Datatilsynet (Norway) - 20/01916: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Norway |DPA-BG-Color= |DPAlogo=LogoNO.png |DPA_Abbrevation=Datatilsynet |DPA_With_Country=Datatilsynet (Norway) |Case_Number_Name=DT-20/01916...")
 
m (Fixed machine translation)
Line 56: Line 56:
The Norwegian DPA fined a company NOK 250 000 (€24,772) for requiring an employee to forward all emails to a shared inbox, on a continuous basis, despite her objections.
The Norwegian DPA fined a company NOK 250 000 (€24,772) for requiring an employee to forward all emails to a shared inbox, on a continuous basis, despite her objections.


== English Summary ==
==English Summary==


=== Facts ===
===Facts===
The DPA reviewed two events where a company had obtained access to an employee's emails. In the first case, the company had accessed her inbox due to an acute situation where they needed to obtain crucial (business) information while the employee was on vacation (and couldn't be reached).  
The DPA reviewed two events where a company had obtained access to an employee's emails. In the first case, the company had accessed her inbox due to an acute situation where they needed to obtain crucial (business) information while the employee was on vacation (and couldn't be reached).  


In the second case, however, the general manager had introduced a new policy, requiring the employee to continuously forward all her emails to a shared, common inbox at the company. After a month, she disabled this, however was instructed to enable it again.  
In the second case, however, the general manager had introduced a new policy, requiring the employee to continuously forward all her emails to a shared, common inbox at the company. After a month, she disabled this, however was instructed to enable it again.  


=== Dispute ===
===Dispute===
Did the company breach Article 6(1)(f) GDPR for lack of a legal basis?  
Did the company breach Article 6(1)(f) GDPR for lack of a legal basis?  


=== Holding ===
===Holding===
In the first case, the DPA agreed that the company had a legal basis, due to an acute nature of the situation and the need for crucial (business) information. In the second case, however, the DPA held that the company had no legal basis for such processing, as it's highly invasive and not justified. The legal basis the company referred to, a national regulation concerning employers' access to employees' inboxes and other electronical material, was not applicable in this instance.
In the first case, the DPA agreed that the company had a legal basis, due to an acute nature of the situation and the need for crucial (business) information. In the second case, however, the DPA held that the company had no legal basis for such processing, as it's highly invasive and not justified. The legal basis the company referred to, a national regulation concerning employers' access to employees' inboxes and other electronical material, was not applicable in this instance.


The DPA held that the company had no legal basis as per Article 6(1)(f) GDPR and that they had failed to inform the employee sufficiently as per Article 13 GDPR. Consequently, they were fined NOK 250 000 (€24,772), and also have to improve their internal controls in line with Article 24 GDPR.
The DPA held that the company had no legal basis as per Article 6(1)(f) GDPR and that they had failed to inform the employee sufficiently as per Article 13 GDPR. Consequently, they were fined NOK 250 000 (€24,772), and also have to improve their internal controls in line with Article 24 GDPR.


== Comment ==
==Comment==
The company was initially fined NOK 400,000, however after they made a complaint and were able to demonstrate a decrease in revenue due to COVID-19, this was reduced.
The company was initially fined NOK 400,000, however after they made a complaint and were able to demonstrate a decrease in revenue due to COVID-19, this was reduced.


== Further Resources ==
==Further Resources==
''Share blogs or news articles here!''
In Norwegian only:


== English Machine Translation of the Decision ==
* [https://www.datatilsynet.no/rettigheter-og-plikter/virksomhetenes-plikter/ Utfyllande informasjon om verksemdenes plikter]
* [https://www.datatilsynet.no/personvern-pa-ulike-omrader/personvern-pa-arbeidsplassen/innsyn-epost-filer/ Innsyn i tilsettes e-post og private filer]
 
==English Machine Translation of the Decision==
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.


