Personvernnemnda (Norway) - 2021-20 (20/01648)
PVN - 2021-20 (20/01648) | |
---|---|
Court: | Personvernnemnda (Norway) |
Jurisdiction: | Norway |
Relevant Law: | Article 5(1)(a) GDPR; Article 5(1)(c) GDPR; Article 6 GDPR; Article 12(1) GDPR; Article 13 GDPR; Regulation on the use of camera surveillance in a business |
Decided: | 15.02.2022 |
Published: | 22.02.2022 |
Parties: | Redacted |
National Case Number/Name: | 2021-20 (20/01648) |
European Case Law Identifier: | |
Appeal from: | Datatilsynet (Norway) 20/01648 |
Appeal to: | |
Original Language(s): | Norwegian |
Original Source: | Personvernnemnda (Norway) (in Norwegian) |
Initial Contributor: | Rie Aleksandra Walle |
The Norwegian Privacy Appeals Board upheld a DPA decision fining a beauty salon about €10,000 for unlawful camera surveillance that gave the general manager constant live access to images and sound via a mobile app on her phone, without informing the employees or customers.
English Summary
Facts
This case is an appeal of the decision 20/01648 by the Norwegian DPA (Datatilsynet), in which it imposed a fine of NOK 100,000 (approx. €10,000). The defendant asked for the fine to be overturned or reduced significantly, due to the company's "critical financial state".
The Privacy Appeals Board assessed whether a fine could be imposed under Article 83(5) GDPR, cf. Article 83(2) GDPR, and if so, how large it should be.
Holding
The Board agreed with the DPA that, contrary to the defendant's claim, the installation of the camera had not been discussed with the employees in advance, since there was no evidence of such discussions.
The Board noted that continuously surveilling a workplace is very intrusive for the employees, and also for the customers since there was no proper signage or information about the surveillance, and found this to be a serious violation of the GDPR.
The Board agreed with the DPA that the defendant's actions were serious and blameworthy, deserving of a sanction, and that this justified the level of the fine. This was further substantiated by the lack of technical and organisational measures for GDPR compliance in the company.
Comment
The Board noted that the fine should actually have been higher, especially compared to the fine issued in case PVN-2021-13. However, the Board was not able to increase the fine due to limitations in § 34 of the Norwegian Public Administration Act.
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
Decision of the Privacy Board 15 February 2022 (Mari Bø Haugstad, Bjørnar Borvik, Line Coll, Hans Marius Graasvold, Ellen Økland Blinkenberg, Hans Marius Tessem, Morten Goodwin)
The case concerns a complaint from an X AS against the Data Inspectorate's decision of 14 July 2021, where the inspectorate charged the company an infringement fee of NOK 100,000 for having camera-monitored the company's premises without a legal basis, cf. the Privacy Ordinance Article 6 no. to employees and customers, cf. Article 12 nos. 1 and 13, and for breaches of the principles of transparency and data minimization, cf. Article 5 no. 1 letter a and c.
Background to the case
The business this case concerns offers its customers, among other things, waxing, facial treatment and coloring of lashes and eyebrows. A real-time monitored camera (not fixed) was set up on the company's premises in early 2019. The camera was in use until the beginning of August the same year. On behalf of three of the four former employees in the company, the Trade Union Health, Social Affairs and Welfare complained to the Data Inspectorate on 26 August 2019 and notified them of what they thought was illegal camera surveillance. The Norwegian Data Protection Authority asked X AS to report on the case on 28 November 2019. After being given a postponed deadline, the company sent a report to the Authority on 10 January 2020. The union sent additional information to the Data Inspectorate on 27 January 2020, including a report from LO's summer patrol that visited the company on 1 July 2019, an e-mail on 27 January 2020 from a youth union representative who was present during this visit, and an e-mail as a former employee of the company sent to the Data Inspectorate on 28 February 2019, with questions about the camera surveillance at his workplace.
