Norway: Datatilsynet imposes NOK 100,000 fine on an unnamed company for automatic forwarding of employee emails
The Norwegian data protection authority ('Datatilsynet') published, on 24 May 2022, its decision in 20/02368-8, as issued on 15 March 2022, in which it issued a fine of NOK 100,000 (approx.€9,751) to an unnamed company, for the violations of Articles 6(1)(f), 13, 22, and 24 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following a complaint.
Background to the case
In particular, the Datatilsynet noted that it became involved in the case after receiving both a deviation report from the employer and a complaint from an employee in the company. Furthermore, the Datatilsynet outlined that the complainant left the employer, but was suppsoed to assist the employer with certain work tasks after the notice period. However, the Datatilsynet noted that due to disagreements, the employee's access to email and computer systems was closed and all emails sent to the employee's email box were automatically forwarded to an email address managed by the general manager, and the forwarding of emails took place for approximately six weeks. Moreover, the Datatilsynet stated that the purpose of said forwarding was to take care of customer relationships, and during the period the general manager handled both work-related and private emails that were sent to the employee's email box.
Findings of the Datatilsynet
In particular, the Datatilsynet found that the employer did not have a legal basis for the automatic forwarding of the employee's emails under the GDPR, and noted that this is also in conflict with the applicable rules on the employer's access to email boxes and other electronic material. In addition, the Datatilsynet stated that the unnamed company has also acted in violation of the rules on transparency to the data subject and the duty to assess the employee's complaint, in addition to having inadequate routines for access to email and other electronic material.
In light of the above, the Datatilsynet imposed a fine of NOK 100,000 (approx.€9,751) on the unnamed company and required the unnamed company to improve its own practices. Further, the Datatilsynet noted that the unnamed company has three weeks' time to appeal from the time they receive the decision.