Datatilsynet - 20/01627

From GDPRhub
Datatilsynet - 20/01627
LogoNO.png
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 4(1) GDPR
Article 5(1)(a) GDPR
Article 6(1)(f) GDPR
Type: Investigation
Outcome: Violation Found
Decided: 08.03.2021
Published: 25.03.2021
Fine: 150000 NOK
Parties: Dragefossen AS
National Case Number/Name: 20/01627
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Norwegian
Original Source: Datatilsynet (in NO)
Initial Contributor: n/a

The Norwegian DPA (Datatilsynet) fined Dragefossen AS €15,000 for live-streaming a camera feed to Youtube. The camera captured a public road, a parking space, various shops, and buildings such as the city hall without a sufficient legal basis from Article 6(1)(f) GDPR, relating to Article 5(1)(a) GDPR.

English Summary[edit | edit source]

Facts[edit | edit source]

The company had installed a camera on the roof of the building the company was located in. The camera rotated 360 degrees, stopping at four set angles for 15 seconds. The camera used around two minutes for each full rotation. The company's internal routine and answer's provided to the DPA highlighted that due to the quality and distance of the recording, the company deemed that that number plates or faces would not be recognisable. Recordings were saved on a dedicated server for 14 days until it was deleted. Recordings had been shared with the police on several occasions in relation to events in the city centre.

Dispute[edit | edit source]

Does the recordings capture personal data pursuant to Article 4(1) GDPR, and if so, is there a legal basis for the processing of personal data pursuant to Article 6(1)(f) GDPR?

Holding[edit | edit source]

Personal data[edit | edit source]

The DPA agreed that it was unlikely that number plates or faces of people would be recognisable due to the distance and the quality of the recording. The DPA highlighted however that it would be possible to recognise the type of car someone was driving, what type of clothes people were wearing, the colour of their hair and their approximate hair style. The DPA highlighted that prior knowledge about someones schedule, shopping patterns, their car or their look could identify the person being recorded, for example by friends, significant others, family or colleagues. This view was supported by the police requesting access to the recordings on several occasions concerning events in the city centre.

As such, the DPA held that the recordings captured personal data pursuant to Article 4(1) GDPR.

Legal basis[edit | edit source]

The DPA found that the controller had not assessed whether there was a legal basis for the processing of personal data pursuant to Article 6. The DPA assessed the controllers legitimate interests pursuant to Article 6(1)(f) on its own accord.

The DPA identified two processing operations with different purposes. The first processing operation was the live feed of the city centre, where the purpose was to provide an offer for customers and the local residents. The second processing operation was saving the video and retention of the recording for 14-days. The purpose of this processing operation was to provide security to the local residents by sharing the recordings with the police if needed.

Balancing of interests[edit | edit source]

For the second purpose, the DPA held that it could not be established for certain that there was a legitimate interest for saving the records. The DPA referenced EDPB guidelines which state that purposes connected to protection against theft, vandalism and criminal acts may be a legitimate interest, noting however that such a purpose must be connected to a specific event and not based entirely on speculation. The DPA questioned whether a real danger for criminal acts was established, finding however that it did not need to conclude as the rights and freedoms of the data subject clearly outweighed the controller's interest.

For the first purpose, the DPA also questioned whether the recording pursued a legitimate interest, finding that it did not need to conclude as the balancing of interest was in the data subjects favour. The DPA also noted that the placement of the camera could be positioned at an angle that would not be as invasive to the privacy of the data subjects.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

 DRAGEFOSSEN AS
 PO Box 20

 8251 ROGNAN








Their reference Our reference Date
/ TP / 20 / 01627-3 08.03.2021



Decision on infringement fee - Live broadcast from camera surveillance of

public area


We refer to our notice of decision on order and infringement fee dated 1 October 2020, and

comments on this in a letter from Dragefossen dated 19 October 2020. These comments
dealt with in section 5.1 of the decision.


You write that you have switched off the camera and stopped the live broadcasts after the warning from
The Danish Data Protection Agency, and we register that the live broadcast has been removed from Youtube and the website for
Dragon waterfalls. As the camera surveillance and live broadcast are completed, consider

The Data Inspectorate states that it is not necessary to proceed with the order we notified on 1 October 2020
to end the processing of personal data through the camera surveillance of Rognan
downtown.


1. Decision on infringement fines

The Data Inspectorate makes the following decisions:


        Pursuant to Article 58 (2), letter i of the Privacy Ordinance is imposed
                Dragefossen AS, org.nr. 911 204 177, to pay an infringement fee to

                the treasury of 150,000 - one hundred and fifty thousand - kroner to have
                camera-monitored Rognan center and live footage on the internet without

                legal basis in violation of the Privacy Regulation Article 6 (1) and
                Article 5 (1) (a).

Information on the right of appeal appears in section 6 of the decision.


2. Details of the facts of the case


On 16 December 2019, the Danish Data Protection Agency received an inquiry from Kripos, informing them that
they had received tips about a fixed webcam that was broadcast live from the center of Rognan


Postal address: Office address: Telephone: Fax: Org.nr: Website:
PO Box 458 Sentrum Tollbugt 3 22 39 69 00 22 42 23 50 974 761 467 www.datatilsynet.no
0105 OSLOYoutube. Kripos informed that the camera was attached to the building of Dragefossen AS (hereafter
Dragon Falls).

The Data Inspectorate's investigations confirmed the information, and that the images from the webcam were
live at the address: https://www.youtube.com/watch?v=GimxrnigQtEhttps. The Data Inspectorate
surveys also showed that the same live broadcast was displayed on the URL
https://www.dragefossen.no/webkamera.


In the statement, Dragefossen wrote that you have had a camera that has been broadcast live on Youtube
or the website since 2006, and that the last camera was set up in 2019. The Youtube channel
to Dragefossen, which broadcast the live broadcast, had as of 26 May 2020
1,090 subscribers, and as of 1 October 2020 1,530 subscribers. The Norwegian Data Protection Authority is not aware of any figures
on how many people have seen the last live broadcast that started on 19 August 2019. One
previous live broadcast on Youtube, which started on January 28, 2019, received around 13,000 views

in 140 days.

The webcam that was broadcast live was mounted on the roof of Osevegen 6, which is
the business address of Dragefossen. The webcam panned 360 degrees at a steady speed, and
stopped at four fixed angles for about 15 seconds each. The camera spent about two minutes per
round, and panned quickly past the southwest direction, so that in practice it was about 270
degrees that were captured. Until the Data Inspectorate sent a request for a report, it was possible to

rewind up to 12 hours in the live broadcast.

Areas captured by the camera surveillance included a public road, in addition to
parking space and entrance to Rema 1000 Rognan, Extra Rognan, Apotek 1 Rognan, Rognan
Toys and Yarn, Vinmonopolet, Sparebank 1 Nord-Norge, Saftdal municipality City Hall and a
number of other buildings.


The report and internal control for camera surveillance state that the recordings must have
such a distance or be of such a quality that one can not recognize faces or
car number. Recordings from the camera were stored on a separate camera server for 14 days before being
written over, and the police have on several occasions gained access to the recordings in connection with
events in the center.


Dragefossen wrote that the company went out with information about the webcam on the company
Facebook page, and that the camera surveillance was intended as a service offer for people who wanted it
to get an overview of Rognan center in real time.

3. More about the requirements of the Personal Data Act


The Personal Data Act implements the European Privacy Regulation in Norwegian law.
The rules in the law and the regulation apply to fully or partially automated processing of
personal data, cf. the Personal Data Act § 2 and the Privacy Ordinance Article 2.
The initial condition for the regulation to apply is that a processing takes place
of personal information. Article 4 (1) of the Regulation defines personal data as follows:





                                                                                               2 «any information about an identified or identifiable natural person (« the
        registered »); An identifiable natural person is a person who directly or indirectly
        can be identified, in particular by means of an identifier, e.g. a name, a
        identification number, location information, a network identifier or one or

        several elements specific to the physical, physiological,
        genetic, psychological, economic, cultural or social identity ».

Camera surveillance that captures individuals who directly or indirectly can
identified, thus constitutes a processing of personal data that falls under
scope of the Privacy Regulation, cf. Article 2 (1).


All processing of personal data must be in accordance with the basic principles of
Article 5 of the Regulation, and the controller is responsible for ensuring that:
these principles are complied with, cf. Article 5 (2).


