The name of the business has been withheld from the public to protect the identities of its employees.
The Data Protection Authority became involved in this case after receiving both a non-compliance notification from an employer and a complaint from an employee of the business. The background for the case is that the complainant had left the employer and was supposed to assist the employer with certain tasks after their period of notice had ended. Due to a disagreement, the employee’s access to e-mail and computer systems was terminated. All e-mails sent to the employee’s e-mail address were automatically forwarded to an e-mail address managed by the managing director, a situation that lasted for approximately six weeks.
The e-mails were forwarded for the purpose of managing customer relationships. However, during the period concerned, the managing director handled both job-related and personal e-mails sent to the employee’s e-mail address.
We have concluded that, pursuant to the General Data Protection Regulation, the employer had no legal basis for the automatic forwarding of e-mails, and that the forwarding was in violation of regulations concerning the right of employers to access e-mail inboxes and other electronic material. The business also acted in violation of the rules concerning notification of the data subject and the obligation to consider the employee’s objections, in addition to having a lack of appropriate procedures for access to e-mails and other electronic material.
On this basis, we have ordered the business to review its written procedures for access to e-mails and issued a fine in the amount of NOK 100,000 for the unlawful forwarding.