Datatilsynet - DT-20/02178

From GDPRhub
Datatilsynet - DT-20/02178
LogoNO.png
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 5(1)(a) GDPR
Article 5(2) GDPR
Article 6(1)(f) GDPR
Article 13 GDPR
Article 21 GDPR
Article 24 GDPR
§§2-3 Forskrift om arbeidsgivers innsyn i e-postkasse og annet elektronisk lagret materiale
Type: Complaint
Outcome: Upheld
Decided: 07.12.2020
Published: 13.01.2021
Fine: 250,000 NOK
Parties: Excempt from public disclosure
National Case Number/Name: DT-20/02178
European Case Law Identifier: n/a
Appeal: Partly upheld
Personvernnemnda (Norway)
PVN-2021-03
Original Language(s): Norwegian
Original Source: Datatilsynet (in NO)
Initial Contributor: Rie Aleksandra Walle

The Norwegian DPA fined a company NOK 400,000 (€38,800) for enabling automatic forwarding of an employee's emails during a sick leave, without informing the employee or accepting her objection. The company appealed the fine and although the Privacy Appeals Board (Personvernnemda) agreed with the DPA that the fine was correct, they reduced it to NOK 250,000 only because of the DPA's long case processing time.

English Summary[edit | edit source]

Facts[edit | edit source]

In 2019, a company enabled automatic forwarding of an employee's emails during a sick leave, because the employee had "failed to enable her out of office reply". The company admitted that they had breached §§2 and 3 of a national regulation concerning employers' access to employees' inboxes and other electronical material, that they had no legal basis as per Article 6(1)(f) GDPR and that they had failed to inform the employee as per Article 13 GDPR, cf. the national regulation.

They argued, however, that because the employee had failed to enable her out of office reply, they had legitimate grounds to enable automatic forwarding of her emails. Despite objections from the employee, the company continued to forward her emails, as long as she didn't herself enable the out of office reply. In the end, the company did this on her behalf, but only after having monitored her emails for five weeks.

Dispute[edit | edit source]

Did the company breach Article 6(1)(f) GDPR for lack of legal basis, Article 21 for lack of considering an objection, Article 13 for lack of information and Article 24 for lack of internal controls?

Holding[edit | edit source]

Yes, the DPA (Datatilsynet) held that the company had breached Article 6(1)(f) GDPR for lack of legal basis, Article 21 for lack of considering an objection, Article 13 for lack of information and Article 24 for lack of internal controls concerning the company's access to employees' inboxes (emails). The DPA also found that the company had breached the fundamental principles as per the GDPR, specifically Article 5(1)(a) and 5(2).

For this, they were fined NOK 400 000 (€38,800) and required to update their internal routines and submit a written confirmation of the latter, including documentation, to the DPA within four weeks (unless they appeal the decision).

Comment[edit | edit source]

Following the DPA's notification of a decision, the company argued that the penalty was too severe, due to the following reasons: the processing was "the employee's own fault" as she had failed to enable the out of office reply; the breach was an "isolated incident", which took place relatively shortly after "a new and very complex law was introduced" and that the rules concerning an employer's access to an employee's inbox "have been unclear".

The DPA firmly rejected all these arguments and referred to the fact that the GDPR has been in process for several years, it came into effect already in 2016 and the breaches would also have been determined as such also from the preceding laws. They also noted that the processing could have been done in a less invasive way and argue that the company realized this themselves as they did enable the out of office reply in the end.

The Privacy Appeals Board agreed with the DPA in their criticism. They also emphasized that the fact that the employee was in a conflict with her manager when she was went on sick leave, makes the employer's behaviour further reprehensible. In sum, they found that the employer had seriously violated privacy rules. It was only because of the DPA's long case processing time that they reduced the fine to NOK 250 000. A summary of the decision of the Norwegian Data Protection Appeal Authority (Personvernnemnda) can be found here: Personvernnemnda (Norway) - PVN-2021-03.

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

Receives fee for forwarding e-mail

The Norwegian Data Protection Authority has fined a company an infringement fee of NOK 400,000 for illegal automatic forwarding of an employee's e-mail box.

Receives fee for forwarding e-mail
The background to the case is a complaint from an employee who experienced that the employer had activated automatic forwarding of the person's e-mail box in the company.

Lacks legal basis

The automatic forwarding was activated in connection with the employee's sick leave, and lasted for more than a month. After investigating the case further, the Data Inspectorate has concluded that the forwarding has taken place in violation of the rules in the regulations on the employer's access to e-mail boxes and other electronic material, as well as the Privacy Ordinance's legal basis, information to the data subject and the duty to assess the employee's protest. .

On the basis of this, the Data Inspectorate has decided that the company must improve the written routines for access to e-mail boxes, as well as an order to pay an infringement fee of NOK 400,000 for the illegal forwarding.

The company's name is exempt from publicity to protect the complainant's identity. The company has appealed the decision.