Datatilsynet (Norway) - 20/01790
|Datatilsynet - 20/01790|
|Relevant Law:||Article 5(1)(a) GDPR|
Article 6 GDPR
Article 6(1)(f) GDPR
|Fine:||400 000 NOK|
|Parties:||Coop Finnmark SA|
|National Case Number/Name:||20/01790|
|European Case Law Identifier:||n/a|
|Appeal:||Appealed - Overturned|
2021-09 and 2021-15
|Original Source:||Datatilsynet (in NO)|
|Initial Contributor:||Rie Aleksandra Walle|
The Norwegian DPA fined a company €38,800 for unlawfully disclosing personal data from a surveillance footage, thus breaching Article 5(1)(a) GDPR and Article 6. The company appealed to the Norwegian Privacy Appeals Board, who first removed the fine in its entirety, then awarded the controller €6,959 to cover their legal costs.
English Summary[edit | edit source]
Facts[edit | edit source]
Coop Finnmark SA is part of a Norwegian cooperative selling groceries and more. The company submitted a data breach notification to the DPA after a store manager had filmed surveillance footage with his private mobile phone and shared this with a third party. He believed children were stealing, and his intention was to identify these. The woman he shared the footage with, sent it to her son, who sent it to someone else. The recording was, as such, shared with several people and reached, in the end, the child who was evidently stealing.
The store manager realized his mistake following the incident, notified the DPA and apologized to everyone involved.
Holding[edit | edit source]
The DPA notes that the company has legal grounds for using surveillance in their shop, in general, as per Article 6(1)(f). Filming and sharing a recording from the footage, however, is a new processing activity which also requires legal grounds as per the GDPR. The company has not determined legal grounds, as this processing activity shouldn't take place and is a breach of the company's internal routines.
The DPA notes that the purpose of the processing was to identify the children in the footage. Sharing the footage with third parties, however, was not necessary to achive the purpose. The company should have reported the incident to the police and waited for them to initiate a criminial investigation, including asking for surveillance footage.
Consequently, the DPA held that the company didn't have legal grounds for sharing the footage, as per Article 6. As the processing lacked legal basis, they were also in breach of Article 5(1)(a) GDPR. The company was fined €38,800.
Comment[edit | edit source]
The DPA underlines that the breach is particularly severe since children were involved. They also highlight the significant risk connected with sharing something with a personal mobile phone, and how easy it is to lose control of personal data in this way.
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
ADVOKATFIRMAET BAHR AS PO Box 1524 VIKA Excluded from the public: 0117 OSLO Offl §13 cf. Fvl §13 no. 1 Their reference Our reference Date 9135764/1 20 / 01790-1 (19/01267) / EHN 22.12.2020 Decision on the imposition of infringement fines - COOP FINNMARK SA We refer to our notification of the decision on infringement fines of 28 February 2020, and comments to the forecast from BAHR dated 25 March 2020. We will in the following refer to the «business» when we write about the comments in the comment to the alert. We will continuously note which ones points in the final decision that deviate from the notification of decision. 1. Decision on infringement fines Based on the information in the case, the Data Inspectorate believes that COOP FINNMARK SA has violated the rules in the Personal Data Act, and sees reason to impose on the business a infringement fine. Pursuant to section 1 of the Personal Data Act, cf. the Privacy Ordinance, Article 58 no. 2 letter i, cf. article 83, is imposed on Coop Finnmark SA, org.nr. 981 397 568, to pay an infringement fee to the Treasury of 400,000 - four hundred thousand - kroner to have disclosed personal data in violation of the Privacy Ordinance Article 6 and Article 5 No. 1 letter a. The background and reasons for the decision follow below. 2. Details of the facts of the case On 10 April 2019, the Norwegian Data Protection Authority received a report of a breach of personal data security (deviation report) from Coop Finnmark SA (hereinafter «Coop Finnmark»). The message is described deviated as follows: "Store manager detects theft in self-scan via camera surveillance. There are two boys on the recording, these two are watching, while one of the boys is stealing. (There are four more together). The store manager films the recording from the camera surveillance and sends it to one he knows, with questions is "this" (her son). No face is shown, but you can see the hair, clothing, as well as footwear. She passes this on to her son where she asks about this Postal address: Office address: Telephone: Fax: Org.nr: Website: PO Box 458 Sentrum Tollbugt 3 22 39 69 00 22 42 23 50 974 761 467 www.datatilsynet.no 0105 OSLO is he. It is not then, but her son then sends the video on, where it then comes to the person who was filmed on the recording. " As we understand the deviation report, there has been a delivery of camera footage from a surveillance camera in a store belonging to Coop Finnmark. The extradition took place by that the store manager in the store filmed a screen that showed footage from the camera in the store. In response to the notice of decision writes the company that the store manager used his mobile phone to film the film clip, which lasted about three seconds. The deviation report states that the recording that was handed out showed two or three children, with one estimated age of 15 or 16 years, who stole goods in the store. One or two of the children did it physical theft, while two of those pictured on the recording watched the others steal. According to the deviation message does not show the faces of those pictured, but it is possible to see and distinguish the people apart based on clothing, hair and footwear. The store manager then sent the recording, from his phone, on to what he assumed was the mother of one of those pictured. He asked the recipient if the person pictured was her son. The woman answered the question in the negative, and then passed the video on to her son. The son then forwarded the video. At one point, the video reached the person or persons who are depicted on the recording. It appears from the deviation report that the recordings were later handed over to the police. After the incident, the store manager contacted the HR / HSE manager, and an internal non-conformance report was made written the same day. The non-conformance report states that the store manager contacted those affected the parties he knew, and apologized for the incident. He also requested that the recordings as possible was on other devices was deleted. It is also stated that an apology was given directly to the people who were filmed on the video clip. The company submitted a report of a breach of personal data security on 10 April 2019 at 14.20. The Norwegian Data Protection Authority then asked Coop Finnmark for further information in a letter with a request for a statement, which was sent on 8 October 2019. The request was answered in statement dated 21 October 2019. Attached were the company's routines for camera surveillance and handling of discrepancies in the processing of personal data, as well as the company's data processor agreement with a technical service provider. Item 9 in Routine for Camera Surveillance - Stores in Coop Finnmark deals with delivery of personal information. The point in its entirety reads: «Personal information shall not be disclosed to outsiders unless it is available written basis for extradition. If the consent of those pictured is required, the confirmation is attached to the extradition request. If extradition is required in connection with investigation of a criminal act or accident, extradition to the police can take place, without it there is consent, if the basis for the extradition exists. 2 Delivery of photos / recordings is delivered in a separate format. The originals are retained by the company and is subject to deletion according to the rules for this. The image / recording shall never be used for anything other than the purpose, cf. section 2, for which it has been handed over. Responsibility for the practical handling of delivery is delegated to the security manager, store manager or to one they delegate this responsibility to. " The Data Inspectorate requested a copy of the camera recordings made in the store on 4 April 2019. We received the recordings by letter post in August 2020. There are two recordings, one of 19 seconds showing the entrance to the store, and a recording of 1 minute and 33 seconds showing the checkout area in the store. We assume that some of these recordings were filmed by the store manager with his private phone, and which was then shared further. We have not seen the recording that was done on the private phone and these must be deleted. One footage shows people entering the store. The second recording shows people who pay for goods at serviced and self-service checkouts in the checkout area. It's hard to deduce from the camera footage that a criminal act is taking place. It may seem that one of them the boys pictured do not pay for all the items he later takes out of the store. 3. Legal principles 3.1 More about the requirements of the Personal Data Act The Personal Data Act implements the European Privacy Regulation in Norwegian law. The rules in the law and the regulation apply to fully or partially automated processing of personal data, cf. the Personal Data Act § 2 and the Privacy Ordinance Article 2. The initial condition for the regulation to apply is that a processing takes place of personal information. Article 4 (1) of the Regulation defines personal data as follows: «Any information about an identified or identifiable natural person (« the registered »); An identifiable natural person is a person who directly or indirectly can be identified, in particular by means of an identifier, e.g. a name, a identification number, location information, a network identifier or one or several elements specific to the physical, physiological, genetic, psychological, economic, cultural or social identity ». The definition of personal data is broad. What is decisive for the application of the law is whether the relevant information can be linked to a natural person, who is either identified or is identifiable. It is sufficient that the natural person is indirectly identifiable, for example when using different «means», cf. the regulation's proposition point 26. The decisive factor is whether the information is suitable for identifying a person, with or without aids. All processing of personal data must be in accordance with the basic principles of Article 5 of the Regulation. The principles mean that the treatment must be lawful and equitable and transparent (letter a). The treatment should only take place for predetermined purposes, and 3Not reused for new purposes contrary to the original (letter b). The treatment must be adequate, relevant and limited to the specific purpose (letter c). The information should be correct (letter d), and they should only be stored for a limited period of time after what is necessary for the purpose (letter e). The treatment must be done in a way that ensures the integrity and confidentiality of personal data (letter f). This principle implies that the personal data shall be secured against outsiders gaining unauthorized access, through appropriate organizational and technical measures. It is the person in charge of treatment who is responsible for ensuring that these principles and the Regulation as a whole is complied with (Article 5 (2)). One of the requirements of the Privacy Ordinance for the processing to be considered legal is that there is a legal basis for it (basis for processing). The different forms of basis for treatment can be found in Article 6 of the Regulation. For camera surveillance performed by private companies and associated treatments, including extradition, are there the basis of treatment in Article 6 (1) (f) which is the most obvious. We point to that The Privacy Board has assumed that Article 6, paragraph 1, letter f is a relevant one basis for processing in the assessment of such cases. 1 The basis of treatment in Article 6, paragraph 1, letter f, provides guidance on a balance of interests. Personal data can be processed on this basis if it is necessary to safeguard a legitimate interest that outweighs the consideration of individual privacy. This implies that the business must have a legitimate interest, the processing must be necessary for to achieve the legitimate interest and that a concrete assessment is made of the weight of interests. This must then be weighed against the data subject's right to privacy. If a processing does not meet the basic requirements of the Privacy Regulation, will the treatment may be illegal. 3.2 The question of the application of regulations for camera surveillance in business The Norwegian Data Protection Authority has assessed the deviation report from Coop Finnmark SA in accordance with the general rules in 2 the regulation, and not the special rules in the regulations for camera surveillance in business. We will in the following justify the choice of law. Article 88 of the Privacy Regulation allows Member States to lay down detailed rules for the processing of employees' personal data in connection with employment relationships. The scope of the special rules on camera surveillance is therefore limited to the framework of employment conditions. This is also emphasized by the ministry in the preparations for a new one 3 Personal Data Act. The rules on camera surveillance in business are located in Chapter 9 of the Working Environment Act, which deals with the employer's right to implement 1See e.g. PVN 2019-09 2FOR-2018-07-02-1107. 3 Prop. 56 LS (2017-2018), point 220.127.116.11 4controlling measures in their business. Regulations on camera surveillance in working conditions are included authority in the Working Environment Act § 9-6. Neither the Working Environment Act § 9-6 nor the regulations contain any definition of the term "Camera surveillance in business". In the preparatory work for the new Personal Data Act writes Ministry in connection with this that camera surveillance carried out by others than employer, will fall outside, even if the camera also captures jobs ». Further they write: "On the other hand, it will not be crucial for the employer to set up himself and / or manages the monitoring itself. It will be sufficient that the monitoring takes place in understanding with the employer, is in the employer's interest and that the purpose (among other) is to monitor the employer's activities. A typical example would be monitoring of retail premises in a shopping center, where the monitoring is administered by the center company ». In assessing whether the regulations apply, the Ministry writes: "Secondly, it will be a condition that the monitoring can be regarded as a control measure in the meaning of the Working Environment Act. The Ministry therefore believes that camera surveillance as not, or to a very small extent, can be considered a burden on employees personal integrity, will fall outside the scope of the rules, ie even if it takes place «in business», cf. the purpose of the regulation in the Working Environment Act, Chapter 9 ». This means that the further processing of personal data collected through the camera surveillance, which in principle falls within the scope of the regulations, does not applies if the further processing (in this case extradition) only applies personal information about other than employees. On the basis that Article 88 of the Regulation only allows for more detailed rules for processing of employees' personal data in connection with employment relationships, the fact that The regulations are based on the Working Environment Act's chapter, which regulates the employer's access to implement control measures in operations, and the statements in the preparatory work, is the Data Inspectorate's assessment that the regulations are not the correct regulations to apply in this specific case. The disclosure of the photos made by Coop Finnmark does not include personal information about some of the company's employees. As there is no working relationship between them registered and the business, there are thus the general rules in the Personal Data Act and the applicable privacy regulation. 4. The Data Inspectorate's assessments and reasons for decisions 4.1 Introduction It is clear that there has been a processing of personal data that falls within the scope of the Personal Data Act and the Privacy Ordinance, cf. section 2 and Article 2 of the Ordinance 2. The Personal Data Act and the Privacy Ordinance are coming thus for use. It is stated in the definition in the Privacy Ordinance Article 4 No. 2 that a treatment is any operation or series of operations performed with personal data. We consider it is as if a processing of personal data has taken place in two stages. The first link in The treatment took place when the store manager filmed the recordings with his private mobile phone. The the second stage of the treatment took place when the store manager forwarded the recording he had made to an acquaintance. In the following, we will consider these actions as a collective treatment of personal information. The purpose of the processing of personal data was to identify the person depicted to solve a possible criminal act. The Data Inspectorate believes that Coop Finnmark did not have a processing basis for the processing of personal information. This will be justified in the following. 4.2 Assessment of treatment basis The routines of Coop Finnmark show that the company believes it has a basis for treatment in the article 6 no. 1 letter f for the camera surveillance in the shops. We refer to point 3 of the company's routine for camera surveillance. Delivery of camera footage is a new treatment that requires a new treatment basis. IN the company's routine for camera surveillance, it is stated that delivery can only take place by written basis for extradition. It is unclear what the company puts in this wording. If the basis for extradition is consent from the data subject, there are routines for the extradition. The routines seem to set an exception to the requirement for a written basis for extradition if the recipient is the police, and the extradition takes place in connection with an investigation of a criminal act or accident. The company has not itself emphasized that it has a processing basis for the extradition, but on the other hand, reported the disclosure as a deviation to the Norwegian Data Protection Authority. The delivery is described in the deviation report as a deviation from the company's internal routines. We assume that the company itself does not consider that it has a processing basis for the extradition. We will nevertheless make an independent assessment of this condition. We assume that The relevant basis for processing for extradition is Article 6, No. 1, letter f (see our presentation of the provision and the balance of interests that it provides, in section 3.1). This is in line with the Privacy Board's practice in similar cases. The interests of the business for the processing of personal data must here be weighed against the data subjects' right to privacy. Particular emphasis shall be placed on the wording of Article 6 (1) (f) the data subject's interests and fundamental rights if the data subject is a child. The law's requirement that the treatment must be necessary for purposes associated with it the legitimate interest of the data controller means that the interest pursued by it data controllers must be legal and genuinely motivated in the business. Both legal, 4 PVN-2019-09 6economic or non-material interests may be justified, cf. the Privacy Council «Guidelines 3/2019 on processing of personal data through video devices», section 18. The necessity condition further entails a requirement that the purpose cannot be achieved on a minor privacy intrusive way. The first question is whether the treatment is necessary for purposes associated with it the legitimate interest of the controller. The purpose of the extradition was to identify people who stole from the store. It is clear that it is in the store's interest to find out who who has committed thefts in the business. However, it is also clear that it is not necessary to hand out camera recordings to outsiders, all the time it will be possible to solve the theft and identify the persons by reporting the matter to the police. A review will could mean that the company must hand over the recordings to the police, to secure the police investigation of the relationship. It can therefore be questioned whether the extradition is necessary to pursue the business interest. The Norwegian Data Protection Authority believes that the data subjects' right to privacy in the present case, regardless of route heavier than the business interest. We have placed crucial emphasis on the fact that there are children personal data that was processed. The conditions in Article 6 (1) (f) are thus not fulfilled anyway. In this assessment, we emphasize the data subjects' reasonable expectations, in line with The Privacy Council's Guidelines 3/2019 on processing of personal data through video devices » section 35. We assume that there is a sign in the shops that there is camera surveillance, in in line with the company's internal routines for camera surveillance point 1. People who stay in the store thus have a reasonable expectation that they will stay filmed. In-store camera surveillance is not uncommon. It will also not be unusual for one camera surveillance shop that catches a theft or other illegal activity, hand over the recordings to the police. Most people, however, have no expectation of such recordings handed over to other persons who do not work for the police or have any other form of dealing with the prosecution of criminal offenses. As the deviation report from the company shows, it does not take long from the original disclosure to the information when it registered self. This shows the potential for damage when disclosing personal information between mobile phones. The Data Inspectorate refers to the Privacy Board's decision in PVN-2019-09. Fact i the tribunal decision and this case are somewhat different. In the tribunal decision published store a still image from a surveillance camera on Facebook, for the purpose of identifying one person who stole Christmas decorations outside the store. A publication on Facebook will quickly reach a large number of people. Sharing an image from one mobile phone to another will go through one step only now a person, and will not have the same function equivalent to a "public gape stick". At the same time, the sender quickly loses control of the personal information, and it is easy to share these further. What is described in the deviation report and the statement in the present case show exactly this. The potential for harm in the event of extradition, and the interference with the individual's privacy, will perceived as large. 