Datatilsynet (Norway) - 20/01648

From GDPRhub
Revision as of 06:28, 6 March 2022 by Riealeksandra (talk | contribs) (Added link to appealed decision)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Datatilsynet (Norway) - 20/01648
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(c) GDPR
Article 6 GDPR
Article 12(1) GDPR
Article 13 GDPR
Regulation on the use of camera surveillance in a business
Type: Investigation
Outcome: Violation Found
Decided: 14.07.2021
Published: 12.08.2021
Fine: 100000 NOK
Parties: n/a
National Case Number/Name: 20/01648
European Case Law Identifier: n/a
Appeal: Appealed - Confirmed
Personvernnemnda (Norway)
2021-20 (20/01648)
Original Language(s): Norwegian
Original Source: Datatilsynet (in NO)
Initial Contributor: Rie Aleksandra Walle

The Norwegian DPA fined a beauty salon approximately €9,473 (NOK 100,000) for unlawfully installing camera surveillance that gave the general manager constant live access to images and sound via a mobile app on her phone, without informing employees or customers. Following an appeal, the Norwegian Privacy Appeals Board upheld the DPA's decision.

English Summary


A trade union lodged a complaint about a controller for unlawful use of camera surveillance in the business. According to the complainant, the camera was put in place because they demanded a collective agreement for their members (i.e., the employees of the business). The camera, which was angled towards the reception area and the area towards the treatment room, had built-in microphone and speaker, motion sensor, full HD, 130 degrees view and comes with a mobile app with real-time access and access to recordings from the last seven days.

The general manager of the business had installed the mobile app on her phone and had not, according to the employees, discussed or informed the use of camera surveillance, with any of them. The general manager, however, claimed that she not only had discussed this with the employees, but they had requested her to install the camera because of violent incidences and other crime in the area. Despite this, she was not able to provide any documentation or proof of this discussion and agreement with the employees, which she considered unnecessary since the business is so small and verbal agreements should suffice.

The camera surveillance eventually stopped, but only because the camera itself stopped working.


The Norwegian DPA (Datatilsynet) held that the controller had breached Articles 5(1)(a) and (c), 6, 12(1) and 13 GDPR and for this fined the controller NOK 100,000 (approximately €9,473). The fine was reduced from NOK 150,000 because the business had a reduced turnover following the circumstances around COVID-19.

The DPA emphasized in particular that:

  • The camera had a wide-angle lens capable of capturing 130 degrees.
  • The camera was angled towards the reception area and the area towards the treatment room.
  • The camera was able to record sound.
  • The general manager had remote access through a mobile app on her mobile phone.
  • The camera was enabled and the surveillance was active at all times, including with motion sensor.

Further, the DPA commented that the controller should have conducted a Data Protection Impact Assessment (DPIA) before installing the camera and considered other, less invasive ways to achieve the claimed purpose.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

Fee to Waxing Palace AS
The Data Inspectorate demanded a fee of NOK 100,000 from Waxing Palace AS. The business runs a growing salon, and there they have camera-monitored the reception area in violation of the privacy ordinance.

The Privacy Ordinance requires that all processing of personal data has a legal basis. After investigating a complaint about the use of a surveillance camera in the salon premises, the Data Inspectorate's assessment is that the company did not have a legal basis for the camera surveillance. The Data Inspectorate has also concluded that the company did not provide good enough information about the monitoring.

Illegal camera surveillance
- There are strict rules for what situations it is allowed to monitor with a camera. This is especially true in the workplace. The principle that the processing of personal data must be legal and open is absolutely fundamental. Violations of these principles are serious, explains legal adviser Liv Gramer.
- You must always be open with those you register personal information about. Good information should, among other things, ensure that there is no doubt about which area is captured by the camera. The clear main rule is that no one should experience being surprised that they are being monitored by cameras, says Gramer.

Responds with fee
The Data Inspectorate thinks the case is so serious that it is necessary to respond with a fee.
Everyone has the right to privacy, and this also applies in the workplace. Illegal camera surveillance can be very stressful for employees.
- In this case, we have emphasized that the illegal camera surveillance affects both employees and customers in the salon. The camera surveillance does not include areas in the salon where the treatments took place, but we have emphasized the type of business the company conducts. Many customers will experience a visit to a growing salon as a private matter, and not a situation where one expects to be filmed, Gramer concludes.

The fee is given after an overall assessment of, among other things, how serious the breach of the rules is, and the company's finances.

Waxing Palace AS has a deadline for complaints until 20 August 2021.