Personvernnemnda (Norway) - 2021-13 (20/01874)

From GDPRhub
Revision as of 12:41, 2 March 2022 by Cms (talk | contribs)
PVN - DT-20/01874 PVN-2021-13
Courts logo1.png
Court: PVN (Norway)
Jurisdiction: Norway
Relevant Law: Article 6(1) GDPR
Article 6(1)(f) GDPR
Article 13 GDPR
Article 24(2) GDPR
Decided: 04.11.2021
Published: 04.11.2021
Parties: Basaren Drift AS
National Case Number/Name: DT-20/01874 PVN-2021-13
European Case Law Identifier:
Appeal from: Datatilsynet (Norway)
20/01874
Appeal to:
Original Language(s): Norwegian Norwegian
Original Source: Privacy Appeals Board (in Norwegian) Datatilsynet (in Norwegian)
Initial Contributor: Rie Aleksandra Walle

The Norwegian Privacy Appeals Board first reduced a fine for unlawful camera surveillance from €20,255 to €10,127, and then repealed it entirely due to the fact that the Norwegian DPA had not handled the case within a reasonable period of time.

English Summary

Facts

In May 2018, an employee at a restaurant lodged a complaint against camera surveillance at the work place. One year later, the Norwegian DPA (Datatilsynet) requested additional information from the company running that restaurant (the Company). Even though the Company replied within a few weeks, the DPA did not follow up again until March 2020.

After receiving more information from the Company, it took another five months before the DPA managed to issue a preliminary decision, which included an injunction to end the camera surveillance due to the lack of a valid legal basis as per Article 6(1)(f) GDPR and a fine of €30,382 (NOK 300,000) for breaching Article 6(1)(f), 13 and 24.

After the Company shared its comments and objections to the preliminary decision, the DPA issued a final decision where the fine was reduced to €20,255 (NOK 200,000) due to the company's financial situation under the COVID-19 pandemic.

The Company argued that the administrative fine was too high and therefore appealed the decision before the Norwegian Privacy Appeals Board. After reviewing the case, the DPA decided to uphold its decision, and the case was submitted to the Privacy Appeals Board (Personvernnemnda, PVN) for consideration.

Holding

The PVN agreed with the DPA that the the Company had infringed Article 6(1)(f) GDPR because of the absence of a valid legal basis for the processing of personal data through the installation of surveillance cameras. However, the PVN considered that the breach of Article 6 GDPR as not as serious as the DPA had found. In the opinion of the PVN, the breaches of Article 13 and 24 GDPR were more serious.

After an overall assessment, the PVN concluded that the amount of the administrative fine for such violations should be limited to €10,127 (NOK 100,000). After considering the length of the procedure, however, the PVN decided to annul the fine altogether due to the DPA's long case processing time (i.e. in total, almost three years).