<pre>
<pre>
<!doctype html><html class="no-js" lang="no"><head><meta charset="utf-8" /><title>Receives fee for illegal forwarding of e-mail | The Data Inspectorate </title><meta content="A business has made a decision on a fee; $ 250,000 for illegally forwarding email to an employee. &amp; Nbsp; The name of &amp; nbsp; the business is exempt from publicity for &amp; aring; shield the identity of employees. &amp; nbsp;" name="description" /><meta property="og:title" content="Receives a fee for illegal forwarding of e-mail" /><meta property="og:description" content="A business has made a decision on a fee; $ 250,000 for illegally forwarding email to an employee. &amp; Nbsp; The name of &amp; nbsp; the business is exempt from publicity for &amp; aring; shield the identity of employees. &amp; nbsp;" /><meta property="og:type" content="website" /><meta property="og:url" content="https://www.datatilsynet.no/regelverk-og-verktoy/lover-og-regler/avgjorelser-fra-datatilsynet/2021/far-gebyr-for-ulovleg-vidaresending-av-e-post/" /><meta property="og:image" content="https://www.datatilsynet.no/contentassets/4156bc16048f4e3994c767bf9e93f3b9/epostsikkerhet_1b.jpg" /><meta property="og:site_name" content="Datatilsynet" /><meta property="og:locale" content="nb_NO" /><meta name="twitter:card" content="summary" /><meta name="twitter:site" content="https://twitter.com/datatilsynet" /><link media="screen" rel="stylesheet" type="text/css" href="/Styles/main.css?bundle=637483904340000000" /><link media="print" rel="stylesheet" type="text/css" href="/Styles/print/print.css?bundle=637483904340000000" /><meta name="viewport" content="width=device-width,initial-scale=1" /><link rel="apple-touch-icon" sizes="57x57" href="/UI/Icons/apple-touch-icon-57x57.png"><link rel="apple-touch-icon" sizes="60x60" href="/UI/Icons/apple-touch-icon-60x60.png"><link rel="apple-touch-icon" sizes="72x72" href="/UI/Icons/apple-touch-icon-72x72.png"><link rel="apple-touch-icon" sizes="76x76" href="/UI/Icons/apple-touch-icon-76x76.png"><link rel="apple-touch-icon" sizes="114x114" href="/UI/Icons/apple-touch-icon-114x114.png"><link rel="apple-touch-icon" sizes="120x120" href="/UI/Icons/apple-touch-icon-120x120.png"><link rel="apple-touch-icon" sizes="144x144" href="/UI/Icons/apple-touch-icon-144x144.png"><link rel="apple-touch-icon" sizes="152x152" href="/UI/Icons/apple-touch-icon-152x152.png"><link rel="apple-touch-icon" sizes="180x180" href="/UI/Icons/apple-touch-icon-180x180.png"><link rel="icon" type="image/png" href="/UI/Icons/favicon-32x32.png" sizes="32x32"><link rel="icon" type="image/png" href="/UI/Icons/favicon-194x194.png" sizes="194x194"><link rel="icon" type="image/png" href="/UI/Icons/favicon-96x96.png" sizes="96x96"><link rel="icon" type="image/png" href="/UI/Icons/android-chrome-192x192.png" sizes="192x192"><link rel="icon" type="image/png" href="/UI/Icons/favicon-16x16.png" sizes="16x16"><link rel="manifest" href="/UI/Icons/manifest.json"><link rel="shortcut icon" href="/UI/Icons/favicon.ico"><meta name="msapplication-TileColor" content="#ffffff"><meta name="msapplication-TileImage" content="/UI/Icons/mstile-144x144.png"><meta name="theme-color" content="#585858"><script>
Receives a fee for illegal forwarding of e-mail
    (function () {
 
        var docElement = document.documentElement;
A company has received a decision on a fee of NOK 250,000 for illegal forwarding of the e-mail to an employee. The name of the company is exempt from publicity to protect the identity of the employees.
        var className = docElement.className;
Receives a fee for illegal forwarding of e-mail
        className = className.replace(/\bno-js\b/, 'js');
 
        docElement.className = className;
The background for the case is a complaint from a person who experienced that the employer used automatic forwarding of e-mail.
    }())
 
</script><meta name='EPi.ID' content='14132'></head><body class="articlePage"><div class="page-wrapper"><header class="main-header"> <a href="#skiplinktarget" class="skiplink">To main content</a><div class="main-header__sticky"><div class="main-header__wrapper"><h2 class="sr-only"> Logo and auxiliary tools</h2><nav class="main-header__top" aria-label="Navigasjon og søk"><div class="logo"> <a href="/"><img src="/UI/datatilsynetLogo.png" width="141" height="35" alt="Til startsiden til Datatilsynet" title="Logo"></a></div><div class="right mobile-buttons"> <button type="button" class="button--search" data-toggle-search><span class="sr-only">Show / hide search</span></button> <svg><use xmlns:xlink="http://www.w3.org/1999/xlink"
The employer asked the employee to set up automatic forwarding from the e-mail box to a common e-mail box in the company. This must have been done out of consideration for operations.
        xlink:href="/UI/symbol/svg/sprite.symbol.svg#icon-search"></use></svg><div class="mobile-modal"><div class="mobile-modal__header"> <button type="button" class="close-menu" data-toggle-search>Hide</button> </div><form method="get" action="/sok/" autocomplete="off" class="quickSearch"><div class="quick-search"><div class="quick-search__wrapper"><div class="quick-search__input-wrapper"> <label for="searchText" id="sok" class="quick-search__label">What are you looking for?</label> <input class="quick-search__text _jsAutoCompleteSearch" id="searchText" type="search" name="q" data-search-url="/sok/AutoComplete" /><svg><use xmlns:xlink="http://www.w3.org/1999/xlink"
In violation of the rules
        xlink:href="/UI/symbol/svg/sprite.symbol.svg#icon-search"></use></svg> <button class="button--search" type="submit" value="Søk"><span class="sr-only">Search</span></button></div><div class="autocomplete-container"></div></div></div></form></div> <button type="button" class="button--main-menu" data-toggle-menu data-label-inactive="Meny" data-label-active="Lukk"><span class="label desktop-only" data-label>Menu</span></button><p class="sr-only"> <button type="button" class="button--main-menu" data-toggle-menu data-label-inactive="Meny" data-label-active="Lukk">Show / hide menu</button></p> <button type="button" class="button--main-menu" data-toggle-menu data-label-inactive="Meny" data-label-active="Lukk"><span></span></button></div></nav><div class="main-header__bottom container"><h2 class="sr-only"> Main menu </h2><nav class="main-menu" id="main-menu" aria-label="Hovedmeny"><div class="container"><div class="utility-menu"><ul><li class="header-linklist__element"> <a href="/om-datatilsynet/">About the Data Inspectorate</a></li><li class="header-linklist__element"> <a href="/om-datatilsynet/kontakt-oss/">Contact Us</a></li><li class="header-linklist__element"> <a href="/om-datatilsynet/kontakt-oss/presse/">For press / media inquiries</a></li><li class="header-linklist__element"> <a href="/en/" rel="alternate" hreflang="en">English</a> </li></ul></div><div class="main-menu__root"><div class="main-menu__tab"><svg><use xmlns:xlink="http://www.w3.org/1999/xlink"
 
        xlink:href="/UI/symbol/svg/sprite.symbol.svg#icon-shield"></use></svg> <button type="button" class="main-menu__tab-button" aria-controls="content_1" data-toggle-sub-menu><span id="content_1-heading">Rights and duties</span></button> <svg><use xmlns:xlink="http://www.w3.org/1999/xlink"
After investigating the case, the Data Inspectorate concludes that the company lacks a legal basis for forwarding. It has taken place in violation of the rules in the regulations on the employer's access to e-mail boxes and other electronic material, in addition to the requirement for a legal basis under the Privacy Ordinance.
        xlink:href="/UI/symbol/svg/sprite.symbol.svg#icon-arrow"></use></svg><div class="main-menu__tab-content-wrapper sub-menu" id="content_1" aria-labelledby="content_1-heading"><div class="main-menu__tab-content"><ul><li> <a class="link--secondary " href="/rettigheter-og-plikter/hva-er-personvern/">What is privacy?</a></li><li> <a class="link--secondary " href="/rettigheter-og-plikter/personopplysninger/">What is personal information?</a></li><li> <a class="link--secondary " href="/rettigheter-og-plikter/personvernprinsippene/">The privacy principles</a></li><li> <a class="link--secondary " href="/rettigheter-og-plikter/den-registrertes-rettigheter/">The data subject&#39;s rights</a></li><li> <a class="link--secondary " href="/rettigheter-og-plikter/virksomhetenes-plikter/">The companies&#39; duties</a> </li></ul></div></div></div><div class="main-menu__tab"><svg><use xmlns:xlink="http://www.w3.org/1999/xlink"
 
