Personvernnemnda (Norway) - 2022-14 (20/02368)

From GDPRhub
PVN - PVN-2022-14
Court: Personvernnemnda (Norway)
Jurisdiction: Norway
Relevant Law: Article 6(1)(f) GDPR
Article 13 GDPR
Article 21 GDPR
Article 24 GDPR
Article 58(2) GDPR
Article 83(1) GDPR
Decided: 13.12.2022
Published: 19.12.2022
Parties:
National Case Number/Name: PVN-2022-14
European Case Law Identifier:
Appeal from: Datatilsynet (Norway)
Appeal to:
Original Language(s): Norwegian
Original Source: PVN (in Norwegian)
Initial Contributor: n/a

The Norwegian Privacy Appeals Board dismissed an appeal against the DPA's decision to fine a controller €9,600 for unlawfully inspecting the e-mail inbox of a former employee.

English Summary

Facts

A company (the controller) inspected the e-mail inbox and automatically forwarded an e-mail of its former employee (the data subject) after she had objected to processing of her personal data under Article 21 GDPR. The data subject filed a complaint with the Norwegian DPA, claiming that there was no legal basis for accessing and processing her e-mails in such a form. The DPA initiated proceedings and asked the controller for an explanation. After not receiving any information past the deadline, it rendered a decision.

The DPA held that automatic forwarding of the contents of the data subject's e-mail box could not be based on Article 6(1)(f) GDPR nor any other valid legal basis. The controller did not comply with its duty to carry out a balancing of interests after the data subject had objected to the processing, under Article 21 GDPR. Finally, the DPA held that the controller did not comply with its duty to inform the data subject of the forwarding of her e-mails, violating Article 13 GDPR. The DPA concluded that the infringements were intentional and serious. Hence, the DPA imposed a NOK 100,000 fine on the controller. It also ordered the controller to improve internal control and routines for access to employees' and former employees' e-mail boxes.

The controller appealed this decision to the Norwegian Privacy Appeals Board (Privacy Board).

Holding

First, the Privacy Board considered whether the DPA had been correct in imposing a fine on the controller. It recalled that Article 83(1) GDPR obliges DPAs to ensure that the imposed fines are effective, proportionate and dissuasive. In this regard, the Privacy Board held that illegal forwarding of e-mails is a violation of the basic principles of lawfulness and transparency (Article 5(1)(a) GDPR). When basic rules for the protection of employees' privacy are disregarded as in this case, the violations must be regarded as serious. Therefore, the DPA was correct to impose a fine on the controller.

Second, the Privacy Board considered whether the DPA correctly assessed the amount of the fine. The Privacy Board took into account the fact that the infringement lasted for a number of weeks despite the data subject's objections. The Privacy Board did not agree with the argument of the controller that the DPA had taken the turnover from the wrong year into account. It held that the calculation of the fine based on the aggravating circumstances and the controller's turnover was correct and there was no reason to reduce the fine.

Thirdly, the Privacy Board held that the DPA correctly ordered the controller to review and improve its routines for access to employees' e-mail inboxes, with the aim of ensuring compliance with data protection regulations. Among other things, the controller should implement a consent form, where employees and former employees can decide to which checks of their inbox they consent. Implementing these organisational and technical measures belongs to the responsibilities of the controller under Article 24 GDPR.

In conclusion, the DPA was correct in imposing the fine of NOK 100,000 and ordering the controller to improve its practices with regard to controlling employees' mailboxes. The Privacy Board dismissed the appeal.

Comment

The summary of the DPA's decision can be found here.


English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

The Norwegian Data Protection Authority's reference:
20/02368-8
The Privacy Board's decision on 13 December 2022 (Mari Bø Haugstad, Bjørnar Borvik, Hans Marius Graasvold, Heidi Talsethagen, Hans Marius Tessem, Morten Goodwin, Malin Tønseth)
The case concerns a complaint from X AS about the Norwegian Data Protection Authority's assessment of an infringement fee of NOK 100,000 for having monitored an employee's e-mail box without a legal basis, cf. the personal protection regulation article 6 no. 1 letter f, for failure to assess protests, cf. article 21 and for missing information, cf. Article 13.

