Datatilsynet (Norway) - 21/01164

From GDPRhub
Datatilsynet - 21/01164
LogoNO.png
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 6(1)(f) GDPR
Article 13 GDPR
Article 21 GDPR
Article 24 GDPR
Article 24(2) GDPR
Regulation concerning employers' right of access to employees' e-mail inboxes and other electronically stored material §§2-3
Type: Investigation
Outcome: Violation Found
Started: 15.03.2021
Decided: 24.02.2022
Published:
Fine: 300000 NOK
Parties: Elit Elektro AS
National Case Number/Name: 21/01164
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Norwegian
Original Source: Not published (in NO)
Initial Contributor: Rie Aleksandra Walle

The Norwegian DPA intends to fine a company €29,376 for monitoring and accessing a prior employee's emails without a legal basis in Article 6(1)(f) GDPR, for lack of information as per Article 13, failure to assess their objection as per Article 21, and lack of technical and organisational measures as per Article 24.

English Summary[edit | edit source]

Facts[edit | edit source]

A former employee lodged a complaint with the Norwegian DPA (Datatilsynet) about the unlawful forwarding of and access to their email inbox after they had left a company. The data subject had objected to the processing, but the controller had declined to sufficiently assess their objection, or to stop the processing.

The DPA's investigation revealed that the controller had not actually enabled automatic forwarding of the data subject's particular email address. They had also deleted the data subject's inbox shortly after they had left the company. Thus, the controller argued that they had not accessed the data subject's emails in any way.

However, in 2018 the company had enabled functionality that would retrieve and forward emails with certain keywords sent to non-registered email addresses belonging to their domain, to one collective inbox. The reason for this was evidently that a customer had once sent an email to an incorrect address and this functionality could mitigate the risk of not receiving customer emails. This also meant that even though the controller had deleted the data subject's inbox, emails sent to their address could still be routed to the company's collective inbox. This had happened once, according to the controller.

Holding[edit | edit source]

The DPA noted that for automatic forwarding of emails to take place, it is not a condition that the email address must exist, as long as emails are actually being forwarded, which had happened in this case. They also referred to practice from the Norwegian Privacy Appeals Board (Personvernnemnda) concluding that automatic forwarding of employee emails is equivalent to continuously monitoring their inbox. As per the Norwegian regulation concerning employers' right of access to employees' e-mail inboxes and other electronically stored material, this is only allowed under certain circumstances such as finding and solving data breaches.

Thus, the DPA held that the company had enabled automatic forwarding of the prior employee's emails without a legal basis as per Article 6(1)(f) GDPR and the national regulation § 2 second sentence. The DPA further held that the company had failed to inform the data subject about this processing, thus violating Article 13 GDPR and the national regulation § 3. As per the national regulation, the correct legal basis for this processing would have been Article 6(1)(f) GDPR, where a controller is required to allow for objections as per Article 21 GDPR. Since the controller in this case had ignored the data subject's objection, the DPA also held that they had violated Article 21 GDPR. Finally, the DPA held that the controller had violated Article 24 GDPR for lack of technical and organisational measures, including conducting a risk assessment, and for the lack of internal policies and procedures (internal controls).

For these violations, the DPA intends to fine the controller €29,376 (NOK 300,000) and requires them to improve the company's policies and procedures for accessing current and prior employees' email inboxes, in line with Article 24(2) GDPR.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

.