Excempt from public disclosure – €21,750 Fine (Norway, 2020)

In 2019, a company enabled automatic forwarding of an employee's emails during a sick leave, because the employee had "failed to enable her out of office reply". The company admitted that they had breached §§2 and 3 of a national regulation concerning employers' access to employees' inboxes and other electronically stored material, that they had no legal basis as per Article 6(1)(f) GDPR and that they had failed to inform the employee as per Article 13 and the national regulation. They argued, however, that because the employee had failed to enable her out of office reply, they had legitimate grounds to enable automatic forwarding of her emails. Despite objections from the employee, the company continued to forward her emails, as long as she didn't herself enable the out of office reply. In the end, the company did this on her behalf, but only after having monitored her emails for five weeks. The DPA (Datatilsynet) held that the company had breached Article 6(1)(f) GDPR for lack of legal basis, Article 21 for lack of considering an objection, Article 13 for lack of information and Article 24 for lack of internal controls concerning the company's access to employees' inboxes (emails). The DPA also found that the company had breached the fundamental principles as per the GDPR, specifically Article 5(1)(a) and 5(2). For this, they were fined NOK 400 000 (€38,800) and required to update their internal routines and submit a written confirmation of the latter, including documentation, to the DPA within four weeks (unless they appeal the decision).