Datatilsynet - 20/01627
|Relevant Law:|Article 4(1) GDPR; Article 5(1)(a) GDPR; Article 6(1)(f) GDPR|
|National Case Number/Name:|20/01627|
|European Case Law Identifier:|n/a|
|Original Source:|Datatilsynet (in NO)|
The Norwegian DPA (Datatilsynet) fined Dragefossen AS €15,000 for live-streaming a camera feed to YouTube. The camera captured a public road, a parking space, various shops, and buildings such as the city hall without a sufficient legal basis under Article 6(1)(f) GDPR, in connection with Article 5(1)(a) GDPR.
English Summary
Facts
The company had installed a camera on the roof of the building in which it was located. The camera rotated 360 degrees, stopping at four set angles for 15 seconds. Each full rotation took around two minutes. The company's internal routine and the answers it provided to the DPA highlighted that, due to the quality and distance of the recording, the company deemed that number plates or faces would not be recognisable. Recordings were saved on a dedicated server for 14 days before being deleted. Recordings had been shared with the police on several occasions in relation to events in the city centre.
Dispute
Do the recordings capture personal data pursuant to Article 4(1) GDPR, and if so, is there a legal basis for the processing of personal data pursuant to Article 6(1)(f) GDPR?
Holding
Personal data
The DPA agreed that it was unlikely that number plates or faces of people would be recognisable due to the distance and the quality of the recording. The DPA highlighted, however, that it would be possible to recognise the type of car someone was driving, what type of clothes people were wearing, the colour of their hair and their approximate hairstyle. The DPA highlighted that prior knowledge about someone's schedule, shopping patterns, their car or their look could allow the person being recorded to be identified, for example by friends, significant others, family or colleagues. This view was supported by the police requesting access to the recordings on several occasions concerning events in the city centre.
As such, the DPA held that the recordings captured personal data pursuant to Article 4(1) GDPR.
Legal basis
The DPA found that the controller had not assessed whether there was a legal basis for the processing of personal data pursuant to Article 6. The DPA assessed the controller's legitimate interests pursuant to Article 6(1)(f) of its own accord.
The DPA identified two processing operations with different purposes. The first processing operation was the live feed of the city centre, where the purpose was to provide an offer for customers and the local residents. The second processing operation was saving the video and retaining the recording for 14 days. The purpose of this processing operation was to provide security to the local residents by sharing the recordings with the police if needed.
Balancing of interests
For the second purpose, the DPA held that it could not be established for certain that there was a legitimate interest for saving the records. The DPA referenced EDPB guidelines which state that purposes connected to protection against theft, vandalism and criminal acts may be a legitimate interest, noting however that such a purpose must be connected to a specific event and not based entirely on speculation. The DPA questioned whether a real danger of criminal acts was established, finding however that it did not need to conclude on this point, as the rights and freedoms of the data subjects clearly outweighed the controller's interest.
For the first purpose, the DPA also questioned whether the recording pursued a legitimate interest, finding that it did not need to conclude on this point, as the balancing of interests was in the data subjects' favour. The DPA also noted that the camera could be positioned at an angle that would not be as invasive to the privacy of the data subjects.
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
DRAGEFOSSEN AS
PO Box 20
8251 ROGNAN
Their reference Our reference Date / TP / 20 / 01627-3 08.03.2021
Postal address: PO Box 458 Sentrum, 0105 OSLO. Office address: Tollbugt 3. Telephone: 22 39 69 00. Fax: 22 42 23 50. Org.nr: 974 761 467. Website: www.datatilsynet.no
Decision on infringement fee - Live broadcast from camera surveillance of public area
We refer to our notice of decision on order and infringement fee dated 1 October 2020, and comments on this in a letter from Dragefossen dated 19 October 2020. These comments are dealt with in section 5.1 of the decision.
You write that you have switched off the camera and stopped the live broadcasts after the warning from the Norwegian Data Protection Authority, and we register that the live broadcast has been removed from Youtube and the website of Dragefossen. As the camera surveillance and live broadcast have ended, the Data Inspectorate considers that it is not necessary to proceed with the order we notified on 1 October 2020 to end the processing of personal data through the camera surveillance of Rognan downtown.
1. Decision on infringement fines
The Data Inspectorate makes the following decision:
Pursuant to Article 58 (2), letter i of the Privacy Ordinance, Dragefossen AS, org.nr. 911 204 177, is ordered to pay an infringement fee to the treasury of 150,000 - one hundred and fifty thousand - kroner for having camera-monitored Rognan center and broadcast live footage on the internet without legal basis, in violation of the Privacy Regulation Article 6 (1) and Article 5 (1) (a).
Information on the right of appeal appears in section 6 of the decision.
2. Details of the facts of the case
On 16 December 2019, the Norwegian Data Protection Authority received an inquiry from Kripos, informing them that they had received tips about a fixed webcam that was broadcast live from the center of Rognan on Youtube. Kripos informed that the camera was attached to the building of Dragefossen AS (hereafter Dragefossen).
The Data Inspectorate's investigations confirmed the information, and that the images from the webcam were live at the address: https://www.youtube.com/watch?v=GimxrnigQtE. The Data Inspectorate's investigations also showed that the same live broadcast was displayed on the URL https://www.dragefossen.no/webkamera.
In the statement, Dragefossen wrote that you have had a camera that has been broadcast live on Youtube or the website since 2006, and that the last camera was set up in 2019.
The Youtube channel of Dragefossen, which broadcast the live broadcast, had as of 26 May 2020 1,090 subscribers, and as of 1 October 2020 1,530 subscribers. The Norwegian Data Protection Authority is not aware of any figures on how many people have seen the last live broadcast that started on 19 August 2019. One previous live broadcast on Youtube, which started on January 28, 2019, received around 13,000 views in 140 days.
The webcam that was broadcast live was mounted on the roof of Osevegen 6, which is the business address of Dragefossen. The webcam panned 360 degrees at a steady speed, and stopped at four fixed angles for about 15 seconds each. The camera spent about two minutes per round, and panned quickly past the southwest direction, so that in practice it was about 270 degrees that were captured. Until the Data Inspectorate sent a request for a report, it was possible to rewind up to 12 hours in the live broadcast.
Areas captured by the camera surveillance included a public road, in addition to parking space and entrance to Rema 1000 Rognan, Extra Rognan, Apotek 1 Rognan, Rognan Toys and Yarn, Vinmonopolet, Sparebank 1 Nord-Norge, Saltdal municipality City Hall and a number of other buildings.
The report and internal control for camera surveillance state that the recordings must have such a distance or be of such a quality that one cannot recognize faces or car numbers.
Recordings from the camera were stored on a separate camera server for 14 days before being written over, and the police have on several occasions gained access to the recordings in connection with events in the center.
Dragefossen wrote that the company went out with information about the webcam on the company Facebook page, and that the camera surveillance was intended as a service offer for people who wanted to get an overview of Rognan center in real time.
3. More about the requirements of the Personal Data Act
The Personal Data Act implements the European Privacy Regulation in Norwegian law. The rules in the law and the regulation apply to fully or partially automated processing of personal data, cf. the Personal Data Act § 2 and the Privacy Ordinance Article 2.
The initial condition for the regulation to apply is that a processing of personal information takes place. Article 4 (1) of the Regulation defines personal data as follows:
«any information about an identified or identifiable natural person («the registered»); an identifiable natural person is a person who directly or indirectly can be identified, in particular by means of an identifier, e.g. a name, an identification number, location information, a network identifier or one or several elements specific to the physical, physiological, genetic, psychological, economic, cultural or social identity».
Camera surveillance that captures individuals who directly or indirectly can be identified thus constitutes a processing of personal data that falls under the scope of the Privacy Regulation, cf. Article 2 (1).
All processing of personal data must be in accordance with the basic principles of Article 5 of the Regulation, and the controller is responsible for ensuring that these principles are complied with, cf. Article 5 (2). A basic principle for the processing of personal data is that the processing must take place in a lawful manner, cf. Article 5, paragraph 1, letter a.
