Datatilsynet (Norway) - 20/02274

From GDPRhub
Revision as of 12:13, 7 July 2021 by SB
Datatilsynet (Norway) - DT-20/02274
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 5(1)(a) GDPR, Article 5(1)(e) GDPR, Article 5(2) GDPR, Article 6(1)(f) GDPR, Article 13 GDPR, Article 17(1)(e) GDPR, Article 21 GDPR, Article 24 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 07.06.2021
Published: 22.06.2021
Fine: 150,000 NOK
Parties: n/a
National Case Number/Name: DT-20/02274
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Norwegian
Original Source: Datatilsynet (in NO)
Initial Contributor: Rie Aleksandra Walle

The Norwegian DPA fined a company approximately €14,700 (NOK 150,000) for taking over an employee's work email account during her notice period without warning her, without giving her the opportunity to delete personal content, and despite her objection, thereby violating Articles 6(1)(f), 13, 17(1)(e), and 21 GDPR.

English Summary

Facts

The Norwegian DPA (Datatilsynet) received a complaint from a data subject, stating that her former employer had changed the password of and taken over her work email account during her notice (resignation) period, without letting her know, thus not giving her an opportunity to delete personal content. Further, the email account was not deleted after she left the company.

The controller ignored her request to delete the email account and only set a vacation note. In his reply to the DPA, the controller argued that it was necessary to keep the inbox to uphold customer relations and ensure they received necessary operational information until the former employee had been replaced.

The controller did not agree that he had accessed "personal" emails. He had forwarded two emails he assumed to be personal, directly to the former employee, without opening them. In Norway, however, it is not relevant whether such emails are deemed personal or related to work - access to employees' inboxes is strictly regulated regardless.

The controller did not discontinue the former employee's email account until he received the first letter from the DPA. The DPA noted that the unlawful access to the complainant's email account was in breach of the fundamental principles of the GDPR, notably Article 5(1)(a) and (e) GDPR.

Holding

The DPA found violations of several provisions of the GDPR. It held that the controller violated Article 6(1)(f) GDPR when accessing the employee's email account and emails. Further, the controller breached Article 21 GDPR, since it insufficiently assessed the data subject's objection and nevertheless continued to process her personal data. Moreover, the controller did not inform the data subject and thereby violated Article 13 GDPR. The DPA found another breach of Article 6(1)(f) GDPR, as the controller did not discontinue the data subject's email account. Finally, the right under Article 17(1)(e) GDPR was infringed as well, because the email content was not sufficiently erased.

For those violations, the controller was fined NOK 150,000 (~€14,700).

The controller was also required to update its internal practices and provide written confirmation, including documentation, to the DPA (unless the decision is appealed).

Comment

The DPA comments that the company also violated the privacy of third parties, who, in good faith, thought they sent emails to the complainant.


English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

RADIO GRENLAND AS
PO Box 10
4301 SANDNES

Offl. § 13 cf. Popplyl. § 24 (1) 2. pkt.

Their reference:
Our reference: 20/02274-9
Date: .2021

Decision on order and infringement fee - Access to employee's e-mail box and lack of deletion etc. - Radio Grenland

1. Introduction
We refer to our notice of decision on order and infringement fee dated 12 November 2020. We also refer to your comments on the notice dated 9 December 2020 and 28 April 2021. These comments are dealt with in section 7.4 of the decision.

2. Decision on order
The Data Inspectorate makes the following decisions:

1. Pursuant to Article 58(2)(2) of the Privacy Regulation, Radio Grenland AS, org.nr. 971 062 029, is ordered to pay an infringement fee to the Treasury of NOK 150,000 for having accessed the complainant's e-mail box without a legal basis, cf. Article 6(1)(f) of the Privacy Regulation; for an inadequate assessment of the protest and for continued processing without referring to compelling legitimate reasons for further processing that overrode the interests of the data subject, cf. Article 21; for missing information, cf. Article 13; for failure to close the e-mail box, cf. Article 6(1)(f); and for failure to delete the contents of the e-mail box, cf. Article 17(1)(e).

2. Pursuant to Article 58(2)(d) of the Privacy Regulation, Radio Grenland is ordered to establish written internal control and routines for access to employees' and former employees' e-mail boxes and other electronically stored material, cf. Article 24 of the Privacy Regulation.
Postal address: PO Box 458 Sentrum, 0105 OSLO
Office address: Tollbugt 3
Telephone: 22 39 69 00
Fax: 22 42 23 50
Company No: 974 761 467
Website: www.datatilsynet.no
06/07/21
The deadline for implementing order point 2 is 08.07.2021. Within this deadline you must send us written confirmation that the order has been implemented.

3. Complainant's description of the facts
The Data Inspectorate received a complaint from
The complaint concerns access to
mailbox,
at Radio Grenland AS («Radio Grenland»).

The complainant writes that
former employer Radio Grenland has accessed the e-mail box
.
This happened when the general manager at Radio Grenland changed the password of
e-mail account and took over the use of it. The complainant writes that this was done during the notice period without being notified and without
being given the opportunity to delete private content.

The complainant also states that the e-mail box was not deleted after the employment ended. The employment relationship ended from
The complainant writes that the e-mail account was still active until
without a notice of absence having been set up.

The complainant has submitted e-mails showing that the general manager of Radio Grenland responded to an e-mail that arrived in the complainant's e-mail box after the complainant had left the position. The e-mail was answered from the general manager's own e-mail
In the e-mail from the general manager, he writes that the complainant has left and therefore
has a new private e-mail address.

The complainant pointed out in an e-mail to the general manager
that
has not received information about changed access to the mailbox and that this has not been discussed
In the same e-mail
also raises the question of why the e-mail account has not been terminated and deactivated. It appears from the answer from the general manager dated
that the e-mail account is kept open to maintain customer contact. In the e-mail the general manager writes that they will set up an absence notice.

The complainant further writes that the company does not have routines for access to and closing of employees' e-mail boxes.
4. Radio Grenland's statement
Radio Grenland writes in the statement that the complainant was employed by the company until the resignation
It was the general manager's task to follow up on
the work tasks until a possible replacement was engaged. The general manager therefore changed the password to
the e-mail account
to handle customer inquiries.

You write that the complainant deleted all previous e-mail correspondence up to
and that the general manager
had access to all e-mail that came in to the e-mail box after this.
In the period
the general manager logged in once a day to ensure that operational e-mail was followed up. It is emphasized that the purpose has been to take care of the business's need to follow up customers and inquiries after the complainant resigned. Incoming e-mails may have been forwarded to the general manager for follow-up.

It appears from the statement that you believe that no access has been made to private e-mail, and that it is not correct that private e-mail has been answered by Radio Grenland. You write that two inquiries were forwarded to the complainant without being opened, as they appeared from the subject line to be private.

After the complainant made contact and asked questions about the access
an automatic absence notification was set up, informing that the complainant was not employed by the company and that inquiries to the relevant e-mail address would not be answered by
.
From
and until the e-mail box was deleted, there have been no active logins or active use of the account. The account has had an automatic absence notification for incoming correspondence. It appears that the e-mail box was active until you received a letter from us in January 2020.

Furthermore, you write that Radio Grenland does not have written guidelines for access to or closing of e-mail boxes, and that you do not have written guidelines for the use of the company's e-mail box for private correspondence. You point out that you do not inspect employees' e-mail boxes without a special need based on the business's operations, and that such circumstances were the reason the complainant's mailbox was not immediately deleted.
5. Regulatory requirements
5.1 Regulations on the employer's access to the e-mail box, etc.
The Regulations on the employer's access to e-mail boxes and other electronically stored material [1] (the E-mail Regulations) regulate the employer's right to access or monitor the employee's e-mail box or other electronically stored material. The regulations are a special regulation of the requirement for a legal basis for processing in the Privacy Regulation, Article 6(1)(f), cf. Article 88.

It follows from the preparatory work for the Personal Data Act of 2018 [2] that the E-mail Regulations are intended to continue the special rules on the employer's access to the employee's e-mail box, etc., which followed from the now repealed Personal Data Regulations of 2000. [3] This means that previous practice related to the employer's access to the e-mail box under the Personal Data Regulations 2000 will be relevant for the interpretation of the rules in the E-mail Regulations. This applies, among other things, to the practice of the Data Inspectorate and the Privacy Board. The Ministry of Local Government and Modernisation's comments on the Personal Data Regulations 2000 will also be relevant. [4]

The E-mail Regulations specify the purposes for which the employer can access, and that access can only be made in individual cases for specific purposes. The regulations apply to both current and former employees, cf. section 1, third paragraph.

[1] FOR-2018-07-02-1108.
[2] Prop. 56 LS (2018-2018) section 31.3.4.2 «The Ministry's assessment».
[3] FOR-2000-12-15-1265, chapter 9 «Access to e-mail box etc.».
[4] Formerly the Ministry of Government Administration and Reform, see https://www.regjeringen.no/globalassets/upload/fad/vedlegg/personvern/epostforskriften_merknader_rev.pdf?id=2176744
For access to e-mail, section 2, first paragraph, shows that a broad category of interests related to the employer's business can be legitimate. Both "the day-to-day operation" and "other legitimate interests of the business" are mentioned as legitimate purposes under letter a. Another group of legitimate interests is mentioned in letter b. This applies to "reasonable suspicion" that the use of e-mail or other electronic equipment constitutes a gross breach of the obligations in the employment relationship or provides grounds for termination or dismissal.

It follows from established practice that automatic forwarding of e-mails is considered access regardless of whether the e-mail is opened and read or not. [5] The forwarding in itself means that access is gained to information about the sender and the subject field, provided that the employer is inside the mailbox that the e-mails have been forwarded to.

The Privacy Board has further determined that automatic forwarding of e-mails constitutes continuous monitoring of the employee's mailbox. Forwarding can therefore not be authorised under section 2, first paragraph, of the regulations, as the provision only allows for individual access for specific purposes, cf. the Privacy Board's decision PVN-2018-16.

Automatic forwarding of e-mails is regulated in section 2, second paragraph, of the regulations. The provision stipulates that the employer does not have the right to monitor the employee's use of electronic equipment, unless the purpose of the monitoring is to manage the company's computer network or to uncover or resolve security breaches in the network.

5.2 Legal basis for processing under the Privacy Regulation
Forwarding and access to a former employee's e-mail box constitutes processing of personal data, and is therefore covered by the general rules in the Privacy Regulation, cf. the Privacy Regulation Article 4(2) and the Act on the processing of personal data of 15 June 2018 No. 38 (Personal Data Act) § 1.

Article 6(1) of the Privacy Regulation requires that all processing of personal data has a legal basis. When a business accesses a mailbox through forwarding, Article 6(1)(f) is the relevant legal basis, supplemented by the special regulation in the E-mail Regulations § 2.

Article 6(1)(f) of the Privacy Regulation provides that an undertaking may process personal data if it is necessary to safeguard a legitimate interest that outweighs the consideration for the privacy of the individual.

The legitimate interest must be lawful, clearly defined in advance, real, and objectively justified in the business.

5.3 Duty to provide information
Pursuant to Article 13 of the Privacy Regulation, the controller shall provide the data subject with information about the processing at the time of collection of the personal data.

The information that the controller must provide follows from Article 13 letters a to f. The controller is obliged, among other things, to provide information about the purpose of the intended processing and the legal basis for the processing.

[5] See PVN-2015-14 and PVN-2018-16.
The duty to provide information is also regulated in the E-mail Regulations § 3. The provision lays down procedural rules for access to the e-mail box and requires, among other things, that the employee be notified and, as far as possible, given the opportunity to comment before the employer carries out an inspection. In addition, the provision stipulates what such a notice shall contain.

5.4 Closing of the employee's e-mail box
It follows from the E-mail Regulations § 4, first paragraph, that the employee's e-mail box shall be terminated upon termination of employment, unless there is a «special need to keep the e-mail account open for a short period after the termination».

5.5 Deletion of information upon termination of employment
Article 17(1) of the Privacy Regulation stipulates when the controller is to delete personal data. The provisions that are relevant to our case are that the personal data must be deleted if they are no longer necessary for the purpose for which they were collected or processed, cf. letter a, or when the data must be deleted in order to fulfil a legal obligation to which the controller is subject, cf. letter e.

The E-mail Regulations § 4, second paragraph, stipulates that information as mentioned in the regulations § 1, first paragraph, letters a and b, which is not necessary for the daily operation of the business, shall be deleted within a reasonable time after the end of the employment relationship.

The starting point according to the provision must be that the employer must delete the information in the employee's e-mail box unless there are specific reasons for further storage. The employer has a certain leeway to establish a deletion deadline as long as it appears adequate and reasonable, but as a general rule deletion should take place within six months of resignation.

5.6 Internal control
According to Article 24 of the Privacy Regulation, all companies are obliged to be able to demonstrate that they process personal data in accordance with the law. If it is proportionate in relation to the processing activities, the enterprise shall establish appropriate guidelines for the protection of personal data.

Access to an employee's or former employee's e-mail box is an intrusive processing of personal data, and constitutes a major interference with the individual's right to privacy. Businesses must therefore be able to document their internal routines or processes, which meet the requirements for access to e-mail boxes and other electronic material.

6. The Data Inspectorate's assessment
6.1 Legal basis for access to e-mail made available to the employee for use at work
You confirm in the statement that the general manager logged in to the e-mail box once a day during the period
You write that the background for the logins that were made was operational, and it is emphasized that e-mail which the employer understood from the subject line to be of a private nature was not accessed or opened.
The E-mail Regulations apply to access to information stored in e-mail boxes placed at employees' disposal. All e-mail to the complainant's e-mail address
is thus covered by
the rules on access in the E-mail Regulations. It does not matter whether the e-mails are private e-mails or e-mails to the complainant by virtue of
position. The employer is therefore not free to take over such an e-mail address when an employee leaves the company, but must comply with the conditions of the E-mail Regulations in order to access work-related e-mails.

We assume that you have accessed information stored in the complainant's e-mail box on a daily basis
The general manager changed the password on the e-mail account and logged in every day for a period of 6 weeks. The question then becomes whether you had a legal basis in the E-mail Regulations to access the complainant's e-mail box.

Section 2, first paragraph, letter a, of the E-mail Regulations provides that access can be justified if it is necessary to take care of the day-to-day operations or other legitimate interests of the business. By necessary is meant that access must be a proportionate tool to achieve the purpose, which is to take care of the daily operation or other legitimate interests of the business. This depends on a specific assessment. Access on this basis can, for example, be made if you are waiting for a specific contract with a short deadline and the employee is not available due to illness.

In this case, you have made access for the purpose of taking care of the daily operation of the business and to maintain customer contact. These are legitimate purposes that may justify access.

The access was made by the general manager changing the password and taking over the handling of the complainant's incoming e-mail in full. It appears from your statement that the general manager had access to the e-mail box from
and until you received a letter from us in January 2020. This is a period of
You write, however, that the access has only been used during the period
This is a period of 6 weeks. During this period, the general manager checked the e-mail account once a day.

There are other less intrusive measures that can serve the same purposes. To take care of customer contact when an employee leaves, you can send an outgoing e-mail with information about the new contact person in the company before the person leaves. If you have a special need to keep the e-mail box open, an absence notice can be set up informing that the person has left and who the new contact person is. Individual logins every day for six weeks do not, by comparison, appear to be a proportionate tool to achieve the purpose.

Based on this, it is our assessment that changing the password and logging in every day was not necessary to maintain customer contact when an employee leaves. Our conclusion is therefore that you did not have a legal basis in the E-mail Regulations § 2, first paragraph, letter a, to access the complainant's e-mail box.

We are further of the opinion that taking over the complainant's e-mail account borders on monitoring the employee's use of electronic equipment. The Privacy Board has, for example, determined that automatic e-mail forwarding constitutes continuous monitoring of the employee's e-mail box. Possessing the password and logging in every day can be compared to automatic forwarding. Such continuous monitoring cannot be authorised under section 2, first paragraph, of the regulations on access, but must be authorised under the E-mail Regulations § 2, second paragraph, letter a or b, cf. PVN-2018-16.
Monitoring a former employee's e-mail box to take care of day-to-day operations does not meet the exceptions in the E-mail Regulations § 2, second paragraph.

Our conclusion is therefore that Radio Grenland also had no authority under the E-mail Regulations § 2, second paragraph, to take over the complainant's e-mail box.

Overall, Radio Grenland had no legal basis in the E-mail Regulations for access to or monitoring of the complainant's mailbox.

The E-mail Regulations are a special regulation of the requirement for a legal basis for processing in the Privacy Regulation Article 6(1)(f) (balancing of interests), cf. Article 88. When the regulations' prohibition against access and monitoring is breached, this means that the company did not have a legal basis for processing under Article 6(1)(f) of the Privacy Regulation.

Our conclusion is that Radio Grenland has accessed the complainant's e-mail box without a legal basis for processing, cf. the Privacy Regulation Article 6(1)(f).

6.2 Duty to provide information
Pursuant to Article 13 of the Privacy Regulation, the complainant should have received information about the takeover of the mailbox at the time this processing of personal data started.

