Persónuvernd (Island) - 2021051091
Persónuvernd - 2021051091 | |
---|---|
[[File:|center|250px]] | |
Authority: | Persónuvernd (Island) |
Jurisdiction: | Iceland |
Relevant Law: | Article 5(1)(b) GDPR Article 5(1)(a) GDPR Article 6(1) GDPR Article 12 GDPR Article 13 GDPR Article 30 GDPR Article 58(2) GDPR Article 83 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 04.05.2021 |
Decided: | 12.03.2024 |
Published: | 20.03.2024 |
Fine: | 1,500,00 ISK |
Parties: | Stjörnuna ehf, the operator of Subway in Iceland |
National Case Number/Name: | 2021051091 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Icelandic |
Original Source: | Persónuvernd (in IS) |
Initial Contributor: | ec |
The Icelandic DPA imposed a fine of €10,059.92 (ISK 1,500,00) on Stjörnuna ehf, the operator of Subway in Iceland for unlawfully monitoring its employees.
English Summary
Facts
The data subject is an employee at Subway in Iceland.
The controller is Stjörnuna ehf, the operator of Subway in Iceland.
The data subject filed a complaint to the Icelandic DPA (Persónuvernd) on 4 May 2021.
The data subject claimed that the store manager monitored him in real time at home, and thus outside the workplace, and called the workplace to give comments on the data subject’s work style based on the footage. This was done without the data subject’s knowledge.
The controller argued in a letter to the DPA that it had installed the surveillance cameras for the sake of security and property protection. The purpose of the monitoring is factual, the surveillance camera system has been used in a reasonable manner and it has not been used for the control of workers or for monitoring work results. The controller claimed that the store manager went beyond the stated purpose of the monitoring and used the footage to monitor the work performance of the employees without the consent or knowledge of the company representatives. Immediate action was taken to prevent this from happening again.
However, in a following letter, the controller denied that the store manager regularly monitored staff in real time through the restaurant's surveillance camera system and commented on their work style and behaviour. The controller argued that the store manager was looking at the surveillance camera system on the day in question out of fear that bread was running out. However, the store manager noticed that there was a big queue which did not change after 5 minutes, and therefore called the data subject who was in the rest area to request that the data subject serves the customers.
Lastly, the controller argued that since there was no systematic collection of information, they had no obligation beyond the installation of signs about the surveillance cameras in the workplace to inform employees more about the monitoring.
Holding
Firstly, the DPA found the arguments of the controller conflicting as the purpose for processing was either in the interests of security and property protection or quality control. Regardless which argument should be taken into account, the DPA held that it is clear that the store manager’s use of the footage from the surveillance cameras does not fall under the stated purpose of the company’s monitoring for security and property protection. Moreover, the DPA held that monitoring for controlling the work of the employees is only possible if there are no other means available and it is necessary due to an agreement. The controller did not demonstrate this. Moreover, under Article 5(1)(b), monitoring must be carried out for specified, explicit and legitimate purpose. The DPA found that the controller did not demonstrate that quality control was the purpose of monitoring or that the objectives of quality control cannot be achieved with other and less intrusive measures. Therefore, the DPA found that there was no authorisation for processing under Article 6(1) GDPR.
Secondly, the DPA explained that personal data must be processed in a fair and transparent manner in relation to the data subject under Article 5(1)(a) GDPR. This means that data subjects should be aware when their personal data is collected, used, viewed or processed in another way. Moreover, in light of Article 13 GDPR, information must be provided to the data subject and must be given a clear picture of the monitoring, including its purpose, how it is carried out, how access to monitoring material arranged and how long the data is stored. The DPA found that the data subject was not adequately informed about the monitoring or what his rights were concerning the monitoring. Moreover, the DPA rejected the controller’s claim that the installation of signs about the monitoring was satisfactory as these signs do not state who is responsible for the monitoring.
Thirdly, the DPA found that the controller did not keep a record of the processing activities required under Article 30 GDPR.
Thus, the DPA ordered the controller under Article 58(2) GDPR to erase all screenshots of the data subject at work and to inform its data subject about the monitoring, including the purpose of the monitoring and their rights related to it, and to keep record of its processing activities. Moreover, the DPA imposed an administrative fine of €10,059.92 (ISK 1,500,00) on the controller under Article 83 GDPR due to the controller’s violations of Article 5(1) GDPR, Article 6 GDPR, Article 12 GDPR and Article 13 GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.