The Norwegian Data Protection Authority has fined a company EUR 40,000 for unlawfully setting up automatic forwarding of an employee’s e‑mails (cf. Media release). The employee had complained about this to the supervisory authority.
The forwarding was set up in connection with an absence of the employee due to illness and was active for more than one month. The data protection authority came to the conclusion that the forwarding violated provisions of Norwegian law on the employer’s access to e‑mail inboxes and the GDPR, the latter with regard to the legal basis and information of the data subject, among other things. However, as far as can be seen, no fundamental inadmissibility of the e‑mail forwarding was established.
Carlo Piltz has written a short comment on this decision (LinkedIn, in English).