CyberBook AS – €17,400 Fine (Norway, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Norway's data protection authority fined CyberBook AS for monitoring a former employee's email without a valid reason. The company failed to stop this surveillance even after the employee complained. This case highlights the importance of respecting employee privacy rights.
What happened
CyberBook AS was fined for unlawfully monitoring a former employee's email account.
Who was affected
The affected party was a former employee whose email was monitored by CyberBook AS.
What the authority found
The Norwegian DPA found that CyberBook AS lacked a legal basis for monitoring the email and failed to provide necessary information and respect the former employee's rights.
Why this matters
This case underscores the need for companies to have clear policies and legal grounds when accessing employee emails, especially after employment ends. It serves as a warning to businesses to respect privacy rights and establish proper data handling procedures.
GDPR Articles Cited
National Law Articles
A company enabled automatic forwarding of a former employee's emails to "uphold regular business operations", and argued that it was the complainant's fault that this was deemed necessary. Despite several objections from the complainant, the company continued to monitor the email account over several months. The unlawful monitoring did not stop until the complainant contacted the DPA.
Did the company have a legal basis for monitoring the former employee's email account?
The DPA held that the company did not have a legal basis for monitoring the former employee's email account, as per Article 6(1)(f) GDPR. The DPA further held that the company failed to:
* provide the data subjects with required information, as per Article 13
* terminate the former employee's email account, as per Article 6(1)(f)
* erase the content of the former employee's email account, as per Article 17(1)(e)
* assess the former employee's objections, as per Article 21
For this, the company was fined NOK 200 000 (€19,600) and ordered to establish written internal controls and routines for access to current and former employees' email accounts and other electronic content, in line with Article 24.
Related Enforcement Actions (0)
No other enforcement actions found for CyberBook AS in NO
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
18 January 2021
Authority
Datatilsynet (Norway)
Fine Amount
€17,400
200,000 NOK
GDPRhub ID
gdprhub-3146
Cite as: Cookie Fines. CyberBook AS - Norway (2021). Retrieved from cookiefines.eu