processing if one of two possible conditions are fulfilled. First, the DPA found that "upholding customer relations and daily operations" and "suspicion of violations of work duties", as argued by the controller, are legitimate purposes as per the regulation §2(1). However, this only allows for single accesses for a specified purpose. Automatic enabling of forwarding is considered as continuous surveillance and the processing could therefore not be based on this condition.

Continuous surveillance is regulated by §2(2), but solely for purposes of administrating the computer network or to uncover or solve security breaches in the network. Consequently, the processing could not either be based on this condition.

Further, the DPA found that the conditions in Article 6(1) GDPR was not fulfilled. The only available legal ground for this type of processing is Article 6(1)(f) GDPR, where three conditions must be fulfilled: the processing must be necessary for legitimate interests, and these interests must outweigh the rights and freedoms of the data subject.

The DPA had already concluded that the purposes were legitimate. However, they held that the purposes could have been achieved by less privacy-invasive measures, for example by deactivating the email inbox and/or enable automatic forwarding themselves. Consequently, the DPA held that the controller lacked a valid legal basis as per Article 6(1)(f) GDPR.

On the right to object

The DPA found that the controller was unable to demonstrate that they had considered the data subject's objection, or that they had conducted a specific legitimate interest assessment in line with Article 21 GDPR.

On the obligation to inform data subjects

The DPA held that it is highly likely that the controller had violated the right to information as per Article 13 GDPR.

Comment

Share your comments here!

Further Resources

The DPA has shared the full decision, however the PDF is uneditable and therefore cannot be machine translated. The translation below is for the press release.

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

Fee for automatic forwarding of e-mail

The Norwegian Data Protection Authority has decided to impose an infringement fee of NOK 100,000 on a company for breach of the Labor Act's e-mail regulations on access to e-mail boxes and the Privacy Ordinance's requirements for a legal basis and a duty to provide information. The company is also required to improve its own routines.

The name of the company is exempt from publicity to protect the identity of the employees.

The Norwegian Data Protection Authority became involved in the case after receiving both a deviation report from an employer and a complaint from an employee in the company. The background for the case is that the complainant left the employer, and should assist the employer with certain work tasks after the notice period. Due to disagreements, employees' access to e-mail and computer systems was closed. All e-mails sent to the employee's e-mail box were automatically forwarded to an e-mail address managed by the general manager, and the forwarding took place for approximately six weeks.

The purpose of the forwarding was to take care of customer relationships, and during the period the general manager handled both work-related and private e-mails that were sent to the employee's e-mail box.

Several violations

We have concluded that the employer did not have a legal basis for the automatic forwarding under the Privacy Ordinance, and are in conflict with the rules in the regulations on the employer's access to e-mail boxes and other electronic material. The company has also acted in violation of the rules on information to the data subject and the duty to assess the employee's protest, in addition to having inadequate routines for access to e-mail and other electronic material.

On the basis of this, we have decided that the company must improve its written routines for access to e-mail, as well as an order to pay an infringement fee of NOK 100,000 for the illegal forwarding.

The company has a three-week appeal period from the time they receive the decision.

download

The Data Inspectorate provides a fee for automatic forwarding of e-mail (pdf).

Published: 24.05.2022