7Datatilsynet places great emphasis on the fact that the people pictured are children. It follows Clause 38 of the Privacy Ordinance states that «children's personal data deserve a special protection, as children may be less aware of current risks, consequences and guarantees as well as on the rights they have with regard to the processing of personal data ». Also children who perform illegal acts, such as a minor theft from a store, are entitled to privacy. The Data Inspectorate further emphasizes that the data controller has assessed that it has not there is a basis for processing in accordance with the regulation. The company has in the deviation report also pointed out that the extradition has taken place in violation of the company's own routines for processing of personal data collected through camera surveillance. In this case, the data subjects' privacy interests outweigh the company's interests in to hand over the recordings. Nor can we see that there is any other basis for treatment that will be more obvious or suitable for the disclosure of personal data in this case. The extradition is thus in breach of Article 6, paragraph 1, letter f. 4.3 Assessment of the principle of legality in Article 5 (1) (a) The requirement that a treatment must be lawful means that it must have a legal basis in the Privacy Regulation. A processing of personal data without a basis for processing will without further ado be illegal, and thus be contrary to the fundamental requirement of the principle of Article 5 (1) (a). As shown above, we find that there was no basis for treatment for this extradition, such that the treatment is thus contrary to the principle of legality. 4.4 The company's comments on the assessment of treatment basis The company has no comments or responses to the assessment of whether there was one basis for processing the disclosure of personal data. The company admits itself that the incident violated Coop's current camera surveillance routines. The Data Inspectorate therefore assumes that there is no disagreement on this issue. 4.5 Infringement Fee 4.5.1 General information about the assessment Infringement fees are a tool to ensure effective compliance and enforcement of the personal data regulations. We believe it is necessary to respond to the violation, and imposes an infringement fee (cf. Article 83 of the Privacy Regulation). In accordance with the Supreme Court's practice (cf. Rt. 2012 p. 1556), we assume that infringement fines are to be regarded as penalties under the European Convention on Human Rights Article 6 Therefore, a clear preponderance of probabilities for offenses is required in order to be able to impose fee. When assessing whether a fee should be charged and when measuring, the Data Inspectorate shall take into account to the elements in the Privacy Ordinance Article 83 no. 2 letter a to k. The Norwegian Data Protection Authority may impose infringement fines after a discretionary overall assessment, but they listed the moments lay down guidelines for the exercise of discretion by highlighting moments that should special weight is given. In the following, we will review the terms that are relevant to the facts in this case. We will reproduce the comments from the company's representative continuously during the individual moments. 4.5.2 Article 83 (2) (a): «The nature, severity and duration of the infringement, taking into account the nature, extent or purpose of the treatment concerned as well as the number of data subjects affected, and the extent of the damage they have suffered » The company states that the video clip is short and that it does not show an offense. It is a limited scope of persons caught. The extradition was a one-time event, and it can it is not documented that the individual case has caused any damage. The Norwegian Data Protection Authority agrees with the company that the video clip that was the subject of further sharing does not automatically provide grounds for concluding that a criminal offense is being caught. However, will the context could leave an impression that something illegal has happened, in that the store manager films the video clip and asks questions to identify the person pictured. The Data Inspectorate considers the violation to be serious. The violation involves a violation of it basic requirement of legality of a treatment. The breach affects children, who are given a special protection in the privacy regulations. Information about the incident and why the clip has been spread can still spread quickly with the shared personal information. The very foundation for the division has been to identify persons to clear up a matter that was reported. The breach has affected a small number of registered persons, and it is unclear what the extent of the damage is follows from the infringement. At the same time, a breach such as this could lead to damage to its reputation the registered, rumors and public outcry. The extradition is in itself suitable to lead to serious consequences. For children, these consequences will be perceived as more harmful than for adults, who often have a more secure sense of identity and belonging. The treatment in question is also a violation of the company's internal guidelines for disclosure of personal information from camera surveillance, which increases the seriousness of the incident. The Data Inspectorate also emphasizes that the store manager used his own mobile phone to film the recording, which he then shared further. Private cell phones are often associated with cloud-based storage services, which can cause files to be stored on multiple devices. The person who owns the phone will therefore more easily lose track of where the file is located. This is increasing the risk of the dissemination of personal data, and thus also the severity of the infringement. 94.5.3 Article 83 (2) (b): 'Whether the infringement was committed intentionally or negligent » The company states that it cannot be demonstrated that there was intent with regard to both the act itself, and with respect to the act constituted an offense. Further writes the business that the store manager “spontaneously [sent] part of a video recording to another employee in The Coop system. » The company writes that even if this act is considered extradition of personal information, it can not be required that the store manager has had a conscious relationship with that sharing within the business constitutes a processing of personal data. The company also states that the store manager has not intended with regard to the consequences of the treatment, which meant that the recording was spread further. In conclusion, the company states that the store manager has expelled legal ignorance about a complicated set of rules, which points in the direction of negligence rather than continue. It is not a condition for the imposition of an infringement fee that there is subjective guilt violator. In this context, reference is made to Chapter IX of the Public Administration Act on administrative sanctions. By an administrative sanction is meant a negative reaction that can imposed by an administrative body, which addresses a committed violation of law, regulations or individual decision, and which is considered a penalty under the European the Convention on Human Rights (ECHR). For companies, the debt assessment is unique. Section 46, first paragraph, of the Public Administration Act states: "When it is stipulated by law that an administrative sanction may be imposed on a company the sanction can be imposed even if no individual has shown guilt. " In Prop. 62 L (2015-2016) page 199 it is stated about § 46: «The wording that‘ none individual has shown guilt 'is taken from the section on corporate punishment in the Penal Code § 27 and shall be understood in the same way. The responsibility is therefore basically objective ». Legal persons as such cannot plead guilty. This point of Article 83 does however, it is clear that emphasis can be placed on how reprehensible the action is. According to it the current guideline from the European Privacy Council, the degree of guilt must be deduced from objective evidence related to the actions in the specific case. In cases where a person have acted on behalf of a business, the boundaries will be linked to intent and negligence is thus linked to how much guilt can be inferred from the trader the representative expelled in the acts that led to the violation. As a starting point, a boundary can be outlined between breaches of the regulations as a result of a accidents or a malicious intrusion, which, for example, could occur as a result of inherent weaknesses in a computer system. On the other side of the scale one will find planned violations, 5 17 / EN WP 253 pp. 12 10th people with leading positions in key parts of a business have consciously and planned violated the law. The Data Inspectorate believes that the actions that led to the breach are clearly reprehensible. The treatment was performed by a person in a leading position, through a deliberate act, and not as a result by accident. We find it, as mentioned above, reprehensible that the store manager filmed the recording with his private phone. This filming is in itself a stand-alone treatment of personal data, in which the recording from the original system is copied using an external unit. We will also note that even if this single action should not constitute one violation of the company's own routines, it constitutes a processing of personal data who must meet the requirements of the law to be legal. The business can not be heard with that there was error of law. Legal error is not excusable unless the legal error is careful, something it in our view is not in the case. According to the routines, a store manager holds the lead the responsibility for compliance with the regulations, which includes both the Personal Data Act and those internal routines in the business. Furthermore, we would like to point out that it appears as a clear consequence that a shared video clip will further divided, especially if the purpose of the original division is to identify one or more people. It cannot be concluded that there is intent with regard to the illegality of the act or the consequences of the action. However, this is not a criminal law concept of intent, but a categorization of the reprehensible behavior on a scale. Based on the objective the evidence that can be deduced from the actions, the Data Inspectorate believes that it has been expelled in any case gross negligence of a leading person in the business. This roughness pulls in aggravating direction. 4.5.4 Article 83 (2), letter c: «Any measures taken by it the controller or the data processor to limit the damage as they registered have suffered » In the non-conformance report, the company describes that all known involved were contacted and asked to delete any recordings. The store manager called all affected parties and apologized for the inconvenience. IN the statement, Coop Finnmark explains that they have contacted «the guardian of the person who stole ». We agree that the company has taken important and required measures following the deviation, and believes that this speaks in a mitigating direction. 4.5.5 Article 83 (2) (d): 'The controller or processor's degree of responsibility, taking into account the technical and organizational measures they has carried out in accordance with Articles 25 and 32 » 11The company has guidelines for the use of camera surveillance, including rules for extradition of recordings. The routines indicate that the disclosure of personal information can take place when "The basis for the extradition exists", or if there is a "written basis for extradition". This is followed by two sentences dealing with written consent from the person pictured and extradition to the police in connection with the investigation of a criminal act or accident. The company itself believes that the routines are not unclear. It is stated that the understanding of «in writing basis »must be put in context with the two subsequent sentences, which deal with written consent and extradition to the police. The Data Inspectorate believes that the language in the section of the routines is not clear enough, but rather is suitable for confuse. It is not clear what is considered to be a written basis that provides possibility of extradition. It must be clear what is a legal basis that gives reason for to disclose the personal information. Pedagogically designed and coherent routines are important for all employees to understand why the routines should be followed, and to ensure that they are actually adhered to. However, there is no reason to place further emphasis on the ambiguity of the routines in the case, as it is not basis for concluding that the routines in themselves are related to the illegal the extradition. The Data Inspectorate therefore still believes that this factor does not add up aggravating or mitigating direction. The company states in the statement dated 21 October that a meeting has been held about the incident, where the guidelines were reviewed. Furthermore, it states that «internal routines have passed through in a meeting with all the store managers ». It is not stated which training has been held prior to the deviation, and how the management of the company has made sure that middle managers, such as the store manager, actually know these. Uncertainties and failing training routines can easily lead to violations. It is however, it is difficult to say whether training and other review have anything to do with it the illegal extradition in this particular case. This moment therefore does not draw in aggravating or mitigating direction. 4.5.6 Article 83 (2) (e): «Any relevant previous infringements committed by the data controller or data processor » The company states that the extradition constitutes a first-time infringement, and that this must work mitigating in the overall assessment. The Data Inspectorate does not find that this aspect speaks in either aggravating or mitigating terms direction. 124.5.7 Article 83 (2) (f): "Cooperation with the supervisory authority" The guidelines from the Privacy Council state that it cannot be emphasized that a business cooperates with the supervisory authority in accordance with applicable law. The company writes that they have cooperated with the supervisory authority and reported on the case to the best of our ability, both unsolicited and upon request for more information. The Data Inspectorate does not find that this factor can speak in a mitigating direction, as the business is required to answer the questions. 4.5.8 Article 83 (2) (g): "Category of information concerned" The company states that it must be conciliatory that the faces of the persons are not shown, and that it was only possible to identify the persons on the basis of hair, clothing and footwear. Further mean the business that the accuracy of the information was low, as the person who first received sent the video was not able to recognize his son on the video. The Norwegian Data Protection Authority refers to the assessments given under the item in Article 83 no. 2 letter a. We believe that it does not matter whether it is the face or the attire that makes it possible to identify a person; the person is still identifiable based on the information provided. There is no distinction between "immediately identifiable" persons and persons who it will take a little longer to recognize in a camera recording. 4.5.9 Article 83 (2), letter h: 'How the supervisory authority became aware of to the infringement, in particular if and to what extent the controller or the data processor has notified of the infringement » The company itself has reported the deviation to the Norwegian Data Protection Authority. The company believes that this can not pull in the aggravating direction. It is stated that a strict sanction practice can weaken trust between supervisory authorities and data controllers, and in the worst case result in deviations and Violations are not reported as anticipated. The guidelines point out that it can not be conciliatory for a company to comply with its own obligations under the regulation to report deviations. We therefore believe that it can neither speak in aggravating or mitigating direction that the company has reported the breach the personal data security of the Norwegian Data Protection Authority. Both businesses and regulators will be served with a low threshold for reporting deviations. 4.5.10 Article 83 (2) (k): 'Any other aggravating or mitigating factor in the case, e.g. economic benefits gained, or losses avoided, directly or indirectly, as a result of the infringement » 6 717 / EN WP 253 pp. 14 17 / EN WP 253 pp. 14 13Datatilsynet has no knowledge of other aggravating or mitigating factors in the case such as will affect the outcome of the assessment. 4.5.11 Practices of other supervisory authorities In its comments, the company refers to three decisions on the imposition of infringement fines from other supervisory authorities. Two of these have been issued by the Swedish Data Inspectorate; DI-2019- 2221 and DI-2018-22737. The latter is an infringement charge imposed by the supervisory authority in it German state LfDI Baden-Württemberg. It is emphasized that the level of fees in these cases indicates that the notified fee in the present case is too high. The three cases listed deal with very different facts compared to the present case, which means that the transfer value is small. The Data Inspectorate agrees that one should apply to harmonize administrative practices across the supervisory authorities of the EEA countries. It is however, it is clear that each case of infringement charge will be very different and therefore must be justified in specific circumstances of the individual case. The Data Inspectorate finds no reason to emphasize the listed cases for the determination of infringement fines in the present case the case. The assessments in these cases do not govern our assessments of whether it should a fee is imposed in this case, or by the size of the fee. 4.5.12 Summary and conclusion After an overall assessment of the deviation's scope, character and severity, the Data Inspectorate has concluded that an infringement fine should be imposed in accordance with Article 83 (2) of the Privacy Regulation and 5. We point out that infringement fines have previously been imposed for similar cases of illegal extradition, and that considerations of equality indicate that the violation should be sanctioned with infringement fine. We have placed particular emphasis on the fact that it is children's privacy that has been violated the extradition. 6. Assessment of the size of the fee When measuring the size of the fee, emphasis shall be placed on the same assessment factors which has been reviewed in section 4.5 of the decision. We therefore refer to the assessments made above. The infringement fine shall be effective, proportionate and dissuasive act as a deterrent. The fee should be experienced as an evil. This means that the supervisory authority shall make a specific, discretionary assessment in each individual case. We refers to point 148 of the Privacy Ordinance, which states that it should be imposed sanctions, including infringement fines, for breach of the Regulation. The extradition took place as a one-time incident, and the recording was made through the action the store manager only shared with one person. Nevertheless, the recording was shared further, and eventually reached the child himself. This shows the real danger of the information being spread further. It only takes a couple click until personal information is spread to a large number of people through mobile phones. 14 The disclosure applies to children's personal data, which shall enjoy a particularly strong protection. We have therefore placed considerable emphasis on this moment. There is further talk of a violation that resulting from a negligent act performed by a person in a senior position. It is the business, and the person acting on behalf of the company, responsibility to familiarize himself with the rules for camera surveillance, including the rules of extradition. The business's financial ability will also be important, even if it is not relevant to take advantage of the range of the infringement fine provided for in Article 83 (5). The business had operating revenues of NOK 1,033,257,000 in 2018. The result was NOK 52 489 000. 8 Similar cases, such as the previously mentioned PVN-2019-09, dealt with companies significantly lower turnover. In PVN-2019-09, the company had an operating profit of NOK 1.5 millions. The fee was set at NOK 50,000. Coop Finnmarks SA's financial situation is in a special position. For the fee to be experienced as an evil, so that the preventive considerations behind the infringement charge as a form of reaction taken care of, the fee must be higher than what has previously been the case in cases with similar fact. However, we believe that the fee has already been set at a low amount, where we have taken into account that one violation has occurred. Compared to the company's turnover, the fee is low. The must, however, be of a certain size in order to fulfill the purpose set out in Article 83 of the Privacy Regulation. After this, we have come to the conclusion that we maintain the notified fee of NOK 400,000. 7. Recovery of infringement fines The infringement fee is due for payment four weeks after the decision is final, cf. the Personal Data Act (2018) § 28. The decision is a coercive basis for disbursement. Recovery of the claim will be implemented by the Central Government Collection Agency. 8. Right of appeal You can appeal the decision. Any complaint must be sent to us by 28 January 2021, cf. Sections 28 and 29 of the Public Administration Act. If we uphold our decision, we will send the case to The Privacy Board for complaint processing, cf. the Personal Data Act § 22. 9. Transparency and publicity You have the right to access the case documents, cf. the Public Administration Act § 18. We will also inform that all documents are in principle public, cf. the Public Access to Information Act § 3, but 8 The figures are taken from proff.no per 13.01.2020 15emphasizes at the same time that safety documentation as a general rule is exempt from public access, cf. the Public Access to Information Act § 13 and the Public Administration Act § 13 first paragraph no. 2. With best regards Jørgen Skorstad department director Embla Helle Nerland legal adviser This letter has been approved electronically by the Norwegian Data Protection Authority and therefore has no signature. 16