Unknown

Description

The Norwegian DPA (Datatilsynet) has imposed a fine of EUR 14,800 on a company. The background to the case is a complaint by a former employee who learned that the company's managing director logged into the complainant's email inbox on a daily basis for a period of six weeks after the former employee's employment was terminated. In total, the managing director had access to the account for a period of five months. The process had been justified by business requirements (e.g., processing customer inquiries). However, the DPA found that the controller lacked a legal basis for such access to the data subject's e-mail account. In addition, the DPA concluded that the controller had breached its information obligations under Art. 13 GDPR, its obligation to delete the contents of the data subject's e-mail account under Art. 17 GDPR and its obligation to consider the complainant's objection under Art. 21 GDPR.