Datatilsynet – Court Ruling (Norway, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Norwegian DPA ruled that an employer could inspect an employee's mailbox due to suspicions of embezzlement, but the employer failed to inform the employee about this inspection. This is significant because it emphasizes the need for transparency when handling personal data in the workplace. Employers must communicate clearly with employees about how their data is being used.
What happened
An employer accessed an employee's mailbox without properly informing them during an investigation into suspected embezzlement.
Who was affected
The employee whose mailbox was accessed and who faced dismissal was affected.
What the authority found
The DPA found that while the employer had a legitimate reason to inspect the mailbox, they did not provide sufficient transparency about the data processing.
Why this matters
This ruling highlights the balance between legitimate workplace investigations and the need for clear communication with employees about their data. Companies should ensure they inform employees about data processing activities.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
The controller, an employer, suspected that an employee had committed embezzlement and carried out an inspection of the employee’s mailbox. After discovering e-mail exchanges between the employee and another employee (the data subject), the controller also suspected that the data subject contributed to a possible embezzlement and accessed their mailbox as well. Access to the data subject’s mailbox was carried out by the controller with the assistance of a third party and a data processor. The inspection of the e-mails showed the data subject had breached their duty of loyalty in their employment by sharing insider information and other confidential information. The data subject was then dismissed. On 12 July 2020, the data subject lodged a complaint at the Norwegian DPA (“Datatilsynet”). The data subject argued that the controller had no legal basis for conducting an inspection and disclosing their personal data. The DPA found that the controller failed to comply with the accountability principle under Article 5(2) GDPR as the controller did not submit documentation of the legal basis for conducting the inspection of the data subject’s mailbox. The DPA held that the controller had a legitimate interest to inspect the data subject’s mailbox under Article 6(1) GDPR and Section 2 of the Norwegian E-mail Regulations (“[https://lovdata.no/dokument/LTI/forskrift/2018-07-02-1108 e-postforskriften]”). Under the E-mail Regulations, an employer has the right to access an employee’s mailbox in the event of "reasonable suspicion that the employee's use of a mailbox or other electronic equipment results in a serious breach of the obligations arising from the employment relationship or may provide grounds for termination or dismissal". However, the DPA found that the controller did not process the data subject’s personal data with sufficient transparency under Article 5(1)(a) GDPR and Article 14 GDPR, as the data subject was not informed about the processing. The DPA stated that
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (3)
Other cases involving Datatilsynet in NO
Court Ruling
Details
About this data
Cite as: Cookie Fines. Datatilsynet - Norway (2024). Retrieved from cookiefines.eu
Last updated: