Datatilsynet (Norway) - 20/02162
|Datatilsynet - 20/02162|
|Relevant Law:||Article 6(1)(f) GDPR; Article 13 GDPR; Article 17(1)(e) GDPR; Article 21 GDPR; Article 24 GDPR; §§2-3 Forskrift om arbeidsgivers innsyn i e-postkasse og annet elektronisk lagret materiale|
|National Case Number/Name:||20/02162|
|European Case Law Identifier:||n/a|
|Original Source:||Datatilsynet (in NO)|
|Initial Contributor:||Rie Aleksandra Walle|
The Norwegian DPA fined a company NOK 200 000 (€19,600) for enabling automatic forwarding of a former employee's emails without a legal basis, failing to provide information, ignoring several objections, and neither terminating the email account nor deleting the account and its content.
English Summary
Facts
A company enabled automatic forwarding of a former employee's emails to "uphold regular business operations", and argued that it was the complainant's fault that this was deemed necessary. Despite several objections from the complainant, the company continued to monitor the email account over several months. The unlawful monitoring did not stop until the complainant contacted the DPA.
Dispute
Did the company have a legal basis for monitoring the former employee's email account?
Holding
The DPA held that the company did not have a legal basis for monitoring the former employee's email account, as per Article 6(1)(f) GDPR. The DPA further held that the company failed to:
- provide the data subjects with required information, as per Article 13
- terminate the former employee's email account, as per Article 6(1)(f)
- erase the content of the former employee's email account, as per Article 17(1)(e)
- assess the former employee's objections, as per Article 21
For this, the company was fined NOK 200 000 (€19,600) and ordered to establish written internal controls and routines for access to current and former employees' email accounts and other electronic content, in line with Article 24.
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
Cyberbook AS receives a fee
The Data Inspectorate demanded a fee of NOK 200,000 from Cyberbook AS for illegal automatic forwarding of the e-mail to a former employee.
The background to the case is a complaint from a former employee of Cyberbook. The person experienced that the company had activated automatic forwarding of their personal e-mail box in the business.
In violation of the rules
The forwarding took place for several months without the former employee receiving information about this. After investigating the case, the Data Inspectorate has concluded that the forwarding is a violation of the regulations on employers and access to e-mail boxes and other electronic material.
Must establish routines
In addition, our assessment is that the company has violated the Privacy Ordinance's requirement for a legal basis, information to the data subject and the duty to assess protests from the employee, in addition to the rules on deletion of personal data.
On the basis of this, the Data Inspectorate has decided that the company must establish written routines for access to the e-mail boxes of employees and former employees, together with an order to pay NOK 200,000 in fees for the illegal forwarding.
Cyberbook has a three-week appeal period from the company receiving our decision.