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

Decision of the Privacy Board 4 November 2021 (Mats Wilhelm Ruland, Bjørnar Borvik, Line Coll, Hans Marius Graasvold, Heidi Talsethagen, Hans Marius Tessem, Morten Goodwin)
The case concerns a complaint from Basaren Drift AS against the Data Inspectorate's decision of 6 April 2021 where the Data Inspectorate fined the company NOK 200,000 for having camera-monitored the company's restaurant premises without a legal basis, cf. the Privacy Ordinance Article 6 no. cf. Article 13, and for lack of written routines for camera surveillance, cf. Article 24 no. 2.
Background to the case
Basaren Drift AS (hereinafter Basaren Drift) operates the restaurant Basarene in Storhamargata 2 in Hamar. The room has two floors and has both indoor and outdoor areas. The restaurant installed a camera surveillance system in March 2015 when the building was renovated. The monitoring equipment was installed in consultation with a security company that also installed a locking system, fire alarm and panic alarm.
Three surveillance cameras were installed covering three zones. One camera in the basement covered the area by the restaurant's wine room (zone 1). The second camera was located in the restaurant's lounge area and covered the staircase from the 1st floor (main floor) to the lounge area and the staircase from the basement (zone 2). The third camera was located on the outside of the building and covered the restaurant's outdoor area by the front door to the restaurant's backyard with outdoor seating during the summer season (zone 3).
When the camera surveillance was installed in 2015, the Personal Data Act 2000 applied. It followed from the current Act § 8 letter f that the processing was legal if the data controller safeguarded a legitimate interest, and the consideration for the data subject's privacy did not exceed this interest. The processing was subject to a notification obligation to the Norwegian Data Protection Authority and the tribunal assumes that Bazaar Drift reported the processing to the audit. Because all reports according to the Data Inspectorate were deleted three years after receipt, it has not been possible for the tribunal to verify this.
One of the restaurant's employees approached the Norwegian Data Protection Authority on 31 May 2018 and complained about the camera surveillance. The employee is not identified in accordance with the rules on the duty of confidentiality for notification to a public authority in the Working Environment Act § 2 A-7.
About one year later, and after the Personal Data Act 2018 had entered into force, the Data Inspectorate approached Bazaar Drift on 9 May 2019 and asked questions related to camera surveillance. The then chairman of the board, A, gave his statement on 3 June 2019. The following year, the Data Inspectorate asked for further information in a letter dated 12 March 2020, and asked for an answer on 8 May 2020. The chairman of the board answered the questions by e-mail to the Authority 2. July 2020.
The Data Inspectorate notified Bazaar Drift on 31 November 2020 of an order to terminate the camera surveillance due to a lack of grounds for processing in the Privacy Ordinance, Article 6, paragraph 1, letter f. Article 13 and Article 24.
The bazaar Drift gave its statement to the warning in a letter on 18 December 2020 and informed that the camera surveillance in the restaurant was disconnected.
The Norwegian Data Protection Authority made the following decision on infringement fines on 6 April 2021:
«Pursuant to the Privacy Ordinance, Article 58 no. 2, letter i, Basaren Drift AS, org.nr. 813 507 102, an infringement fee of 200,000 kroner
· For camera surveillance in the premises in Storhamargata 2 without a legal basis, cf. Article 6 no. 1,
For lack of information to the data subjects, cf. Article 13, and
· For lack of organizational measures, cf. Article 24 and the Personal Data Act § 26 first paragraph.
Our legal basis for imposing the infringement fee is Article 58 (2) of the Privacy Ordinance. "
It appears from the decision that the reason for the reduction in the size of the fee was the company's difficult financial situation as a result of the corona pandemic.
Bazaar Drift timely complained about the Data Inspectorate's decision of 28 April 2021.
The Norwegian Data Protection Authority assessed the complaint, but found no basis for changing its decision. The audit forwarded the case to the Privacy Board on 1 July 2021. The parties were informed of the case in a letter from the board on 2 July 2021. Subsequently, the board has been informed that Bazaar Drift has been sold to the company Lokal AS. The former board member, B, has, on the authority of the current chairman of the board, spoken on behalf of the company in the appeal case, and it is assumed that the sale of the company has no significance for the parties in the appeal case.
The case was considered at the tribunal's meetings on 28 September and 4 November 2021. The Privacy Committee had the following composition: Mats Wilhelm Ruland (chairman), Bjørnar Borvik (deputy chairman), Line Coll, Hans Marius Graasvold, Heidi Talsethagen, Hans Marius Tessem and Morten Goodwin. Secretariat leader Anette Klem Funderud was also present.
The Data Inspectorate's decision in brief
The Data Inspectorate generally explains the legal principles for camera surveillance in the Personal Data Act, the Privacy Ordinance and in the regulations on camera surveillance in enterprises (the Camera Surveillance Regulations, FOR-2018-07-02-1107), which particularly protect employees' privacy. Reference is also made to the duty to provide information in Article 13 of the Privacy Ordinance, the requirement for notification of camera surveillance in Section 4 of the Camera Surveillance Regulations, and the requirement for internal control set out in Article 24 of the Privacy Ordinance and the Camera Surveillance Regulations.
The Norwegian Data Protection Authority states that camera surveillance of individuals who can be identified, whether by recording or real-time monitoring, constitutes a processing of personal data, cf. the Privacy Ordinance, Article 4, Nos. 1 and 2.
Assessment of treatment basis
The Data Inspectorate assumes that the cameras do not film areas where only a limited circle of persons reside regularly, cf. the Camera Surveillance Regulations § 3. The question of legal basis in the case is therefore only regulated by the general rules in the Personal Data Act and the Privacy Ordinance.
The Data Inspectorate believes that the screens presented show that the cameras in zones 1 and 2 are aimed at the guests' seats inside the restaurant. No screen has been presented from zone 3 «out the back door and at the exit door the back area of the building». Based on information on Basaren Drift's website, the audit assumes that the camera in zone 3 captures both guests and employees when they move out the back door, and that the camera captures parts of the outdoor area where the guests are sitting.
The Data Inspectorate assumes that the surveillance in all three zones took care of the same interest: to keep an overview of undesirable incidents in the restaurant for the sake of the employees' safety, as well as to prevent or solve future burglaries and thefts. The audit therefore assesses the legality of the camera surveillance as a whole.
The relevant legal basis for camera surveillance is the Privacy Ordinance, Article 6, paragraph 1, letter f.
The Data Inspectorate concludes that there is no real and concrete risk for uninvited guests and unwanted incidents in the restaurant's premises. The need to keep an overview in the restaurant does not constitute a legitimate interest, cf. Article 6 no. 1 letter f. A pure precautionary idea behind the monitoring is not sufficient. There must be a concrete and real situation.
However, in the Authority's assessment, preventing or resolving any future burglaries constitutes a sufficiently concrete and real risk for the restaurant and meets the requirement of "legitimate interest" in Article 6, paragraph 1, letter f. the purpose, and that there is also no need for 24-hour camera surveillance, cf. the European Privacy Council's guidelines «Guidelines 3/2019 on processing of personal data through video devices» points 3.1.1 to 3.1.3. The audit indicates that the camera in zone 3 films the area outside the front door and the outdoor seating around the clock and when serving outside in the summer. It is further pointed out that property can be secured with less intrusive measures such as physical security and a locking system. In the Authority's assessment, it will be sufficient to monitor doors and windows, and areas close to them, to prevent or solve burglary.
After concluding that the monitoring does not meet the requirement of necessity, the Data Inspectorate makes a balance of interests in the alternative. In the balance of interests, the Data Inspectorate emphasizes that guests at a restaurant generally have a justified expectation of not being filmed in the restaurant's seating areas, and that considerations of privacy weigh heavily. The audit also emphasizes the employees' right to privacy at work, and that the filming took place throughout the working day. The Data Inspectorate came to the conclusion that the consideration for the privacy of employees and guests in any case outweighs the company's need for camera surveillance.
The Data Inspectorate considers the Privacy Board's decision in PVN-2013-03 to have limited transfer value in the present case, as the question in that case concerned whether a jeweler's business had a "special need" to monitor the area where "a limited circle of people travel", cf. § 38 of the Personal Data Act 2000. The same security considerations do not apply to a catering business as to a jeweler.
The audit concludes that the processing involves an illegal processing of personal data.
Information for the registered
Information about the camera surveillance of employees through signage and via the personnel handbook does not meet the requirements of Article 13 of the Privacy Ordinance. Employees also did not receive information about the data subjects' rights or the legal basis for camera surveillance. The audit assumes that Bazaar Drift has violated the duty to provide information in Article 13.
Internal control
Camera surveillance in a workplace is an intrusive processing of personal data as employees are filmed during working hours. The Authority is of the opinion that Bazaar Drift had not implemented sufficient organizational measures to ensure and demonstrate that the processing is carried out in accordance with the Privacy Ordinance at the time of the inspection, cf. Article 24.
Infringement fee
The Data Inspectorate concludes that Bazaar Drift shall be charged an infringement fee for the infringement, cf. the Privacy Ordinance Article 58 no. 2 letter i, cf. Article 83 nos. 2 and 5 and the Personal Data Act § 26 first paragraph. In the decision of 6 April 2021, the Authority assumes that a clear preponderance of probabilities is required for offenses in order to be able to impose a fee. The case and the question of imposing a fee have been assessed on the basis of this evidentiary requirement.
In the decision, the Norwegian Data Protection Authority has assumed that there is no requirement for subjective fault on the part of the person acting on behalf of the company. In the letter of transmission to the tribunal on 23 June 2021, the Authority has made a new assessment of this point in line with the Supreme Court's position in HR-2021-797-A. The audit concludes that the chairman / board member in this case has acted intentionally and that the guilt requirement has thus been met.
In assessing whether a fee is to be charged and in determining it, the Data Inspectorate takes as its point of departure the elements in the Privacy Ordinance, Article 83 no. 2, letters a to k.
With reference to Article 83 no. 2 letter a «The nature, severity and duration of the infringement […]», the Data Inspectorate concludes in the decision of 6 April 2021 that the infringement constitutes a serious breach of employees' privacy and violates basic requirements for legality, information and responsibility for the processing, cf. Article 5 of the Privacy Ordinance. It is pointed out that the monitoring, which involves a continuous monitoring of the restaurant's 21 employees and customers, has been going on for a long time (2.5 years) 2018.
The audit has also placed great emphasis on the lack of written routines for camera surveillance, and that employees have not received good enough information about camera surveillance in the workplace.
It is not conciliatory that other restaurants in the immediate area also use camera surveillance.
With reference to Article 83, paragraph 2, letter d - "the degree of responsibility of the controller or processor" - the Authority emphasizes in an aggravating direction that the monitoring has been introduced by the company's management without the requirements in the regulation being
fulfilled. It is pointed out that written routines pursuant to Article 24 were lacking, cf. the responsibility principle in Article 5 no. 2, which presupposes a strong anchoring of the regulations in the management of companies. Internal routines could have helped prevent the illegal camera surveillance.
With reference to Article 83, paragraph 2, letter g "The category of affected information", the Authority has aggravatedly assumed that the case concerns the employee's personal data which is in a special dependency on the employer, and that guests are filmed during the entire restaurant visit in a situation characterized by recreation, socializing and relaxation.
With reference to Article 83, paragraph 2, letter k "any other aggravating or mitigating factor in the case", the Authority notes that the company chose to monitor cameras both during and outside opening hours, and has thus processed more personal data than necessary.
On the basis of the review of these elements, the Data Inspectorate came to the conclusion that an infringement fee should be imposed, cf. the Privacy Ordinance, Article 83, No. 2 and No. 5.
When measuring the size of the fee, the Data Inspectorate points out that emphasis must be placed on the same assessment factors that have been reviewed above. The audit therefore refers to these assessments.
The audit points out that the main purpose of the infringement fee is to act as a deterrent and contribute to increased compliance with the regulations. The fee should be set so high that it has an effect beyond the specific case, at the same time as the size of the fee must be in a reasonable proportion to the infringement and the activity, cf. Article 83 no. 1.
The Norwegian Data Protection Authority points out that the case concerns a lack of basis for processing (the principle of legality) and breaches of the duty to provide information (the principle of transparency), which are serious breaches of the Privacy Ordinance. In addition, there was a lack of organizational measures for compliance with the regulations (the principle of accountability). The violations have been going on for a long time, which suggests a fee of a certain size. The Authority considers it aggravating that the monitoring was initiated by the company's management without the conditions in the regulation being met and that the employees have received insufficient information about the monitoring in the workplace. It is also aggravating that the employer has not considered protests from the employees in accordance with Article 21.
The Norwegian Data Protection Authority points out that Bazaar Drift had operating revenues of NOK 10,764,512 in 2020, and a negative annual result of NOK 485,449. In comparison, Basaren Drift had an operating income of NOK 12,249,112 in 2019 and a negative annual result of NOK -1,611,000 in 2019. The fall in turnover from 2018 to 2020 amounts to 25%.
After taking into account the seriousness of the violations and the comments of Bazaar Drift, the Data Inspectorate sets the final fee at NOK 200,000. The Data Inspectorate points out that the notified fee of NOK 300,000 has thus been reduced by approx. 25%, corresponding to Basaren Drift's turnover drop between 2018 and 2020. The Authority considers that a fee of NOK 200,000 is sufficiently effective, is in a reasonable proportion to the infringement and has a deterrent effect, cf. the Privacy Ordinance Article 83 no. 1. The Authority points out - with reference to the general rules of the regulation on the determination of fees - that the fee is in the lower tier of what the regulation prescribes.
Bazaar Drift's view of the case in brief
Basis for treatment
The Bazaar Operation has a legal basis in the regulation, Article 6, No. 1, letter f, for camera surveillance of the restaurant's premises. Bazaar Drift has a legitimate interest in conducting camera surveillance to prevent and solve thefts and burglaries. The restaurant has previously experienced theft and burglary and the risk is both imminent and real.
