Court case PVN-2022-14 – Court Ruling (Norway, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A Norwegian company was found to have illegally forwarded a former employee's emails without a valid reason, leading to a fine. This case is significant because it stresses the importance of respecting employee privacy and having proper procedures for handling emails.
What happened
The company automatically forwarded a former employee's emails without a valid legal basis.
Who was affected
A former employee whose emails were accessed and forwarded by the company.
What the authority found
The Norwegian DPA ruled that the company violated GDPR by forwarding emails without a legal basis and failing to inform the former employee, which was deemed a serious breach.
Why this matters
This ruling highlights the importance of respecting employee privacy and ensuring lawful handling of emails. Companies should review their internal policies to prevent unauthorized access to employee communications, as violations can lead to significant fines and reputational damage.
GDPR Articles Cited
A company (the controller) inspected the e-mail inbox and automatically forwarded an e-mail of its former employee (the data subject) after she had objected to processing of her personal data under Article 21 GDPR. The data subject filed a complaint with the Norwegian DPA, claiming that there was no legal basis for accessing and processing her e-mails in such a form. The DPA initiated proceedings and asked the controller for explanation. After not receiving any information past the deadline, it rendered a decision. The DPA held that automatic forwarding of the contents of the data subject's e-mail box could not be based on Article 6(1)(f) GDPR nor any other valid legal basis. The controller did not comply with its duty to carry out a balancing of interests after the data subject had objected to the processing, under Article 21 GDPR. Finally, the DPA held that the controller did not comply with its duty to inform the data subject of the forwarding of her e-mails, violating Article 13 GDPR. The DPA concluded that the infringements were intentional and serious. Hence, the DPA imposed a NOK 100,000 fine on the controller. It also ordered the controller improve internal control and routines for access to employees' and former employees' e-mail boxes. The controller appealed this decision to the Norwegian Privacy Appeals Board (Privacy Board). First, the Privacy Board considered whether the DPA had been correct in imposing a fine on the controller. It recalled that Article 83(1) GDPR obliges DPAs to ensure that the imposed fines are effective, proportionate and dissuasive. In this regard, the Privacy Board held that illegal forwarding of e-mails is a violation of the basic principles of lawfulness and transparency (Article 5(1)(a) GDPR). When basic rules for the protection of employees' privacy are disregarded as in this case, the violations must be regarded as serious. Therefore, the DPA was correct to impose a fine on the controller. Second, the Privacy Board conside
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case PVN-2022-14 in NO
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case PVN-2022-14 - Norway (2022). Retrieved from cookiefines.eu
Last updated: