Datatilsynet - DT-20/01916

From GDPRhub
Revision as of 07:35, 4 October 2021 by Riealeksandra
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 6(1)(f) GDPR; Article 13 GDPR; Article 24 GDPR; §§2-3 Forskrift om arbeidsgivers innsyn i e-postkasse og annet elektronisk lagret materiale
Type: Investigation
Outcome: Violation Found
Decided: 05.02.2021
Published: 02.03.2021
Fine: 250000 NOK
Parties: Exempt from public disclosure
National Case Number/Name: DT-20/01916
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Norwegian
Original Source: Datatilsynet (in NO)
Initial Contributor: Rie Aleksandra Walle

The Norwegian DPA fined a company NOK 250 000 (€24,772) for requiring an employee to forward all emails to a shared inbox, on a continuous basis, despite her objections.

English Summary

Facts

The DPA reviewed two events where a company had obtained access to an employee's emails. In the first case, the company had accessed her inbox due to an acute situation where they needed to obtain crucial (business) information while the employee was on vacation (and couldn't be reached).

In the second case, however, the general manager had introduced a new policy requiring the employee to continuously forward all her emails to a shared, common inbox at the company. After a month, she disabled the forwarding but was instructed to enable it again.

Dispute

Did the company breach Article 6(1)(f) GDPR for lack of a legal basis?

Holding

In the first case, the DPA agreed that the company had a legal basis, due to the acute nature of the situation and the need for crucial (business) information. In the second case, however, the DPA held that the company had no legal basis for such processing, as it is highly invasive and not justified. The legal basis the company referred to, a national regulation concerning employers' access to employees' inboxes and other electronic material, was not applicable in this instance.

The DPA held that the company had no legal basis as per Article 6(1)(f) GDPR and that they had failed to inform the employee sufficiently as per Article 13 GDPR. Consequently, they were fined NOK 250 000 (€24,772), and also have to improve their internal controls in line with Article 24 GDPR.

Comment

The company was initially fined NOK 400,000; after it made a complaint and was able to demonstrate a decrease in revenue due to COVID-19, the fine was reduced.

Further Resources

In Norwegian only:

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

Receives a fee for illegal forwarding of e-mail

A company has received a decision on a fee of NOK 250,000 for illegal forwarding of an employee's e-mail. The name of the company is exempt from publicity to protect the identity of the employees.

The background for the case is a complaint from a person who experienced that the employer used automatic forwarding of e-mail.

The employer asked the employee to set up automatic forwarding from the e-mail box to a common e-mail box in the company. This must have been done out of consideration for operations.

In violation of the rules

After investigating the case, the Data Inspectorate concludes that the company lacks a legal basis for forwarding. It has taken place in violation of the rules in the regulations on the employer's access to e-mail boxes and other electronic material, in addition to the requirement for a legal basis under the Privacy Ordinance.

The company had also not prepared routines for access to e-mail. The Norwegian Data Protection Authority pointed out that an improvement of the routines could have a preventive effect against illegal inspections being carried out at a later stage.

On this basis, the Data Inspectorate has decided that the company must improve internal control and its own guidelines for access to employees' e-mail boxes. In addition, the company is ordered to pay 250,000 kroner for having monitored the complainant's e-mail box without any legal basis.

The company has a three-week appeal period from the time they receive the decision.