        xlink:href="/UI/symbol/svg/sprite.symbol.svg#icon-people"></use></svg> <button type="button" class="main-menu__tab-button" aria-controls="content_2" data-toggle-sub-menu><span id="content_2-heading">Privacy in various areas</span></button> <svg><use xmlns:xlink="http://www.w3.org/1999/xlink"
The company had also not prepared routines for access to e-mail. The Norwegian Data Protection Authority pointed out that an improvement of the routines could have a preventive effect against illegal inspections being carried out at a later stage.
        xlink:href="/UI/symbol/svg/sprite.symbol.svg#icon-arrow"></use></svg><div class="main-menu__tab-content-wrapper sub-menu" id="content_2" aria-labelledby="content_2-heading"><div class="main-menu__tab-content"><ul><li> <a class="link--secondary " href="/personvern-pa-ulike-omrader/korona/">Corona and privacy</a></li><li> <a class="link--secondary " href="/personvern-pa-ulike-omrader/personvern-pa-arbeidsplassen/">Workplace privacy</a></li><li> <a class="link--secondary " href="/personvern-pa-ulike-omrader/overvaking-og-sporing/">Monitoring and tracking</a></li><li> <a class="link--secondary " href="/personvern-pa-ulike-omrader/internett-og-apper/">Internet and apps</a></li><li> <a class="link--secondary " href="/personvern-pa-ulike-omrader/skole-barn-unge/">Children, young people and school</a></li><li> <a class="link--secondary " href="/personvern-pa-ulike-omrader/bil-og-transport/">Car and transport</a></li><li> <a class="link--secondary " href="/personvern-pa-ulike-omrader/politi-justis/">Police and justice</a></li><li> <a class="link--secondary " href="/personvern-pa-ulike-omrader/forskning-helse-og-velferd/">Research, health and welfare</a></li><li> <a class="link--secondary " href="/personvern-pa-ulike-omrader/kundehandtering-handel-og-medlemskap/">Customer management, trade and membership</a> </li></ul></div></div></div><div class="main-menu__tab selected"><svg><use xmlns:xlink="http://www.w3.org/1999/xlink"
 
        xlink:href="/UI/symbol/svg/sprite.symbol.svg#icon-guide"></use></svg> <button type="button" class="main-menu__tab-button" aria-controls="content_3" data-toggle-sub-menu><span id="content_3-heading">Regulations and tools</span></button> <svg><use xmlns:xlink="http://www.w3.org/1999/xlink"
On this basis, the Data Inspectorate has decided that the company must improve internal control and its own guidelines for access to employees' e-mail boxes. In addition, the company is ordered to pay 250,000 kroner for having monitored the complainant's e-mail box without any legal basis.
        xlink:href="/UI/symbol/svg/sprite.symbol.svg#icon-arrow"></use></svg><div class="main-menu__tab-content-wrapper sub-menu" id="content_3" aria-labelledby="content_3-heading"><div class="main-menu__tab-content"><ul><li> <a class="link--secondary up" href="/regelverk-og-verktoy/lover-og-regler/">Laws and regulations</a></li><li> <a class="link--secondary " href="/regelverk-og-verktoy/internasjonalt/">International work and cooperation</a></li><li> <a class="link--secondary " href="/regelverk-og-verktoy/sandkasse-for-kunstig-intelligens/">Sandbox for artificial intelligence</a></li><li> <a class="link--secondary " href="/regelverk-og-verktoy/atferdsnorm/">Behavioral norms</a></li><li> <a class="link--secondary " href="/regelverk-og-verktoy/rapporter-og-utredninger/">Reports and reports</a></li><li> <a class="link--secondary " href="/regelverk-og-verktoy/konsesjon-og-melding/">Concession and notification</a></li><li> <a class="link--secondary " href="/regelverk-og-verktoy/sporsmal-svar/">Questions and answers</a></li><li> <a class="link--secondary " href="/regelverk-og-verktoy/ordliste/">Dictionary</a></li><li> <a class="link--secondary " href="/regelverk-og-verktoy/ordbok/">Dictionary (Norwegian - English)</a></li><li> <a class="link--secondary " href="/regelverk-og-verktoy/personvernpodden/">Privacy Pod</a></li></ul></div></div></div></div><div  class="mobile-modal__header"> <button type="button" class="close-menu" data-toggle-menu>Close</button> </div></div></nav></div></div></div><div class="container full-width"><nav class="breadcrumbs" aria-label="Brødsmulesti"><ul><li><a href="/regelverk-og-verktoy/lover-og-regler/">Laws and regulations</a></li><li> <a href="/regelverk-og-verktoy/lover-og-regler/avgjorelser-fra-datatilsynet/">Key decisions</a></li><li> <a href="/regelverk-og-verktoy/lover-og-regler/avgjorelser-fra-datatilsynet/2021/">2021</a></li></ul></nav></div></header><script>
 