The Data Inspectorate asked X AS on 6 March 2020 for a further statement related to whether the camera surveillance had been notified with signs, where the signs were possibly located and what information appeared. The company was also asked to submit documentation, and explained the case in a letter on 16 March 2020. The Norwegian Data Protection Authority notified X AS on 28 September 2020 of the imposition of an infringement fee of NOK 150,000 for having processed personal data in violation of the Privacy Ordinance, Article 5 (1) (a) and (c), Article 6, Article 12 (1) and Article 13. The Authority requested in the notification of documentation if the company experienced a weakened economy in connection with the corona pandemic. The salon gave its statement to the warning in a letter on 23 October 2020 and stated that the company was struggling with a deficit due to the pandemic. In a letter dated 12 February 2021, the Norwegian Data Protection Authority requested documentation of the company's weakened financial situation, and received such documentation on 13 March 2021. The Norwegian Data Protection Authority made the following decision on infringement fines on 14 July 2021: «Pursuant to the Personal Data Act § 1, cf. the Privacy Ordinance Article 58 no. 2 letter i, cf. Article 83, […], org.nr. […], To pay an infringement fee to the Treasury of 100,000 - one hundred thousand - kroner for having processed personal data in violation of the Privacy Ordinance Article 5 No. 1 letter a and c, 6, 12 Nos. 1 and 13. " The reason for the reduction in the size of the fee was the company's difficult financial situation as a result of the corona pandemic. After being granted a postponed appeal deadline, the company appealed in a timely manner to the Data Inspectorate's decision on 20 August 2021. The Data Inspectorate obtained the Trade Union's view on the complaint, which submitted its comments on 24 September 2021. 
The Trade Union's comments only apply to the size of the infringement fee and the Data Inspectorate states that these are not emphasized by the Data Inspectorate. § 2 letter e. The Danish Data Protection Agency assessed the complaint and assumed that the complaint concerned the size of the infringement fee. The audit maintained its assessment and forwarded the case to the Privacy Board on 20 December 2021. The salon and the Trade Union were informed of the case in a letter from the board on 21 December 2021 and were given the opportunity to comment. No further comments have been received. The case was discussed at the committee's meeting on 15 February 2022. The Privacy Committee had the following composition: Mari Bø Haugstad (chair), Bjørnar Borvik (deputy chair), Line Coll, Hans Marius Graasvold, Ellen Økland Blinkenberg, Hans Marius Tessem and Morten Goodwin. Secretariat leader Anette Klem Funderud was also present.
The Data Inspectorate's decision in brief
The relevant camera surveillance is covered by the Privacy Ordinance and the Personal Data Act. X AS, as the person responsible for processing, is responsible for proving that the camera surveillance took place in accordance with the Privacy Ordinance, cf. Article 5 no. 2 and Article 24 no. 1. The company has not submitted documentation showing that the acquisition of the equipment was discussed with the employees or that the procurement took place at the request of the employees.
Assessment of treatment basis
The Data Inspectorate points out that it is unclear what legal basis for the camera surveillance the company invokes, but assumes that the company invokes the Privacy Ordinance Article 6 No. 1 letter a (consent) and Article 6 No. 1 letter f (legitimate interest). The Data Inspectorate concludes that the camera surveillance had no legal basis in Article 6, paragraph 1, letter a. It is firstly problematic to invoke consent in an employment relationship due to the power relationship, cf.
the Privacy Council's guidelines 679 »adopted on 4 May 2020, point 2.1. Secondly, the Authority is of the opinion that in this case there is no valid consent for camera surveillance from the employees in the company, cf. the Privacy Ordinance Article 4 No. 11, as the consent is neither voluntary, informed nor documented, cf. Article 7 No. 1 and No 4 and points 32 and 42 of the Regulation. The Data Inspectorate then discusses the Privacy Ordinance, Article 6, paragraph 1, letter f (legitimate interest) as a possible legal basis. The assessment is whether the camera surveillance is "necessary" for purposes related to "legitimate interests" that take precedence over the interests of the data subjects. The Data Inspectorate points out that the way the camera was arranged (the location and its wide angle of 130 degrees) was not necessary to ensure the safety of employees or customers. Camera surveillance of the entrance area would be less intrusive for the employees and sufficient to achieve the purpose. Camera surveillance outside opening hours would be sufficient to prevent or deter burglary. The sound recorder function the camera was equipped with was not necessary to achieve the purpose of the camera surveillance, nor real-time monitoring with remote access. Audio recording is a very intrusive form of monitoring, especially when there is hidden audio recording that has not been notified. Real-time monitoring with remote access is an intrusive measure, and there must be particularly good reasons why such measures are legal. Real-time monitoring and storage of the recordings was also not necessary or in line with the data minimization principle. Even if the necessity requirement were to be met, the Data Inspectorate believes that the interests of the employees in any case take precedence over the interests of the company, and concludes that the camera surveillance has no basis for treatment in Article 6 no. 1 letter f. 
