Home

Some companies that have chosen us

Privacy Officer and Privacy Consultant
CDP Scheme according to ISO/IEC 17024:2012
European Privacy Auditor
ISDP©10003 Certification Scheme according to ISO/IEC 17065:2012
Auditor
According to standard UNI 11697:2017
Lead Auditor ISO/IEC 27001:2022
According to standard ISO/IEC 17024:2012
Data Protection Officer
According to standard ISO/IEC 17024:2012
Anti-Bribery Lead Auditor Expert
According to standard ISO/IEC 17024:2012
ICT Security Manager
According to standard UNI 11506:2017
IT Service Management (ITSM)
According to the ITIL Foundation
Ethical Hacker (CEH)
According to the EC-Council
Network Defender (CND)
According to the EC-Council
Computer Hacking Forensics Investigator (CHFI)
According to the EC-Council
Penetration Testing Professional (CPENT)
According to the EC-Council

Professional qualifications

Stay up-to-date with world news!

Select your topics of interest:

News

Home / News
/
NORWEGIAN SUPERVISORY AUTHORITY: sanction for the access to the email boxes of ex-employees and a failure of non-completion of the email box

NORWEGIAN SUPERVISORY AUTHORITY: sanction for the access to the email boxes of ex-employees and a failure of non-completion of the email box

The background to the case is a complaint from a former employee who experienced that the employer made access to the former employee’s e-mail box.

Fee for access to a former employee’s e-mail box and failure of non-completion the e-mail box

The general manager of the company changed his password and logged in to the complainant’s e-mail box every day for a period of six weeks after the end of his employment. The manager also had access to the email account for a period of over five months. The e-mail account must have been kept open to take care of the company’s business needs to follow up customers, and to handle inquiries after the complainant left.

Lack of legal basis

After investigating the case, the Data Inspectorate concludes that the company lacked a legal basis for such access to e-mail. The takeover of the complainant’s e-mail account also bordered on monitoring the employee’s use of electronic equipment. The company had had access to the complainant’s e-mail box in violation of the rules in the regulations on the employer’s access to the e-mail box and other electronic material, as well as the requirement for a legal basis under the Privacy Ordinance.

The company had also breached its duty to provide information (Article 13 of the Privacy Ordinance), breached its duty to delete the contents of the complainant’s e-mail box (Article 17) and failed to fulfill its duty to assess the complainant’s protest (Article 21).

It must establish internal control and routines

The company had also not prepared routines for access to e-mail. The Norwegian Data Protection Authority points out that the establishment of routines will have an awareness-raising effect and contribute to compliance with the regulations.

On the basis of this, the Data Inspectorate has decided that the company must establish internal control and routines for access to employees ‘and former employees’ e-mail boxes, together with an order to pay an infringement fee of 150.000 NOK.

The company has a three-week appeal period from the time they receive our decision.

SOURCE: AUTORITA’ PER LA PROTEZIONE DEI DATI DELLA NORVEGIA

Recommended to you

Advanced Research