Date of final decision: 09.08.2021
Cross-border case or national case: National case
Legal Reference: Information (Article 14 GDPR), Right of access by the data subject (Article 15 GDPR)
Decision: Infringement of the GDPR, reprimand, and order to comply
Summary of the Decision
Origin of the case
The background for this case is a complaint from a former board director, who discovered that the company accessed a personal e-mail account associated with the enterprise.
The name of the enterprise has been withheld from public access to protect the identity of the complainant.
Having investigated the complaint, the Data Protection Authority concluded that the enterprise had a legal basis for accessing the account, but that the enterprise had failed to satisfactorily inform the complainant about the enterprise accessing the account. The Data Protection Authority also found that the enterprise waited too long to give the complainant access to the complainant’s personal data after the complainant had requested it.
On this basis, the Data Protection Authority has issued a formal reprimand, and ordered the enterprise to establish written procedures for accessing e-mail accounts.
The Norwegian Data Protection Authority has reprimanded an enterprise for breach of the General Data Protection Regulation’s (GDPR) requirements concerning information about and access to one’s own personal data and ordered the enterprise to establish written procedures for accessing email accounts.
In doing so, the SA exercised its corrective powers under Article 58(2)(b)(d) GDPR.
For further information: https://www.datatilsynet.no/en/news/2021/reprimanded-after-accessing-e-mail-account/
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.