The audit further assumes that when it comes to monitoring customers, a visit to a growing salon must be considered a private matter. This means that customers must be able to expect that they are not monitored. The Authority concludes that the measure entails an illegal processing of personal data, cf. Article 6 no. 1, the principle of legality in Article 5 no. 1 letter a and the principle of data minimization in Article 5 no. 1 letter c.
Transparency, information and data minimization
The Norwegian Data Protection Authority assumes that the company has not provided sufficient information about the monitoring, to the employees or to customers, in the form of signage. The camera was for a period marked with a small sticker on the front door, which the general manager discovered in July 2019 had been removed. A sticker with the wording «Arlo, video monitoring in progress. You may not see arlo but arlo sees you, netgear», in any case does not meet the information requirements in Articles 12 and 13 of the Privacy Ordinance. their rights. The sticker also does not contain information on where customers and employees can find more information, which the Privacy Council has stated must appear on signs warning camera surveillance, cf. «Guidelines 3/2019 on processing of personal data through video devices», adopted on 29 January 2020, section 7.1.2. The Data Inspectorate does not trust the company's explanation that the measure was clarified with employees in advance and refers to the report from LO's summer patrol and e-mail from the youth union representative who was also present. Furthermore, it is pointed out that it is in any case the company, as the data controller, that must prove that the processing takes place in accordance with the privacy regulations, cf. the Privacy Ordinance, Article 5, paragraph 2, and Article 24, paragraph 1.
In summary, the company has not complied with its duty to provide information, which entails a breach of the Privacy Regulation, Article 12 (1) and Article 13. In conclusion, it is pointed out that the camera's location and its wide angle of 130 degrees, the sound recorder function and the remote access to the general manager's mobile phone were not necessary or adequate to achieve the purpose and are contrary to the principle of data minimization, cf. Article 5 No. 1 letter c.
Infringement fee
In assessing whether a fee is to be charged and in determining it, the Data Inspectorate takes as its point of departure the relevant aspects of the Privacy Ordinance, Article 83 no. 2, letters a to k. With reference to Article 83, No. 2, letter a «The nature, severity and duration of the infringement […]», the Data Inspectorate points out that the infringement violates basic requirements for legality, transparency and data minimization, cf. Articles 5 and 6 of the Privacy Ordinance. collected significantly more material, in a far more intrusive way than was necessary for the purpose. The audit places particular emphasis on the camera having an angle lens that captured 130 degrees, the camera's angle towards the reception area and the area towards the treatment room, the sound recorder function, the remote access through an app on the general manager's mobile phone, that there were no restrictions on the camera. the camera surveillance took place around the clock with a motion sensor. Camera surveillance in the workplace is an intrusive form of surveillance. Regardless of whether the camera surveillance took place for seven to eight months as the Trade Union claims, or for five to six months as the company claims, it is a long period for employees to be monitored during working hours and the burden on the employees is great.
