Norwegian DPA: Fine for accessing former employee’s e-mail inbox and failing to close e-mail inbox

1 July 2021 Norway

The background for this case is a complaint from a former employee who discovered that their former employer had accessed their e-mail account.

The manager of the enterprise had changed the password and logged on to the complainant’s e-mail account every day for a period of six weeks after the employment had ended. The manager also had access to the e-mail account for a period of more than five months. The e-mail account was allegedly kept open to meet the enterprise’s need to follow up on customers, and to handle enquiries after the complainant had left.

Lacks legal basis
After looking into the matter, the Norwegian Data Protection Authority found that the enterprise lacks a legal basis for accessing e-mail in this manner. The access to the complainant’s e-mail account also bordered on monitoring the employee’s usage of electronic equipment. The enterprise had gained access to the complainant’s e-mail address in violation of regulations on employee access to e-mail accounts and other electronic material, as well as of the legal basis requirement established by the General Data Protection Regulation (GDPR).

Furthermore, the enterprise had failed to fulfil its duty to provide information (Article 13 of the GDPR), its duty to delete the contents of the complainant’s e-mail account (Article 17) and its duty to consider the complainant’s objections (Article 21).

Ordered to establish internal control measures and implement procedures
Also, the organization had not established procedures for access to e-mails. The Data Protection Authority points out that establishing procedures would create awareness and promote compliance with regulations.

On this basis, the Data Protection Authority has ordered the enterprise to establish internal control measures and procedures for access to the e-mail accounts of employees and former employees, and fined the enterprise EUR 15,000 (NOK 150,000).

For further information, please contact the Norwegian DPA: international@datatilsynet.no

The original press release is available in Norwegian here

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.