Pursuant to section 3 of the E-mail Regulations, the employee shall, as far as possible, be notified and given the opportunity to comment before access. We do not see that the procedural rules in the E-mail Regulations § 3 have been followed, including that the complainant was given information that the employer changed the password and took over the account. This happened when the complainant was
and it appears that the complainant was informed that the employer still had access to
e-mail when one of
contacts received a response from the general manager by e-mail that was addressed to
.

On the basis of this, we find it clear that Radio Grenland has violated the duty to provide information pursuant to Article 13.

6.3 Closing of the employee's e-mail box
To be able to continue to process personal data by keeping the e-mail box open after termination of employment, the employer must have a legal basis for processing under the Privacy Regulation Article 6 and fulfil the additional conditions in the E-mail Regulations § 4. The relevant legal basis in this case is Article 6(1)(f).

Section 4 of the E-mail Regulations stipulates that the employee's e-mail box shall be terminated upon the end of the employment relationship, unless there is a "special need" to keep the e-mail account open for a short period after the termination.

The starting point is therefore that the e-mail account must be terminated upon termination of employment. This means that the e-mail box must be deactivated so that it is no longer possible to send or receive e-mail. Whoever sends an e-mail to the relevant address will then receive an error message stating that the e-mail could not be delivered.
Exceptionally, if there are special reasons, for example when an employee is dismissed or for other reasons must leave at short notice, the account can be kept open with an absence notice for a short period, so that, for example, customers who make contact are informed that the person has left and that they must turn to someone else. The prerequisite in such situations is that the incoming e-mail is not read or sent on to others in the business.

In the present case, Radio Grenland has kept the complainant's e-mail box open for a period of
You justify this with the fact that it was necessary to capture inquiries from customers for whom the complainant was responsible. However, it appears from the statement that the autoresponder was not activated before
resigned. You write in the statement that the e-mail box was closed and the content deleted in January 2020, after the Data Inspectorate made contact.

You have kept the complainant's e-mail box open
resigned, of which the first
month was without an auto-reply with information that
resigned. Our assessment is that you have kept the complainant's e-mail box open beyond the short period that section 4 of the E-mail Regulations allows.

6.4 Deletion of the contents of the complainant's e-mail box
The E-mail Regulations § 4, second paragraph, stipulates that information in the employee's e-mail box that is not necessary for the day-to-day running of the business shall be deleted within a reasonable time after the end of the employment relationship.

The starting point according to the provision is that the employer must delete the information in the e-mail box unless there are specific reasons for further storage. What is a reasonable time must be considered specifically, but it must be expected that the employer has made an assessment within a period of six months after the termination of the employment relationship. The employer has a certain amount of leeway to establish a deletion deadline as long as it appears adequate and reasonable, but as a general rule deletion should take place within six months from resignation.

In our case, Radio Grenland has not established a separate deletion deadline for content in the employee's e-mail box, and has kept the mailbox open
You state that the complainant deleted all e-mail in the e-mail box before leaving. You write that you used the mailbox until
After this, the e-mail box was kept open with auto-reply, and no access was made. Up to that point, incoming e-mails were handled by the general manager for more than one month. You write that the e-mail account was closed when the Data Inspectorate made contact. We cannot see that there were specific reasons for further storage of the contents of the complainant's mailbox throughout the long period after the employment ended.

On this basis, we conclude that you have breached your obligation to delete the content of the complainant's e-mail box according to the Privacy Regulation Article 17 and the E-mail Regulations § 4, second paragraph, by storing the contents of
e-mail box

6.5 Right to protest
It follows from Article 21 of the Privacy Regulation that the data subject has a right to protest against processing of personal data based on Article 6(1)(e) or (f).
If the data subject protests, the controller must make a specific balancing of interests in which the special individual circumstances of the data subject who protested are taken into account. Only if the result of this sharpened balancing of interests comes out in favour of the controller can the processing be initiated or continued.

The consequence of the data subject protesting is that the controller can no longer process the personal data. The processing can still be initiated or continued if the controller can prove that there are compelling legitimate reasons that override the interests, rights and freedoms of the data subject, cf. Article 21(1), second sentence.

According to the wording, it is up to the controller to make this sharpened balancing of interests. It is the controller who has the burden of proof, not only that there are weighty reasons, but also that these reasons outweigh the interests of the data subject. If the data subject protests and the conditions for further processing are not met, the processing must be interrupted if it has already been initiated.

In our case, the complainant has protested by contacting Radio Grenland by e-mail
with
questions about the legality of the access and questions about why the e-mail box was not closed. An absence notice was then set up, and the general manager has not logged in after the complainant made contact. The e-mail account was still kept open until Radio Grenland received a letter from us. In response to the complainant you write that you are sorry about
experience of the case, but that the e-mail was kept open in order to take care of customer contact.

