Datatilsynet (Norway) - DT-20/01777 | |
---|---|
Authority: | Datatilsynet (Norway) |
Jurisdiction: | Norway |
Relevant Law: | Article 5(1)(a) GDPR Article 6(1) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 17.03.2021 |
Published: | 09.04.2021 |
Fine: | 35000 NOK |
Parties: | Miljø- og Kvalitetsledelse AS |
National Case Number/Name: | DT-20/01777 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Norwegian |
Original Source: | Datatilsynet (in NO) |
Initial Contributor: | Rie Aleksandra Walle |
The Norwegian DPA fined a controller €3430 (NOK 35,000) for sharing a CCTV recording of a data subject vandalising its property with the data subject's employer, without a legal basis.
English Summary
Facts
The company Miljø- og Kvalitetsledelse operates a car wash facility, where a payment terminal was vandalised. Since the company had CCTV/camera surveillance, they were able to determine who the culprit was and, consequently, reported the incident to the police (and also to the culprit/data subject himself).
However, the company went on to disclose the footage to the data subject's employer, as they considered him to be "out of balance" because the data subject had also contacted a lawyer. The data subject was not notified of, nor consented to this disclosure.
Holding
The DPA held that the company lacked legal basis for the disclosure to the data subjects's employer and was therefore in violation of Articles 5(1)(a) and 6(1) GDPR. The recordings had already been handed over to the police and the further disclosure to the data subject’s employer was unnecessary for the (legitimate) purpose of preventing vandalism or resolving the case.
Comment
Aggravating circumstances:
- the personal data was concerning alleged or suspected criminal offences.
- sharing such personal data with the data subject’s employer would likely be experienced as extra distressing and could have an impact on the data subject’s employment relationship.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
Miljø- og Kvalitetsledelse AS fined The Norwegian Data Protection Authority has fined the company Miljø- og Kvalitetsledelse AS EUR 3,500 (NOK 35,000) for illegal distribution of personal data from camera recordings. Miljø- og Kvalitetsledelse operates a car wash. When a payment terminal was vandalised, recordings and data from the cash wash’s CCTV camera system were sent to the employer of the person the company believed had committed the vandalism. Lacked legal basis The Data Protection Authority concluded that the disclosure lacked legal basis, and was in violation of Article 6(1) and Article 5(1)(a) of the GDPR. The recordings had already been handed over to the police, and their disclosure to the data subject’s employer was unnecessary for the purpose of preventing vandalism or resolving the case. We have given weight to the fact that the disclosure of personal data concerning alleged or suspected criminal offences to the data subject’s employer will often be experienced as personally distressing and could have an impact on the data subject’s employment relationship. Fined under previous legislation The infringement occurred before the GDPR went into effect on 20 July 2018. The fine was therefore imposed at the level practised under previous legislation. Les på norsk Miljø- og Kvalitetsledelse AS får gebyr Published: 5/10/2021 Miljø- og Kvalitetsledelse AS fined The Norwegian Data Protection Authority has fined the company Miljø- og Kvalitetsledelse AS EUR 3,500 (NOK 35,000) for illegal distribution of personal data from camera recordings. Miljø- og Kvalitetsledelse operates a car wash. When a payment terminal was vandalised, recordings and data from the cash wash’s CCTV camera system were sent to the employer of the person the company believed had committed the vandalism. Lacked legal basis The Data Protection Authority concluded that the disclosure lacked legal basis, and was in violation of Article 6(1) and Article 5(1)(a) of the GDPR. The recordings had already been handed over to the police, and their disclosure to the data subject’s employer was unnecessary for the purpose of preventing vandalism or resolving the case. We have given weight to the fact that the disclosure of personal data concerning alleged or suspected criminal offences to the data subject’s employer will often be experienced as personally distressing and could have an impact on the data subject’s employment relationship. Fined under previous legislation The infringement occurred before the GDPR went into effect on 20 July 2018. The fine was therefore imposed at the level practised under previous legislation. Les på norsk Miljø- og Kvalitetsledelse AS får gebyr Published: 5/10/2021