Details:
| Summary | The Norwegian DPA (Datatilsynet) has imposed a fine of EUR 14,800 on a company. The background to the case is a complaint by a former employee who learned that the company’s managing director logged into the complainant’s email inbox on a daily basis for a period of six weeks after the former employee’s employment was terminated. In total, the managing director had access to the account for a period of five months. The process had been justified by business requirements (e.g., processing customer inquiries). However, the DPA found that the controller lacked a legal basis for such access to the data subject’s e-mail account. In addition, the DPA concluded that the controller had breached its information obligations under Art. 13 GDPR, its obligation to delete the contents of the data subject’s e-mail account under Art. 17 GDPR and its obligation to consider the complainant’s objection under Art. 21 GDPR. |
| Link: | link |
| Related articles: | Art. 5 GDPR, Art. 6 GDPR, Art. 13 GDPR, Art. 17 GDPR, Art. 21 GDPR |
| Type: | Insufficient legal basis for data processing |
| Fine: | EUR 24,800 |
| Sector | Employment |
All data is based on The CMS’s Law GDPR Enforcement Tracker Source: https://www.enforcementtracker.com/