Persónuvernd (Island) - 2021051091

From GDPRhub
Revision as of 09:35, 27 March 2024 by Ec
Persónuvernd - 2021051091
Authority: Persónuvernd (Island)
Jurisdiction: Iceland
Relevant Law: Article 5(1)(b) GDPR
Article 5(1)(a) GDPR
Article 6(1) GDPR
Article 12 GDPR
Article 13 GDPR
Article 30 GDPR
Article 58(2) GDPR
Article 83 GDPR
Type: Complaint
Outcome: Upheld
Started: 04.05.2021
Decided: 12.03.2024
Published: 20.03.2024
Fine: 1,500,00 ISK
Parties: Stjörnuna ehf, the operator of Subway in Iceland
National Case Number/Name: 2021051091
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Icelandic
Original Source: Persónuvernd (in IS)
Initial Contributor: ec

The DPA imposed a fine of €10,059.92 (ISK 1,500,00) on Stjörnuna ehf, the operator of Subway in Iceland, for unlawfully monitoring its employees without adequately informing them.

English Summary


The data subject is an employee at Subway in Iceland.

The controller is Stjörnuna ehf, the operator of Subway in Iceland.

The data subject filed a complaint with the Icelandic DPA (Persónuvernd) on 4 May 2021.

The data subject claimed that the store manager was at home monitoring the data subject in real time and called the workplace to give comments on the data subject’s work style based on the footage. This was done without the data subject’s knowledge.

The controller argued in a letter to the DPA that it had installed the surveillance cameras for the sake of security and property protection. The surveillance camera system was used in a reasonable manner and had not been used for the control of workers or for monitoring work results. The controller claimed that the store manager went beyond the stated purpose of the monitoring and used the footage to monitor the work performance of the employees without the consent or knowledge of the company representatives. Immediate action was taken to prevent this from happening again.

However, in a subsequent letter, the controller denied that the store manager regularly monitored staff in real time through the restaurant's surveillance camera system and commented on their work style and behaviour. The controller argued that the store manager was looking at the surveillance camera system on the day in question out of fear that bread was running out. However, the store manager noticed that there was a big queue which did not change after 5 minutes, and therefore called the data subject, who was in the rest area, to request that the data subject serve the customers.

Lastly, the controller argued that since there was no systematic collection of information, they had no obligation beyond the installation of signs about the surveillance cameras in the workplace to inform employees more about the monitoring.


Firstly, the DPA found the arguments of the controller conflicting, as the purpose for processing was either (1) in the interests of security and property protection or (2) quality control. The DPA explained that under Article 5(1)(b) GDPR, monitoring must be carried out for a specified, explicit and legitimate purpose.

Regarding the first potential purpose, the DPA held that it is clear that the store manager’s use of the footage from the surveillance cameras did not fall under the purpose of security and property protection. Moreover, the DPA held that monitoring of employees for this purpose is only possible if there are no other means available and is necessary due to an agreement. The controller did not demonstrate this necessity.

Regarding the second potential purpose, the DPA found that the controller did not demonstrate that quality control was the purpose of monitoring or that the objectives of quality control cannot be achieved with other and less intrusive measures. Therefore, the DPA found that there was no legal basis for processing under Article 6(1) GDPR.

Secondly, the DPA explained that personal data must be processed in a fair and transparent manner in relation to the data subject under Article 5(1)(a) GDPR. This means that data subjects should be aware when their personal data is collected, used, viewed or processed in another way. Moreover, in light of Article 13 GDPR, information must be provided to the data subject, who must be given a clear picture of the monitoring, including its purpose, how it is carried out, how access to monitoring material is arranged and how long the data is stored. The DPA found that the data subject was not adequately informed about the monitoring or what his rights were concerning the monitoring. Moreover, the DPA rejected the controller’s claim that the installation of signs about the monitoring was satisfactory, as these signs did not state who is responsible for the monitoring.

Thirdly, the DPA found that the controller did not keep a record of the processing activities required under Article 30 GDPR.

Thus, the DPA ordered the controller under Article 58(2) GDPR to erase all screenshots of the data subject at work, to inform its employees about the monitoring, including the purpose of the monitoring and their rights related to it, and to keep a record of its processing activities. Moreover, the DPA imposed an administrative fine of €10,059.92 (ISK 1,500,00) on the controller under Article 83 GDPR due to the controller’s violations of Article 5(1) GDPR, Article 6 GDPR, Article 12 GDPR and Article 13 GDPR.



English Machine Translation of the Decision

The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.