Specifically, the complaint stated that the employer of the complainant’s handling of the email box, the file area and his user access at the end of his/her work had not been in accordance with Act No. 90/2018 on Data Protection and the Processing of Personal Data and the Data Protection Authority’s guidelines on handling of email, file areas and monitoring of internet usage.

The Data Protection Authority concluded that it was unproven that the complainant’s employer, or service providers, had examined the complainant’s personal data stored in the email box and his/her file area. From the Data Protection Authority’s review of existing action files, due to access to the mailbox, it was not apparent that anyone other than the complainant had logged into the mailbox, however, logs were limited to a long time. It was also known that logging was not in place in regard to the complainant’s file area and therefore it was not possible to determine whether the complainant’s personal data, which might have been stored there, was examined.

It was also concluded that the Data Protection Authority had treated the complainant’s employer in accordance with the fairness principle of the Data Protection Act. The complainant’s employer had intervened in closing the mailbox and blocking the complainant’s user access to the operator’s cloud and the institution’s computer system, thus preventing private email from being sent to the complainant’s mailbox. However, it was stated that the reception of email was not blocked until about a year after the complainant’s end of employment. The need to keep the complainant’s email address active for such a long period was not demonstrated and the employer’s treatment of the complainant’s emailbox, in this respect, was not considered in accordance with the preservation principle of Article 8(1)(5) of Act No. 90/2018 and Article 5(1)(e) of Regulation (EU) 2016/679.

The Data Protection Authority's ruling (in Icelandic)