Datatilsynet (Norway) - 20/01777

From GDPRhub
Revision as of 09:54, 26 May 2021 by RRA (talk | contribs)
Datatilsynet (Norway) - DT-20/01777
LogoNO.png
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 5(1)(a) GDPR
Article 6(1) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 17.03.2021
Published: 09.04.2021
Fine: 35000 NOK
Parties: Miljø- og Kvalitetsledelse AS
National Case Number/Name: DT-20/01777
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Norwegian
Original Source: Datatilsynet (in NO)
Initial Contributor: Rie Aleksandra Walle

The Norwegian DPA fined a controller €3,430 (NOK 35,000) for disclosing a CCTV recording of a data subject vandalising its property to the data subject's employer, without a legal basis.

English Summary

Facts

The company Miljø- og Kvalitetsledelse operates a car wash facility, where a payment terminal was vandalised. Since the company had CCTV/camera surveillance, they were able to determine who the culprit was and, consequently, reported the incident to the police (and also to the culprit/data subject himself).

However, the company went on to disclose the footage to the data subject's employer, as they considered him to be "out of balance" because the data subject had also contacted a lawyer. The data subject was not notified of, nor consented to this disclosure.

Dispute

Did the company disclose personal data from camera recordings illegally?

Holding

The DPA held that the company lacked legal basis for the disclosure to the data subjects's employer and was therefore in violation of Articles 5(1)(a) and 6(1) GDPR. The recordings had already been handed over to the police and the further disclosure to the data subject’s employer was unnecessary for the (legitimate) purpose of preventing vandalism or resolving the case.

Comment

Aggravating circumstances:

  • the personal data was concerning alleged or suspected criminal offences.
  • sharing such personal data with the data subject’s employer would likely be experienced as extra distressing and could have an impact on the data subject’s employment relationship.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.


    
    


    
    
        
            
                Miljø- og Kvalitetsledelse AS fined

            



The Norwegian Data Protection Authority has fined the company Miljø- og Kvalitetsledelse AS EUR 3,500 (NOK 35,000) for illegal distribution of personal data from camera recordings.

                        
            
                    
                        
                    
                        
        
            
                
                        
                            
                        
                
            
    
    
        
            
            
                



Miljø- og Kvalitetsledelse operates a car wash. When a payment terminal was vandalised, recordings and data from the cash wash’s CCTV camera system were sent to the employer of the person the company believed had committed the vandalism.
Lacked legal basis
The Data Protection Authority concluded that the disclosure lacked legal basis, and was in violation of Article 6(1) and Article 5(1)(a) of the GDPR. The recordings had already been handed over to the police, and their disclosure to the data subject’s employer was unnecessary for the purpose of preventing vandalism or resolving the case.
We have given weight to the fact that the disclosure of personal data concerning alleged or suspected criminal offences to the data subject’s employer will often be experienced as personally distressing and could have an impact on the data subject’s employment relationship.
Fined under previous legislation
The infringement occurred before the GDPR went into effect on 20 July 2018. The fine was therefore imposed at the level practised under previous legislation.

            
        

        
        


                
                    Les på norsk
                    
                            
            
                Miljø- og Kvalitetsledelse AS får gebyr
            
    

                    
                






            
            

                
                    
                        Published:
                        5/10/2021
                    
                


            
        
    

















    
    
        
            
                Miljø- og Kvalitetsledelse AS fined

            



The Norwegian Data Protection Authority has fined the company Miljø- og Kvalitetsledelse AS EUR 3,500 (NOK 35,000) for illegal distribution of personal data from camera recordings.

                        
            
                    
                        
                    
                        
        
            
                
                        
                            
                        
                
            
    
    
        
            
            
                



Miljø- og Kvalitetsledelse operates a car wash. When a payment terminal was vandalised, recordings and data from the cash wash’s CCTV camera system were sent to the employer of the person the company believed had committed the vandalism.
Lacked legal basis
The Data Protection Authority concluded that the disclosure lacked legal basis, and was in violation of Article 6(1) and Article 5(1)(a) of the GDPR. The recordings had already been handed over to the police, and their disclosure to the data subject’s employer was unnecessary for the purpose of preventing vandalism or resolving the case.
We have given weight to the fact that the disclosure of personal data concerning alleged or suspected criminal offences to the data subject’s employer will often be experienced as personally distressing and could have an impact on the data subject’s employment relationship.
Fined under previous legislation
The infringement occurred before the GDPR went into effect on 20 July 2018. The fine was therefore imposed at the level practised under previous legislation.

            
        

        
        


                
                    Les på norsk
                    
                            
            
                Miljø- og Kvalitetsledelse AS får gebyr
            
    

                    
                






            
            

                
                    
                        Published:
                        5/10/2021