X AS has also complained about the Norwegian Data Protection Authority's order to prepare internal routines for access to employees' and former employees' e-mail boxes and other electronically stored material, cf. article 24.

Background of the case
On 3 October 2019, X AS sent a notice of non-conformity to the Norwegian Data Protection Authority stating that the company had inspected a former employee's e-mail box without having a legal basis for this. The notice of deviation was sent after a former employee had made the business aware that viewing and automatically forwarding e-mails was illegal.

On 10 October 2019, the Norwegian Data Protection Authority subsequently received a complaint from A that her former employer, X AS, had unlawfully accessed and automatically forwarded her e-mail after she left the company.

On 20 November 2020, the Norwegian Data Protection Authority asked for the employer's explanation, which, after a postponed response deadline, was given on 14 January 2021.

The Norwegian Data Protection Authority notified the employer on 1 July 2021 that the Norwegian Data Protection Authority would make the following decision:

"1. Pursuant to the personal data protection regulation article 58 no. 2 letter i, X AS, org. no. […], is ordered to pay an infringement fee to the Treasury of NOK 100,000 for automatic forwarding of the complainant's e-mail box, cf. the personal protection regulation article 6 no. 1 letter f, for failure to assess protests, cf. article 21, and for failure to provide information, cf. Article 13.

2. X AS is ordered to improve internal control and routines for access to employees' and former employees' e-mail boxes and other electronically stored material, cf. Article 24 of the Personal Protection Ordinance."

The employer gave its comments on the notice on 13 September 2021 and attached the company's checklist for safeguarding privacy when employees leave, as well as the company's consent form for viewing/forwarding of e-mails after termination of employment.

On 15 March 2022, the Norwegian Data Protection Authority decided on orders and infringement fees in line with the notice sent out.

The employer lodged a timely complaint against the Norwegian Data Protection Authority's decision on 28 March 2022. The complaint concerns the amount of the infringement fee and the order to draw up internal routines for access to employees' email inboxes.

The Norwegian Data Protection Authority considered the complaint, but found no reason to change its decision. The Norwegian Data Protection Authority forwarded the case to the Personal Data Protection Board on 24 June 2022. The employer was informed of the case in a letter from the board on 29 June 2022, and was given the opportunity to make comments. No comments have been submitted.

The case was dealt with at the board's meeting on 13 December 2022. The privacy board had the following composition: Mari Bø Haugstad (chair), Bjørnar Borvik (deputy chair), Hans Marius Graasvold, Heidi Talsethagen, Hans Marius Tessem, Morten Goodwin and Malin Tønseth. Secretariat manager Anette Klem Funderud was also present.

The Norwegian Data Protection Authority's assessment in brief
Assessment of whether there is a breach of the rules on access to employee e-mail
In its decision, the Norwegian Data Protection Authority concludes that the employer's automatic forwarding of the contents of the employee's e-mail box does not meet the conditions in the e-mail regulations § 2 second paragraph and that the processing lacked processing grounds in the Personal Protection Regulation Article 6 no. 1 letter f. The Authority further concludes that the employer has not complied with its duty to carry out a concrete balancing of interests after the employee on 24 August and 3 September 2019 objected to the processing, cf. article 21. Finally, the supervisory authority concludes that the employer has also not complied with its duty to inform the employee that the forwarding of e-mails had started, cf. Article 13.

Assessment of subjective conditions
It was the general manager who acted on behalf of the company when she initiated the forwarding of the employee's e-mail, and the forwarding was a deliberate act. The Norwegian Data Protection Authority considers the infringement to be intentional and believes that the culpability requirement for imposing an infringement fee has been met, cf. HR-2021-797-A.

Assessment of whether an infringement fee should be imposed
It follows from the regulation article 83 no. 1 that each supervisory authority must ensure that the imposition of an infringement fee in each individual case is "effective, proportionate to the infringement and acts as a deterrent".

The illegal forwarding is a violation of the basic principles of legality and transparency in the processing of personal data, cf. the data protection regulation article 5 no. 1 letter a. When basic rules for the protection of employee privacy are disregarded as in this case, the violations must be regarded as serious.

In this case, it is about continuous monitoring of incoming e-mail to an employee's e-mail box, which the supervisory authority considers to be a serious interference with the employee's right to correspond freely. The violations are also a violation of the privacy of third parties who have sent e-mails to the employee in good faith.

The Authority believes that the infringement should be sanctioned with an infringement fee. When imposing and measuring the size of the fee, the Norwegian Data Protection Authority takes as its starting point the various points in the Personal Protection Regulation article 83 no. 2 letters a to k.

As aggravating factors, the inspectorate has placed particular emphasis on the fact that the automatic forwarding was initiated by the company's general manager, that the forwarding continued over a period of almost six weeks despite the employee's objections, that the e-mails were forwarded to an e-mail box managed by the general manager, and that the management lacked knowledge of the regulations.

The Norwegian Data Protection Authority, after a concrete review of the various points, comes to the conclusion that X AS should be charged an infringement fee of NOK 100,000. The supervisory authority considers, after a discretionary assessment, that a fee of this size will be sufficiently effective, be in a reasonable relationship to the infringement and act as a deterrent, cf. the personal protection regulation article 83 no. 1. The supervisory authority has then taken into account the company's finances in 2020 and believes that the size of the fee must be set so high that the fee is actually perceived as an evil by the violator, cf. Skullerud et al; Commentary edition to the Personal Data Act and the Personal Protection Ordinance, Universitetsforlaget 2019, page 347.

The authority has based its assessment on the company's finances at the time of the decision and indicates that the annual turnover from 2020 was the latest available figure at the time of the decision. In 2020, X AS had a turnover of NOK 4,579,000, an annual profit of NOK 101,000 and a registered equity of NOK 26,000. The fee amounts to approx. 2.2% of the company's turnover in 2020. X AS has not provided documentation that a fee of NOK 100,000 affects the company's viability.

When submitting the complaint to the tribunal, the Norwegian Data Protection Authority has assessed the importance of the processing time for the assessment of fees, cf. article 83 no. 2 letter k and PVN-2021-03. The inspectorate concludes that neither the processing time nor the time of total inactivity constitutes a breach of the European Convention on Human Rights (ECHR) in this case and finds no reason to reduce the fee for that reason.

Routines for access to e-mail boxes
The Norwegian Data Protection Authority orders employers to improve their routines for access to employees' email inboxes. The employer's submission of a checklist for cases where employees quit and a consent form for viewing/forwarding e-mails are, in the inspector's assessment, deficient. The consent form contains, among other things, several points that may be problematic according to the e-mail regulations, and refers to regulations that have been repealed.

X AS' view on the matter in brief
The Norwegian Data Protection Authority has been too strict when calculating the fee. The supervisory authority must use the financial year 2019 as the basis for the determination of fees, not 2020.

X AS made a loss in 2019 of NOK 63,000 due to costs for lawyers and a lot of internal work. The auditor could terminate the agreement with the company due to negative equity, which was supposed to be a minimum of NOK 35,000, but this was now negative with NOK 109,000.

In 2020, the company made a profit of NOK 101,000 and had to cover the loss from the previous year, when employees were not paid wages for overtime. The goal was for the company to manage and regain its equity. Equity then rose to NOK 26,000, but it was still NOK 9,000 too little.

The company made a profit of NOK 11,000 in 2021 and had positive equity, but the infringement fee is still far too high. If the fee is NOK 100,000, it could mean the end of the company. It is the first letter from the Norwegian Data Protection Authority in 2019 that should have been the starting point for the fee. It is not the company's fault that the inspectorate has used a long processing time.

The employer submitted routines for viewing and forwarding employees' e-mails to the Norwegian Data Protection Authority on 13 September 2021. The routines show that X AS has carried out the order on internal control.

The Norwegian Privacy Board's assessment
The question for the tribunal is whether, according to the Personal Protection Ordinance, Article 83 No. 5, cf. Article 83 No. 2, an infringement fee must be imposed for a breach of the Personal Protection Ordinance as a result of the employer's unlawful access to the employee's e-mail. If a fee is to be imposed, the tribunal must also assess how large the fee should be.

Statement of fact
Even if the case before the tribunal concerns whether a fee should be imposed and possibly the measurement of the size of the fee, the tribunal must decide on the facts. This is because, among other things, the nature, severity and duration of the infringement will be key elements in the assessment of whether an infringement fee should be imposed and, if necessary, the measurement of the fee, cf. Article 83 of the Personal Protection Regulation.

Violation fee according to the Personal Data Act is to be regarded as an administrative sanction that has the character of a penalty according to Article 6 of the ECHR. According to case law, there is then a requirement for a clear preponderance of probability that the requirement of guilt has been met, both in subjective and objective terms, cf. Rt-2008-1409 and Rt-2012-1556. In practice, this means that it is the fact that the business itself describes that must be used as a basis, unless there is clear evidence in the available evidence that the situation is different. In other words, there is not a sufficient preponderance of probability to base a fact other than what the company itself explains, unless the preponderance is "clearly" more than 50%. It also means that where there is uncertainty about the fact, the fact that is most favorable to the company must be used as a basis.

The tribunal bases its assessment on the following facts:

A resigned from her position in the company on 26 April 2019, with an agreed resignation from and including 1 August 2019. In connection with the resignation, the parties agreed that A would continue to assist the employer somewhat in the autumn of 2019 after the resignation date on 31 July 2019. Following the resignation, there was a conflict between A and the employer regarding the work tasks she had performed and work tasks that remained after the termination of the employment relationship. As a result, the employer wanted the remaining agreed work tasks, after the resignation, to be carried out at the workplace, not from the home office. As a result, A's access to her work area from her home office was blocked from 1 August. This meant that she also lost access to her e-mail […] via PC, but she retained access to her e-mail via her mobile phone until August. All e-mails sent to A's e-mail box [...] were, however, from 1 August automatically forwarded to post@x.no, where the general manager of the business had access.

The employer and employee disagree about whether the employee was informed of this and had consented to the forwarding. The employer has not been able to document that such information has been provided and, based on the documentation provided, the tribunal therefore assumes that A was not informed of the forwarding, but only became aware of this on 24 August 2019 after a conversation with the company's data provider and a subsequent e-mail exchange with the general manager of the company. A objected to the scheme, cf. the Personal Protection Regulation Article 21, with a letter from her lawyer on 3 September 2019. The employer then entered an absence notice on A's e-mail account on 4 September and on 10 September her e-mail account was terminated.

After A, via her lawyer, wrote to the employer on 3 October 2019 and, among other things, raised the matter of unrestricted access to e-mails, the employer sent a notice of non-compliance to the Norwegian Data Protection Authority on the same day. The total number of e-mails that were forwarded is stated by the employer to be 10-15 and the tribunal takes this as its basis. Among these e-mails there were also some e-mails that were not work-related. Among other things, there were some e-mails related to salary in A's new job, as well as two e-mails that were sent to A in her role as FAU representative at her son's school.

The right to protest - Article 21 of the Personal Data Protection Regulation
As the tribunal considers the facts of the case, there is no breach of the Personal Protection Regulation Article 21. When A objected to the processing via her lawyer on 3 September 2019, a notice of absence was entered the following day and her e-mail account was then closed within a week. The tribunal understands this to mean that A's protest was decided upon - and complied with. There is then no additional requirement that the employer must document the balance of interests that has been made.

The tribunal returns to the meaning of this below.

Violation fee
Access to the employee's e-mail box is processing of personal data. The processing is covered by the rules in the Personal Data Act and the Personal Protection Ordinance, and is supplemented by regulations on employer access to e-mail boxes and other electronically stored material (e-mail regulations, FOR-2018-07-02-1108) issued pursuant to the Working Environment Act § 9-5.

In the case of processing personal data without a basis for processing, as well as in the event of a breach of the provisions of the Personal Protection Regulation Article 13 (the right to information), which this case applies to, the supervisory authority may, pursuant to Article 83 no. 5, cf. no. 2, impose on the controller a breach fee of up to 20,000,000 euros or, if it concerns an enterprise, of up to 4% of the total global annual turnover in the preceding financial year, where the highest amount is used. It follows from Article 83 no. 1 that the supervisory authority must, in its assessment, ensure that the imposition of an infringement fee is effective, is in a reasonable relationship to the infringement and acts as a deterrent.

Both when assessing whether a fee should be imposed and when calculating the fee, account must be taken in each individual case of the points in the Personal Protection Regulation article 83 no. 2 letters a to k.

According to letter a, emphasis must be placed, among other things, on the nature, severity and duration of the infringement. In this case, the infringement consisted of illegal access by automatic forwarding of e-mails over a period of six weeks. In the first four weeks, the employee also had access to the e-mail, without being aware that it was forwarded at the same time.

It concerns relatively few e-mails in total (estimated at 10-15) and only a small number that were not work-related. None of the e-mails dealt with information of special categories, cf. article 9. The absence of such information or the number of e-mails is nevertheless not decisive, as the employer cannot know anything about this in advance.

The employee was not notified of the forwarding and was not given the opportunity to comment. Although it has been explained that the employer discovered major deficiencies in the work that had been carried out by the employee before she resigned from her position, there has been no explanation of circumstances that could justify the employer's need for immediate access.

There is no doubt that the employer in this case has acted deliberately. The employer is obliged to familiarize itself with the rules that apply in the area, and any ignorance of the rules is excusable only if the employer has been diligent, cf. the principle in the Criminal Code § 26. In this case, there is no excusable mistake of law.

The tribunal then agrees with the Norwegian Data Protection Authority that an infringement fee should be imposed for the infringement and agrees with the Norwegian Data Protection Authority when the fee is set at NOK 100,000. The tribunal assumes that the company's finances are then sufficiently taken into account. The fee of NOK 100,000 constitutes 2.0% of the company's turnover in 2019, 2.1% of the company's turnover in 2020 and 1.8% of the company's turnover in 2021, all of which are well within the outer framework for the fee stated in article 83 no. 5. The tribunal believes that a fee of NOK 100,000 in this case is in a reasonable proportion to the infringement and acts as a sufficient deterrent in view of the company's finances in recent years.

X AS is not successful in its appeal on the amount of the infringement fee.

Routines for access to e-mail boxes
On 14 January 2021, X AS first submitted to the Norwegian Data Protection Authority the company's "routines/guidelines for privacy in the company" dated 10 October 2019. After receiving notification from the Norwegian Data Protection Authority about decisions and orders to improve routines, X AS presented on 13 September 2021 a "checklist employee ends" and a consent form "view/forwarding of e-mail in case of absence and termination of employment". The tribunal agrees with the Norwegian Data Protection Authority's assessment that the submitted routines are still deficient and not in line with the law. The tribunal refers in particular to the submitted consent form, as well as § 5 of the e-mail regulations, where it appears that it is not permitted to set instructions or enter into an agreement that deviates from the provisions of the regulations to the disadvantage of the employee. The consent form also refers to repealed provisions.

The tribunal therefore agrees with the Norwegian Data Protection Authority that there is still reason to maintain the order to improve internal control and routines for access to employees' and former employees' e-mail boxes and other electronically stored material, cf. Article 24 of the Personal Data Protection Regulation.

After this, X AS is also not successful in its appeal on this point.

Conclusion
The Norwegian Data Protection Authority's decision to impose an infringement fee of NOK 100,000 on X AS is upheld.

The Norwegian Data Protection Authority's order to improve internal control and routines for access to employees' and former employees' e-mail boxes and other electronically stored material is maintained.

The decision is unanimous.