Norway

Company

9,700 €

GDPR enforcement action by Norwegian Supervisory Authority (Datatilsynet) on 2022-03-15.

Rank · Sector

#97

of 213 in Employment

Rank · Norway

#47

of 53

Rank · All fines

#1,456

of 3,050

Case details

Authority: Norwegian Supervisory Authority (Datatilsynet)
Date: 2022-03-15
Controller / Processor: Company
Sector: Employment
Quoted Articles: Art. 6 (1) GDPR, Art. 13 GDPR, Art. 21 GDPR
Type of violation: Insufficient legal basis for data processing

Summary

The Norwegian DPA has imposed a fine of EUR 9,700 on a company. The DPA had received a complaint from a former employee of the company. Background of the complaint is the fact that after the employee's termination, both professional and private e-mails from the employee's mailbox were automatically forwarded to an e-mail address administrated by the managing director. During its investigation, the DPA found that the controller had automatically forwarded the e-mails without a valid legal basis. Also, the controller did not inform the former employee about the processing of the data by forwarding the e-mails, contrary to its obligation under Art. 13 GDPR. Finally, the DPA found that the controller did not properly comply with a request of objection to the processing submitted by the former employee.

Open original source Links to the regulator's original publication or another source.