Datatilsynet (NO) – Court Ruling (Norway, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A Norwegian employer accessed an employee's email without proper justification, suspecting fraud that was never committed. The case shows the importance of respecting employees' privacy rights. Although the employer was reprimanded, no fine was imposed, indicating a focus on compliance rather than punishment.
What happened
The employer accessed an employee's email based on unfounded suspicions of internal fraud.
Who was affected
The employee whose email was accessed without proper justification.
What the authority found
The DPA found that the employer violated several GDPR articles by improperly accessing the employee's data.
Why this matters
This ruling emphasizes the need for employers to have valid reasons before accessing employee data. It serves as a reminder for companies to establish clear policies around data access and privacy.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
An employer (the controller) accessed the email address of an employee (the data subject) over suspicions of internal fraud. It was later discovered that the data subject committed no fraud. The data subject filed a complaint with the DPA. She claimed that her right to data protection was violated and request the DPA to impose a fine. The DPA held that the controller violated Articles 5, 6, 13 and 14 GDPR. On these grounds, the DPA issued a reprimand against the controller and an order to bring internal processes into compliance. The DPA did not impose a fine. The data subject filed an internal appeal before the Personvernnemnda (the Privacy Appeals Board of the DPA). In her appeal, she challenged the DPA’s decision not to fine the controller. The Board held that the data subject had no standing for appealing the decision and dismissed the appeal on procedural grounds. In this regard, The Board considered that the DPA’s decision put an end to the controller’s violation. On this basis, the Board held that the DPA’s decision not to inflict a fine, did not produce tangible and factual effects for the data subject. This, in turn, led to the conclusion that she was not a party to the decision and could not bring an appeal. The data subject further challenged the Board’s decision before the Sivilombudet (the Norwegian Parliamentary Ombud). She claimed that the Board was wrong in finding that she had no right to challenge the merits of the DPA’s decision. The Sivilombudet held that the data subject could challenge the DPA’s decision, and that she had the right to challenge both its procedure and its merits. In particular, she had the right to a review of the correctness and proportionality of the corrective measures inflicted by the DPA. On these grounds, the Sivilombudet ordered the Board to re-examine the data subject’s appeal, ensuring a full review of the DPA’s decision. = The Sivilombudet observed that the domestic rules on internal appeals against the DPA were not
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Datatilsynet (NO) in NO
This is the only recorded case for this entity in this jurisdiction.
Details
Ruling Date
21 May 2025
Authority
DPA Personvernnemnda
About this data
Cite as: Cookie Fines. Datatilsynet (NO) - Norway (2025). Retrieved from cookiefines.eu
Last updated: