Unknown – €24,800 Fine (Norway, 2021)

€24,800Datatilsynet (Norway)22 June 2021Norway
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

Norway's privacy authority fined a company EUR 24,800 for accessing a former employee's email without permission. The company failed to have a valid reason for this access and didn't inform the employee about it. This case shows the importance of respecting employee privacy even after they leave a company.

What happened

A company accessed a former employee's email account without a valid legal reason.

Who was affected

A former employee whose email account was accessed by the company's managing director.

What the authority found

The Norwegian DPA found the company lacked a valid legal basis for accessing the former employee's email, violating GDPR rules.

Why this matters

This ruling emphasizes the need for companies to respect privacy rights and have clear policies for accessing employee data. It serves as a warning to businesses to ensure they have legal grounds for accessing any personal data.

GDPR Articles Cited

Art. 5 GDPR
Art. 6 GDPR
Art. 13 GDPR
Art. 17 GDPR
Art. 21 GDPR
Norway enforcementDatatilsynet (Norway) actionsAll Unknown actions
Full Legal Summary
Detailed

The Norwegian DPA (Datatilsynet) has imposed a fine of EUR 14,800 on a company. The background to the case is a complaint by a former employee who learned that the company's managing director logged into the complainant's email inbox on a daily basis for a period of six weeks after the former employee's employment was terminated. In total, the managing director had access to the account for a period of five months. The process had been justified by business requirements (e.g., processing customer inquiries). However, the DPA found that the controller lacked a legal basis for such access to the data subject's e-mail account. In addition, the DPA concluded that the controller had breached its information obligations under Art. 13 GDPR, its obligation to delete the contents of the data subject's e-mail account under Art. 17 GDPR and its obligation to consider the complainant's objection under Art. 21 GDPR.

Related Enforcement Actions (1)

Other enforcement actions involving Unknown in NO

Fine
Jan 2021· Datatilsynet (Norway)

The Norwegian DPA (Datatilsynet) fined a company NOK 400,000 (EUR 38,600) for the illegal automatic forwarding of an employee's email inbox. The autom...

€39K
Current
Jun 2021

Fine

€25K

Details

Fine Date

22 June 2021

Authority

Datatilsynet (Norway)

Fine Amount

€24,800

Enforcement Tracker ID

ETid-735

Sources

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Unknown - Norway (2021). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: