Monitoring via Anti-Spam and DLP Policies (Norway):

About:

This article outlines the legal and practical framework for monitoring through anti-spam and Data Loss Prevention (DLP) policies in organisations. Such monitoring is based on both legal requirements and IT security considerations.

Why we need it / What it is:

Anti-spam and DLP policies help prevent phishing, fraud, malware, and the leakage of sensitive information, such as personal data or trade secrets. They are particularly important in regulated sectors like banking, healthcare, and public services, ensuring compliance while protecting the organisation’s IT systems.

NOTE:

Anti-spam and DLP policies are lawful security measures if they are proportionate, necessary, and implemented in compliance with privacy regulations.

1. Legitimate Interest (GDPR Art. 6(1)(f))
Necessary for IT security and operational protection, with a balancing test showing organisational needs outweigh employees’ privacy.

2. Legal Obligation (GDPR Art. 6(1)(c))
Required for compliance with laws or regulatory mandates to protect personal data or trade secrets.

3. Consent (GDPR Art. 6(1)(a)) – rarely used
Must be voluntary, specific, and informed, but often impractical due to the employer’s authority.

4. Email Regulations (§2)
Access to emails is allowed only when necessary for operations or security; general surveillance is not permitted.

Limitations and Considerations:

1. Monitoring must be proportional and necessary.
2. Private emails should not be accessed without justified suspicion of wrongdoing.
3. Automated monitoring (e.g., filtering suspicious content) is more acceptable than manual review.

And you are done 😄