As assessed above in sections 6.1, 6.3 and 6.4, the Data Inspectorate has found that there was no special need to keep the e-mail account open and that it was not necessary to process information in the complainant's e-mail box to take care of daily operations.

Our conclusion is that Radio Grenland cannot prove that there were compelling legitimate reasons for the processing that overrode the data subject's interests, and has not fulfilled its duty to assess the complainant's protest.

6.6 The duty of internal control
You state that you do not have written routines for accessing the e-mail box or for closing former employees' mailboxes.

Our assessment is that you should create written routines for processing personal data in connection with access to and deletion of employees' or former employees' e-mail boxes.

We point out that Radio Grenland did not fulfil its duty to provide information and that the case shows a lack of knowledge of the regulations, including that the company believes that the takeover does not constitute access to the e-mail box. A written routine will make the business more aware of its obligations under the privacy regulations and contribute to compliance with the regulations.
The takeover of the complainant's e-mail box was in breach of the duty to provide information, the requirement to
basis for processing, the rules on termination of e-mail box and the deletion obligation. This indicates that Radio
Grenland should establish written routines in accordance with Article 24.
Based on this, we conclude that Radio Grenland had not implemented sufficient
organizational measures to ensure and demonstrate that the treatment is carried out in accordance with
the Privacy Regulation at the time of the inspection, cf. Article 24.
Pursuant to Article 58 (2), letter d, we have the authority to order the person responsible for processing to
ensure that the treatment activities take place in accordance with the provisions of
the Privacy Regulation. The written routines must reflect the general requirements for processing
personal information in the Privacy Ordinance, as well as the special regulation in the e-mail regulations.
You will find more information about the requirement for internal control, as well as tools and templates on our websites:
www.datatilsynet.no/rettigheter-og-plikter/virksomhetenes-plikter/informasjonssikkerhet-
internal control.
7. Infringement fee
7.1 General information on infringement fines
Infringement fees are a tool to ensure effective compliance and enforcement of
the personal data regulations.
We consider it necessary to respond to the violations, and hereby give notice of the imposition of an administrative fine, cf. Article 83 GDPR. In accordance with the case law of the Supreme Court (cf. Rt. 2012 page 1556), we assume that an administrative fine is to be regarded as a penalty under Article 6 of the European Convention on Human Rights. A clear preponderance of probability is therefore required before a fine can be imposed for an infringement. The case and the question of imposing an administrative fine have been assessed on the basis of this evidentiary standard.
In this connection, reference is made to Chapter IX of the Public Administration Act on administrative sanctions. An administrative sanction means a negative reaction that can be imposed by an administrative body, that is directed at a committed breach of a law, regulation or individual decision, and that is considered a penalty under the European Convention on Human Rights (ECHR).
For enterprises, the assessment of guilt is special. Section 46, first paragraph, of the Public Administration Act states:
"When it is stipulated by law that an administrative sanction may be imposed on an enterprise, the sanction may be imposed even if no individual has shown guilt."
In Prop. 62 L (2015-2016), page 199, the following is stated about § 46:
"The wording that 'no individual has shown guilt' is taken from the provision on corporate penalties in the Penal Code § 27 first paragraph and shall be understood in the same way. Liability is therefore, as a starting point, objective."
7.2 Assessment of whether an administrative fine is to be imposed
The right to impose administrative fines is provided as a tool to ensure effective compliance with and enforcement of the Personal Data Act. It follows from Article 83(1) GDPR that each supervisory authority shall ensure that the imposition of administrative fines is, in each individual case, "effective, proportionate and dissuasive". This means that a concrete, discretionary assessment must be made in each individual case.
The Norwegian Data Protection Authority considers it necessary to react to the violations. In the assessment, we have emphasized the conditions in Article 83(2) GDPR. The provision contains the statutory elements for our exercise of discretion.
In the following, we review the criteria that are relevant to the facts of this case.
a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them,
The infringement breaches the basic requirements of lawfulness, information and deletion in the processing of personal data. Continuous access to incoming e-mail in a former employee's e-mail account is a serious intrusion into that person's privacy. The account was checked every day for a period of 6 weeks. During this period and until January 2020, all incoming e-mail was available to the general manager. You confirm in your statement that e-mails have been read and answered. In addition, two e-mails have been forwarded to the complainant.
