Logo and page links

Main menu

NTNU found to be in violation

The Norwegian Data Protection Authority has reached a final decision in a case where the Norwegian University of Science and Technology (NTNU) was accused of unlawfully accessing an employee's email account. In its decision, the Norwegian Data Protection Authority found that NTNU has violated the Email Regulations by accessing the complainant’s email account.

In December 2021, the Norwegian Data Protection Authority notified the university of its decision to fine the institution for violation of privacy. On the basis of NTNU’s response to the notice, we uphold our conclusion that the university had no legal basis for accessing the complainant's email account, but have decided not to impose a fine for violation. This decision rests on several mitigating circumstances, set out in the response we received from NTNU after we gave notice of the fine.

The case relates to several complaints by the employee about NTNU’s processing of his personal data, such as accessing his university email account.

Violation of the Email Regulations

After further investigation of the case, the Norwegian Data Protection Authority finds that NTNU did not meet the Email Regulations’ conditions for lawful access. Our conclusion is that the university did not meet the condition of having a legitimate suspicion that the employee had used his email account to commit acts resulting in a serious breach of duty or which could constitute grounds for termination of employment or summary dismissal at the time when the email account was accessed. In our assessment, furthermore, accessing the email account did not meet the requirement of being a suitable and necessary measure to achieve the purpose for which it was implemented.

With regard to the other complaints, we do not find that NTNU has violated the regulations.

The case is exempt from public disclosure pursuant to the Working Environment Act's rules governing confidentiality for the reporting of censurable conditions to the authorities (whistleblowing). The Norwegian Data Protection Authority can therefore provide only limited information relating to this case.