Before a company uses camera surveillance, a specific, explicitly stated and justified purpose of the camera surveillance must be established, cf. the Privacy Ordinance, Article 5, paragraph 1, letter b.
Article 6 (1) of the Privacy Regulation requires that all processing of personal data has a legal basis. For camera surveillance from private companies, Article 6 no. 1 letter f is the relevant legal basis.
The legal basis of Article 6 (1) (f) provides instruction on a balance of interests. Personal data can be processed on this basis if it is necessary to safeguard a legitimate interest that outweighs the consideration of individual privacy.
First, the relevant camera surveillance must be for a purpose associated with the legitimate interest of the controller or a third party. The Privacy Board has in PVN-2019-09 assumed that the legitimate interest must be legal and genuinely justified, and both legal, financial or immaterial interests may be justified.
Furthermore, camera surveillance must be a necessary measure to safeguard the legitimate interests. This means that there must be no other, less intrusive measures that can achieve the purpose.
The legitimate interest must then be weighed against the data subject's interests and fundamental rights and freedoms. If the data subject's rights are considered to take precedence and demand protection of personal data, the data subject's legitimate interest had to give way.
In the European Privacy Council's guidelines for camera surveillance [1] it is assumed that a concrete assessment is made of the situation, and of the specific impact the processing has on the data subjects' rights. This involves an objective assessment of the data subjects' reasonable expectations; what a neutral third party can reasonably expect from surveillance in a given situation.
[1] Guidelines 3/2019 on processing of personal data through video devices, version 2.0, adapted 29 January 2020.
Publishing camera recordings on the Internet, for example through live broadcasts, is a new processing of personal data, and requires a separate legal basis. Although a business should be considered as having the authority in Article 6 (1) (f) to collect personal information when capturing with a camera, the balance of interests may turn out differently when assessing publication on the Internet.
4. The Data Inspectorate's assessment
4.1. Assessment of whether the camera surveillance constitutes a processing of personal data
The first question in the case is whether Dragefossen's camera surveillance of Rognan center constituted a processing of personal data, cf. the Personal Data Act § 2 and Article 2 (1) of the Privacy Regulation. The key to this question is whether individuals who were captured by the camera could be directly or indirectly identified, including through the use of aids or compilation with other information, cf. Article 4 (1) of the Privacy Regulation.
In our request for a statement of 10 March 2020, we asked for answers on which assessments Dragefossen had done in connection with opportunities to identify individuals in the surveillance images. The report to Dragefossen stated that the company had assessed the quality so that it was not possible to identify faces or car numbers.
The Data Inspectorate agrees that due to the quality and distance of the images from the camera, it was as a clear main rule not possible to see details on faces or read registration numbers on cars. However, we consider that, based on the image quality and distance, one could for example identify the type of car individuals are driving, the type of clothing they are wearing, hair color and rough type of hairstyle, in addition to other personal characteristics.
As the Privacy Board assumed in PVN-2019-09, it is with all picture and video identification a prerequisite that one has prior knowledge of the person who is depicted.
Such prior knowledge can include what they look like, what clothes they have, what car they are driving or the person's shopping patterns or schedule. By comparing the information in the pictures from the webcam with such prior knowledge, those who looked at the pictures from the webcam would, for example, be able to identify family, friends, girlfriends, colleagues, employees, or others they know. That it is possible to identify individuals is also supported by the fact that the police have on several occasions requested access to recordings in connection with incidents in downtown.
The Norwegian Data Protection Authority considers that individuals who were captured by the camera could directly or indirectly be identified, and the camera surveillance thus processed information about identified or identifiable natural persons, cf. Article 4 (1) of the Privacy Regulation.
Dragefossen's camera surveillance of Rognan center was a treatment of personal data, cf. the Personal Data Act § 2 and the Privacy Ordinance article 2 no. 1.
4.2. Assessment of legal basis
The next question is whether Dragefossen had a legal basis for the camera surveillance of Rognan center and the live broadcast on Youtube and the website, cf. Article 6 of the Privacy Regulation.
In our request for a statement of 10 March 2020, we asked for an answer on what legal basis Dragefossen had for the relevant camera surveillance and publication on the internet. Dragefossen replied in the statement that the images from the webcam were not used by Dragefossen in any way, and that the company therefore did not view this as camera surveillance. Dragefossen saw the camera as an offer to customers and the people of Saltdal in general.
Dragefossen has thus not identified a legal basis for the camera surveillance in question of Rognan center in the report, nor does a legal basis appear from Dragefossen's routines for camera surveillance.
We assume that the company itself has not assessed whether there is a legal basis for either storage of recordings or live broadcast on the Internet from the camera surveillance.
The Data Inspectorate will nevertheless make an independent assessment of the legal basis, and assumes that the relevant legal basis for this type of treatment would be Article 6 (1) (f). We refer to the presentation of the provision in point 3.
According to Dragefossen, the purpose of the camera surveillance was to show a live image of Rognan center as an offer to customers and Saltdal's population in general, in addition to the camera serving as a security for the population since recordings could be handed over to the police. As there were two different processing operations of personal data related to the camera surveillance, both live broadcast on the internet and storage of recordings, the Data Inspectorate assumes that the purpose of the live broadcast was to show a live image of Rognan center as an offer to customers and Saltdal's population in general, and that the purpose of the storage was to act as a security for the population since recordings could be handed over to the police.
The Data Inspectorate first considers whether the storage of the recordings from the camera surveillance of Rognan center was necessary for a purpose related to Dragefossen's legitimate interest, and whether this interest takes precedence over the interests of the data subjects and fundamental rights and freedoms, cf. the Privacy Ordinance, Article 6, No. 1, letter f.
In the guidelines for camera surveillance from the European Privacy Council it is assumed that the purpose of protection against theft, vandalism and criminal acts may constitute a legitimate interest, if it can be demonstrated that the danger is real, for example through previous incidents [2]. However, such a purpose will not be linked to a legitimate interest if it is based only on speculation.
In the Data Inspectorate's assessment, it is unclear whether there is such a real danger of criminal acts here, and thus doubtful whether there was a legitimate interest for Dragefossen.
The Data Inspectorate also considers that the camera surveillance could have been designed in less privacy-intrusive ways to achieve this purpose, such as by limiting the monitoring to times of the day when criminal acts typically take place. It is thus also doubtful whether the actual camera surveillance was necessary for the purpose.
However, the Data Inspectorate finds it unnecessary to conclude on whether the storage of the camera footage from the camera surveillance of Rognan center was necessary for a purpose related to Dragefossen's legitimate interest, as we find it clear that the interests of the registered and fundamental rights and freedoms take precedence over any legitimate interests of Dragefossen, and require the protection of personal data.
The Data Inspectorate considers that regardless of whether it is considered that the storage of the camera footage from Rognan center was necessary for a purpose related to Dragefossen's legitimate interest, Dragefossen's interest cannot in any case be considered particularly important in this context.
The treatment in question involved constant monitoring of a significant public area in Rognan center. As the monitored area contained parking space and entrance to two grocery stores, a liquor store and a pharmacy, the Data Inspectorate assumes that significant parts of the population of Rognan were affected by the surveillance.
The surveillance affected people who were going to and from work in the area, who were going to buy food, medication or alcohol, or who for other reasons stayed in the relevant public area. These are activities where the data subjects do not expect to be monitored, and where one also will have a reasonable expectation of traveling without being tracked.
This applies to an even greater degree when the company that monitors them has no affiliation with either the registered or their current activities. The surveillance also affected children traveling in the area, which shall be given particular weight in the assessment of Article 6 (1) (f).
The interests of the data subjects and fundamental rights and freedoms will thus clearly take precedence over Dragefossen's interests, and demand the protection of personal data in the event of such a significant interference in the privacy of such a large number of registrants.
Dragefossen's storage of camera footage from the monitoring of Rognan center thus had no legal basis in Article 6 (1) letter f.
The Data Inspectorate then assesses whether the live broadcast of camera footage from the center of Rognan on the internet was necessary for a purpose related to Dragefossen's legitimate interest, and whether this interest takes precedence over the interests of the data subjects and fundamental rights and freedoms, cf. the Privacy Ordinance, Article 6, No. 1, letter f.