The feeling of being monitored via video recordings, together with the fact that the general manager at all times had the opportunity to carry out audio recordings and follow the employees via his telephone, pulls in an aggravating direction. Pursuant to Article 83 (2) (b) of the Privacy Regulation, emphasis shall be placed on "whether the infringement was committed intentionally or negligently". In the decision, the Data Inspectorate has assumed that there is no requirement for subjective fault on the part of the person acting on behalf of the company. In the letter of transmission to the tribunal on 15 December 2021, the Authority has made a new assessment of this point in line with the Supreme Court's position in HR-2021-797-A. The audit concludes that the general manager of the salon, who acted on behalf of the company, in this case has acted intentionally and that the claim for guilt has thus been met. This pulls in an aggravating direction. With reference to Article 83, paragraph 2, letter f "the degree of cooperation with the supervisory authority to remedy the infringement and reduce the possible negative effects of it", the Authority assumes in a mitigating direction that the company has contributed to the disclosure of the case. At the same time, the audit points out that the company maintains that they had a basis for processing the camera surveillance and that sufficient information was provided about the surveillance. The Data Inspectorate further assumes that special categories of personal data (sensitive personal data) are not affected in this case, cf. Article 83 no. 2 letter g. The context in which the relevant monitoring has taken place, which is of a private nature for customers, in an aggravating direction. The Data Inspectorate points out that the audit was notified of the infringement by the Trade Union, which organized three of the four employees in the company, and that the salon itself did not notify the audit of the infringement, cf. 
Article 83 no. 2 letter h. With reference to Article 83 no. 2 letter k «any other aggravating or mitigating factor in the case», the Data Inspectorate finds it aggravating that the reason why the camera was taken down in the third week in August 2019 was that the camera stopped working and that the company did not take an active choice to interrupt camera surveillance. On the basis of the review of these factors, the Data Inspectorate came to the conclusion that an infringement fee should be imposed, cf. the Privacy Ordinance, Article 83 no. 2 and no. 5 letter a. When measuring the size of the fee, the Data Inspectorate points out that emphasis must be placed on the same assessment factors that have been reviewed above. The audit therefore refers to these assessments. It follows from Article 83 (1) of the Privacy Ordinance that the infringement fee shall be determined concretely so that in each individual case it is effective, is in a reasonable proportion to the infringement and has a deterrent effect. The Norwegian Data Protection Authority points out that the case concerns a lack of basis for processing (the principle of legality) in Article 6 and a breach of the principles of transparency and fairness and data minimization in Article 5 (1). previous financial year, cf. Article 83 no. 5. The Authority further points out that the violation is serious, including that the camera surveillance took place in the workplace with a great burden on the employees and visitors. The company has submitted documentation showing that the annual turnover in 2020 was NOK 2,596,000, in contrast to 2019 when it was NOK 4,410,000. According to the Authority's assessment, this is a significant decrease that is given weight when measuring the size of the fee. The audit nevertheless points out that according to publicly available documents, the business is still registered with good liquidity and very good solvency in 2020, despite a decline in turnover. 
After taking into account the seriousness of the violations and the company's financial situation, the Data Inspectorate sets the final fee at NOK 100,000. The notified fee of NOK 150,000 was thus reduced by approx. 33.33% with reference to the company's financial situation. The Authority considers that a fee of NOK 100,000 is sufficiently effective, is in a reasonable proportion to the infringement and has a deterrent effect, cf. the Privacy Ordinance Article 83 no. 1. The Authority points out that the fee is in the lower tier of what the Ordinance prescribes. When sending the case to the tribunal, the Data Inspectorate provides an assessment of the significance of the case processing time for determining the fee, cf. Article 83 no. 2 letter k. The Data Inspectorate attaches crucial importance to the fact that there have been no long periods of inactivity in the case to reduce the amount of the infringement fee due to the case processing time.
X AS' views on the matter in brief
X AS requests that the infringement fee be waived or significantly reduced. The company's financial situation is critical. Turnover decreased by more than one million kroner from 2018 to 2019. From a small profit in the operating profit for 2018, the accounts in 2019 showed a deficit of more than 363,000 kroner. Turnover has been further reduced from 2019 to 2020 by almost two million kroner, which the pandemic has contributed to. The operating profit appears to be a loss of NOK 972,000. Fixed expenses must still be covered at the same time as the customer base is becoming smaller and smaller. The company's bank accounts are being emptied. Reference is made to the documentation the company has submitted to the Data Inspectorate in a letter dated 17 August 2021, including an overview of monthly expenses including the company's invoices in August 2021.
The company states that the fixed monthly expenses amount to NOK 136,480, which together with the general manager's salary employed in a 100% position, legal expenses and NHO membership amounted to NOK 307,405 in August 2021. The company has also attached a bank statement for the current balance on the company's corporate account on 19 August 2021. This shows that the book balance was NOK 231,862.
