Datatilsynet (Norway) - 20/02178

From GDPRhub
Datatilsynet - DT-20/02178
LogoNO.png
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 5(1)(a) GDPR
Article 5(2) GDPR
Article 6(1)(f) GDPR
Article 13 GDPR
Article 21 GDPR
Article 24 GDPR
§§2-3 Forskrift om arbeidsgivers innsyn i e-postkasse og annet elektronisk lagret materiale
Type: Complaint
Outcome: Rejected
Started:
Decided: 07.12.2020
Published: 13.01.2021
Fine: 400000 NOK
Parties: Excempt from public disclosure
National Case Number/Name: DT-20/02178
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Norwegian
Original Source: Datatilsynet (in NO)
Initial Contributor: Rie Aleksandra Walle

The Norwegian DPA (Datatilsynet) fined a company NOK 400 000 (€38,800) for enabling automatic forwarding of an employee's emails during a sick leave, without informing the employee or accepting her objection.

English Summary

Facts

In 2019, the general manager of a company enabled automatic forwarding of an employee's emails during a sick leave, because the employee had "failed to enable her out of office reply". The company admitted that they had breached §§2 and 3 of a national regulation concerning employers' access to employees' inboxes and other electronical material, that they had no legal basis as per Article 6(1)(f) GDPR and that they had failed to inform the employee as per Article 13 GDPR, cf. the national regulation.

They argued, however, that because the employee had failed to enable her out of office reply, they had legitimate grounds to enable automatic forwarding of her emails. Despite objections from the employee, the company continued to forward her emails, as long as she didn't herself enable the out of office reply. In the end, the company did this on her behalf, but only after having monitored her emails for five weeks.

Dispute

Did the company breach Article 6(1)(f) GDPR for lack of legal basis, Article 21 for lack of considering an objection, Article 13 for lack of information and Article 24 for lack of internal controls?

Holding

Yes, the company was found to have breached Article 6(1)(f) GDPR for lack of legal basis, Article 21 for lack of considering an objection, Article 13 for lack of information and Article 24 for lack of internal controls concerning the company's access to employees' inboxes (emails). The DPA also found that the company had breached the fundamental principles as per the GDPR, specifically Article 5(1)(a) and 5(2).

For this, they were fined NOK 400 000 (€38,800) and required to update their internal routines and submit a written confirmation of the latter, including documentation, to the DPA within four weeks (unless they appeal the decision).

Comment

Following the DPA's notification of a decision, the company argued that the penalty was too severe, due to the following reasons: the processing was "the employee's own fault" as she had failed to enable the out of office reply; the breach was an "isolated incident", which took place relatively shortly after "a new and very complex law was introduced" and that the rules concerning an employer's access to an employee's inbox "have been unclear".

The DPA firmly rejected all these arguments and referred to the fact that the GDPR has been in process for several years, it came into effect already in 2016 and the breaches would also have been determined as such also from the preceding laws. They also noted that the processing could have been done in a less invasive way and argue that the company realized this themselves as they did enable the out of office reply in the end.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

Receives fee for forwarding e-mail

The Norwegian Data Protection Authority has fined a company an infringement fee of NOK 400,000 for illegal automatic forwarding of an employee's e-mail box.

Receives fee for forwarding e-mail
The background to the case is a complaint from an employee who experienced that the employer had activated automatic forwarding of the person's e-mail box in the company.

Lacks legal basis

The automatic forwarding was activated in connection with the employee's sick leave, and lasted for more than a month. After investigating the case further, the Data Inspectorate has concluded that the forwarding has taken place in violation of the rules in the regulations on the employer's access to e-mail boxes and other electronic material, as well as the Privacy Ordinance's legal basis, information to the data subject and the duty to assess the employee's protest. .

On the basis of this, the Data Inspectorate has decided that the company must improve the written routines for access to e-mail boxes, as well as an order to pay an infringement fee of NOK 400,000 for the illegal forwarding.

The company's name is exempt from publicity to protect the complainant's identity. The company has appealed the decision.