The background for this case is a complaint from a former board director, who discovered that the company accessed a personal e-mail account associated with the enterprise.
The name of the enterprise has been withheld from public access to protect the identity of the complainant.
Insufficient access and information
Having investigated the complaint, the Data Protection Authority concluded that the enterprise had a legal basis for accessing the account, but that the enterprise had failed to satisfactorily inform the complainant about the enterprise accessing the account. The Data Protection Authority also found that the enterprise waited too long to give the complainant access to their own personal data after the complainant had requested it.
On this basis, the Data Protection Authority has issued a formal reprimand, as well as to order for the enterprise to establish written procedures for accessing e-mail accounts.
A reprimand is a decision issued by the Data Protection Authority, stating that processing of personal data has taken place in breach of the GDPR, and the reprimand is an administrative corrective response whose purpose is to criticize the offence that has taken place.