Norway: Datatilsynet issues a reprimand after enterprise accesses e-mail account
The European Data Protection Board ('EDPB') published, on 23 September 2021, an English summary of the Norwegian data protection authority's ('Datatilsynet') decision, issued on 9 August 2021, referring to Articles 14 and 15 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). In particular, the decision highlights that the enterprise had a legal basis for accessing the account, but that the enterprise had failed to satisfactorily inform the complainant about the enterprise accessing the account. In addition, the decision found that the enterprise waited too long to give the complainant access to the complainant's personal data after the complainant had requested it. As a result, Datatilsynet issued a formal reprimand, and ordered the enterprise to establish written procedures for accessing e-mail accounts.
You can read the summary of the decision here.