NORWAY Law and Practice Contributed by: Thomas Talén, Øyvind Clausen Bade, Marte Dahl and Marianne Viset, Ro Sommernes Advokatfirma AS
employees about the purpose of the control meas - ure, the practical consequences including how it will be implemented, and the expected duration; • ensure that the investigation is proportionate, not subjecting employees to unnecessary inconven - ience or loss; • ensure that the control measure is not degrading to the employee and cannot be achieved through other less intrusive means; • respect the purpose limitation principle – personal data collected for one purpose cannot be used for subsequent purposes that are incompatible with the original purpose without the employee’s consent; • exercise particular caution when collecting health information or other special categories of personal data, ensuring compliance with GDPR Article 9 and the WEA Section 9-3, and only requesting such information when strictly necessary; and • if data may be transferred outside the EEA, imple - ment adequate safeguards, such as conducting a data transfer impact assessment and entering into Standard Contractual Clauses (SCCs) with the data importer outside the EEA. It is highly recommended to include the requirements set out above in an employee privacy policy as well as in a whistle-blowing policy. 7.2 Specific Rules Specific rules apply to access to employee email accounts or the employee’s private areas in the employer’s data systems. • Access may only be gained if it is necessary for the legitimate interests of the employer or if the employer has reason to believe that the employee’s use of the email account constitutes a material breach of the employee’s duties. • Prior to gaining access, the employee must be informed and given the opportunity to object. The employee shall, as far as possible, be given the chance to participate while the email account or private area is accessed. 7.3 Access Subject to Article 15 of the GDPR, in principle anyone is entitled to information regarding the processing of
their personal data, including “a copy of the personal data undergoing processing”. However, this does not mean, for example, that the Respondent is automati - cally entitled to information on the Reporter’s identity. In accordance with case law (for example, LB-2024- 058268), the employer must balance the Respond - ent’s need for information and ability to exercise their right to object with the obligation to secure a fully sat - isfactory physical and psychosocial working environ - ment for the Reporter and other involved employees. Accordingly, the Respondent shall always have the right to know the specific allegations put forward so that they are able to defend themselves; however, the identity of a Reporter or witnesses should generally not be disclosed to a Respondent without the consent of the former. 7.4 AI Use of AI in HR Internal Investigations The use of AI in HR internal investigations is grow - ing. Some employers have started to use AI tools to handle internal investigations, particularly for sorting and reviewing large volumes of information. However, the extent of adoption varies significantly, with some organisations not using any AI in their internal investi - gations at all and others, particularly larger employers, using it extensively. Common uses of AI include: • automated review of emails, documents and inter - nal communications; • identification of relevant patterns and correlations when reviewing large volumes of documents; and • relevance-based filtering and prioritisation of infor - mation. Data Protection Considerations When Using AI Employers must carefully address a number of signifi - cant data protection considerations when using AI in HR internal investigations. It is critical that employers safeguard personal data when using AI tools. This necessitates ensuring that the consequences of using AI are thoroughly assessed. Employers should use data protection impact assessments where necessary and ensure that
298 CHAMBERS.COM
Powered by FlippingBook