Redacted – €8,700 Fine (Norway, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A Norwegian company was fined 8,700 euros for improperly accessing and forwarding an ex-employee's emails without consent. The company failed to provide necessary information and ignored the employee's objections. This case emphasizes the importance of respecting employees' privacy rights, even after they leave the company.
What happened
A company forwarded an ex-employee's emails to a manager without consent, violating GDPR rules.
Who was affected
The former employee whose emails were accessed and forwarded without permission.
What the authority found
The Norwegian Data Protection Authority found that the company lacked a valid legal basis for accessing and forwarding the emails, and failed to inform the employee properly.
Why this matters
This ruling highlights the need for businesses to ensure they have a legal basis for accessing employee communications and to respect privacy rights. It serves as a reminder to review internal policies on handling employee data.
GDPR Articles Cited
An employee (the data subject) had quit their job and was supposed to assist the employer (the controller) during the notice period. However, due to disagreements, the controller blocked the data subject's access to email and business systems and enabled automatic forwarding of emails to the general manager of the company. The data subject objected to this processing, but the controller upheld it for several weeks and only stopped it when the general manager realized it could be problematic.
The Norwegian DPA (Datatilsynet) launched an investigation after receiving both a notification from the controller and a complaint from the data subject. The controller explained to the DPA that they had enabled automatic forwarding of the emails because the data subject had refused to enable an out-of-office reply. They further argued that this was necessary to uphold customer relations and daily operations, and because they had discovered that the data subject had violated work duties a few months earlier. The controller also claimed that the data subject had consented to the processing; however, this was denied by the data subject, and the controller was unable to document their assertion.
The DPA held that the controller lacked a legal basis as per Article 6(1)(f) GDPR for accessing and monitoring the data subject's email inbox, that they had failed to provide required information to the data subject as per Article 13 GDPR, and that they had failed to assess the data subject's objection as per Article 21 GDPR. For this, the DPA fined the controller €9,775 and required them to improve internal controls for employee emails as per Article 24 GDPR.
First, the DPA assessed if the controller had a legal basis as per a national (Norwegian) regulation concerning employers' access to employees' inboxes and other electronically stored material (https://lovdata.no/dokument/SF/forskrift/2018-07-02-1108), which allows such processing if one of two possible conditions is fulfilled. Fi
Details
Fine Date
15 March 2022
Authority
Datatilsynet (Norway)
Fine Amount
€8,700
100,000 NOK
GDPRhub ID
gdprhub-4949
Cite as: Cookie Fines. Redacted - Norway (2022). Retrieved from cookiefines.eu