Zalaris ASA – Complaint Upheld (Norway, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Norway's Datatilsynet upheld a complaint against Zalaris ASA for not responding promptly to a former employee's data access request. The company took too long to reply, citing a spam filter issue, but eventually provided the requested information. This case highlights the importance of having clear processes for handling data requests.
What happened
Zalaris ASA delayed responding to a former employee's request for personal data access.
Who was affected
A former employee of Zalaris ASA's German subsidiary who requested access to their personal data.
What the authority found
The Norwegian DPA found that Zalaris ASA should have responded more promptly to the data access request, despite the email being marked as spam.
Why this matters
This case underscores the need for companies to ensure they have effective systems in place to handle data requests, as delays can lead to regulatory scrutiny. Businesses should regularly check their communication channels to avoid missing important requests.
GDPR Articles Cited
The data subject was a former employee of a German subsidiary of the controller, a company offering human resources and payroll administration services. The controller had its headquarters in Norway. The data subject filed an access request two times. The first request was sent on 14 July to the CEO of the controller, who did not respond initially. The data subject filed a complaint with the Norwegian DPA (DPA) on 26 August 2021. The DPA recommended the data subject to send the request to the e-mail address the controller provided for requests. The data subject sent this second request on 28 September 2021. However, the controller only replied to this second request on 22 December 2021 after a reminder by the DPA. The controller also stated that the second request had mistakenly been marked as spam and had therefore not been answered. The controller apologised for the late reply and provided a copy of its privacy policy and a copy of personal data. According to the data subject, the controller did not provide all the information. The DPA stated that the GDPR was applicable, since the controller had multiple establishments in the EU and the EEA (European Economic Area). It also processed personal data of its employees in the context of the activities of these establishment (Article 3(1) GDPR). The DPA also determined that the controller had its main establishment (Article 4(16) GDPR) in Norway and that its processing of the data subject’s personal data was cross-border processing (Article 4(23) GDPR). Therefore, the cooperation mechanism was applicable (Articles 56(1) GDPR and 60 GDPR), with the Norwegian DPA as lead supervisory authority (Article 56(1) GDPR). The DPA stated that it was legitimate for the controller to expect that data subjects exercise their GDPR rights by using a communication channel specifically meant for such purpose. The CEO of a company could not be expected to be responsible for handling such requests. Therefore, the controller did n
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for Zalaris ASA in NO
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Zalaris ASA - Norway (2022). Retrieved from cookiefines.eu
Last updated: