Arbeids(retts)lunsj

Arbeids(retts)lunsj episode 41: Can Your Boss Read Your Emails?

In this episode of Arbeids(retts)lunsj, Lill Egeland and Thomas Olsen dive into an important and complex topic: When and how can an employer access an employee’s email?

The discussion covers:

  • Relevant laws and regulations, including the Norwegian email access regulation, GDPR, and the Working Environment Act.
  • The conditions that must be met for an employer to legally open an employee’s email account.
  • Common scenarios where access may be justified, such as employee sick leave, business-critical information, or suspicion of disloyalty.

They also explore the necessary legal and procedural steps, including:

  • Pre-notification and documentation – ensuring a fair and lawful process.
  • How to conduct the email access process properly, balancing business needs with employee privacy.
  • Deleting emails after employment ends – an often-overlooked but crucial aspect.

This is an informative and practical episode for both employers and employees looking to understand the legal boundaries of email access in the workplace.

Disclaimer: This episode is machine translated from the transcript of the Norwegian episode of Arbeids(retts)lunsj. The voices are generated using AI tools.

[00:00:04] Lill: Hi and welcome to a new episode of Arbeidsrettslunsj. My name is Lill Egeland and I am a lawyer at the law firm Simonsen Vogt Wiig. Today, I am fortunate to have my colleague Thomas Olsen in the studio. Hi Thomas.

[00:00:19] Thomas: Yes, hello Lill.

[00:00:20] Lill: This will be fun, Thomas. You're an expert on privacy. Not only are you an expert, but you also have a PhD in privacy and you're a practicing lawyer, which is a rare and great combination.

[00:00:32] Thomas: Yes, thank you for that.

[00:00:34] Lill: And the topic we are going to discuss today is access to emails. This is an area where our two fields intersect, labor law versus privacy. The situation we are facing today is that we have an employer who thinks, "Darn it, I need to access the email inbox or the digital area of an employee," and feels like doing it, and if so, what to do, what should one consider, what are the conditions, how should one proceed?

[00:01:00] Lill: So this will be exciting. And let me say this, and I always say this: Those who listen to this need to get out and take a walk. That's kind of the concept of this podcast, that if you get out and walk, you'll absorb more. That's also why it's called Arbeidsrettslunsj, because it started with the idea that people could go out on a work lunch and learn things.

[00:01:23] Lill: So go out and walk, and listen to us now. Okay, Thomas. So here we are. The employer wants to access the email. What should be done? What should be considered? Let's start with the conditions, of what is actually required to be allowed to access.

[00:01:38] Thomas: Yes, what we need to see is that there are several sets of rules to consider.

[00:01:43] Thomas: But in Norway, we have some specific rules, a special regulation regarding the employer's access to email accounts and so on. So, particular attention has been given to email access, but these rules also apply to other equipment that the employer provides to the employee. For use in work, such as PCs, mobile phones, iPads, and so on.

[00:02:04] Thomas: So we have specific rules, and we should note that there are particular conditions in that regulation, which we call the regulation on email access. But it also involves handling personal data. Therefore, we must adhere to the general privacy regulations, and we have the General Data Protection Regulation (GDPR) that applies in Norway. Additionally, we have specific rules on control measures in the Working Environment Act. A third set of regulations also imposes conditions for implementing control measures in the workplace. So, we essentially have three sets of regulations to navigate here.

[00:02:42] Lill: Here, it's layer upon layer. It's not just about contacting the IT manager and saying I want to look at the email, in other words.

[00:02:50] Thomas: That's correct.

[00:02:51] Lill: So if we start with the conditions outlined in the regulations, what is required there?

[00:02:57] Thomas: Yes, the regulation states that the employer can conduct an inspection. Firstly, when it is necessary to maintain daily operations, but also for other legitimate interests. This typically applies if an employee is on vacation, sick, or for some reason cannot follow up on, for example, critical correspondence.

[00:03:17] Thomas: So that can be a condition for conducting an inspection.

[00:03:21] Lill: And I have a case right now where that is exactly the situation. There's an employer with urgent matters, an employee who is out sick and neither can nor should go into their own email to search. And that's a typical situation where the condition might be met.

[00:03:38] Lill: Most likely, I think. Let's see, it's not straightforward after all, but at least we've checked that it looks okay. So that's one option.

[00:03:46] Thomas: Yes, and the other option is when there is a justified suspicion that the employee's use of the email account constitutes a serious breach of the duties that follow from the employment relationship or that it may provide grounds for dismissal or termination. So, there are several key words we should note here.

[00:04:07] Thomas: First of all, there must be a well-founded suspicion, so there should be something concrete to link this to. And then there's a fairly high threshold for using this; it must be a serious breach of duties related to the employment, or it must provide grounds for dismissal or termination.

[00:04:25] Thomas: Here we find examples of using email or equipment provided by the employer to do something illegal, or something that is very disloyal to the employer and the company. So, these are the types of examples, or perhaps engaging in competing business, so there can be several types of cases here.

[00:04:44] Lill: Right? And as an employment lawyer, I often see that the question of accessing emails typically arises in situations where there is suspicion of competing business. Often towards the end of the notice period, when it becomes clear that the person is moving on to something else, and there is some suspicion that, for example, customer lists or other information have been creatively borrowed. That's when the desire to check emails often arises.

[00:05:12] Lill: Otherwise, there are also situations where one suspects that employees have committed criminal acts, embezzlement, and so on. These are also typical situations where I think the conditions are met. And then we've had cases on the other end of the spectrum where the employer wants to find out who has reported something, and then it's blink, blink, red, red, no, no, there is absolutely no basis for checking the employee's email, quite the opposite, I would say.

[00:05:41] Lill: But it's a situation where an employer might get a bit worked up and want to find the whistleblower, but in that case, you should not go in and check the person's email and also not focus too much on that.

[00:05:54] Thomas: Right, but in the first two cases you mentioned, if there is a concrete justified suspicion, then the condition will generally be met.

[00:06:03] Lill: Yes. Okay, so daily operations with legitimate interests or situations where the email might have been used for something that could justify termination or dismissal. And just to mention, regarding the use of the email account leading to suspicion of dismissal or termination, it should be enough if, for example, emails have been exchanged where one plans a competing business, or if there are discussions that could lead to termination or dismissal, that should be sufficient to say that the use of the email account is relevant then?

[00:06:37] Thomas: Yes, I agree.

[00:06:39] Lill: Okay, then it's straightforward. We just need to talk to the IT manager and then open the email inbox.

[00:06:45] Thomas: Yes, so now we have pointed out the conditions according to the email regulations.

[00:06:51] Lill: Yes.

[00:06:52] Thomas: But if we already look at the conditions here, it is the case that, at least according to the Data Protection Authority, one must also adhere to the general data protection regulations. And that one must have a legal basis for processing personal data.

[00:07:07] Thomas: And the legal basis they rely on is typically that there is a legitimate interest. This legal basis is found in GDPR Article 6(1)(f), which states that an employer must safeguard a legitimate interest, and that it outweighs the privacy disadvantages.

[00:07:23] Thomas: So the legitimate interest, then, would be one of these conditions, necessary for daily operations or this justified suspicion.

[00:07:31] Thomas: And then under GDPR, one must assess whether it is necessary to conduct an inspection. Can this be achieved in other ways? And thirdly, in that assessment, one should weigh the employer's interest against the privacy disadvantages.

[00:07:46] Thomas: So the recommendation is to both assess the conditions of the regulation and ensure that you have a legal basis under GDPR.

[00:07:54] Lill: And the last thing you mentioned, at least for my part, is something I've learned more recently, you could say. And I get the impression that this might be a development all of us lawyers who have been working on this have experienced. It hasn't been so crystal clear to many people I've talked to that there's a specific regulation about email access, and that alone isn't enough in a way. When you've checked that, it still isn't enough. You actually need to look at the general conditions. I think we've collectively learned this in recent years.

[00:08:28] Thomas: It's a bit challenging, right. We have the General Data Protection Regulation, which largely provides total harmonization regarding the processing of personal data, and then the regulation allows for some areas where you can have supplementary rules in national law, and we have chosen to continue these special rules.

[00:08:49] Thomas: But then it's also known that, yes, we can't completely disregard the privacy rules, so okay, we have to adhere to both sets of regulations. But at least in the past, we thought that, yes, we have special rules here, so we can just stick to those. So I agree with you that it's been a bit of a journey, and now there's more focus on complying with both sets of regulations.

[00:09:12] Lill: Right? So if we summarize what's in the general, that is GDPR, there's the legal basis, which quite often might coincide, given that you have that balancing of interests, it might often coincide with the regulation's conditions. But you still have to make that assessment. So that's one thing, and then what was the other, you said?

[00:09:34] Lill: It was the legal basis, and then what?

[00:09:37] Thomas: No, it was a legal basis. I mentioned this with legitimate interest.

[00:09:42] Lill: Yes, okay, so that's the legal basis, and that's where the proportionality assessment obviously comes in, because it's the legal basis, right? The employer's interests must outweigh the privacy challenges it poses for the employee.

[00:09:56] Thomas: Yes, so if you base it on the legal ground of legitimate interest, then it's this three-step assessment: identify the legitimate interest. And it should probably align with the two conditions in the regulation. Then it must be necessary. Can you achieve that in other ways? And the third is this balancing of interests.

[00:10:17] Lill: Yes, very good. And what I think about that is that an employer who is going to do this should create a checklist. And when I say checklist, you might as well create a routine, which is essentially a checklist. And then we move from a question of conditions to what kind of systemic measures one should have.

[00:10:37] Lill: So if we take a detour into that, is it a requirement that employers have procedures describing how to access emails?

[00:10:44] Thomas: If you look at the guidance from the supervisory authority, the Data Protection Authority is the supervisory authority for both the regulation and the GDPR. So they do encourage having routines.

[00:10:57] Thomas: And now we can bring in this third set of regulations. We mentioned the Working Environment Act and Chapter 9 on control measures, and there, at least as I understand it, it seems to be more about systemic measures that the business implements. So the recommendation would probably be to have established routines in the workplace for conducting email inspections.

[00:11:20] Thomas: It ensures that those who are going to conduct the inspection know how to proceed. That they make the necessary assessments, and it provides predictability for the employees. So we think there are advantages to having routines and that they are carried out in accordance with the rules we find in Chapter 9 of the Working Environment Act.

[00:11:42] Thomas: But, and we can certainly talk more about the content there, but the question is, do you really need to have such routines?

[00:11:50] Thomas: And I don't think one would be prevented from conducting an inspection just because there are no routines. I'm not aware of any cases where an employer has been stopped from doing this due to a lack of routines.

[00:12:04] Thomas: But as I said, it would be recommended.

[00:12:07] Lill: I think that quite often you can find yourself in a situation where the employer needs to conduct an inspection, and then you start digging a bit and say, "Damn, I don't have any routines."

[00:12:19] Lill: So you dig a little deeper and realize, "Darn, I don't have any routines, nor have I discussed this concept of email monitoring, which is a control measure, with any union representatives." And then I think the practical answer is, okay, that was a mistake, but it doesn't stop you from conducting this individual inspection here. Because regarding the obligation to discuss with union representatives when something is a control measure under Chapter 9, I completely agree with you that it's a system rule. You should discuss the concept of email monitoring or the concept of access card control, and so on, with the union representatives.

[00:12:59] Lill: But the specific inspections that might be done don't have to be discussed each time. So, the takeaway is that if you find yourself without routines and without having discussed it, you should learn from it. You can conduct the inspection if the conditions are met and the next thing we will talk about, namely the process, is followed. But you absolutely must learn that point 1, it might be wise to have some routines, because it will help you next time with making the assessments you need to.

[00:13:30] Lill: Point two, when you're in this situation and need to do this, you must at least ensure that you discuss this control measure going forward, and you can include the new routines you create as well.

[00:13:42] Thomas: Agreed.

[00:13:43] Lill: That was a good overview of the regulations. If we then go back to looking at what is needed in this specific case where we want to gain access, we have concluded that you need to look at the conditions in the regulations, the conditions in the general rules. Now let's think, yes, they are fulfilled. That's how it is. Can we then go to the IT manager and say, can you just give me access to this mailbox?

[00:14:09] Thomas: Yes, these rules are structured so that first, the conditions must be met.

[00:14:14] Thomas: And then there are specific process or procedural rules for how to carry it out. And if we go back to the email regulations, they have their own rules on how to implement it.

[00:14:25] Thomas: Or what to do before practically carrying it out. But the main rule is that you must notify the employee and give them the opportunity to be present. There are also requirements for the notification, so we recommend having a template for it, routines that specify exactly what the notification should contain to ensure nothing is missed.

[00:14:47] Thomas: The notice should, among other things, justify why the conditions are considered to be met. This includes mentioning that it is necessary for daily operations or based on reasonable suspicion. The employee should be informed about their rights, including the right to be present during the implementation. They have the right to be assisted by a union representative or another representative, and they also have the right to object, as stated in the General Data Protection Regulation. It is possible that the employee may believe there is something specific about their situation that makes it inappropriate to conduct the inspection.

[00:15:27] Thomas: And the employer must assess this, but the rule to object under GDPR Article 21 states that the employer can still proceed if there are so-called compelling legitimate grounds for doing so. There is a certain threshold, but it is a valid reason to carry this out. It could also be related to a dispute, for example.

[00:15:47] Thomas: In other words, one can invoke the legal basis in GDPR, which is called establishing, exercising, or defending legal claims.

[00:15:55] Thomas: So if you have a dispute and believe that this is crucial evidence needed for the case, you would be able to proceed with it despite objections.

[00:16:05] Lill: And it's a very practical rule, I think, because, take the example where an employee goes to a competitor and you suspect that they have taken customer lists or sent emails to customers saying, "Hey, I'm starting at a new place."

[00:16:19] Lill: So it's precisely to ensure this in a dispute and to be able to present it to the court, for example, that makes you want this. So it's a very practical rule.

[00:16:30] Thomas: Yes, and the main rule is that you notify in advance and that the individual has the opportunity to be present. But sometimes it might be urgent, and you don't have time to notify or you can't reach the person.

[00:16:43] Thomas: Then, you should send a written notification as soon as the inspection has been completed. This is particularly practical for daily operations when we need to follow up on correspondence or agreements.

[00:16:56] Thomas: So in a subsequent written notification or notice, there is also a list of things that need to be disclosed, such as justifying why the conditions are considered met, informing about the rights of the individual, detailing the methods used, specifying which emails or other documents were accessed, and simply the overall result of the inspection.

[00:17:18] Lill: And as you say, a practical use of such subsequent notice is justified access, but very often employers don't particularly want to involve the employee or give prior notice, because they are very afraid that, no no no, we can't inform them in advance, then he or she will delete everything and we can't be there to monitor. The fear that the employee will tamper with the evidence, is that sufficient reason not to follow these rules about giving prior notice?

[00:17:47] Thomas: I don't think that's a good enough reason, because practically speaking, you can secure documentation or evidence. If it's about emails, for example, you can make a mirror copy. So, the risk of evidence tampering isn't present.

[00:18:01] Thomas: So you can secure this, make a mirror copy, and then plan accordingly, right?

[00:18:06] Thomas: That you give notice, so you should have checked that the conditions are met and so on.

[00:18:12] Lill: Yes, I completely agree, and it's a very practical thing, right? And you need to stay calm, it's not... It's good to follow these rules. We can come back to what happens if you don't. But okay, so the main rule is that you notify in advance and must state various things in that letter, and that the employee has the right to be present.

[00:18:33] Lill: The exception is that you can proceed and do it without the employee being present or notified, but then you must send a letter that meets certain requirements afterward. Is there anything specific to consider regarding the actual implementation of the inspection?

[00:18:50] Thomas: Yes, there are some requirements for this in the regulations as well. So regarding the actual implementation or what the regulations state, it is that it should be carried out in such a way that the information is not altered as much as possible, and that the obtained information can be verified.

[00:19:10] Thomas: So especially when this is to be used as evidence, you should consider how to carry it out. Therefore, it might be important to use a mirror copy, but also to involve relevant expertise that can assist with this, ensuring that you have verifiable evidence and documentation for any potential case. The regulations also state that when practically going through this, meaning opening emails, reviewing documents, or similar actions, if it turns out they are not necessary or relevant, they should be closed immediately. Practically speaking, if you have a case where the employee is present during the process, it is important to agree on what to search for, right?

[00:19:51] Thomas: So that you have prepared and agreed on relevant keywords and the specific period in question, for example, and the type of documentation, ensuring that the access is limited to what is strictly necessary. And then, perhaps, you have conducted some searches and made some limitations, and then it's about going through it together. If you immediately see that something is not relevant, you should close it, right?

[00:20:17] Lill: Yes, and that's really useful to think about because, at least in the old days, I think many employers thought, I don't need to prepare that much. I'll just open it, dump everything onto a hard drive, and read it later. That's definitely not the case anymore. And as you said, it's also important that in the letter sent out beforehand, you should, or perhaps must, also specify...

[00:20:41] Lill: Here are the keywords we plan to use, and you need to have an idea of what is relevant. We usually say that if we find something interesting during our search, we can expand the keywords. But this is what we are thinking initially, and we believe this particular time period is relevant to search in. So that's what we will do first, but if we find that something changes, we will expand it as well.

[00:21:07] Lill: And as you say, you document step by step what you do in that review. We started by searching for this, and then we opened x number of emails, and we downloaded or extracted the emails that were relevant, it was like this and that. So, you should be as precise as possible in describing what you are doing in that review, so that it can be verified later.

[00:21:29] Lill: Both in a potential dispute about how this was conducted and the value of the evidence. But also if there were to be a complaint to the Data Protection Authority, for example, because one might not have met the regulation's or law's requirements for access, it is super important to document what has been done and why it was done.

[00:21:50] Thomas: Agreed, and as we mentioned, the Data Protection Authority, and in general, there is increased awareness that one must also comply with the general data protection regulations.

[00:22:02] Thomas: And here we have some privacy principles that also set some guidelines, such as data minimization, not more than what is necessary, and so on.

[00:22:11] Thomas: That they are relevant. And that you delete it when it's no longer needed, and that there is secure handling in the information security around it.

[00:22:20] Thomas: So it could also be, if it's a case where there's concern that... It's very important to do everything correctly, or if there's a high level of conflict between the parties, then it's crucial to be meticulous with all those aspects.

[00:22:35] Lill: And all these assessments and actions taken might ideally end up in a report from that review, don't you agree?

[00:22:43] Thomas: Yes, documentation around it.

[00:22:45] Lill: Yes, that a report is prepared documenting everything that has been done, and to the extent that any assessments needed to be made during the review, those are also included in the report.

[00:22:57] Lill: Then we have discussed the conditions, and we have touched upon both the discussion of control measures and the need for guidelines.

[00:23:05] Lill: We have looked at the process beforehand, and now we have discussed what to consider during the actual inspection. Are we through then? If we think the topic is email inspection, or is there something we haven't mentioned to our large audience, our podcast listeners?

[00:23:22] Thomas: Yes, so if we take a step back, both employers and employees can take some measures to avoid getting into difficult situations regarding access. We talked about routines, and generally, it can be relevant for employers to provide some guidelines, have some internal instructions on the use of email and electronic equipment.

[00:23:43] Thomas: It could be that one says private use should be very limited, trying to avoid too much private content and so on. One can have clear routines for ongoing archiving of cases or correspondence, so that things don't get scattered and there's less need to access individual email accounts and so forth.

[00:24:02] Thomas: So there can be important perspectives from the employer's side, but also for employees who might have an interest, and if something is more private, that it is clearly marked, so there is no doubt that there should be no reason to conduct an inspection there.

[00:24:19] Lill: And that brings up an interesting topic, namely private emails.

[00:24:23] Lill: If we start with that, and let's imagine we're in the middle of an inspection, and then an email pops up marked "private" with an exclamation point. Is it forbidden to open it?

[00:24:34] Thomas: I think it's not forbidden, but if it's obvious that it is indeed private, then you shouldn't proceed. However, if you have a disloyal employee, they might have taken steps to try to fly under the radar.

[00:24:47] Lill: Yes, and that's what I think as well. Again, it's important to document the assessments you make, but if you see something marked as private, you should evaluate whether you trust that employee or not. I would open the first emails, citing the need to double-check that it's not a cover-up. And that's our assessment when we consider opening what appears to be private.

[00:25:11] Lill: If you've gone through some and seen that it's a false alarm, it seems our suspicion was incorrect. Then you can move on and not open what is clearly marked as private. But I think it's important to mention that it's not off-limits initially, but you should be cautious.

[00:25:28] Thomas: And another aspect that is also regulated in this regulation is the termination or deletion of content in email accounts and file areas, and so on. So these are also important rules where we see that many are not fully aware of them and end up in trouble.

[00:25:44] Lill: And then you're thinking about, and now we've jumped out of the topic of access and into, okay, because often these disputes end with someone leaving anyway, and you have to remember that there are rules about deleting email accounts when someone leaves.

[00:26:01] Thomas: Yes, exactly. So we can afford to mention them as well. The main rule in the email regulations, there's a specific provision about deletion, it's paragraph 4 in the regulations. The main rule is that when the employment relationship ends, the email account, if we take that as an example. This also applies to file areas and access rights, but the email account should be shut down immediately.

[00:26:26] Thomas: So it should not be possible to send and receive emails. The point is that emails should no longer flow into the mailbox. So the main rule is that it is shut down. Practically speaking, you should set up an automatic reply, for example, directing people to contact someone else, but in principle, no more emails should come in.

[00:26:47] Thomas: It is observed that, exceptionally, the Data Protection Authority has accepted that one can keep it open for a short period after termination, but this is entirely exceptional and only if there is a specific need. Regarding the content of the email account, the requirement is to determine whether it is necessary for daily operations. It is stated that content not necessary for daily operations should be deleted within a reasonable time, typically within six months or so.

[00:27:17] Thomas: What we often see in practice is that the employment relationship ends, and the employee moves on to new challenges without deciding whether there is a need to store this information or not. And then the basic rule is that if the employer is to... First of all, you have already violated the rules about making a decision and so on, but you also face the challenge that if the employer is to access this information, the same rules apply as we have discussed regarding conducting access. Basically, you should then notify the former employee and so on.

[00:27:52] Thomas: It's quite cumbersome. So, the best practice here is to have an internal routine where the employee, as part of the off-boarding process, also reviews their email inbox and file areas.

[00:28:04] Thomas: And that means deleting what is not business-related and not necessary for daily operations, while ensuring that what is necessary for daily operations is accessible to others or properly filed in the correct folders, and so on.

[00:28:19] Lill: Yes, right? No, it's important to think about, because even though there's a requirement to close it, many people don't handle it well, and then suddenly you need to go in and think, "Oh darn, there were some emails there," you know.

[00:28:33] Lill: And as you say, you have to follow the same conditions for both access and procedures.

[00:28:39] Lill: So it's useful.

[00:28:40] Thomas: And that cleanup job would be a bit easier if you have been archiving continuously and so on. Of course, employees have very different tasks, but in some workplaces, it can definitely be relevant.

[00:28:53] Lill: Yes, I absolutely think so. This has been very clear and enlightening, in my opinion. I think we've reached the end of this topic, and what strikes me is that there are many other exciting subjects here that I believe we need to bring you back to the studio to discuss. For example, the issue of access to communication logs and such. But I think that will have to be a cliffhanger for the next episode. Thank you so much for joining us, Thomas Olsen.

[00:29:21] Thomas: Yes, thank you very much for the invitation.

[00:29:24] Lill: And to you who have been listening, I hope you found something useful in this. I also hope you've been out and about. Thank you for today, and I look forward to welcoming you back to the next episode of Arbeidsrettslunsj.