The Privacy Board's assessment
The question for the tribunal is whether according to the Privacy Ordinance Article 83 no. 5, cf. Article 83 no. 2, an infringement fee shall be imposed for the illegal camera surveillance, and if a fee is to be imposed, how large the fee shall be. It appears from the case documents that X AS and the Trade Union disagree somewhat on the facts of the case. Although the case before the tribunal concerns whether a fee is to be imposed and, if necessary, the measurement of the amount of the fee, the tribunal must take a position on the facts. This is due to the fact that, among other things, the nature, severity and duration of the infringement will be key factors in assessing whether an infringement fee is to be imposed and, if necessary, the imposition of the fee, cf. Article 83 of the Privacy Ordinance. Infringement fees under the Personal Data Act are to be regarded as an administrative sanction that has the character of a penalty pursuant to Article 6 of the ECHR. Rt-2012-1556. In practice, this means that it is the fact that the company itself describes that must be taken into account, unless there is clear evidence in the available evidence that it behaves in a different way. In other words, an overweight probability is not sufficient to base a fact other than what the company itself explains, unless the overweight is "clearly" more than 50%. It also means that where there is uncertainty about the fact, the fact that is most favorable to the company must be used as a basis.
The facts of the case
The following describes the fact on which the Privacy Board bases its decision. An account is then given of the tribunal's assessment of evidence. It is clear that in 2019 the company acquired a surveillance camera that was set up on the company's premises. The camera used was an Arlo Q VMC3040-100NAS 1080P HD Wireless, Security Camera with Audio. The camera was active around the clock and was placed in the reception area on top of a two meter high cabinet. The camera had a built-in microphone and speaker, motion sensor, full HD resolution and 130-degree viewing angle. The camera covered the entrance area and the reception area in the salon, not the treatment rooms and the staff lunch room. The recordings were stored in the cloud where the recordings were available in a separate app for seven days, and then were automatically deleted. Only the general manager had remote access to the recordings via the app on his mobile phone. The company has stated that the purpose of the camera surveillance was to ensure the safety of employees and customers. The tribunal assumes that the camera was also used to monitor the employees, and that the acquisition of the monitoring equipment had not been discussed with the employees in advance. The equipment had a sound function and those present in the reception room could not look at the equipment whether the microphone was on or not. However, the tribunal bases its information on the company that the sound function on the camera was not used. A sticker from the camera supplier Arlo was affixed to the front door of the company. Sticker of approx. 6 x 6 cm was transparent and showed both inside and outside a green / white image of a bird with a Wi-fi sign instead of wings where it says: «Arlo, video monitoring in progress. You may not see Arlo but Arlo sees you, netgear». The sticker was removed once during the summer of 2019.
The camera was installed at the turn of the month February / March 2019 and was removed in the third week of August the same year. By this time, the camera had stopped working. The fact that there is disagreement is first and foremost whether the acquisition of the equipment was discussed with the employees in advance, whether consent had been obtained from the employees, possibly whether the acquisition took place at the request of the employees, and whether the camera footage was also used for control purposes. The tribunal's assessment that the camera surveillance was also used for control purposes is based on the employees' explanations to LO's summer patrol during the summer of the camera surveillance. The employees informed the summer patrol that they experienced that the general manager sat at home and watched the camera recording (direct transfer) from the salon, when she herself was not present in the room. She followed how much time they spent on customers and the employees experienced being called by the general manager and, for example, being informed that they had spent too much time on the customer they had just dispatched. The tribunal also points out that if the sole purpose was to safeguard the safety of employees and customers, signage and information to those who visited the premises - also for preventive reasons - should have been much clearer. The tribunal, like the Norwegian Data Protection Authority, assumes that the implemented control measure had not been discussed with the employees in advance. The tribunal points out that the company has not documented that such discussions have taken place, as well as the explanations from previous employees.
Imposition of infringement fine
In the case of processing of personal data in violation of Articles 6 and 5, 12 and 13 of the Privacy Ordinance, to which this case applies, the supervisory authority may, pursuant to Article 58 (2), letter i, cf. Article 83 (5), cf.
