Datatilsynet (Norway) - 20/01751
| Datatilsynet - 20/01751 | |
|---|---|
 | |
| Authority: | Datatilsynet (Norway) |
| Jurisdiction: | Norway |
| Relevant Law: | Article 6 GDPR Forskrift om arbeidsgivers innsyn i e-postkasse og annet elektronisk lagret materiale (e-postforskriften) |
| Type: | Complaint |
| Outcome: | Partly Upheld |
| Started: | |
| Decided: | |
| Published: | 19.09.2022 |
| Fine: | n/a |
| Parties: | Norwegian University of Science and Technology - NTNU |
| National Case Number/Name: | 20/01751 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Norwegian Norwegian |
| Original Source: | Datatilsynet (NO) (in NO) Datatilsynet (NO) (in NO) |
| Initial Contributor: | derhagen |
The Norwegian DPA notified a university that they will be fined €15,000 (NOK 150,000) for accessing an employee's e-mail account in lack of a legal basis and in violation of Norwegian e-mail-regulation. The DPA upheld its conclusion, but withdrew the fine, after the university cited mitigating circumstances.
English Summary
Facts
An employee lodged multiple complaints against his employer, the Norwegian University of Science and Technology (NTNU) for processing his personal data, including accessing his work-related e-mail account.
Holding
The DPA preliminarily concluded that when carrying out an inspection of the data subject's e-mail, the data controller did not meet the necessary condition of having a justified suspicion that the data subject had used the e-mail account for actions that lead to a gross breach of duty or could provide grounds for dismissal or dismissal. Therefore, the data controller acted in lack of a legal basis and in violation of Norwegian e-mail-regulation ("e-postforskriften"). In December 2021, the DPA notified the data controller that they will be issued a fine of €15,000 (NOK 150,000).
With respect to not further specified other complaints of the data subject, the DPA concluded that the data controller did not act unlawfully.
In September 2022, the DPA upheld their decision and concluded that the data controller's access to the data subject's e-mail violated Norwegian e-mail-regulation. The DPA withdrew the previously issued fine after the controller cited mitigating circumstances.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
Notice of infringement fee to NTNU
The Norwegian Data Protection Authority has notified NTNU of an infringement fee of NOK 150,000 for illegal access to an employee's e-mail box.
The background for the notice is several complaints from the employee about NTNU's processing of his personal data, such as access to his e-mail box at the university.
Breach of the Personal Data Protection Regulation and the e-mail regulation
After carrying out further investigations into the matter, the Norwegian Data Protection Authority has come to the conclusion that NTNU did not meet the e-mail regulations' conditions for access. Our preliminary conclusion is that when the inspection was carried out, the university did not meet the condition of having a justified suspicion that the employee had used the e-mail box for actions that lead to a gross breach of duty or could provide grounds for dismissal or dismissal. The Personal Protection Regulation's requirement for a legal basis was thus not met.
Read more about access to e-mail and private files.
As regards the conditions in the other complaints, our assessment is that NTNU has not breached the regulations.
The matter is exempt from public disclosure in accordance with the rules on confidentiality for notifications to public authorities in the Working Environment Act. The Danish Data Protection Authority can therefore only release limited information on the matter.
Advance notice
This is an advance notice, and NTNU has four weeks to comment on the notice.
Contact person
Ylva Marrable
section manager, section for private services
Office: (+47) 22 39 69 18 E-mail:
Ole Martin Moe
legal adviser
Office: (+47) 22 39 69 59 E-mail:
Published: 07.12.2021
----------
Decision on breach of NTNU
The Danish Data Protection Authority has made a decision against NTNU in a case concerning illegal access to an employee's e-mail box. In the decision, the Norwegian Data Protection Authority states that NTNU has broken the e-mail regulations in connection with the access that was carried out in the complainant's e-mail box.
Decision on breach of NTNU
In December, the Norwegian Data Protection Authority announced a decision on infringement fees to the university. On the basis of NTNU's comments to the notice, we maintain our conclusion that the university had no legal basis for inspecting the complainant's e-mail box, but do not proceed with the infringement fee. This conclusion is based on several mitigating circumstances that appear from the comments we received from NTNU after we notified of the fee.
The background for the decision is several complaints from the employee about NTNU's processing of his personal data, such as access to his e-mail box at the university.
Violation of the e-mail regulations
After carrying out further investigations into the matter, the Norwegian Data Protection Authority has come to the conclusion that NTNU did not meet the e-mail regulations' conditions for access. Our conclusion is that the university did not fulfill the condition of having a justified suspicion that the employee had used the e-mail box for actions that lead to a serious breach of duty or could provide grounds for dismissal or dismissal at the time when the inspection was carried out. Furthermore, our assessment is that the inspection of the e-mail box also did not meet the requirement of being a suitable and necessary measure to achieve the purpose at the time when it was carried out.
As regards the conditions in the other complaints, our assessment is that NTNU has not breached the regulations.
The matter is exempt from public disclosure in accordance with the rules on confidentiality for notifications to public authorities in the Working Environment Act. The Danish Data Protection Authority can therefore only release limited information on the matter.
NTNU has a three-week appeal period against the decision on infringement.
Contact person
Ylva Marrable
section manager, section for private services
Office:
(+47) 22 39 69 18
Email:
yma@datatilsynet.no
Ole Martin Moe
Ole Martin Moe
legal adviser
Office:
(+47) 22 39 69 59
Email:
omm@datatilsynet.no
Published: 19/09/2022