A basic principle for the processing of personal data is that the processing must take place
in a lawful manner, cf. Article 5, paragraph 1, letter a. Before a company uses camera surveillance
a specific, explicitly stated and justified purpose of the camera surveillance must be established;
cf. the Privacy Ordinance, Article 5, paragraph 1, letter b.

Article 6 (1) of the Privacy Regulation requires that all processing of personal data has a

legal basis. For camera surveillance from private companies, Article 6 no. 1 letter f
the nearby legal basis. The legal basis of Article 6 (1) (f) provides
instruction on a balance of interests. Personal data can be processed on this basis
if it is necessary to safeguard a legitimate interest that outweighs consideration
individual privacy.


First, the relevant camera surveillance must be for a purpose associated with it
the legitimate interest of the controller or a third party. The Privacy Board has in
PVN-2019-09 assumed that the legitimate interest must be legal and genuinely justified,
and both legal, financial or immaterial interests may be justified.


Furthermore, camera surveillance must be a necessary measure to safeguard the person entitled
interests. This means that there must be no other, less intrusive measures
who can achieve the purpose.

The legitimate interest must then be weighed against the data subject's rights interests and

fundamental rights and freedoms. If the data subject's rights are considered to take precedence over and
demand protection of personal data, the data subject's legitimate interest
had to give way. In the European Privacy Council's guidelines for camera surveillance 1
it is assumed that a concrete assessment is made of the situation, and the specific
the impact the processing has on the data subjects' rights. This involves a lens
assessment of the data subjects' reasonable expectations; what a neutral third party with

reasonableness can be expected from surveillance in a given situation.

1
 Guidelines 3/2019 on processing of personal data through video devices, version 2.0, adapted 29 January 2020.



                                                                                                   3Publishing camera recordings on the Internet, for example through live broadcasts, is a new one
processing of personal data, and requires a separate legal basis. Although a business
should be considered as having the authority in Article 6 (1) (f) to collect
personal information when capturing a camera, the balance of interests may turn out differently when
assesses access to publication on the Internet.


4. The Data Inspectorate's assessment

4.1. Assessment of whether the camera surveillance constitutes a processing of personal data

The first question in the case is whether Dragefossen's camera surveillance of Rognan
the center constituted a processing of personal data, cf. the Personal Data Act § 2 and

Article 2 (1) of the Privacy Regulation.

The key to this question is whether individuals were captured by the camera
could be directly or indirectly identified, including through the use of aids or
compilation with other information, cf. Article 4 (1) of the Privacy Regulation.

In our request for a statement of 10 March 2020, we asked for answers to which assessments Dragefossen

had done in connection with opportunities to identify individuals in
the surveillance images. The report to Dragefossen stated that the company had
assessed the quality so that it was not possible to identify faces or car numbers.

The Data Inspectorate agrees that due to the quality and distance of the images from the camera, which
clear main rule was not possible to see details on faces or read registration numbers on cars.
However, we consider that, based on the image quality and distance, for example, one could

Identify the type of car individuals are driving, the type of clothing they are wearing, hair color and
rough type of hairstyle, in addition to other personal characteristics or characteristics.

As the Privacy Board based on PVN-2019-09, it is with all pictures and
video identification a prerequisite that one has prior knowledge of the person who is
depicted. Such prior knowledge can include what they look like, what clothes they have,

what car they are driving or the person's shopping patterns or schedule. By comparing
the information in the pictures from the webcam with such prior knowledge, those who looked at the pictures would
from the webcam, for example, be able to identify family, friends, girlfriends, colleagues, employees,
or others you know. That it is possible to identify individuals is also supported by that
the police have on several occasions requested access to recordings in connection with incidents in
downtown.


The Norwegian Data Protection Authority considers that individuals who were captured by the camera directly or indirectly
could be identified, and the camera surveillance thus processed information about identified
or identifiable natural persons, cf. cf. Article 4 (1) of the Privacy Regulation.







                                                                                                4Dragefossen's camera surveillance of Rognan center was a treatment of
personal data, cf. the Personal Data Act § 2 and the Privacy Ordinance article 2 no.
1.

4.2. Assessment of legal basis
The next question is whether Dragefossen had a legal basis for
the camera surveillance of Rognan center and the live broadcast on Youtube and the website,

cf. Article 6 of the Privacy Regulation.

In our request for a statement of 10 March 2020, we asked for an answer on what legal basis
Dragefossen had for the relevant camera surveillance and publication on the internet.
Dragefossen replied in the statement that the images from the webcam were not used by Dragefossen
in any way, and that the company therefore did not view this as camera surveillance. Dragefossen saw
on camera as an offer to customers and the people of Saltdal in general.


Dragefossen has thus not identified a legal basis for the person in question
the camera surveillance of Rognan center in the report, and a legal basis appears
nor of Dragefossen's routines for camera surveillance. We assume that
the company itself has not assessed whether there is a legal basis for neither storage of
recording or live broadcast on the Internet from the camera surveillance.


The Data Inspectorate will nevertheless make an independent assessment of the legal basis, and bases it on
the relevant legal basis for this type of treatment would be Article 6 (1) (f).
We refer to the presentation of the provision in point 3.

According to Dragefossen, the purpose of the camera surveillance was to show a live image of Rognan
center as an offer to customers and Saltdal's population in general, in addition to the camera

served as a security for the population since recordings could be handed over to the police.

As there were two different processing of personal data related to
the camera surveillance, both live broadcast on the internet and storage of recordings, adds
The Data Inspectorate stated that the purpose of the live broadcast was to show a live image of Rognan
center as an offer to customers and Saltdal's population in general, and that the storage had that
purpose to act as a security for the population since recordings could be handed over to the police.


The Data Inspectorate first considers the storage of the recordings from the camera surveillance of Rognan
The center was necessary for a purpose related to Dragefossen's legitimate interest, and about
this interest takes precedence over the interests of the data subjects and fundamental rights and freedoms,
cf. the Privacy Ordinance, Article 6, No. 1, letter f.

The guidelines for camera surveillance from the European Privacy Council have been added

reason that the purpose of protection against theft, vandalism and criminal acts may constitute
a legitimate interest, if it can be demonstrated that the danger is real, for example through







                                                                                                5 2
previous incidents. However, such a purpose will not be linked to a legitimate interest
if it is based only on speculation.

In the Data Inspectorate's assessment, it is unclear whether there is such a real danger to criminals

actions here, and thus doubtful whether there was a legitimate interest in Dragefossen.
The Data Inspectorate also considers that the camera surveillance could have been designed on a smaller scale
privacy-intrusive ways to achieve this purpose, such as by monitoring
could have been limited to times of the day when criminal acts typically take place. It is
thus, it is also doubtful whether the actual camera surveillance was necessary for the purpose.


However, the Data Inspectorate finds it unnecessary to conclude on the storage of
the camera footage from the camera surveillance of Rognan Sentrum was necessary for a purpose
related to Dragefossen's legitimate interest, as we find it clear that they
the interests of the registered and fundamental rights and freedoms take precedence over Dragefossens
any legitimate interests, and requires the protection of personal data.


The Data Inspectorate considers that regardless of whether it is considered that the storage of the camera footage from
Rognan center was necessary for a purpose related to Dragefossen's legitimate interest, so
In all cases, Dragefossen's interest cannot be considered particularly important in this
the context.


The treatment in question involved constant monitoring of a significant public area in
Rognan center. As the monitored area contained parking space and entrance to
two grocery stores, a liquor store and a pharmacy, the Data Inspectorate assumes that significant parts
of the population of Rognan were affected by the surveillance.


The surveillance affected people who were going to and from work in the area, who were going to buy food,
medication or alcohol, or who for other reasons stayed in the relevant public
the area. These are activities where the data subjects do not expect to be monitored, and where one
also will have a reasonable expectation of traveling without being tracked. This applies in the end larger
degree when the company that monitors those who have no affiliation with either the registered
or their current activities. The surveillance also affected children traveling in the area,

which shall be given particular weight in the assessment of Article 6 (1) (f).

The interests of the data subjects and fundamental rights and freedoms will thus clearly take precedence
Dragefossen's interests, and demand the protection of personal data in the event of such a significant interference in
the privacy of such a large number of registrants. Dragefossen's storage of camera footage from

the monitoring of Rognan center thus had no legal basis in Article 6 (1)
letter f.

The Data Inspectorate then assesses whether live camera footage from the center of Rognan is on
internet was necessary for a purpose related to Dragefossen's legitimate interest, and about



2Guidelines 3/2019 on processing of personal data through video devices, version 2.0, adapted 29 January 2020.
Item 3.1.1.