[2] Guidelines 3/2019 on processing of personal data through video devices, version 2.0, adapted 29 January 2020. Item 3.1.1.
The purpose of the live broadcast was to show a live image of Rognan center as an offer to customers and the population of Saltdal in general. Here, too, the Data Inspectorate finds it doubtful whether this purpose can be linked to a legitimate interest of Dragefossen.
The Data Inspectorate finds that there were other, less privacy-intrusive measures that could achieve the purpose, for example by changing the position, angle, distance and quality of the camera surveillance in such a way that individuals could not be identified. The processing of personal data was thus not necessary for the purpose.
Also for the live broadcast, however, the Data Inspectorate finds it unnecessary to conclude whether the processing of personal data was necessary for a purpose related to Dragefossen's legitimate interest, since in any case we find it clear that the data subjects' interests and fundamental rights and freedoms take precedence over any of Dragefossen's legitimate interests, and require the protection of personal data.
The Data Inspectorate considers that regardless of whether it is considered that the live broadcast from the camera surveillance of Rognan center was necessary for a purpose related to Dragefossen's legitimate interest, Dragefossen's interest cannot in any case be considered as particularly important in this context.
As for the encroachment on the data subjects' fundamental rights and freedoms, the same factors apply to the live broadcast on the internet as in the assessment related to storage of the camera footage above, and we refer to this review.
In addition, the live broadcast makes the camera surveillance in question available for anyone to potentially identify and follow employees, colleagues, friends, family, boyfriends and others. The camera surveillance could potentially be used for control purposes by those who watched live broadcasts. This means that the encroachment on the privacy of the data subjects increased considerably, and the data subjects would to an even lesser extent than with storage expect this type of processing of personal information.
The data subjects' fundamental rights and freedoms will thus clearly take precedence over Dragefossen's interests, and demand the protection of personal data in the event of such a significant interference with the privacy of such a large number of registered.
Dragefossen's live broadcast on the internet from the camera surveillance of Rognan center thus had no legal basis in Article 6 no. 1 letter f.
It follows from the Data Inspectorate's independent assessment of the legal basis that Dragefossen did not have a legal basis for the processing of personal data through the camera surveillance of Rognan center, cf. Article 6 of the Privacy Ordinance.
4.3. Assessment of the principle of legality in Article 5 (1) (a)
The requirement that a treatment must be lawful means that it must have a legal basis in the Privacy Regulation. A processing of personal data without a legal basis will without further ado be illegal, and thus be contrary to the fundamental requirement of the principle of Article 5 (1) (a).
As shown above, we find that there was no legal basis for the processing of personal information through the camera surveillance of Rognan center, so that the processing thus was contrary to the principle of legality.
5. Infringement fee
5.1. Assessment of whether an infringement fee is to be imposed
Infringement fees are a tool to ensure effective compliance and enforcement of the personal data regulations. We believe it is necessary to respond to the violation and impose infringement fines, cf. Article 83 of the Privacy Regulation.
In accordance with the Supreme Court's practice (cf. Rt. 2012 page 1556), we assume that infringement fines are to be regarded as penalties under the European Convention on Human Rights Article 6. A clear preponderance of probabilities is therefore required for offenses in order to be able to impose a fee.
The report to Dragefossen states that the company has had a camera that has live broadcast on Youtube or the website since 2006, and that the current camera was set up in 2019.
As the Data Inspectorate is not aware of how the camera surveillance previously has been designed, and thus whether individuals who were caught by previous camera surveillance could be directly or indirectly identified, we have, in the assessment of whether an infringement fine shall be imposed, only emphasized the latest live broadcast that was launched on 19 August 2019.
When assessing whether a fee should be charged and when measuring it, the Data Inspectorate shall take into account the elements of the Privacy Regulation Article 83 No. 2 letter a) to k). The Data Inspectorate can impose infringement fines after a discretionary overall assessment, but the listed factors lay down guidelines for the exercise of discretion by highlighting factors that should be given special weight. Here we will assess the relevant aspects on an ongoing basis.