The actions also appear to violate the privacy of third parties who, in good faith, sent e-mail to the complainant. Correspondence to a personal e-mail address contains information that individuals have a high expectation others will not access without further ado.
Radio Grenland continued the unlawful access despite protests from the complainant. The access did not cease until you received a letter from the Norwegian Data Protection Authority questioning the practice. The complainant was also not informed that the access existed. According to the complainant, it was by coincidence that she learned of the general manager's access, via third parties who received replies by e-mail to the complainant's account from the general manager himself. These third parties thus noted that the general manager had access to the e-mail account.
The unlawful access is a breach of the basic principles of lawfulness, transparency and storage limitation for the processing of personal data, cf. Article 5(1)(a) and (e) GDPR. When basic rules for the protection of former employees' privacy are infringed as they are in this case, the violations must be considered serious.
b) whether the infringement was committed intentionally or negligently,
We also place great emphasis on the degree of guilt. It is clear that both the ongoing access to the e-mail account and the failure to close and delete the account were conscious choices on your part.
d) the degree of responsibility of the controller or processor, taking into account the technical and organizational measures they have implemented in accordance with Articles 25 and 32,
On the basis of the statement, it appears that you have little or no knowledge of the regulations and the obligations arising from them.
The principle of accountability presupposes that the regulations are strongly anchored in the company's management, cf. Article 5(2) GDPR. It is therefore aggravating that the forwarding was initiated by the general manager. Furthermore, we emphasize that you did not have organizational measures in the form of routines to ensure compliance with the regulations.
f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate its possible adverse effects,
The e-mail account was closed after you received our inquiry, but beyond this it appears that you consider the access to the e-mail inbox to have been lawful, since e-mails of a private nature were not read but only forwarded. Otherwise, you have contributed to clarifying the case through your statement.
g) the categories of personal data affected by the infringement,
According to the information available, special categories of personal data are not affected by the violations in this case. Correspondence to a person's e-mail address is, however, at the core of the right to privacy, and incoming e-mails must be considered information worthy of protection. This points in an aggravating direction.
k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement
In the present case, you chose to meet the need to take care of daily operations in a very intrusive way, going far beyond what the regulations allow. It is aggravating that the violations continued despite protests from the complainant and questions about why the general manager still had access to the e-mail account.
7.3 Conclusion
On this basis, the Norwegian Data Protection Authority has concluded that an administrative fine should be imposed, cf. Article 83(2) and (5) GDPR.
7.4 Assessment of the size of the fine
When determining the size of the fine, emphasis shall be placed on the same assessment factors as in the question of whether a fine should be imposed. We therefore refer to the assessments of the seriousness of the case above. The administrative fine must be effective, proportionate to the infringement and dissuasive. This means that the supervisory authority must make a concrete, discretionary assessment in each case.
The fine should be set so high that it also has an effect beyond the specific case, while at the same time its size must be proportionate to the infringement and to the enterprise, cf. Article 83(1).
The GDPR provides for a higher level of fines than applied under the Personal Data Act of 2000, and it follows from Article 83(1) GDPR that an administrative fine shall be determined concretely so that it is, in each individual case, effective, proportionate to the infringement and dissuasive. The main purpose of the administrative fine is prevention, i.e. that the risk of being fined shall have a deterrent effect and thereby contribute to increased compliance with the regulations.[6]
Skullerud et al. (2019), page 347, states:
"Preventive considerations dictate that the fine for a violation must be set so high that it is in fact perceived as a burden by the offender. This means that the offender's financial capacity should be significant in the assessment, so that the fine becomes higher the stronger the offender's financial capacity is. [...] When assessing an enterprise's financial capacity, it may be relevant to look at the enterprise's total worldwide annual turnover in the preceding financial year, cf. Article 83(4) and (5)."
And further:
"The consideration of ensuring an individual assessment in each case dictates that the supervisory authorities should avoid establishing standardized fine rates. This applies even if national law allows for standardized rates, cf. the Public Administration Act § 43."
Article 83(5) GDPR sets a higher maximum amount for fines when the case concerns violations of the basic principles for the processing of personal data pursuant to Articles 5 and 6 GDPR.