    document.consentCookie = '{"HaveRead":false,"FormCookies":false,"Expires":"\/Date(-62135596800000)\/"}';
The company has a three-week appeal period from the time they receive the decision.
    document.disableConsentPopup = false;
</script><div class="cookie-consent" v-bind:class="{ open: showCookieConsent }" tabindex="-1" role="dialog" aria-label="Samtykke for bruk av informasjonskapsler"><h2> We use cookies</h2><div class="user-content"><p> Our websites use cookies. If they are not necessary for our website to work, they will not be stored on your device unless you agree to this. Read about which ones we use and how we manage them at the bottom of the website.</p></div><div class="cookie-consent-section"><h3> Required cookies</h3><div class="user-content"><p> These support core functionality related to security. We have considered these to be necessary, and they are therefore stored without prior consent.</p></div></div><div class="cookie-consent-section"><h3> Form functions</h3><div class="user-content"><p> These are necessary if you want to use the form on our website. The other functionality on the website is not affected if you do not consent. The choice you make here is valid for up to 90 days. </p></div><div class="on-off"><input type="checkbox" name="on-off" id="chk-cookie-form" class="on-off-checkbox" v-model="consentCookie.FormCookies"/> <label class="on-off-label" for="chk-cookie-form"><span class="sr-only">Form functions on / off</span><span class="on-off-inner"></span><span class="on-off-switch"></span></label></div></div><div class="cookie-consent-section"><h3> Web analytics</h3><div class="user-content"><p> We are considering using an analysis tool based on cookies, but as of today we do not have this.</p></div></div><div class="cookie-consent-section"><div class="user-content"><p> You can withdraw your consent at any time by selecting &quot;manage cookies&quot; at the bottom of our pages.</p></div> <button type="button" v-on:click="save($event)" class="button cookie-consent-save">Save my selection</button></div> <button type="button" v-on:click="save($event)" class="cookie-consent-close">Close</button> </div><main><span id="skiplinktarget" tabindex="-1"></span><div class="article"><div class="container"><div class="article__content"><h1> Receives a fee for illegal forwarding of e-mail</h1><div class="user-content ingress"><p> A company has received a decision on a fee of NOK 250,000 for illegal forwarding of the e-mail to an employee. The name of the company is exempt from publicity to protect the identity of the employees. </p></div><div class="article__sidebar-main mobile-only"><div ><img alt="Receives a fee for illegal forwarding of e-mail" src="/contentassets/4156bc16048f4e3994c767bf9e93f3b9/epostsikkerhet_1b.jpg?width=400&amp;quality=80" /></div></div></div><div class="article__sidebar medium-up"><div class="article__sidebar-main no-margin"><div ><img alt="Receives a fee for illegal forwarding of e-mail" src="/contentassets/4156bc16048f4e3994c767bf9e93f3b9/epostsikkerhet_1b.jpg?width=400&amp;quality=80" /></div></div></div></div><div class="container"><div class="article__content"><div class="article__content-text"><div class="user-content"><p> The background for the case is a complaint from a person who experienced that the employer used automatic forwarding of e-mail.</p><p> The employer asked the employee to set up automatic forwarding from their e-mail box to a common e-mail box in the company. This must have been done out of consideration for operations.</p><h2> <strong>In violation of the rules</strong></h2><p> After investigating the case, the Data Inspectorate concludes that the company lacks a legal basis for forwarding. It has taken place in violation of the rules in the regulations on the employer&#39;s access to e-mail boxes and other electronic material, in addition to the requirement for a legal basis under the Privacy Ordinance.</p><p> The company had also not prepared routines for access to e-mail. The Norwegian Data Protection Authority pointed out that an improvement of the routines could have a preventive effect against illegal inspections being carried out at a later stage.</p><p> On this basis, the Data Inspectorate has decided that the company must improve internal control and its own guidelines for access to employees&#39; e-mail boxes. In addition, the company is ordered to pay 250,000 kroner for having monitored the complainant&#39;s e-mail box without any legal basis.</p><p> The company has a three-week appeal period from the time they receive the decision.</p><h2> <strong>Read more</strong></h2><ul><li> <a href="/rettigheter-og-plikter/virksomhetenes-plikter/">Supplementary information about the companies&#39; duties</a></li><li> <a href="https://lovdata.no/dokument/SF/forskrift/2018-07-02-1108" target="_blank" rel="noopener">Regulations on employers&#39; access to e-mail boxes and other electronic material (lovdata.no)</a></li><li> <a href="/personvern-pa-ulike-omrader/personvern-pa-arbeidsplassen/innsyn-epost-filer/">Access to added e-mail and private files</a></li></ul></div></div></div><aside class="article__sidebar"><h3> Contact person </h3><div><div><div class="person-contact-card"><div class="person-contact-card__inner"><div class="person-contact-card__image"><div class="profile-image"><div class="image-block Standard "><figure ><img alt="" src="/globalassets/global/bilder/ansatte-dt/ida.jpg?width=200&amp;quality=80" /></figure></div></div></div><div class="person-contact-card__info"><div><h2 class="person-contact-card__info-name"> Ida Småge Breidablikk</h2><p class="person-contact-card__info-title"> Legal senior advisor</p></div><dl class="person-contact-card__info-list"><dt class="describe"> Office: </dt><dd class="define"><span data-e="18267937243838383838383838383838383838383838383838383838381215282F38212E38212B382A2A382F2C33383838383838383838383838383838383838383838383838383838381215263A282F212E212B2A2A2F2C3322747D6C3A257E7D6A70383A3A256B6B79747B387924"></span></dd><dt class="describe"> Email: </dt><dd class="define"><span data-e="AC92CD83908C8C8C8C8C8C8C8C8C8C8C8C8C8C8C8C8C8C8C8C8C8C8C8CA6A1C3C282D8C9C2D5DFC0C5D8CDD8CDC8ECCEDFC58C8C8C8C8C8C8C8C8C8C8C8C8C8C8C8C8C8C8C8C8C8C8C8C8C8C8C8CA6A1928EC3C282D8C9C2D5DFC0C5D8CDD8CDC8ECCEDFC596C3D8C0C5CDC18E91CAC9DEC48C8E8E91DFDFCDC0CF8CCD90"></span></dd></dl></div></div></div></div></div><div class="article__sidebar-dates"><div > <span>Published:</span> <span>02.03.2021</span> </div></div></aside></div></div></main><footer class="main-footer"><div class="main-footer__wrapper"><div class="main-footer__upper"><div class="main-footer__content container"><div class="main-footer__content-column desktop-only" aria-hidden="true"><img src="/UI/datatilsynetLogo.png" width="141" height="35" alt="The Data Inspectorate logo" class="main-footer__logo"></div><div class="main-footer__content-column"><p> The Data Inspectorate<br> PO Box 458 Center<br> 0105 Oslo</p><p> Org.nr 974 761 467</p><div class="user-content"><p> <a href="/om-datatilsynet/kontakt-oss/">Contact Us</a></p></div><div > <a href="https://ext.mnm.as/s/2751/9366">Receive our newsletter</a></div><div class="main-footer__social"><div class="main-footer__social--twitter" > <a href="https://twitter.com/datatilsynet">The Data Inspectorate on twitter</a></div></div><div class="main-footer__personvernpodden_logo"> <a href="/regelverk-og-verktoy/personvernpodden/"><img src="/UI/personvernpodden-logo.svg" alt="The Privacy Podcast - A podcast from the Danish Data Protection Agency"></a></div></div><div class="main-footer__content-column"><ul class="clean-link-list"><li> <a href="/aktuelt/">Currently</a></li><li> <a href="/regelverk-og-verktoy/ordliste/">Dictionary</a></li><li> <a href="/regelverk-og-verktoy/sporsmal-svar/">Frequently Asked Questions</a></li><li> <a href="/om-datatilsynet/datatilsynets-personvernerklaring/">The Data Inspectorate&#39;s privacy statement</a></li><li> <a href="/om-datatilsynet/datatilsynets-cookie-erklaring/">The Danish Data Protection Agency&#39;s cookie statement</a></li><li> <a href="#" id="_jsManageCookies">Manage cookies</a> </li></ul></div></div></div><div class="main-footer__lower"><div class="main-footer__sponsors container"><p> Other sites</p> <a href="/om-datatilsynet/Andre-nettsteder/Personvernbloggen/"><img alt="The Privacy Blog" src="/globalassets/global/bilder/logoer/footer/personvernbloggennb.png?width=400&amp;quality=80" /></a> <a href="/om-datatilsynet/Andre-nettsteder/Du-bestmmer/"><img alt="You decide" src="/globalassets/global/bilder/logoer/footer/dubestemmernb.png?width=400&amp;quality=80" /></a> <a href="/om-datatilsynet/Andre-nettsteder/Slett-meg/"><img alt="slettmeg.no" src="/globalassets/global/bilder/logoer/footer/slettmegnb.png?width=400&amp;quality=80" /></a></div></div></div></footer></div><script src="/Scripts/libs/jquery/3.2.1.min.js"> </script><script src="/Scripts/libs/jquery/jquery-ui.min.js"> </script><script src="/Scripts/libs/svg4everybody.js"> </script><script src="/Scripts/libs/jquery.sticky-sidebar.min.js"> </script><script src="/Scripts/libs/vue.min.js"> </script><script src="/Scripts/global/common/jquery.aria.js"> </script><script> window.jQuery || document.write('<script src="/Scripts/libs/jquery/3.2.1.min.js"><\/script>') </script><script src="/Scripts/site.js?bundle=637483904340000000"></script><script src="/Scripts/global/common/jquery.unobtrusive-ajax.js" async defer></script><script>
    Datatilsynet.GlossaryHighlightedWords = 'adressemekling;akseptkriterium;algoritmer;artikkel 29-gruppen;atferdsnorm;autentisering;automatisk målesystem;avidentifisert personopplysning;avindeksere;avvik;behandling av personopplysningar;behandling av personopplysninger;behandlingsansvarleg;behandlingsansvarlig;behandlingsgrunnlag;berlingruppen;big data;biometri;bransjenorm;databehandlar;databehandlaravtale;databehandler;databehandleravtale;datakommunikasjon;dataminimering;datanettverk;dataportabilitet;den registrerte;dpia;ekstern datakommunikasjon;eksternt nettverk;european data protection board;filsluse;forhåndsdrøftelse;formålsbestemthet;forordning;fødselsnummer;gdpr;helseopplysning;humant biologisk materiale;informasjonssamfunnstjeneste;informasjonssikkerhet;informasjonstryggleik;innebygd personvern;integritet;intern sone;internkontroll;ip-adresse;konfidensialitet;konfigurasjon;konsesjon;konsesjonsplikt;kontrolltiltak;kredittopplysning;kredittsjekk;kredittvurdering;kryptering;meldeplikt;nettsky;nettverkssone;personnummer;personopplysning;personprofil;personregister;personvernforordningen;personvernfremjande teknologi;personvernfremmende teknologi;personvernkonsekvens;personvernombod;personvernombud;personvernrådet;profiler;profilering;pseudonymisering;radiofrekvensidentifikasjon;reidentifisering;rfid;risiko;samtykke;schengen informasjonssystem;sensitive personopplysninger;sikker sone;sikkerhetskopiering;sikkerhetsrevisjon;sikkerhetsstrategi;sporing;stordata;særlige kategorier;teknisk sikkerhetsbarriere;tilgangskontroll;tilgangsstyring;tilgjengelighet;tilsyn;tjenstlig behov;vurdere personvernkonsekvenser;ødeleggende programvare;';
    Datatilsynet.HasGlossary = true;
</script><script type="text/javascript" src="/Scripts/find/find.js"></script><script type="text/javascript">
if(FindApi){var api = new FindApi();api.setApplicationUrl('/');api.setServiceApiBaseUrl('/find_v2/');api.processEventFromCurrentUri();api.bindWindowEvents();api.bindAClickEvent();api.sendBufferedEvents();}
</script><script>(function(){function i(n){var t=n.charCodeAt(0);return(t>=65?t-7:t)-48}function e(n){for(var r=new String,u=i(n.substr(0,1))*16+i(n.substr(1,1)),t=n.length-2;t>1;t-=2)r+=String.fromCharCode(i(n.substr(t,1))*16+i(n.substr(t+1,1))^u);return r}var t=document.querySelectorAll("[data-e]"),n,u,r,f;if(t.length)for(n=0;n<t.length;n++)u=e(t[n].getAttribute("data-e")),r=document.createElement("div"),r.innerHTML=u,f=r.firstChild,t[n].parentNode.insertBefore(f,t[n]),t[n].parentNode.removeChild(t[n])})();</script></body></html>
</pre>
</pre>