(a) the nature, gravity and duration of the infringement, taking into account the nature, extent or purpose of the treatment concerned and the number of data subjects affected, and the extent of the damage they have suffered
The violation constitutes a violation of the basic requirement that all processing of personal data must have a legal basis to be legal.
The current camera surveillance was initiated on 19 August 2019, and included an area of Rognan center, which includes a car park and entrance for two grocery stores, pharmacies, liquor stores and several workplaces. According to Saltdal municipality's websites, the municipality has just over 4,700 inhabitants, and about half of these live in or close to the center of Rognan. With the addition of visitors to the city, it must be assumed that the camera surveillance has affected a significant number of registered in the relevant period, and that many of these have been monitored daily, weekly or repeatedly.
The Data Inspectorate also assumes that the surveillance has affected children who have traveled in the relevant area during the period. Children are a vulnerable group, and we refer here to the Privacy Ordinance's recital 38, where it is pointed out that children's personal data have a special right to protection.
Although not all individuals who have been captured by the camera surveillance have been directly or indirectly identifiable, the duration and number of data subjects affected by the surveillance indicate that the violation must be considered serious.
As the pictures from the webcam were broadcast live on Youtube and the website of Dragefossen, the monitoring of the area has been available for anyone to potentially identify and follow employees, colleagues, friends, family, boyfriends and others. Live broadcasts from the camera surveillance have thus also potentially been used for control purposes. This means that the encroachment on the privacy of the registered and the severity of the violation are significantly higher than if the recordings were only stored. The fact that it was also possible to rewind up to 12 hours in the live broadcast made it further suitable for control purposes, and this constitutes an aggravating circumstance, even if this function was not the intention of Dragefossen.
As mentioned, the Data Inspectorate is not aware of figures on how many have seen the latest live broadcast that started on 19 August 2019, but the live broadcast had as of 1 October 2020 over 1,700 likes. A user account on Youtube can only like each individual video once. In comparison, a previous live broadcast from Dragefossen on Youtube, which started on January 28, 2019 and lasted less than five months, had over 13,000 views and only 45 likes. Based on this, the Data Inspectorate assumes that the live broadcast has been watched thousands of times, and the Data Inspectorate considers this an aggravating circumstance.
However, the Norwegian Data Protection Authority has not received any reports of material or non-material damage that has been suffered as a result of the camera surveillance, and the possible extent of damage is thus unknown.
Dragefossen writes in the report that information about the webcam has been given regularly on their Facebook page. The Facebook page of Dragefossen has 1,700 likes, and at the time of the notice, 1 October 2020, the most recent post that mentioned the camera was from 23 August 2019. The Norwegian Data Protection Authority assumes that only a small proportion of those registered who have been affected by the camera surveillance have been aware that they have been monitored.
The surveillance affects people who are going to and from work in the area, who are going to buy food, medicines or alcohol, or who for other reasons stay in the relevant public area. These are activities where the data subjects do not expect to be monitored, and to an even lesser extent that the monitoring is broadcast live on the Internet. This is further reinforced by the fact that the company that monitors them has no affiliation with either the data subjects or the activities being monitored. The Norwegian Data Protection Authority also considers these conditions to be aggravating circumstances.
b) whether the infringement was committed intentionally or negligently
With the exception of the possibility to rewind 12 hours in the live broadcast, the Data Inspectorate assumes that the camera surveillance and its design has been a deliberate and willful act by Dragefossen.
The intent requirement follows from general basic legal principles, and these principles are codified in the Penal Code § 22.
It follows from the provision:
"Intention exists when someone commits an act that covers the description of the act in a penalty provision:
a) with intent,
b) with awareness that the action certainly or most likely covers the description of the act, or
c) considers it possible that the action covers the description of the act, and chooses to act even if that were the case."
It follows from the second paragraph of the provision, however, that «[t]he intent exists even if the offender is not aware that the act is illegal, cf. § 26». There is thus no requirement that one knew that the act was against the law.