Our case concerns a lack of legal basis for processing (the principle of lawfulness), a breach of the duty to provide information (the principle of transparency) and a breach of the obligation to delete (the principle of storage limitation), which constitute serious breaches of the GDPR. In addition, the company lacked organizational measures for compliance with the regulations (the principle of accountability). This speaks for a fine of a certain size.
In an aggravating direction, we place particular emphasis on the fact that the takeover of the e-mail account was initiated by the company's general manager, that the access lasted for a long time despite objections from the complainant, that e-mails were answered from the complainant's account, and that the company's management lacked knowledge of the regulations.
The fine must be set so high that it is effective and achieves a sufficient deterrent effect. In determining the size of the fine, we therefore also place emphasis on the company's finances. Radio Grenland's comments on the size of the notified fine are therefore relevant to the assessment.
Radio Grenland has made several comments about the company's finances in relation to the changed situation resulting from the ongoing Covid-19 pandemic. Radio Grenland states that the business has made layoffs in the last year to adapt to a challenging market situation resulting from the ongoing pandemic. It is pointed out that Radio Grenland is a company with only five employees in a competitive industry and that you depend on advertising revenue to have a basis for operation. Furthermore, you point out that jobs at the company are threatened if a fine of the order of magnitude stated in the notification is imposed on the business.
[6] Skullerud et al. (2019).
The notified fine of NOK 200,000 was determined on the basis of the latest accounting figures available at the time of the notice, those from 2019. In 2019, Radio Grenland had registered operating revenues of NOK 6,554,000.
Radio Grenland has submitted preliminary accounts for 2020 and for 2021 to date, see document number 20/02274-12. The accounts show that Radio Grenland had registered revenues of NOK 4,970,236 up to period 12 of 2020. So far this year, the business has had revenues corresponding to approx. 65% of its revenues in the same period last year. In comparison, Radio Grenland had operating revenues of NOK 6,554,000 and an annual profit of NOK 111,000 in 2019. The fall in turnover from 2019 to 2020 thus amounts to approx. 25%.
Based on the financial situation the company is in as a result of the coronavirus pandemic, our assessment is that a lower fine can have the preventive and deterrent effect that Article 83 presupposes.
After taking into account the seriousness of the violations and Radio Grenland's comments, the Norwegian Data Protection Authority sets the final fine at NOK 150,000. We have thereby reduced the notified fine of NOK 200,000 by approx. 25%, corresponding to Radio Grenland's revenue decline between 2019 and 2020.
We remind you that violations of Article 6 GDPR may result in administrative fines of up to EUR 20 million, see Article 83(5)(a) GDPR. This corresponds to approx. NOK 214,000,000. The fine imposed in this case is thus at the very bottom of the range the Regulation prescribes for such breaches.
8. Right of appeal
This is an individual decision that can be appealed in accordance with the rules of the Public Administration Act, cf. the Public Administration Act § 28. Any appeal must be sent to us within three weeks of receipt of this letter, cf. the Public Administration Act §§ 28 and 29. If we uphold our decision, we will send the case to the Privacy Appeals Board (Personvernnemnda) for appeal processing, cf. the Personal Data Act § 22.
If you do not appeal the decision on the administrative fine, the deadline for payment is 4 weeks after the expiry of the appeal period, cf. the Personal Data Act § 27. The claim will be collected by the Norwegian National Collection Agency (Statens innkrevingssentral).
9. Publicity, transparency and duty of confidentiality
We inform you that all documents are in principle public, cf. the Freedom of Information Act § 3. If you believe there are grounds for exempting all or part of a document from public access, we ask you to justify this.
The Norwegian Data Protection Authority has a duty of confidentiality regarding who has complained to us and regarding the complainant's personal circumstances. The duty of confidentiality follows, among other things, from the Personal Data Act § 24 and the Public Administration Act § 13. As a party to the case, you may nevertheless be made aware of such information by the Norwegian Data Protection Authority, cf. the Public Administration Act § 13 b first paragraph no. 1. You also have the right to access the case documents, cf. the Public Administration Act § 18.
We point out that you have a duty of confidentiality regarding information you receive from the Norwegian Data Protection Authority about the complainant's identity, personal circumstances and other identifying information, and that you may only use this information to the extent necessary to safeguard your interests in this case, cf. the Public Administration Act § 13 b second paragraph. We also point out that breach of this duty of confidentiality may be punished under the Penal Code § 209.
If you have any questions, you can contact legal adviser Anne Eidsaa Hamre on telephone 22 39 69 76.
With best regards
Jørgen Skorstad
department director
Anne Eidsaa Hamre
legal adviser
The document is electronically approved and therefore has no handwritten signatures