Revision as of 06:29, 16 March 2021

Datatilsynet - DT-20/01916
LogoNO.png
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 6(1)(f) GDPR
Article 13 GDPR
Article 24 GDPR
§§2-3 Forskrift om arbeidsgivers innsyn i e-postkasse og annet elektronisk lagret materiale
Type: Investigation
Outcome: Violation Found
Started:
Decided: 05.02.2021
Published: 02.03.2021
Fine: 250000 NOK
Parties: Excempt from public disclosure
National Case Number/Name: DT-20/01916
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Norwegian
Original Source: Datatilsynet (in NO)
Initial Contributor: Rie Aleksandra Walle

The Norwegian DPA fined a company NOK 250 000 (€24,772) for requiring an employee to forward all emails to a shared inbox, on a continuous basis, despite her objections.

English Summary

Facts

The DPA reviewed two events where a company had obtained access to an employee's emails. In the first case, the company had accessed her inbox due to an acute situation where they needed to obtain crucial (business) information while the employee was on vacation (and couldn't be reached).

In the second case, however, the general manager had introduced a new policy, requiring the employee to continuously forward all her emails to a shared, common inbox at the company. After a month, she disabled this, however was instructed to enable it again.

Dispute

Did the company breach Article 6(1)(f) GDPR for lack of a legal basis?

Holding

In the first case, the DPA agreed that the company had a legal basis, due to an acute nature of the situation and the need for crucial (business) information. In the second case, however, the DPA held that the company had no legal basis for such processing, as it's highly invasive and not justified. The legal basis the company referred to, a national regulation concerning employers' access to employees' inboxes and other electronical material, was not applicable in this instance.

The DPA held that the company had no legal basis as per Article 6(1)(f) GDPR and that they had failed to inform the employee sufficiently as per Article 13 GDPR. Consequently, they were fined NOK 250 000 (€24,772), and also have to improve their internal controls in line with Article 24 GDPR.

Comment

The company was initially fined NOK 400,000, however after they made a complaint and were able to demonstrate a decrease in revenue due to COVID-19, this was reduced.

Further Resources

In Norwegian only:

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

Receives a fee for illegal forwarding of e-mail

A company has received a decision on a fee of NOK 250,000 for illegal forwarding of the e-mail to an employee. The name of the company is exempt from publicity to protect the identity of the employees.
Receives a fee for illegal forwarding of e-mail

The background for the case is a complaint from a person who experienced that the employer used automatic forwarding of e-mail.

The employer asked the employee to set up automatic forwarding from the e-mail box to a common e-mail box in the company. This must have been done out of consideration for operations.
In violation of the rules

After investigating the case, the Data Inspectorate concludes that the company lacks a legal basis for forwarding. It has taken place in violation of the rules in the regulations on the employer's access to e-mail boxes and other electronic material, in addition to the requirement for a legal basis under the Privacy Ordinance.

The company had also not prepared routines for access to e-mail. The Norwegian Data Protection Authority pointed out that an improvement of the routines could have a preventive effect against illegal inspections being carried out at a later stage.

On this basis, the Data Inspectorate has decided that the company must improve internal control and its own guidelines for access to employees' e-mail boxes. In addition, the company is ordered to pay 250,000 kroner for having monitored the complainant's e-mail box without any legal basis.

The company has a three-week appeal period from the time they receive the decision.