Datatilsynet (Norway) - 20/01790

From GDPRhub
Datatilsynet - 20/01790
LogoNO.png
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 5(1)(a) GDPR
Article 6 GDPR
Article 6(1)(f) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 22.12.2020
Published: 14.01.2021
Fine: 400 000 NOK
Parties: Coop Finnmark SA
National Case Number/Name: 20/01790
European Case Law Identifier: n/a
Appeal: Appealed - Overturned
Personvernnemnda (Norway)
2021-09 and 2021-15
Original Language(s): Norwegian
Original Source: Datatilsynet (in NO)
Initial Contributor: Rie Aleksandra Walle

The Norwegian DPA fined a company €38,800 for unlawfully disclosing personal data from a surveillance footage, thus breaching Article 5(1)(a) GDPR and Article 6. The company appealed to the Norwegian Privacy Appeals Board, who first removed the fine in its entirety, then awarded the controller €6,959 to cover their legal costs.

English Summary

Facts

Coop Finnmark SA is part of a Norwegian cooperative selling groceries and more. The company submitted a data breach notification to the DPA after a store manager had filmed surveillance footage with his private mobile phone and shared this with a third party. He believed children were stealing, and his intention was to identify these. The woman he shared the footage with, sent it to her son, who sent it to someone else. The recording was, as such, shared with several people and reached, in the end, the child who was evidently stealing.

The store manager realized his mistake following the incident, notified the DPA and apologized to everyone involved.

Holding

The DPA notes that the company has legal grounds for using surveillance in their shop, in general, as per Article 6(1)(f). Filming and sharing a recording from the footage, however, is a new processing activity which also requires legal grounds as per the GDPR. The company has not determined legal grounds, as this processing activity shouldn't take place and is a breach of the company's internal routines.

The DPA notes that the purpose of the processing was to identify the children in the footage. Sharing the footage with third parties, however, was not necessary to achive the purpose. The company should have reported the incident to the police and waited for them to initiate a criminial investigation, including asking for surveillance footage.

Consequently, the DPA held that the company didn't have legal grounds for sharing the footage, as per Article 6. As the processing lacked legal basis, they were also in breach of Article 5(1)(a) GDPR. The company was fined €38,800.

Comment

The DPA underlines that the breach is particularly severe since children were involved. They also highlight the significant risk connected with sharing something with a personal mobile phone, and how easy it is to lose control of personal data in this way.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

 ADVOKATFIRMAET BAHR AS
 PO Box 1524 VIKA Excluded from the public:
 0117 OSLO Offl §13 cf. Fvl §13 no. 1







Their reference Our reference Date
 9135764/1 20 / 01790-1 (19/01267) / EHN 22.12.2020



Decision on the imposition of infringement fines - COOP FINNMARK SA


We refer to our notification of the decision on infringement fines of 28 February 2020, and comments
to the forecast from BAHR dated 25 March 2020. We will in the following refer to the «business»
when we write about the comments in the comment to the alert. We will continuously note which ones

points in the final decision that deviate from the notification of decision.

1. Decision on infringement fines


Based on the information in the case, the Data Inspectorate believes that COOP FINNMARK SA has violated
the rules in the Personal Data Act, and sees reason to impose on the business a
infringement fine.


        Pursuant to section 1 of the Personal Data Act, cf. the Privacy Ordinance, Article 58 no.
        2 letter i, cf. article 83, is imposed on Coop Finnmark SA, org.nr. 981 397 568, to pay

        an infringement fee to the Treasury of 400,000 - four hundred thousand - kroner to have
        disclosed personal data in violation of the Privacy Ordinance Article 6 and Article
        5 No. 1 letter a.


The background and reasons for the decision follow below.


2. Details of the facts of the case

On 10 April 2019, the Norwegian Data Protection Authority received a report of a breach of personal data security
(deviation report) from Coop Finnmark SA (hereinafter «Coop Finnmark»). The message is described

deviated as follows:

        "Store manager detects theft in self-scan via camera surveillance. There are two boys

        on the recording, these two are watching, while one of the boys is stealing. (There are four more
        together). The store manager films the recording from the camera surveillance and sends it to one
        he knows, with questions

        is "this" (her son). No face is shown, but you can see the hair,
        clothing, as well as footwear. She passes this on to her son where she asks about this



Postal address: Office address: Telephone: Fax: Org.nr: Website:
PO Box 458 Sentrum Tollbugt 3 22 39 69 00 22 42 23 50 974 761 467 www.datatilsynet.no
0105 OSLO is he. It is not then, but her son then sends the video on, where it
        then comes to the person who was filmed on the recording. "

As we understand the deviation report, there has been a delivery of camera footage from a
surveillance camera in a store belonging to Coop Finnmark. The extradition took place by that
the store manager in the store filmed a screen that showed footage from the camera in the store. In response to
the notice of decision writes the company that the store manager used his mobile phone to film

the film clip, which lasted about three seconds.

The deviation report states that the recording that was handed out showed two or three children, with one
estimated age of 15 or 16 years, who stole goods in the store. One or two of the children did it
physical theft, while two of those pictured on the recording watched the others steal. According to
the deviation message does not show the faces of those pictured, but it is possible to see and distinguish
the people apart based on clothing, hair and footwear.


The store manager then sent the recording, from his phone, on to what he assumed was the mother of
one of those pictured. He asked the recipient if the person pictured was her son.
The woman answered the question in the negative, and then passed the video on to her son.
The son then forwarded the video. At one point, the video reached the person or persons who are
depicted on the recording.


It appears from the deviation report that the recordings were later handed over to the police.

After the incident, the store manager contacted the HR / HSE manager, and an internal non-conformance report was made
written the same day. The non-conformance report states that the store manager contacted those affected
the parties he knew, and apologized for the incident. He also requested that the recordings as possible
was on other devices was deleted. It is also stated that an apology was given directly to

the people who were filmed on the video clip.

The company submitted a report of a breach of personal data security on 10 April 2019 at
14.20. The Norwegian Data Protection Authority then asked Coop Finnmark for further information in a letter
with a request for a statement, which was sent on 8 October 2019. The request was answered in
statement dated 21 October 2019. Attached were the company's routines for camera surveillance
and handling of discrepancies in the processing of personal data, as well as the company's

data processor agreement with a technical service provider.

Item 9 in Routine for Camera Surveillance - Stores in Coop Finnmark deals with delivery of
personal information. The point in its entirety reads:

«Personal information shall not be disclosed to outsiders unless it is available
written basis for extradition. If the consent of those pictured is required,

the confirmation is attached to the extradition request. If extradition is required in connection with
investigation of a criminal act or accident, extradition to the police can take place, without it
there is consent, if the basis for the extradition exists.






                                                                                                2 Delivery of photos / recordings is delivered in a separate format. The originals are retained by the company and
is subject to deletion according to the rules for this.

The image / recording shall never be used for anything other than the purpose, cf. section 2, for which it has been handed over. Responsibility
for the practical handling of delivery is delegated to the security manager, store manager or to
one they delegate this responsibility to. "


The Data Inspectorate requested a copy of the camera recordings made in the store on 4 April 2019. We
received the recordings by letter post in August 2020. There are two recordings, one of 19 seconds showing
the entrance to the store, and a recording of 1 minute and 33 seconds showing the checkout area in
the store. We assume that some of these recordings were filmed by the store manager
with his private phone, and which was then shared further. We have not seen the recording that was
done on the private phone and these must be deleted.


One footage shows people entering the store. The second recording shows people
who pay for goods at serviced and self-service checkouts in the checkout area. It's hard to
deduce from the camera footage that a criminal act is taking place. It may seem that one of them
the boys pictured do not pay for all the items he later takes out of the store.

3. Legal principles
3.1 More about the requirements of the Personal Data Act


The Personal Data Act implements the European Privacy Regulation in Norwegian law.
The rules in the law and the regulation apply to fully or partially automated processing of
personal data, cf. the Personal Data Act § 2 and the Privacy Ordinance Article 2.
The initial condition for the regulation to apply is that a processing takes place
of personal information.


Article 4 (1) of the Regulation defines personal data as follows:

        «Any information about an identified or identifiable natural person (« the
        registered »); An identifiable natural person is a person who directly or indirectly
        can be identified, in particular by means of an identifier, e.g. a name, a
        identification number, location information, a network identifier or one or

        several elements specific to the physical, physiological,
        genetic, psychological, economic, cultural or social identity ».

The definition of personal data is broad. What is decisive for the application of the law is
whether the relevant information can be linked to a natural person, who is either identified or
is identifiable. It is sufficient that the natural person is indirectly identifiable, for
example when using different «means», cf. the regulation's proposition point 26. The decisive factor is whether

the information is suitable for identifying a person, with or without aids.

All processing of personal data must be in accordance with the basic principles of
Article 5 of the Regulation. The principles mean that the treatment must be lawful and equitable
and transparent (letter a). The treatment should only take place for predetermined purposes, and




                                                                                                 3Not reused for new purposes contrary to the original (letter b). The treatment

must be adequate, relevant and limited to the specific purpose (letter c). The information
should be correct (letter d), and they should only be stored for a limited period of time after what
is necessary for the purpose (letter e). The treatment must be done in a way that ensures
the integrity and confidentiality of personal data (letter f). This principle implies that
the personal data shall be secured against outsiders gaining unauthorized access, through

appropriate organizational and technical measures.

It is the person in charge of treatment who is responsible for ensuring that these principles and
the Regulation as a whole is complied with (Article 5 (2)).


One of the requirements of the Privacy Ordinance for the processing to be considered legal is that
there is a legal basis for it (basis for processing). The different forms of
basis for treatment can be found in Article 6 of the Regulation. For camera surveillance performed by

private companies and associated treatments, including extradition, are there
the basis of treatment in Article 6 (1) (f) which is the most obvious. We point to that
The Privacy Board has assumed that Article 6, paragraph 1, letter f is a relevant one
basis for processing in the assessment of such cases. 1


The basis of treatment in Article 6, paragraph 1, letter f, provides guidance on a balance of interests.
Personal data can be processed on this basis if it is necessary to safeguard
a legitimate interest that outweighs the consideration of individual privacy. This
implies that the business must have a legitimate interest, the processing must be necessary for

to achieve the legitimate interest and that a concrete assessment is made of the weight of
interests. This must then be weighed against the data subject's right to privacy.

If a processing does not meet the basic requirements of the Privacy Regulation, will

the treatment may be illegal.

3.2 The question of the application of regulations for camera surveillance in business

The Norwegian Data Protection Authority has assessed the deviation report from Coop Finnmark SA in accordance with the general rules in
                                                                                               2
the regulation, and not the special rules in the regulations for camera surveillance in business. We
will in the following justify the choice of law.

Article 88 of the Privacy Regulation allows Member States to lay down detailed rules

for the processing of employees' personal data in connection with employment relationships.

The scope of the special rules on camera surveillance is therefore limited to the framework of
employment conditions. This is also emphasized by the ministry in the preparations for a new one
                        3
Personal Data Act. The rules on camera surveillance in business are located in
Chapter 9 of the Working Environment Act, which deals with the employer's right to implement


1See e.g. PVN 2019-09
2FOR-2018-07-02-1107.
3
 Prop. 56 LS (2017-2018), point 31.3.3.3



                                                                                                    4controlling measures in their business. Regulations on camera surveillance in working conditions are included
authority in the Working Environment Act § 9-6.

Neither the Working Environment Act § 9-6 nor the regulations contain any definition of the term
"Camera surveillance in business". In the preparatory work for the new Personal Data Act writes
Ministry in connection with this that camera surveillance carried out by others than
employer, will fall outside, even if the camera also captures jobs ». Further

they write:

        "On the other hand, it will not be crucial for the employer to set up himself
        and / or manages the monitoring itself. It will be sufficient that the monitoring
        takes place in understanding with the employer, is in the employer's interest and that the purpose (among
        other) is to monitor the employer's activities. A typical example would be
        monitoring of retail premises in a shopping center, where the monitoring is administered by

        the center company ».

In assessing whether the regulations apply, the Ministry writes:

        "Secondly, it will be a condition that the monitoring can be regarded as a control measure in
        the meaning of the Working Environment Act. The Ministry therefore believes that camera surveillance as
        not, or to a very small extent, can be considered a burden on employees

        personal integrity, will fall outside the scope of the rules, ie even if it
        takes place «in business», cf. the purpose of the regulation in the Working Environment Act, Chapter 9 ».

This means that the further processing of personal data collected through
the camera surveillance, which in principle falls within the scope of the regulations, does not
applies if the further processing (in this case extradition) only applies

personal information about other than employees.

On the basis that Article 88 of the Regulation only allows for more detailed rules for processing
of employees' personal data in connection with employment relationships, the fact that
The regulations are based on the Working Environment Act's chapter, which regulates the employer's access to
implement control measures in operations, and the statements in the preparatory work, is the Data Inspectorate's assessment
that the regulations are not the correct regulations to apply in this specific case.

The disclosure of the photos made by Coop Finnmark does not include personal information

about some of the company's employees. As there is no working relationship between them
registered and the business, there are thus the general rules in the Personal Data Act and
the applicable privacy regulation.

4. The Data Inspectorate's assessments and reasons for decisions
4.1 Introduction


It is clear that there has been a processing of personal data that falls within
the scope of the Personal Data Act and the Privacy Ordinance, cf. section 2 and





                                                                                                Article 2 of the Ordinance 2. The Personal Data Act and the Privacy Ordinance are coming
thus for use.

It is stated in the definition in the Privacy Ordinance Article 4 No. 2 that a treatment is

any operation or series of operations performed with personal data. We consider
it is as if a processing of personal data has taken place in two stages. The first link in
The treatment took place when the store manager filmed the recordings with his private mobile phone. The
the second stage of the treatment took place when the store manager forwarded the recording he had made
to an acquaintance. In the following, we will consider these actions as a collective treatment of
personal information. The purpose of the processing of personal data was to identify

the person depicted to solve a possible criminal act.

The Data Inspectorate believes that Coop Finnmark did not have a processing basis for the processing of
personal information. This will be justified in the following.


4.2 Assessment of treatment basis
The routines of Coop Finnmark show that the company believes it has a basis for treatment in the article
6 no. 1 letter f for the camera surveillance in the shops. We refer to point 3 of the company's
routine for camera surveillance.

Delivery of camera footage is a new treatment that requires a new treatment basis. IN

the company's routine for camera surveillance, it is stated that delivery can only take place by
written basis for extradition. It is unclear what the company puts in this wording.
If the basis for extradition is consent from the data subject, there are routines for
the extradition. The routines seem to set an exception to the requirement for a written basis for
extradition if the recipient is the police, and the extradition takes place in connection with an investigation

of a criminal act or accident.

The company has not itself emphasized that it has a processing basis for the extradition, but
on the other hand, reported the disclosure as a deviation to the Norwegian Data Protection Authority. The delivery is described in
the deviation report as a deviation from the company's internal routines. We assume that
the company itself does not consider that it has a processing basis for the extradition.


We will nevertheless make an independent assessment of this condition. We assume that
The relevant basis for processing for extradition is Article 6, No. 1, letter f (see our presentation
of the provision and the balance of interests that it provides, in section 3.1).
This is in line with the Privacy Board's practice in similar cases. The interests of

the business for the processing of personal data must here be weighed against the data subjects' right to
privacy. Particular emphasis shall be placed on the wording of Article 6 (1) (f)
the data subject's interests and fundamental rights if the data subject is a child.

The law's requirement that the treatment must be necessary for purposes associated with it
the legitimate interest of the data controller means that the interest pursued by it

data controllers must be legal and genuinely motivated in the business. Both legal,

4
 PVN-2019-09



                                                                                                 6economic or non-material interests may be justified, cf. the Privacy Council
«Guidelines 3/2019 on processing of personal data through video devices», section 18.
The necessity condition further entails a requirement that the purpose cannot be achieved on a minor
privacy intrusive way.

The first question is whether the treatment is necessary for purposes associated with it
the legitimate interest of the controller. The purpose of the extradition was to identify

people who stole from the store. It is clear that it is in the store's interest to find out who
who has committed thefts in the business. However, it is also clear that it is not necessary to
hand out camera recordings to outsiders, all the time it will be possible to solve
the theft and identify the persons by reporting the matter to the police. A review will
could mean that the company must hand over the recordings to the police, to secure the police
investigation of the relationship. It can therefore be questioned whether the extradition is necessary
to pursue the business interest.


The Norwegian Data Protection Authority believes that the data subjects' right to privacy in the present case, regardless of route
heavier than the business interest. We have placed crucial emphasis on the fact that there are children
personal data that was processed. The conditions in Article 6 (1) (f) are thus
not fulfilled anyway.

In this assessment, we emphasize the data subjects' reasonable expectations, in line with

The Privacy Council's Guidelines 3/2019 on processing of personal data through video devices »
section 35. We assume that there is a sign in the shops that there is camera surveillance, in
in line with the company's internal routines for camera surveillance point 1.

People who stay in the store thus have a reasonable expectation that they will stay
filmed. In-store camera surveillance is not uncommon. It will also not be unusual for one

camera surveillance shop that catches a theft or other illegal activity,
hand over the recordings to the police. Most people, however, have no expectation of such recordings
handed over to other persons who do not work for the police or have any other form of
dealing with the prosecution of criminal offenses. As the deviation report from the company shows,
it does not take long from the original disclosure to the information when it registered
self. This shows the potential for damage when disclosing personal information between
mobile phones.


The Data Inspectorate refers to the Privacy Board's decision in PVN-2019-09. Fact i
the tribunal decision and this case are somewhat different. In the tribunal decision published
store a still image from a surveillance camera on Facebook, for the purpose of identifying one
person who stole Christmas decorations outside the store. A publication on Facebook will quickly reach a large
number of people. Sharing an image from one mobile phone to another will go through one step only
now a person, and will not have the same function equivalent to a "public gape stick".

At the same time, the sender quickly loses control of the personal information, and it is easy to share
these further. What is described in the deviation report and the statement in the present case show
exactly this. The potential for harm in the event of extradition, and the interference with the individual's privacy, will
perceived as large.





                                                                                                 7Datatilsynet places great emphasis on the fact that the people pictured are children. It follows
Clause 38 of the Privacy Ordinance states that «children's personal data deserve a special
protection, as children may be less aware of current risks, consequences and guarantees
as well as on the rights they have with regard to the processing of personal data ». Also children
who perform illegal acts, such as a minor theft from a store, are entitled to privacy.

The Data Inspectorate further emphasizes that the data controller has assessed that it has not

there is a basis for processing in accordance with the regulation. The company has in the deviation report
also pointed out that the extradition has taken place in violation of the company's own routines for
processing of personal data collected through camera surveillance.

In this case, the data subjects' privacy interests outweigh the company's interests in
to hand over the recordings.


Nor can we see that there is any other basis for treatment that will be more obvious
or suitable for the disclosure of personal data in this case.

The extradition is thus in breach of Article 6, paragraph 1, letter f.

4.3 Assessment of the principle of legality in Article 5 (1) (a)


The requirement that a treatment must be lawful means that it must have a legal basis in
the Privacy Regulation. A processing of personal data without a basis for processing will
without further ado be illegal, and thus be contrary to the fundamental requirement of the principle of
Article 5 (1) (a).

As shown above, we find that there was no basis for treatment for this extradition, such

that the treatment is thus contrary to the principle of legality.

4.4 The company's comments on the assessment of treatment basis

The company has no comments or responses to the assessment of whether there was one
basis for processing the disclosure of personal data. The company admits itself
that the incident violated Coop's current camera surveillance routines. The Data Inspectorate

therefore assumes that there is no disagreement on this issue.

4.5 Infringement Fee

4.5.1 General information about the assessment

Infringement fees are a tool to ensure effective compliance and enforcement of

the personal data regulations. We believe it is necessary to respond to the violation, and
imposes an infringement fee (cf. Article 83 of the Privacy Regulation).

In accordance with the Supreme Court's practice (cf. Rt. 2012 p. 1556), we assume that
infringement fines are to be regarded as penalties under the European Convention on Human Rights




                                                                                                Article 6 Therefore, a clear preponderance of probabilities for offenses is required in order to be able to impose
fee.

When assessing whether a fee should be charged and when measuring, the Data Inspectorate shall take into account
to the elements in the Privacy Ordinance Article 83 no. 2 letter a to k. The Norwegian Data Protection Authority may
impose infringement fines after a discretionary overall assessment, but they listed
the moments lay down guidelines for the exercise of discretion by highlighting moments that should

special weight is given.

In the following, we will review the terms that are relevant to the facts in this case. We
will reproduce the comments from the company's representative continuously during the individual moments.

4.5.2 Article 83 (2) (a): «The nature, severity and duration of
the infringement, taking into account the nature, extent or purpose of the treatment concerned

as well as the number of data subjects affected, and the extent of the damage they have suffered »

The company states that the video clip is short and that it does not show an offense. It is a
limited scope of persons caught. The extradition was a one-time event, and it can
it is not documented that the individual case has caused any damage.

The Norwegian Data Protection Authority agrees with the company that the video clip that was the subject of further sharing

does not automatically provide grounds for concluding that a criminal offense is being caught. However, will
the context could leave an impression that something illegal has happened, in that
the store manager films the video clip and asks questions to identify the person pictured.
The Data Inspectorate considers the violation to be serious. The violation involves a violation of it
basic requirement of legality of a treatment. The breach affects children, who are given a
special protection in the privacy regulations. Information about the incident and why the clip has been

spread can still spread quickly with the shared personal information. The very foundation
for the division has been to identify persons to clear up a matter that was reported.

The breach has affected a small number of registered persons, and it is unclear what the extent of the damage is
follows from the infringement. At the same time, a breach such as this could lead to damage to its reputation
the registered, rumors and public outcry. The extradition is in itself suitable to lead
to serious consequences. For children, these consequences will be perceived as more harmful than

for adults, who often have a more secure sense of identity and belonging.

The treatment in question is also a violation of the company's internal guidelines for
disclosure of personal information from camera surveillance, which increases the seriousness of
the incident.

The Data Inspectorate also emphasizes that the store manager used his own mobile phone to film

the recording, which he then shared further. Private cell phones are often associated with cloud-based
storage services, which can cause files to be stored on multiple devices. The person who owns
the phone will therefore more easily lose track of where the file is located. This is increasing
the risk of the dissemination of personal data, and thus also the severity of
the infringement.




                                                                                                94.5.3 Article 83 (2) (b): 'Whether the infringement was committed intentionally or
negligent »


The company states that it cannot be demonstrated that there was intent with regard to both
the act itself, and with respect to the act constituted an offense. Further writes
the business that the store manager “spontaneously [sent] part of a video recording to another employee in
The Coop system. »

The company writes that even if this act is considered extradition of

personal information, it can not be required that the store manager has had a conscious relationship with that sharing
within the business constitutes a processing of personal data. The company also states
that the store manager has not intended with regard to the consequences of the treatment, which meant that
the recording was spread further. In conclusion, the company states that the store manager has expelled
legal ignorance about a complicated set of rules, which points in the direction of negligence rather than

continue.

It is not a condition for the imposition of an infringement fee that there is subjective guilt
violator. In this context, reference is made to Chapter IX of the Public Administration Act on
administrative sanctions. By an administrative sanction is meant a negative reaction that can
imposed by an administrative body, which addresses a committed violation of law, regulations

or individual decision, and which is considered a penalty under the European
the Convention on Human Rights (ECHR).

For companies, the debt assessment is unique. Section 46, first paragraph, of the Public Administration Act states:


        "When it is stipulated by law that an administrative sanction may be imposed on a company
the sanction can be imposed even if no individual has shown guilt. "

In Prop. 62 L (2015-2016) page 199 it is stated about § 46: «The wording that‘ none
individual has shown guilt 'is taken from the section on corporate punishment in the Penal Code § 27 and
shall be understood in the same way. The responsibility is therefore basically objective ».


Legal persons as such cannot plead guilty. This point of Article 83 does
however, it is clear that emphasis can be placed on how reprehensible the action is. According to it
the current guideline from the European Privacy Council, the degree of guilt must be deduced from
objective evidence related to the actions in the specific case. In cases where a person

have acted on behalf of a business, the boundaries will be linked to intent and
negligence is thus linked to how much guilt can be inferred from the trader
the representative expelled in the acts that led to the violation.

As a starting point, a boundary can be outlined between breaches of the regulations as a result of a
accidents or a malicious intrusion, which, for example, could occur as a result of inherent

weaknesses in a computer system. On the other side of the scale one will find planned violations,

5
 17 / EN WP 253 pp. 12



                                                                                                10th people with leading positions in key parts of a business have consciously and planned
violated the law.

The Data Inspectorate believes that the actions that led to the breach are clearly reprehensible. The treatment
was performed by a person in a leading position, through a deliberate act, and not as a result
by accident. We find it, as mentioned above, reprehensible that the store manager filmed the recording with
his private phone. This filming is in itself a stand-alone treatment of

personal data, in which the recording from the original system is copied using an external
unit.

We will also note that even if this single action should not constitute one
violation of the company's own routines, it constitutes a processing of personal data
who must meet the requirements of the law to be legal. The business can not be heard with that
there was error of law. Legal error is not excusable unless the legal error is

careful, something it in our view is not in the case. According to the routines, a store manager holds the lead
the responsibility for compliance with the regulations, which includes both the Personal Data Act and those
internal routines in the business.

Furthermore, we would like to point out that it appears as a clear consequence that a shared video clip will
further divided, especially if the purpose of the original division is to identify one or
more people.


It cannot be concluded that there is intent with regard to the illegality of the act
or the consequences of the action. However, this is not a criminal law concept of intent,
but a categorization of the reprehensible behavior on a scale. Based on the objective
the evidence that can be deduced from the actions, the Data Inspectorate believes that it has been expelled in any case
gross negligence of a leading person in the business. This roughness pulls in aggravating

direction.

4.5.4 Article 83 (2), letter c: «Any measures taken by it
        the controller or the data processor to limit the damage as they
        registered have suffered »

In the non-conformance report, the company describes that all known involved were contacted and asked to
delete any recordings. The store manager called all affected parties and apologized for the inconvenience. IN

the statement, Coop Finnmark explains that they have contacted «the guardian of the person who
stole ».

We agree that the company has taken important and required measures following the deviation,
and believes that this speaks in a mitigating direction.

4.5.5 Article 83 (2) (d): 'The controller or processor's

        degree of responsibility, taking into account the technical and organizational measures they
        has carried out in accordance with Articles 25 and 32 »






                                                                                                11The company has guidelines for the use of camera surveillance, including rules for extradition
of recordings. The routines indicate that the disclosure of personal information can take place when
"The basis for the extradition exists", or if there is a "written basis for extradition".
This is followed by two sentences dealing with written consent from the person pictured and extradition to
the police in connection with the investigation of a criminal act or accident.

The company itself believes that the routines are not unclear. It is stated that the understanding of «in writing

basis »must be put in context with the two subsequent sentences, which deal with
written consent and extradition to the police.

The Data Inspectorate believes that the language in the section of the routines is not clear enough, but rather is suitable for
confuse. It is not clear what is considered to be a written basis that provides
possibility of extradition. It must be clear what is a legal basis that gives reason for
to disclose the personal information. Pedagogically designed and coherent routines are important

for all employees to understand why the routines should be followed, and to ensure that they are actually adhered to.

However, there is no reason to place further emphasis on the ambiguity of the routines in the case, as it is not
basis for concluding that the routines in themselves are related to the illegal
the extradition. The Data Inspectorate therefore still believes that this factor does not add up
aggravating or mitigating direction.


The company states in the statement dated 21 October that a meeting has been held about
the incident, where the guidelines were reviewed. Furthermore, it states that «internal routines have passed
through in a meeting with all the store managers ».

It is not stated which training has been held prior to the deviation, and how
the management of the company has made sure that middle managers, such as the store manager, actually know

these. Uncertainties and failing training routines can easily lead to violations. It is
however, it is difficult to say whether training and other review have anything to do with it
the illegal extradition in this particular case. This moment therefore does not draw in
aggravating or mitigating direction.

4.5.6 Article 83 (2) (e): «Any relevant previous infringements committed

        by the data controller or data processor »

The company states that the extradition constitutes a first-time infringement, and that this must work
mitigating in the overall assessment.

The Data Inspectorate does not find that this aspect speaks in either aggravating or mitigating terms
direction.











                                                                                                124.5.7 Article 83 (2) (f): "Cooperation with the supervisory authority"


The guidelines from the Privacy Council state that it cannot be emphasized that a business
cooperates with the supervisory authority in accordance with applicable law.

The company writes that they have cooperated with the supervisory authority and reported on the case
to the best of our ability, both unsolicited and upon request for more information.


The Data Inspectorate does not find that this factor can speak in a mitigating direction, as
the business is required to answer the questions.


4.5.8 Article 83 (2) (g): "Category of information concerned"

The company states that it must be conciliatory that the faces of the persons are not shown, and that
it was only possible to identify the persons on the basis of hair, clothing and footwear. Further mean
the business that the accuracy of the information was low, as the person who first received

sent the video was not able to recognize his son on the video.

The Norwegian Data Protection Authority refers to the assessments given under the item in Article 83 no. 2 letter a. We believe
that it does not matter whether it is the face or the attire that makes it possible
to identify a person; the person is still identifiable based on the information provided.

There is no distinction between "immediately identifiable" persons and persons who
it will take a little longer to recognize in a camera recording.

4.5.9 Article 83 (2), letter h: 'How the supervisory authority became aware of

        to the infringement, in particular if and to what extent
        the controller or the data processor has notified of the infringement »

The company itself has reported the deviation to the Norwegian Data Protection Authority. The company believes that this can not
pull in the aggravating direction. It is stated that a strict sanction practice can weaken trust

between supervisory authorities and data controllers, and in the worst case result in deviations and
Violations are not reported as anticipated.

The guidelines point out that it can not be conciliatory for a company to comply with its own
obligations under the regulation to report deviations. We therefore believe that it can neither speak in

aggravating or mitigating direction that the company has reported the breach
the personal data security of the Norwegian Data Protection Authority. Both businesses and regulators will
be served with a low threshold for reporting deviations.


4.5.10 Article 83 (2) (k): 'Any other aggravating or mitigating factor
        in the case, e.g. economic benefits gained, or losses avoided,
        directly or indirectly, as a result of the infringement »



6
717 / EN WP 253 pp. 14
 17 / EN WP 253 pp. 14



                                                                                                13Datatilsynet has no knowledge of other aggravating or mitigating factors in the case such as
will affect the outcome of the assessment.

4.5.11 Practices of other supervisory authorities

In its comments, the company refers to three decisions on the imposition of infringement fines from
other supervisory authorities. Two of these have been issued by the Swedish Data Inspectorate; DI-2019-

2221 and DI-2018-22737. The latter is an infringement charge imposed by the supervisory authority in it
German state LfDI Baden-Württemberg. It is emphasized that the level of fees in these cases
indicates that the notified fee in the present case is too high.

The three cases listed deal with very different facts compared to the present case,
which means that the transfer value is small. The Data Inspectorate agrees that one should apply to
harmonize administrative practices across the supervisory authorities of the EEA countries. It is

however, it is clear that each case of infringement charge will be very different and therefore must
be justified in specific circumstances of the individual case. The Data Inspectorate finds no reason
to emphasize the listed cases for the determination of infringement fines in the present case
the case. The assessments in these cases do not govern our assessments of whether it should
a fee is imposed in this case, or by the size of the fee.


4.5.12 Summary and conclusion

After an overall assessment of the deviation's scope, character and severity, the Data Inspectorate has
concluded that an infringement fine should be imposed in accordance with Article 83 (2) of the Privacy Regulation and
5.

We point out that infringement fines have previously been imposed for similar cases of illegal
extradition, and that considerations of equality indicate that the violation should be sanctioned with
infringement fine. We have placed particular emphasis on the fact that it is children's privacy that has been violated

the extradition.

6. Assessment of the size of the fee

When measuring the size of the fee, emphasis shall be placed on the same assessment factors
which has been reviewed in section 4.5 of the decision. We therefore refer to the assessments made above.
The infringement fine shall be effective, proportionate and dissuasive

act as a deterrent. The fee should be experienced as an evil. This means that
the supervisory authority shall make a specific, discretionary assessment in each individual case. We
refers to point 148 of the Privacy Ordinance, which states that it should be imposed
sanctions, including infringement fines, for breach of the Regulation.

The extradition took place as a one-time incident, and the recording was made through the action

the store manager only shared with one person. Nevertheless, the recording was shared further, and eventually reached
the child himself. This shows the real danger of the information being spread further. It only takes a couple
click until personal information is spread to a large number of people through mobile phones.





                                                                                               14 The disclosure applies to children's personal data, which shall enjoy a particularly strong protection. We have
therefore placed considerable emphasis on this moment. There is further talk of a violation that
resulting from a negligent act performed by a person in a senior position. It is the business,
and the person acting on behalf of the company, responsibility to familiarize himself with the rules for

camera surveillance, including the rules of extradition.

The business's financial ability will also be important, even if it is not relevant to
take advantage of the range of the infringement fine provided for in Article 83 (5).
The business had operating revenues of NOK 1,033,257,000 in 2018. The result was NOK
52 489 000. 8


Similar cases, such as the previously mentioned PVN-2019-09, dealt with companies
significantly lower turnover. In PVN-2019-09, the company had an operating profit of NOK 1.5
millions. The fee was set at NOK 50,000.


Coop Finnmarks SA's financial situation is in a special position. For the fee to be experienced
as an evil, so that the preventive considerations behind the infringement charge as a form of reaction
taken care of, the fee must be higher than what has previously been the case in cases with similar
fact.

However, we believe that the fee has already been set at a low amount, where we have taken into account that

one violation has occurred. Compared to the company's turnover, the fee is low. The
must, however, be of a certain size in order to fulfill the purpose set out in
Article 83 of the Privacy Regulation.

After this, we have come to the conclusion that we maintain the notified fee of NOK 400,000.


7. Recovery of infringement fines

The infringement fee is due for payment four weeks after the decision is final, cf.
the Personal Data Act (2018) § 28. The decision is a coercive basis for disbursement. Recovery of
the claim will be implemented by the Central Government Collection Agency.


8. Right of appeal

You can appeal the decision. Any complaint must be sent to us by 28 January 2021, cf.
Sections 28 and 29 of the Public Administration Act. If we uphold our decision, we will send the case to

The Privacy Board for complaint processing, cf. the Personal Data Act § 22.

9. Transparency and publicity

You have the right to access the case documents, cf. the Public Administration Act § 18. We will also inform
that all documents are in principle public, cf. the Public Access to Information Act § 3, but



8
 The figures are taken from proff.no per 13.01.2020



                                                                                                15emphasizes at the same time that safety documentation as a general rule is exempt from public access, cf.
the Public Access to Information Act § 13 and the Public Administration Act § 13 first paragraph no. 2.



With best regards




Jørgen Skorstad
department director
                                                            Embla Helle Nerland
                                                            legal adviser





This letter has been approved electronically by the Norwegian Data Protection Authority and therefore has no signature.




































                                                                                           16