Article 83 (2) impose it processing managers a violation fee of up to 20,000,000 euros or, in the case of an enterprise, up to 4% of the total global annual turnover in the previous financial year, where the highest amount is used. It follows from Article 83 (1) that the supervisory authority, in its assessment, must ensure that the imposition of infringement fines is effective, proportionate and dissuasive. Both in the assessment of whether a fee is to be imposed and in the calculation of the fee, the factors in the Privacy Ordinance Article 83 no. 2 letters a to k shall be taken into account in each individual case. Continuous monitoring of a workplace is very intrusive for the employees. The company's inadequate signage and information to customers also entails an encroachment on customers' privacy and gives the registered persons very limited preconditions for being able to safeguard their rights under the Privacy Ordinance, Chapter III. In the tribunal's assessment, the illegal camera surveillance in this case, and in particular the continuous surveillance of the employees, represents a serious violation of the Privacy Ordinance. The Board has in PVN-2021-13, which concerned illegal camera surveillance of a restaurant premises, stated that in assessing how serious the violation should be considered, it must be taken into account that the provision in the Privacy Ordinance Article 6 No. 1 letter f, is a discretionary rule where different interests should be weighed against each other. The fact that the person responsible for processing concludes differently from the privacy authorities in this balancing of interests does not necessarily in itself entail a serious violation. In this case, however, the infringement is serious since a monitoring has been initiated with a clear purpose of controlling the employees without having a legitimate interest in this. The Working Environment Act's rules on the implementation of such a measure have also not been followed. 
The tribunal therefore agrees with the Norwegian Data Protection Authority that these are serious and reprehensible acts that there is reason to sanction. The objectionable procedure is given weight in an aggravating direction when measuring the size of the fee. There is no doubt that the illegal camera surveillance and inadequate signage about this, represent intentional actions committed by the general manager on behalf of the company. Lack of knowledge of the rules does not absolve from liability unless the error is prudent. It was not. The debt requirement, which also applies to corporate liability, cf. HR-2021-797-A, is thus fulfilled. In an aggravating direction, the tribunal emphasizes that the company lacked technical and organizational measures for compliance with the privacy regulations (the principle of liability in the Privacy Ordinance, Article 24). For violations of the basic principles of processing (including Articles 5 and 6 that are relevant to this case), the supervisory authority may impose a fee of up to 20,000,000 euros, or if it is an enterprise, up to 4% of the annual turnover of the previous financial year, cf. Article 83 no. 5. It follows from the provision that it is the higher number of the two alternatives that must be used as the limit. It further follows from Article 83 (3) that if the controller infringes several of the provisions, the total amount of the infringement fine shall not exceed the amount indicated for the most serious infringement. The tribunal emphasizes that the use of significant infringement fees is an important tool in a system that gives the data controller a large independent responsibility. The company's annual turnover in 2019 was NOK 4,410,000, while in 2020 it was NOK 2,596,000. The Data Inspectorate has taken into account the decrease in annual turnover and has set the fee at NOK 100,000, which amounts to 3.85% of annual turnover in 2020. 
In PVN-2021-13, the tribunal assumed that the fee should be around NOK 100,000 for a violation that was not considered serious, where the company had a higher annual turnover. The seriousness of the infringement in the present case indicates that the fee should in principle be set higher, even though the annual turnover here is clearly lower. Section 34 of the Public Administration Act limits the tribunal's possibility to change the decision to the detriment of the complainant. The fee is then set at NOK 100,000 in line with the Data Inspectorate's decision, cf. Article 83 of the Privacy Ordinance. The fact that the case processing time has been long is then also sufficiently taken into account. The Norwegian Data Protection Authority has pointed out that there have not been long periods of inactivity, but the tribunal will note that this alone is not decisive. The total case processing time must also be included in the assessment. The tribunal believes that the case processing time here of 2 years is too long, given the case's lack of complexity. After this, X AS does not uphold the appeal.
Conclusion
The Data Inspectorate's decision to impose an infringement fee of NOK 100,000 on X AS is upheld. The decision is unanimous.
Oslo, 15 February 2022
Mari Bø Haugstad
Manager