Logo and page links

Main menu

Fined for unlawful storage and use of an employee’s IP addresses

The Norwegian Data Protection Authority has issued a fine in the amount of NOK 50,000.

The background for the case is a complaint filed by a former employee. The employee’s IP address was stored in an electronic communication system used by their employer, and the IP address was later used to investigate the employee for disloyal conduct.

The situation pre-dates 24 July 2018 and has been assessed in accordance with the previous regulations.

Breach of Personal Data Act

The employer had stored the IP addresses of employees in a communication system without this being required for any specific purpose. The data controller has a duty to specifically consider which types of personal data it is necessary to process for each individual purpose, and this scope must not be interpreted too broadly. The processing must not include unnecessary personal data, and storing the IP addresses was therefore unlawful.

After a while, the employer believed internal information had been leaked, and they suspected that a specific employee had engaged in disloyal conduct. As part of an effort to identify the person who had leaked the information, the employer processed the unlawfully stored IP addresses from the communication system. The Data Protection Authority found that this use of the stored IP addresses for the purpose of investigating the employee constituted a breach of Section 9-2 (2), cf. Section 7-11, of the Personal Data Regulations, in force at this time.

Fine

The Data Protection Authority has found that these offences constitute a clear breach of the employee’s privacy. Strong considerations of general deterrence also apply to situations where employers have breached personal data legislation to uncover unwanted conduct on the part of employees, with consequences for the employee’s employment. In particular, this is relevant because evidence collected by means of unlawful processing of personal data may still be admissible in legal disputes concerning the employment relationship.

On this basis, the Data Protection Authority has fined the employer NOK 50,000. The fine was calculated in accordance with the previous regulations, in force at the time.