Persónuvernd - 2020010702

From GDPRhub
Revision as of 10:01, 6 May 2021 by Msm (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Persónuvernd - 2020010702
LogoIS.png
Authority: Persónuvernd (Iceland)
Jurisdiction: Iceland
Relevant Law: Article 5 GDPR
Act no. 90/2018 on personal data protection and the processing of personal data
Rules no. 837/2006 on electronic monitoring and the processing of personal information that is created during electronic monitoring
Type: Complaint
Outcome: Upheld
Started:
Decided: 27.11.2020
Published: 15.12.2020
Fine: None
Parties: Skeljung hf.
National Case Number/Name: 2020010702
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Icelandic
Original Source: Persónuvernd (in IS)
Initial Contributor: n/a

Icelandic DPA held that the treatment of an e-mail box by a company at the time of complainant's termination of employment did not comply with the provisions of the Icelandic Act on Data Protection and the Processing of Personal Data.

English Summary

Facts

A data subject complained to the DPA about the treatment of his e-mail account upon termination of employment with Skeljung hf. According to the complainant, his e-mail box was closed immediately after he accepted a new job offer. About a week later, he had received information that someone was replying to e-mails that had been sent to his e-mail address at Skeljungur.

Skeljungur hf. argued that the complainant was informed orally that he had the opportunity to review his personal e-mail during the notice period, as well as to delete or make a copy of a personal e-mail before leaving the company. An oral agreement had been made with the complainant that the company could forward e-mails from his mailbox to an employee in the sales department until it was ensured that all e-mails from his customers had reached the company smoothly. The complainant denied being informed orally about his rights and agreeing to such conditions.

Holding

The DPA pointed out that Article 9 (4) of Rules no. 837/2006 lays down the procedure to be followed by the employer in case of the termination of employment. The employee shall be given the opportunity to delete or make a copy of the e-mail that is not related to the employer's activities. He shall also be instructed to activate an automatic reply from his mailbox that he has resigned. No later than two weeks later, the mailbox should be closed. It is also stated that the employer is not permitted to forward to another employee the mail that arrives in the former employee's mailbox after leaving unless otherwise agreed. As it turned out during the investigation, none of these provisions were fulfilled.

In the opinion of the DPA, the company has not demonstrated that the aim of securing its business interests could not have been achieved by other and less severe measures, such as an automatic response that the complainant had resigned and a reference to another e-mail address.

The DPA concluded that the treatment of Skeljungs hf. of the e-mail box at the time of the complainant's termination of employment did not comply with Act no. 90/2018, on personal protection and processing of personal information, and rules no. 837/2006, on electronic monitoring and processing of personal information generated by electronic monitoring.


Comment


Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details. 

Ruling

On November 27, 2020, the Data Protection Authority issued a ruling in case no. 2020010702:

I.

Procedure

1.

Outline of case

On December 3, 2019, the Data Protection Authority received a complaint from [A] (hereinafter referred to as the complainant) regarding the handling of his e-mail account upon termination of employment with Skeljung hf.

By letter dated March 17, 2020, Skeljung hf. offered to provide explanations for the complaint. The answer was by e-mail on April 21, 2020. By e-mail on April 27, 2020. The Data Protection Authority requested further information from Skeljung hf. The reply was sent by e-mail on 15 May 2020. By letter dated On 26 May this year, the complainant was given an opportunity to comment on the views of Skeljungs hf. The complainant's comments were received by e-mail on 15 June 2020. By e-mail on 16 June 2020. The Data Protection Authority requested further information from the complainant and received his reply by e-mail the same day.

In resolving the case, all of the above documents have been taken into account, although not all of them are specifically described in the following ruling.

2.

The complainant's views

The complaint states that the complainant had been dismissed from Skeljungur hf. in [...] but has been forced to work out a notice period of three months or until [...]. When the complainant had accepted a job offer in [...], he immediately sent information to that effect to the human resources manager of Skeljungs hf. along with information that he would start work in a new place [...]. [Later that month] the sales manager contacted the complainant and demanded that he leave the workplace immediately, leave a mobile phone and laptop in his possession and that he should not show up again. All his access to the mailbox and other systems of Skeljungs hf. has been closed. The complainant was thus unable to set an automatic response due to his retirement.About a week later, he had received information that he was replying to e-mails that had been sent to his e-mail address at Skeljungur, and therefore no automatic response had been received. Following this, the complainant himself investigated the case and sent an e-mail to his e-mail address at Skeljung hf. and received an answer from an employee of Skeljungs hf. The complainant states that he has repeatedly contacted Skeljung hf. due to the fact that he received the answers from the employee who replied to his e-mail that he could only forward e-mails containing orders from customers. It was the human resources manager and the director of information technology who had access to the complainant's e-mail.and received an answer from an employee of Skeljungs hf. The complainant states that he has repeatedly contacted Skeljung hf. due to the fact that he received the answers from the employee who replied to his e-mail that he could only forward e-mails that contained orders from customers. It was the human resources manager and the director of information technology who had access to the complainant's e-mail.and received an answer from an employee of Skeljungs hf. The complainant states that he has repeatedly contacted Skeljung hf. due to the fact that he received the answers from the employee who replied to his e-mail that he could only forward e-mails that contained orders from customers. It was the human resources manager and the director of information technology who had access to the complainant's e-mail.

The complainant rejects the cause of action of Skeljungs hf. that a verbal agreement had been made with him that his e-mail could be forwarded to one employee of the sales department until it had been ensured that all e-mails had been received by the company's customers. Furthermore, the complainant rejects what is stated in the answers of Skeljungs hf. that he himself had requested that a personal e-mail be forwarded to his personal e-mail address. Finally, the complainant denies that he was informed of his right to inspect his mailbox, that he was not given the opportunity to delete or make a copy of the e-mail that was not related to the operations of Skeljungs hf.

3.

The views of Skeljungs hf.

On behalf of Skeljungs hf. is based on the fact that the complainant has been dismissed from the company [...]. On the same day, the complainant was informed orally that he had the opportunity to review his personal e-mail during the notice period. When Skeljungur hf. had become aware that the complainant had accepted a job with [another company], he had been forced to resign on the same day [...] as he had a great deal of confidential information. On the same day, the complainant was informed orally that he had the opportunity to delete or make a copy of a personal e-mail before he had to return the assets of Skeljungs hf. at the end of the day, which he did. The complainant also took a copy of a work-related e-mail without permission, which was a breach of his confidentiality obligations. […]. His work has […] mainvolves obtaining and maintaining business relationships and handling confidential information for the company. Great business interests were at stake for Skeljung hf. as the complainant alone took care of all the company's orders in [certain] parts of the country and most of his customers only sent orders in the spring and summer. Therefore, an oral agreement had been made with the complainant that the company could forward e-mails from his mailbox to an employee in the sales department until it was ensured that all e-mails from his customers had reached the company smoothly. The complainant himself had requested that a personal e-mail be forwarded to his personal e-mail address, but employees are advised not to receive a personal e-mail to their work e-mail address.Great business interests were at stake for Skeljung hf. as the complainant alone handled all the company's orders in [a specific] part of the country and most of his customers only sent orders in the spring and summer. Therefore, a verbal agreement had been made with the complainant that the company could forward e-mails from his mailbox to an employee in the sales department until it was ensured that all e-mails from his customers had reached the company smoothly. The complainant himself had requested that a personal e-mail be forwarded to his personal e-mail address, but employees are advised not to receive a personal e-mail to their work e-mail address.Great business interests were at stake for Skeljung hf. as the complainant alone handled all the company's orders in [a specific] part of the country and most of his customers only sent orders in the spring and summer. Therefore, an oral agreement had been made with the complainant that the company could forward e-mails from his mailbox to an employee in the sales department until it was ensured that all e-mails from his customers had reached the company smoothly. The complainant himself had requested that a personal e-mail be forwarded to his personal e-mail address, but employees are advised not to receive a personal e-mail to their work e-mail address.Therefore, a verbal agreement had been made with the complainant that the company could forward e-mails from his mailbox to an employee in the sales department until it was ensured that all e-mails from his customers had reached the company smoothly. The complainant himself had requested that a personal e-mail be forwarded to his personal e-mail address, but employees are advised not to receive a personal e-mail to their work e-mail address.Therefore, a verbal agreement had been made with the complainant that the company could forward e-mails from his mailbox to an employee in the sales department until it was ensured that all e-mails from his customers had reached the company smoothly. The complainant himself had requested that a personal e-mail be forwarded to his personal e-mail address, but employees are advised not to receive a personal e-mail to their work e-mail address.The complainant himself had requested that a personal e-mail be forwarded to his personal e-mail address, but employees are advised not to receive a personal e-mail to their work e-mail address.The complainant himself had requested that a personal e-mail be forwarded to his personal e-mail address, but employees are advised not to receive a personal e-mail to their work e-mail address.

It is based on the fact that Skeljungur hf. follow the rules of procedure for how the personal information of the company's employees is processed. Furthermore, the rules of procedure for the retirement of employees are followed, which, among other things, provide for the handling of e-mails in accordance with rules no. 837/2006 on electronic monitoring and processing of personal information generated by electronic monitoring. In the complainant's case, it had been necessary to deviate to some extent from Skeljung's traditional procedures for handling e-mail upon retirement, but this was considered necessary to ensure the company's commercial interests. In addition, all decisions have been made in consultation with the complainant.

In the answers of Skeljungs hf. states that the complainant's access to his e-mail account was blocked on [...]. In addition, all e-mails received were forwarded to one of the company's employees until [...] when the complainant's e-mail address was blocked and the automatic response was activated.

II.

Assumptions and conclusion

1.

Scope - Responsible party

Scope of Act no. 90/2018, on personal data protection and the processing of personal data, and Regulation (EU) 2016/679, cf. Paragraph 1 Article 4 of the Act, and thereby the authority of the Data Protection Authority, cf. Paragraph 1 Article 39 of the Act, covers the processing of personal data that is partly or wholly automatic and the processing by other methods than automatic of personal data that are or are to become part of a file.

Personal information includes information about a person who is personally identifiable or personally identifiable, and an individual is considered personally identifiable if it is possible to identify him / her, directly or indirectly, with reference to his or her identity or one or more factors that are characteristic of him or her, cf. 2. tölul. Article 3 of the Act and point 1. Article 4 of the Regulation.

Processing refers to an operation or series of operations where personal information is processed, whether the processing is automatic or not, cf. Number 4 Article 3 of the Act and point 2. Article 4 of the Regulation.

This case concerns the treatment of the complainant's e-mail account after his retirement from Skeljung hf. and forwarding emails from it. In this respect and in the light of the above provisions, this case concerns the processing of personal data which falls within the competence of the Data Protection Authority.

The person responsible for the processing of personal information complies with Act no. 90/2018 is named the responsible party. According to point 6. Article 3 of the Act refers to an individual, legal entity, government authority or other party who decides alone or in collaboration with other purposes and methods of processing personal information, cf. 7. tölul. Article 4 of the Regulation. As such, Skeljungur hf. be responsible for the processing in question.

2.

Legality of processing

Rules no. 837/2006, on electronic monitoring and the processing of personal information generated by electronic monitoring, was enacted in accordance with the authority in the older Personal Data Protection Act, no. 77/2000, and now apply for support in the 5th paragraph. Article 14 the current Act no. 90/2018. In Article 9 The rules contain special provisions on e-mail and Internet use.

In the 4th paragraph. Article 9 no. 837/2006 lays down the procedure to be followed by the employer when an employee resigns. The provision states, among other things, that upon termination of employment, the employee shall be given the opportunity to delete or make a copy of the e-mail that is not related to the employer's activities. He shall also be instructed to activate an automatic reply from his mailbox that he has resigned. No later than two weeks later, the mailbox should be closed. It is also stated that the employer is not permitted to forward to another employee the mail that arrives in the former employee's mailbox after retirement, unless otherwise agreed.

