Fined for accessing former employee’s e-mail inbox and failing to close e-mail inbox

The manager of the enterprise had changed the password and logged on to the complainant’s e-mail account every day for a period of six weeks after the employment had ended. The manager also had access to the e-mail account for a period of more than five months. The e-mail account was allegedly kept open to meet the enterprise’s need to follow up on customers, and to handle enquiries after the complainant had left.

Lacks legal basis

After looking into the matter, the Norwegian Data Protection Authority found that the enterprise lacks a legal basis for accessing e-mail in this manner. The access to the complainant’s e-mail account also bordered on monitoring the employee’s usage of electronic equipment. The enterprise had gained access to the complainant’s e-mail address in violation of regulations on employee access to e-mail accounts and other electronic material, as well as of the legal basis requirement established by the General Data Protection Regulation (GDPR).

Furthermore, the enterprise had failed to fulfil its duty to provide information (Article 13 of the GDPR), its duty to delete the contents of the complainant’s e-mail account (Article 17) and its duty to consider the complainant’s objections (Article 21).

Ordered to establish internal control measures and implement procedures

Also, the organization had not established procedures for access to e-mails. The Data Protection Authority points out that establishing procedures would create awareness and promote compliance with regulations.

On this basis, the Data Protection Authority has ordered the enterprise to establish internal control measures and procedures for access to the e-mail accounts of employees and former employees, and fined the enterprise EUR 15,000 (NOK 150,000).