It follows from section 26 of the Penal Code that «[a]nyone who at the time of the action, due to ignorance of legal rules, is unaware that the act is illegal, is punished when the ignorance is negligent.» According to the requirement of diligence, companies must familiarize themselves with the applicable legislation in the area, and organize the business in accordance with the framework that follows from the relevant regulations. In the assessment, emphasis must be placed on whether the regulations or the specific subsumption appear to be unclear, and what measures have been taken to ensure good rule knowledge and insight.
What constitutes the processing of personal data is a very basic rule in the privacy regulations that companies must familiarize themselves with, and the Norwegian Data Protection Authority considers that the subsumption is not clear in this case. Dragefossen's lack of knowledge about the privacy regulations and what constitutes a processing of personal data is thus not careful, and thus does not affect the assessment of the degree of guilt.
The Data Inspectorate therefore assumes that the violation was committed intentionally by Dragefossen, and that this is an aggravating circumstance.
c) any measures taken by the data controller or data processor to limit the damage suffered by the data subjects
Apart from removing the possibility to rewind up to 12 hours in the live broadcast after you were made aware of this by the Norwegian Data Protection Authority, we are not aware that Dragefossen has implemented any measures to limit the consequences that have arisen through the infringement.
d) the degree of responsibility of the data controller or data processor, taking into account the technical and organizational measures they have implemented in accordance with Articles 25 and 32
Dragefossen had routines for camera surveillance and processing of recordings when the relevant camera surveillance was started. These routines included guidelines for image quality and distance for the camera, storage, access control and delivery. However, the Data Inspectorate emphasizes that the routines for image quality were deficient, as they only stated that quality and distance should be such that faces and car registration numbers cannot be recognized. These routines show that Dragefossen has had a lack of awareness of the regulations and what constitutes a processing of personal data that is covered by the Personal Data Act.
e) any previous violations committed by the data controller or the data processor
The Norwegian Data Protection Authority is not aware of any previous violations.
f) the degree of cooperation with the supervisory authority to remedy the infringement and reduce its possible negative effects
In the report, the company has answered the questions from the Data Inspectorate as required. This therefore weighs in neither an aggravating nor a mitigating direction.
g) the categories of personal data affected by the infringement
Special categories of personal data are not affected by the infringement in question. However, the violation affects information about where individuals move and their activities, including children.
It is a mitigating circumstance in the case that details of faces and registration numbers on cars, as a clear main rule, cannot be made out from the surveillance images. Although it is possible to identify individuals on the recordings from the camera surveillance, the quality and the distance mean that such identification is more demanding, and this reduces the risk to the data subjects' rights and freedoms.
h) in what way the supervisory authority became aware of the infringement, in particular if and, if so, the extent to which the data controller or data processor has notified the infringement
The Norwegian Data Protection Authority became aware of the case through tips that Kripos passed on. There are hence no mitigating circumstances on this point.
i) if the measures referred to in Article 58 (2) have previously been taken against the data controller or data processor concerned with respect to the same subject matter, that the mentioned measures are complied with
No measures have previously been taken against Dragefossen with regard to the same subject matter.
j) compliance with approved standards of conduct in accordance with Article 40 or approved certification mechanisms in accordance with Article 42
The Norwegian Data Protection Authority does not find this aspect relevant in the case.
k) and any other aggravating or mitigating factor in the case, e.g. economic benefits which have been obtained, or losses which have been avoided, directly or indirectly, as a result of the infringement
The Data Inspectorate assumes that Dragefossen has not achieved any financial benefits as a consequence of the infringement, neither directly nor indirectly.
Regard can also be had to the company's financial situation. According to publicly available documents, Dragefossen in 2019 is registered with operating revenues of NOK 113,088,000 and an annual profit of NOK 13,304,000.
The Norwegian Data Protection Authority finds that the company has the finances to support an infringement fine.
In its comments, the company has pointed out that the only contact between the Data Inspectorate and Dragefossen before notice of the decision was given has been the Data Inspectorate's request for a statement. Dragefossen believes that the violation fee is too strong a reaction, and that they always intend to abide by applicable laws and regulations. The company points out that their camera surveillance could have been terminated in dialogue with the Norwegian Data Protection Authority at an earlier stage, and that the fact that infringement fees are used and should act as a deterrent in such matters does not feel right on the part of the company.
