Banner1.png
Banner3.png

Datatilsynet (Norway) - DT-20/01777

From GDPRhub
Datatilsynet (Norway) - DT-20/01777
LogoNO.png
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 5(1)(a) GDPR
Article 6(1) GDPR
Type: Investigation
Outcome: Violation Found
Decided: 17.03.2021
Published: 09.04.2021
Fine: 35000 NOK
Parties: Miljø- og Kvalitetsledelse AS
National Case Number/Name: DT-20/01777
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Norwegian
Original Source: Datatilsynet (in NO)
Initial Contributor: Rie Aleksandra Walle

The Norwegian DPA fined a controller €3430 (NOK 35,000) for sharing a CCTV recording of a data subject vandalising its property with the data subject's employer, without a legal basis.

English Summary[edit | edit source]

Facts[edit | edit source]

The company Miljø- og Kvalitetsledelse operates a car wash facility, where a payment terminal was vandalised. Since the company had CCTV/camera surveillance, they were able to determine who the culprit was and, consequently, reported the incident to the police (and also to the culprit/data subject himself).

However, the company went on to disclose the footage to the data subject's employer, as they considered him to be "out of balance" because the data subject had also contacted a lawyer. The data subject was not notified of, nor consented to this disclosure.

Holding[edit | edit source]

The DPA held that the company lacked legal basis for the disclosure to the data subjects's employer and was therefore in violation of Articles 5(1)(a) and 6(1) GDPR. The recordings had already been handed over to the police and the further disclosure to the data subject’s employer was unnecessary for the (legitimate) purpose of preventing vandalism or resolving the case.

Comment[edit | edit source]

Aggravating circumstances:

  • the personal data was concerning alleged or suspected criminal offences.
  • sharing such personal data with the data subject’s employer would likely be experienced as extra distressing and could have an impact on the data subject’s employment relationship.

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.


    
    


    
    
        
            
                Miljø- og Kvalitetsledelse AS fined

            



The Norwegian Data Protection Authority has fined the company Miljø- og Kvalitetsledelse AS EUR 3,500 (NOK 35,000) for illegal distribution of personal data from camera recordings.

                        
            
                    
                        
                    
                        
        
            
                
                        
                            
                        
                
            
    
    
        
            
            
                



Miljø- og Kvalitetsledelse operates a car wash. When a payment terminal was vandalised, recordings and data from the cash wash’s CCTV camera system were sent to the employer of the person the company believed had committed the vandalism.
Lacked legal basis
The Data Protection Authority concluded that the disclosure lacked legal basis, and was in violation of Article 6(1) and Article 5(1)(a) of the GDPR. The recordings had already been handed over to the police, and their disclosure to the data subject’s employer was unnecessary for the purpose of preventing vandalism or resolving the case.
We have given weight to the fact that the disclosure of personal data concerning alleged or suspected criminal offences to the data subject’s employer will often be experienced as personally distressing and could have an impact on the data subject’s employment relationship.
Fined under previous legislation
The infringement occurred before the GDPR went into effect on 20 July 2018. The fine was therefore imposed at the level practised under previous legislation.

            
        

        
        


                
                    Les på norsk
                    
                            
            
                Miljø- og Kvalitetsledelse AS får gebyr
            
    

                    
                






            
            

                
                    
                        Published:
                        5/10/2021
                    
                


            
        
    

















    
    
        
            
                Miljø- og Kvalitetsledelse AS fined

            



The Norwegian Data Protection Authority has fined the company Miljø- og Kvalitetsledelse AS EUR 3,500 (NOK 35,000) for illegal distribution of personal data from camera recordings.

                        
            
                    
                        
                    
                        
        
            
                
                        
                            
                        
                
            
    
    
        
            
            
                



Miljø- og Kvalitetsledelse operates a car wash. When a payment terminal was vandalised, recordings and data from the cash wash’s CCTV camera system were sent to the employer of the person the company believed had committed the vandalism.
Lacked legal basis
The Data Protection Authority concluded that the disclosure lacked legal basis, and was in violation of Article 6(1) and Article 5(1)(a) of the GDPR. The recordings had already been handed over to the police, and their disclosure to the data subject’s employer was unnecessary for the purpose of preventing vandalism or resolving the case.
We have given weight to the fact that the disclosure of personal data concerning alleged or suspected criminal offences to the data subject’s employer will often be experienced as personally distressing and could have an impact on the data subject’s employment relationship.
Fined under previous legislation
The infringement occurred before the GDPR went into effect on 20 July 2018. The fine was therefore imposed at the level practised under previous legislation.

            
        

        
        


                
                    Les på norsk
                    
                            
            
                Miljø- og Kvalitetsledelse AS får gebyr
            
    

                    
                






            
            

                
                    
                        Published:
                        5/10/2021