                                                                                                  6this interest takes precedence over the interests of the data subjects and fundamental rights and freedoms,
cf. the Privacy Ordinance, Article 6, No. 1, letter f.

The purpose of the live broadcast was to show a live image of Rognan center as an offer
customers and the population of Saltdal in general. Here, too, the Data Inspectorate finds it doubtful about this
the purpose can be linked to a legitimate interest in Dragefossen. The Data Inspectorate finds that
there were other minor privacy interventions that could achieve the purpose, for example

by changing the position, angle, distance and quality of the camera surveillance in such a way
that individuals could not be identified. The processing of personal data was thus
not necessary for the purpose.

Also for the live broadcast, however, the Data Inspectorate finds it unnecessary to conclude whether
the processing of personal data was necessary for a purpose related to Dragefossens
legitimate interest, since in any case we find it clear that the data subject's rights

interests and fundamental rights and freedoms take precedence over any of Dragefossen
legitimate interests, and requires the protection of personal data.

The Data Inspectorate considers that regardless of whether it is considered that the live broadcast from
the camera surveillance of Rognan center was necessary for a purpose related to
Dragefossen's legitimate interest, then in all cases Dragefossen's interest cannot be considered
as particularly important in this context.


As for the encroachment on the data subjects' fundamental rights and freedoms, they do the same
the moments apply to the live broadcast on the internet as in the assessment related to
storage of the camera footage above, and we refer to this review. In addition, do
live broadcast the current camera surveillance available for anyone to potentially
identify and follow employees, colleagues, friends, family, boyfriends and others.

The camera surveillance could potentially be used for control purposes by those who watched
live broadcasts. This means that the encroachment on the privacy of the data subjects increased considerably,
and the data subjects would to an even lesser extent than at storage expect this type of processing of
personal information.

The data subjects' fundamental rights and freedoms will thus clearly take precedence over Dragefossens
interests, and demand the protection of personal data in the event of such a significant interference with the privacy of

such a large number of registered. Dragefossen's live broadcast on the internet from
the camera surveillance of Rognan center thus had no legal basis in Article 6 no.
1 letter f.

It follows from the Data Inspectorate's independent assessment of the legal basis that Dragefossen
did not have a legal basis for the processing of personal data through
the camera surveillance of Rognan center, cf. Article 6 of the Privacy Ordinance.


4.3. Assessment of the principle of legality in Article 5 (1) (a)
The requirement that a treatment must be lawful means that it must have a legal basis in
the Privacy Regulation. A processing of personal data without a legal basis will without





                                                                                                Furthermore be illegal, and thus be contrary to the fundamental requirement of the principle of
Article 5 (1) (a).

As shown above, we find that there was no legal basis for the processing of
personal information through the camera surveillance of Rognan center, so that the processing
thus was contrary to the principle of legality.


5. Infringement fee
5.1. Assessment of whether an infringement fee is to be imposed

Infringement fees are a tool to ensure effective compliance and enforcement of
the personal data regulations. We believe it is necessary to respond to the violation and
impose infringement fines, cf. Article 83 of the Privacy Regulation.

In accordance with the Supreme Court's practice (cf. Rt. 2012 page 1556), we assume that
infringement fines are to be regarded as penalties under the European Convention on Human Rights

Article 6. A clear preponderance of probabilities is therefore required for offenses in order to be able to impose a fee.

The report to Dragefossen states that the company has had a camera that has
live broadcast on Youtube or the website since 2006, and that the current camera was set
up in 2019. As the Data Inspectorate is not aware of how the camera surveillance previously
has been designed, and thus whether individuals who were caught by previously
camera surveillance could be directly or indirectly identified, we have in the assessment of whether

an infringement fine shall be imposed and only the latter shall be emphasized in the assessment
the live broadcast that was launched on 19 August 2019.

When assessing whether a fee should be charged and when measuring, the Data Inspectorate shall take into account
to the elements of the Privacy Regulation Article 83 No. 2 letter a) to k). The Data Inspectorate can
impose infringement fines after a discretionary overall assessment, but they listed
the moments lay down guidelines for the exercise of discretion by highlighting moments that should

special weight is given.

Here we will assess the relevant aspects on an ongoing basis.

(a) the nature, gravity and duration of the infringement, taking into account it;
the nature, extent or purpose of the treatment concerned and the number of data subjects affected; and
the extent of the damage they have suffered


The violation constitutes a violation of the basic requirement that all processing of
personal data must have a legal basis to be legal.

The current camera surveillance was initiated on 19 August 2019, and included an area of
Rognan center, which includes a car park and entrance for two
grocery stores, pharmacies, liquor stores and more jobs. According to Saltdal municipality

websites, the municipality has just over 4,700 inhabitants, and about half of these live
in or close to the center of Rognan. With the addition of visitors to the city, it must be assumed that




                                                                                                8camera surveillance has affected a significant number of registered in the relevant period, and that
many of these have been monitored daily, weekly or repeatedly. The Data Inspectorate also adds
due to the fact that the surveillance has affected children who have traveled in the relevant area during the period. Children
is a vulnerable group, and we refer here to the Privacy Ordinance's advocacy point 38 where it is pointed out
that children's personal data have a special right to protection. Although not all individuals
which have been captured by the camera surveillance have been direct or indirect
identifiable, the duration and number of data subjects affected by the surveillance speak for that

the violation must be considered serious.

As the pictures from the webcam were broadcast live on Youtube and the website of
Dragefossen, the monitoring of the area has been available for anyone to potentially
identify and follow employees, colleagues, friends, family, boyfriends and others. Live broadcasts
from the camera surveillance has thus also potentially been used for control purposes.
This means that the encroachment on the privacy of the registered and the severity of

the violation is significantly higher than if the recordings were only stored. The fact that it was too
possible rewinding up to 12 hours in the live broadcast made it further suitable for
control purposes, and this constitutes an aggravating circumstance - even if this function does not
was the intention of Dragefossen.

As mentioned, the Data Inspectorate is not aware of figures on how many have seen the latter
the live broadcast that started on 19 August 2019, but the live broadcast had as of 1 October

2020 over 1,700 likes. A user account on Youtube can only like each individual video one
gang. In comparison, a previous live broadcast from Dragefossen on Youtube, which
started on January 28, 2019 and lasted less than five months, over 13,000 views and only 45
likerklikk. Based on this, the Data Inspectorate assumes that the live broadcast has been watched
thousands of times, and the Data Inspectorate considers this an aggravating circumstance.
However, the Norwegian Data Protection Authority has not received any reports of material or non-material

damage that is suffered as a result of the camera surveillance, and the possible extent of damage is
thus unknown.

Dragefossen writes in the report that information about the webcam has been given regularly
Their Facebook page. The Facebook page of Dragefossen has 1,700 likes, and on
the warning time 1 October 2020 was the previous post that mentioned the camera from 23.
August 2019. The Norwegian Data Protection Authority assumes that only a small proportion of those registered who have

have been affected by the camera surveillance have been aware that they have been monitored.
The surveillance affects people who are going to and from work in the area, who are going to buy food,
medicines or alcohol, or who for other reasons reside in the relevant public
the area. These are activities where the data subjects do not expect to be monitored, and in yet
to a lesser extent that the monitoring is broadcast live on the Internet. This is further reinforced by that
the company that monitors them has no affiliation with either the data subjects or those
the activities being monitored. The Norwegian Data Protection Authority also considers these conditions to be aggravating

circumstances.

b) whether the infringement was committed intentionally or negligently






                                                                                                9With the exception of the possibility to rewind 12 hours in the live broadcast, the Data Inspectorate adds
due to the fact that the camera surveillance and its design has been a deliberate and willful act from
Dragon waterfalls.

The intent requirement follows from general basic legal principles, and these principles are
codified in the Penal Code § 22. It follows from the provision:


        "Intention exists when someone commits an act that covers the description of the act in a
        penalty:

        a) with intent,
        b) with awareness that the action certainly or most likely covers
        the description of the act, or
        c) considers it possible that the action covers the description of the act, and chooses to act

        even if that were the case. "

It follows from the second paragraph of the provision, however, that «[t] he presumption exists even if the offender
is not aware that the act is illegal, cf. § 26 ». There is thus no requirement that one
knew that the act was against the law.

It follows from section 26 of the Penal Code that «[d] a as at the time of the action due to ignorance

if legal rules are unknown that the act is illegal, is punished when the ignorance is negligent. " IN
According to the requirement of diligence, companies must familiarize themselves with the applicable legislation
on the site, and organize the business in accordance with the framework that follows from the relevant
the regulations. In the assessment, emphasis must be placed on the regulations or the specific
the subsumption appears to be unclear, and what measures have been taken to ensure good
rule knowledge and insight.


What constitutes the processing of personal data is a very basic rule in
the privacy regulations that companies must familiarize themselves with, and the Norwegian Data Protection Authority considers that
the subsumption is not clear in this case. Dragefossen's lack of knowledge about
the privacy regulations and what constitutes a processing of personal data is thus
not careful, and thus does not affect the assessment of the degree of guilt.


The Data Inspectorate therefore assumes that the violation was committed intentionally by Dragefossen, and that
this is an aggravating circumstance.

c) any measures taken by the data controller or data processor to limit
the damage suffered by the data subjects

In addition to removing the possibility to rewind up to 12 hours in the live broadcast after you

was made aware of this by the Norwegian Data Protection Authority, we are not aware that Dragefossen has implemented
any measures to limit the consequence that has arisen through the infringement.

d) the degree of responsibility of the data controller or data processor, taking into account
the technical and organizational measures they have implemented in accordance with Articles 25 and 32




                                                                                               10Dragefossen had routines for camera surveillance and processing of recordings when the relevant
camera surveillance was started. These routines included guidelines for
image quality and distance on the camera, storage, access control and delivery.

However, the Data Inspectorate emphasizes that the routines for image quality were deficient, as they only
stated that quality and distance should be such that faces and car numbers can not be recognized.

These routines show that Dragefossen has had a lack of awareness of the regulations and what
constitutes a processing of personal data that is covered by the Personal Data Act.

e) any previous violations committed by the data controller or
the data processor

The Norwegian Data Protection Authority is not aware of any previous violations.


f) the degree of cooperation with the supervisory authority to remedy the infringement and reduce it
possible negative effects of it

In the report, the company has answered the questions from the Data Inspectorate as they are required.
This therefore pulls neither in an aggravating nor mitigating direction.


g) the categories of personal data affected by the infringement

Special categories of personal data are not affected by the infringement in question.
However, the violation affects information about where individuals move and theirs
activities, including children.


There is a mitigating circumstance in the case that details in face and registration number on
cars as a clear main rule can not be interpreted by the surveillance images. Although it is possible to
identify individuals on the recordings from the camera surveillance, entails the quality and
the distance that such identification is more demanding, and this reduces the risk for the data subjects
rights and freedoms.

h) in what way the supervisory authority became aware of the infringement, in particular if and if so

the extent to which the data controller or data processor has notified
the infringement

The Norwegian Data Protection Authority became aware of the case through tips that Kripos passed on. It is available
hence no mitigating circumstances at this point.

(i) if the measures referred to in Article 58 (2) have previously been taken against the person concerned

data controller or data processor with respect to the same subject matter that mentioned
measures are complied with

No measures have previously been taken against Dragefossen with regard to the same subject matter.





                                                                                               11j) compliance with approved standards of conduct in accordance with Article 40 or approved
certification mechanisms in accordance with Article 42

The Norwegian Data Protection Authority does not find this aspect relevant in the case.

k) and any other aggravating or mitigating factor in the case, e.g. economic benefits
which have been obtained, or losses which have been avoided, directly or indirectly, as a result of the infringement


The Data Inspectorate assumes that Dragefossen has not achieved any financial benefits such as
consequence of the infringement, neither directly nor indirectly.

It can also be seen in the company's financial situation. According to publicly available
documents, Dragefossen in 2019 is registered with operating revenues of NOK 113,088,000 and a
annual profit of NOK 13,304,000. The Norwegian Data Protection Authority finds that the company has the finances to support one

infringement fine.

In its comments, the company has pointed out that the only contact that has been between
The Data Inspectorate and Dragefossen before the decision was notified, have been the Data Inspectorate's requirements
statement. Dragefossen believes that the violation fee is too strong a reaction, and that their
always intend to abide by applicable laws and regulations. The company points out that
their camera surveillance could have been terminated in dialogue with the Norwegian Data Protection Authority at an earlier stage

time, and the fact that infringement fees are used and should act as a deterrent in such
matters, do not feel right on the part of the company.

In this connection, the Danish Data Protection Agency points out that the current camera surveillance and
the live broadcast had been going on for a long time before the Data Inspectorate was made aware of the case. After
Article 5 (2) of the Privacy Regulation (principle of liability) is

responsible for processing responsible for and must be able to demonstrate that the privacy principles
complied with. Furthermore, it follows from Article 24 that the person responsible for processing is obliged to
implement technical and organizational measures to ensure and demonstrate that the treatment of
personal information is in line with the Privacy Ordinance.

We also refer to point 148 of the Privacy Ordinance, where it follows:


        "In order to strengthen the enforcement of the provisions of this Regulation, it should:
        Violation of this Regulation shall be subject to sanctions, including infringement fines, in
        in addition to or instead of appropriate measures imposed by the supervisory authority in accordance with
        this Regulation. "

The Norwegian Data Protection Authority is not aware of other aggravating or mitigating factors in the case such as
will affect the outcome of the assessment.


Based on the assessments above, the Data Inspectorate concludes that an infringement fee should be imposed.

5.2. Assessment of the size of the fee





                                                                                                12In accordance with Article 83 (1), the infringement charge must be effective, reasonably
relation to the violation and act as a deterrent. This means that the supervisory authority must
make a concrete, discretionary assessment in each individual case.

When measuring the size of the fee, emphasis shall be placed on the same assessment factors
which has been reviewed in section 5.1 of the decision. The Data Inspectorate therefore refers to the assessments made
above, and that these collectively speak in favor of a fee of a certain size.


In an aggravating direction, we place particular emphasis on the fact that the violation has taken place over time, has affected one
significant number of registered, and that all personal data is illegally made available to
the general public through the live broadcast on the Internet.

In a mitigating direction, it is emphasized that the quality and distance of the recordings means that
identification is more demanding. The Data Inspectorate also emphasizes that Dragefossen has not achieved

some financial benefits as a result of the violation, and that it is not known that there is little
material or non-material damage as a result of the infringement.

The business's financial ability will also be important, even if it is not relevant to
take advantage of the range of the infringement fine provided for in Article 83 (5).
Article 83 (5) of the Privacy Regulation sets a higher maximum amount for fees when the case
deals with violations of the basic principles of treatment of

personal data in accordance with Articles 5 and 6 of the Privacy Regulation.

With operating revenues of NOK 113,088,000 and an annual profit of NOK 13,304,000 in 2019, has
Dragefossen has a significantly larger economy than is the case with previous decisions
illegal camera surveillance. Although there are no directly comparable decisions,
then it can be pointed out, for example, that in PVN-2019-09 the business had an operating profit of NOK

1.5 million, and the fee was set at NOK 50,000.

The violation on which the decision is based occurred after the Privacy Ordinance came into force
in force on 20 July 2018, and the Privacy Ordinance facilitates a higher level of fines than that
which applied under the Personal Data Act from 2000. In order for the fee to be perceived as an evil,
so that the preventive considerations behind the infringement fee as a form of reaction are taken into account, must
the fee is higher than what has previously been the case for decisions on illegal

camera surveillance.

After an overall assessment of the moments in the case that we have reviewed above and
the seriousness of the violation, we have come to the conclusion that a violation fee of NOK 150,000
considered correct.

6. Right of appeal and further proceedings

This is an individual decision that can be appealed according to the rules of the Public Administration Act, cf.
Section 28 of the Public Administration Act. Any complaint must be sent to us within three weeks after this

the letter has been received, cf. the Public Administration Act §§ 28 and 29. If we uphold our decision accordingly
it is appealed, we will forward the case to the Privacy Board for processing complaints.




                                                                                                13If you do not appeal the decision on the infringement fee, the deadline for compliance is 4 weeks after
the expiry of the time limit for appeal, cf. section 27 of the Personal Data Act.

7. Transparency and publicity

You have the right to access the case documents (cf. the Public Administration Act § 18). We will also inform
that all documents are in principle public (cf. the Public Access to Information Act § 3.)
If you believe there is a basis for exempting all or part of the document from public
insight, we ask you to justify this.



With best regards


Jørgen Skorstad

department director, law
                                                                 Anders Sæve Obrestad
                                                                 senior legal adviser

The document is electronically approved and therefore has no handwritten signatures

































                                                                                            14