Unknown
GDPR enforcement action by Norwegian Supervisory Authority (Datatilsynet) on 2021-06-22.
Case details
- Authority: Norwegian Supervisory Authority (Datatilsynet)
- Date: 2021-06-22
- Controller / Processor: Unknown
- Sector: Employment
- Quoted Articles: Art. 5 GDPR, Art. 6 GDPR, Art. 13 GDPR, Art. 17 GDPR, Art. 21 GDPR
- Type of violation: Insufficient legal basis for data processing
Summary
The Norwegian DPA (Datatilsynet) has imposed a fine of EUR 14,800 on a company. The background to the case is a complaint by a former employee who learned that the company's managing director logged into the complainant's e-mail inbox on a daily basis for a period of six weeks after the former employee's employment was terminated. In total, the managing director had access to the account for a period of five months. The access had been justified by business requirements (e.g., processing customer inquiries). However, the DPA found that the controller lacked a legal basis for such access to the data subject's e-mail account. In addition, the DPA concluded that the controller had breached its information obligations under Art. 13 GDPR, its obligation to delete the contents of the data subject's e-mail account under Art. 17 GDPR, and its obligation to consider the complainant's objection under Art. 21 GDPR.