It is undisputed in this case that an e-mail received by the complainant's e-mail address at Skeljung hf. was forwarded to another employee of the company from the time the complainant resigned [...] until the mailbox was closed [just over five months later] and the automatic response was activated.

The guarantor relies on the fact that a verbal agreement was made with the complainant that the company could forward e-mails from his mailbox to one employee in the company's sales department until it was ensured that all e-mails from his customers had reached the company smoothly. Furthermore, the complainant himself had requested that a personal e-mail be forwarded to his personal e-mail address and therefore this was done. The above has been vehemently rejected by the complainant. On the part of the responsible party, it is based on compliance with the company's procedures for termination upon termination of employment. They stipulate, among other things, that the letter of resignation shall contain all information on retirement as well as information on the handling of e-mail upon retirement.The complainant's letter of resignation is available in this case but no such information can be found in it.

All processing of personal information must also meet all the basic requirements of the first paragraph. Article 8 Act no. 90/2018, Coll. Article 5 Regulation (EU) 2016/679. Among other things, it stipulates that personal information shall be processed in a lawful, fair and transparent manner towards the data subject (cf. point 1 of the first paragraph of Article 8 of the Act), it shall be obtained for clearly stated, lawful and objective purposes. and not further processed for other and incompatible purposes (point 2) and that they shall be sufficient, appropriate and not in excess of what is necessary in view of the purpose of the processing, cf. 3. tölul. of the provision. The liability of the responsible party is also provided for in the second paragraph. Article 8 of the Act, cf. Paragraph 2 Article 5 of the Regulation, which states that the responsible party is responsible for ensuring that the processing of personal data always complies with the provisions of the first paragraph. Article 8 of the Act, cf. Paragraph 1 Article 5of the Regulation, and shall be able to demonstrate this.

According to the above, word for word as to whether the guarantor and the complainant have entered into an agreement on the forwarding of e-mail from his e-mail box at Skeljung hf. With reference to para. Article 8 Act no. 90/2018, Coll. Paragraph 2 Article 5 of the Regulation, the responsible party will be deemed to have to bear the deficit for not being able to prove that the above agreement has been made.

It is also to be considered that according to the provisions of para. Article 9 rules no. 837/2006, the employee's mailbox shall be closed no later than two weeks after retirement. The guarantor has referred to the fact that due to the company's business interests it was necessary to keep the mailbox open longer. The aforementioned provision of rules no. 837/2006 does not specifically provide for exceptions to the rule that a mailbox shall be closed within two weeks of retirement. Furthermore, in the opinion of the Data Protection Authority, the responsible party has not demonstrated that the aim of securing the company's business interests could not have been achieved by other and less severe measures, such as an automatic response that the complainant had resigned and a reference to another e-mail address, such as was done when the mailbox was closed [...]. Was Skeljung hf.therefore, it is not permitted to keep the complainant's mailbox open after two weeks have elapsed since his retirement.

In view of all the above, the conclusion of the Data Protection Authority is that the treatment of Skeljungs hf. in e-mail box [A] at the time of his termination of employment with the company did not comply with Act no. 90/2018, on personal protection and processing of personal information, and rules no. 837/2006, on electronic monitoring and processing of personal information generated by electronic monitoring.

Ruling:

The treatment of Skeljungs hf. in e-mail box [A] at the time of his retirement from the company did not comply with Act no. 90/2018, on personal protection and processing of personal information, and rules no. 837/2006, on electronic monitoring and processing of personal information generated by electronic monitoring.

In Privacy, November 27, 2020
Retrieved from "https://gdprhub.eu/index.php?title=Persónuvernd_-_2020010702&oldid=15705"
Creative Commons Attribution-NonCommercial-ShareAlike
Powered by MediaWiki