Datatilsynet - 20/02162

From GDPRhub
Datatilsynet - 20/02162
LogoNO.png
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 6(1)(f) GDPR
Article 13 GDPR
Article 17(1)(e) GDPR
Article 21 GDPR
Article 24 GDPR
§§2-3 Forskrift om arbeidsgivers innsyn i e-postkasse og annet elektronisk lagret materiale
Type: Investigation
Outcome: Violation Found
Decided: 18.01.2021
Published: 03.02.2021
Fine: 200000 NOK
Parties: CyberBook AS
National Case Number/Name: 20/02162
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Norwegian
Original Source: Datatilsynet (in NO)
Initial Contributor: Rie Aleksandra Walle

The Norwegian DPA fined a company NOK 200 000 (€19,600) for enabling automatic forwarding of a former employee's emails without a legal basis and for lack of information, ignoring several objections, not terminating the email account and for not deleting the email account and its content.

English Summary[edit | edit source]

Facts[edit | edit source]

A company enabled automatic forwarding of a former employee's emails, to "uphold regular business operations", and argued that it was the complainant fault this was deemed necessary. Despite several objections from the complainant, the company continued to monitor the email account over several months. The unlawful monitoring did not stop until the complainant contacted the DPA.

Dispute[edit | edit source]

Did the company have a legal basis for monitoring the former employee's email account?

Holding[edit | edit source]

The DPA held that the company did not have a legal basis for monitoring the former employee's email account, as per Article 6(1)(f) GDPR. The DPA further held that the company failed to:

  • provide the data subjects with required information, as per Article 13
  • terminate the former employee's email account, as per Article 6(1)(f)
  • erase the content of the former employee's email account, as per Article 17(1)(e)
  • assess the former employee's objections, as per Article 21

For this, the company was fined NOK 200 000 (€19,600) and ordered to establish written internal controls and routines for access to current and former employees' email accounts and other electronic content, in line with Article 24.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

Cyberbook AS receives a fee

The Data Inspectorate demanded a fee of NOK 200,000 from Cyberbook AS for illegal automatic forwarding of the e-mail to a former employee.
Cyberbook AS receives a fee

The background to the case is a complaint from a former employee of Cyberbook. The person experienced that the company had activated automatic forwarding of their personal e-mail box in the business.
In violation of the rules

The forwarding took place for several months without the former employee receiving information about this.

After investigating the case, the Data Inspectorate has concluded that the forwarding is a violation of the regulations on employers and access to e-mail boxes and other electronic material.
Must establish routines

In addition, our assessment is that the company has violated the Privacy Ordinance's requirement for a legal basis, information to the data subject and the duty to assess protests from the employee, in addition to the rules on deletion of personal data.

On the basis of this, the Data Inspectorate has decided that the company must establish written routines for access to the e-mail boxes of employees and former employees, together with an order to pay NOK 200,000 in fees for the illegal forwarding.

Cyberbook has a three-week appeal period from the company receiving our decision.