In this connection, the Norwegian Data Protection Authority points out that the camera surveillance in question and the live broadcast had been going on for a long time before the Data Inspectorate was made aware of the case. Under Article 5 (2) of the Privacy Regulation (principle of accountability), the data controller is responsible for, and must be able to demonstrate, that the privacy principles are complied with. Furthermore, it follows from Article 24 that the data controller is obliged to implement technical and organizational measures to ensure and demonstrate that the processing of personal data is in line with the Privacy Ordinance.
We also refer to point 148 of the Privacy Ordinance, where it follows:
"In order to strengthen the enforcement of the provisions of this Regulation, violations of this Regulation should be subject to sanctions, including infringement fines, in addition to or instead of appropriate measures imposed by the supervisory authority in accordance with this Regulation."
The Norwegian Data Protection Authority is not aware of other aggravating or mitigating factors in the case that will affect the outcome of the assessment.
Based on the assessments above, the Data Inspectorate concludes that an infringement fee should be imposed.
5.2. Assessment of the size of the fee
In accordance with Article 83 (1), the infringement fee must be effective, be in reasonable proportion to the violation and act as a deterrent. This means that the supervisory authority must make a concrete, discretionary assessment in each individual case.
When measuring the size of the fee, emphasis shall be placed on the same assessment factors that have been reviewed in section 5.1 of the decision. The Data Inspectorate therefore refers to the assessments made above, and that these collectively speak in favor of a fee of a certain size.
In an aggravating direction, we place particular emphasis on the fact that the violation has taken place over time, has affected a significant number of data subjects, and that all personal data is illegally made available to the general public through the live broadcast on the Internet.
In a mitigating direction, it is emphasized that the quality and distance of the recordings mean that identification is more demanding. The Data Inspectorate also emphasizes that Dragefossen has not achieved any financial benefits as a result of the violation, and that little is known about material or non-material damage resulting from the infringement.
The business's financial ability will also be important, even if it is not relevant to use the full range of the infringement fine provided for in Article 83 (5). Article 83 (5) of the Privacy Regulation sets a higher maximum amount for fees when the case deals with violations of the basic principles for the processing of personal data in accordance with Articles 5 and 6 of the Privacy Regulation.
With operating revenues of NOK 113,088,000 and an annual profit of NOK 13,304,000 in 2019, Dragefossen has a significantly larger economy than has been the case in previous decisions on illegal camera surveillance.
Although there are no directly comparable decisions, it can be pointed out, for example, that in PVN-2019-09 the business had an operating profit of NOK 1.5 million, and the fee was set at NOK 50,000.
The violation on which the decision is based occurred after the Privacy Ordinance came into force on 20 July 2018, and the Privacy Ordinance facilitates a higher level of fines than that which applied under the Personal Data Act from 2000. In order for the fee to be perceived as an evil, so that the preventive considerations behind the infringement fee as a form of reaction are taken into account, the fee must be higher than what has previously been the case for decisions on illegal camera surveillance.
After an overall assessment of the factors in the case that we have reviewed above and the seriousness of the violation, we have come to the conclusion that a violation fee of NOK 150,000 is considered correct.
6. Right of appeal and further proceedings
This is an individual decision that can be appealed according to the rules of the Public Administration Act, cf. Section 28 of the Public Administration Act. Any complaint must be sent to us within three weeks after this letter has been received, cf. the Public Administration Act §§ 28 and 29. If we uphold our decision after it is appealed, we will forward the case to the Privacy Board for processing of the complaint.
If you do not appeal the decision on the infringement fee, the deadline for compliance is 4 weeks after the expiry of the time limit for appeal, cf. section 27 of the Personal Data Act.
7. Transparency and publicity
You have the right to access the case documents (cf. the Public Administration Act § 18). We also inform you that all documents are in principle public (cf. the Public Access to Information Act § 3). If you believe there is a basis for exempting all or part of the document from public access, we ask you to justify this.
With best regards
Jørgen Skorstad
department director, law
Anders Sæve Obrestad
senior legal adviser
The document is electronically approved and therefore has no handwritten signatures