The building is large and has a long design. It consists of long dark corridors and basement rooms, cf. presented floor plans. The Norwegian Data Protection Authority has not seen the design of the premises or the location of the cameras. Employees find it uncomfortable to lock / close in the evening when they are alone at work. The cameras were therefore installed only in these parts of the premises for the sake of the employees' safety and security, but also to prevent / solve theft / burglary. Camera surveillance for the safety and security of employees is a relevant purpose, although the risk of adverse events is not as imminent as for theft and burglary.
The camera in zone 1 in the basement covered the area where the restaurant's wine room is installed. There are several hundred wine bottles in the wine room with a total value of approx. 200-250 000 kroner. The wine stands behind a glass wall with an integrated glass door. The restaurant has experienced theft of wine in the past and the risk of theft is real. The toilets are located in the basement, so there is some traffic from guests. Serving is rare in the basement and the employees will therefore not stay there long. It is impractical to close or lock the wine room as the employees need continuous access to this.
No camera surveillance was installed in the restaurant's main area on the ground floor when a panic button in the bar was considered sufficient to ensure the safety of employees here. There was no surveillance on the ground floor which is the main area for guests, nor at the restaurant's main entrance, office, kitchen area, bar or in the staff's break room.
The second camera in the restaurant's lounge area (zone 2) covered the staircase from a dark basement and was to detect any thefts from the basement. The employees do not supervise in zone 2 because it is rarely served here.
The third camera on the outside of the building (zone 3) covered the restaurant's outdoor area, which is most prone to theft and burglary. There has been theft here before. The surveillance in zone 3 was implemented to prevent theft and vandalism of outdoor furniture and unwanted traffic at night. There are no guests staying in this area from September to May. The staff does not supervise here, not even in the summer, as most of the serving takes place inside the restaurant. The camera also captured any intruders.
Camera surveillance was necessary both during and outside the restaurant's opening hours.
The cameras have never been used to monitor employees. The employees were familiar with the cameras and the purpose of the surveillance (security purpose and to prevent and solve theft), cf. PVN-2013-03.
An external neutral third party has reviewed the hardware, software and logs, and confirms that the system has barely been in use and that it was not in use or logged in in 2018, which was the year the employee complained to the audit.
Police have requested access to files, photos from the building and the surrounding area once after a burglary in the building. Another time, the police asked for photos due to conditions around the building that were not connected to the restaurant. Data has never been disclosed to third parties.
Neither physical security, locking and alarm systems nor attentive employees will reduce the risk of burglary and theft, and guarding during the restaurant's opening hours will entail a disproportionately high cost.
Bazaar Drift's legitimate interests in camera surveillance outweigh the privacy of employees and guests.
The cameras were clearly signposted so that guests were made aware of monitored areas. Guests could easily avoid surveillance as most of the areas where dining is taking place were not monitored. Bazaar Drift does not agree that guests have a high expectation that the premises are not monitored. Other restaurants in Hamar also use surveillance.
Employees have not complained about the cameras, but have stated that they appreciate the security measure.
Information and organizational measures
It is acknowledged that Bazaar Drift has not sufficiently fulfilled its obligations related to information on the registered or organizational measures. However, the employees have been informed about the cameras through signs and information in the personnel handbook as an appendix to the employment contracts. Guests were informed via the signage.
Routines and documentation in connection with the camera surveillance are deficient. However, thorough assessments were made in connection with the installation of the cameras, including which location would be least intrusive and which privacy law requirements the company had to meet. The assessments have to a small extent been documented, but it appears from e-mail correspondence from February / March 2015 that Låsgruppen, which installed the cameras, inquired about the requirements for an application to the Norwegian Data Protection Authority.
Infringement fee
The Bazaar Operation has a basis for processing the camera surveillance, but disconnected the cameras immediately after the Data Inspectorate's notification of the decision.
An infringement fee of NOK 200 000 is too high based on the facts of the case, the severity of the infringement, the size of the company and its financial capacity. Bazaar Drift is a small business with a turnover of around NOK 10-13 million a year. In recent years, they have struggled with negative results and negative equity, and have been hit extra hard in the corona pandemic. The size of the fee puts jobs at risk by hitting the company's strained finances hard. Exemption from fee is requested. The Bazaar Operation has always acted in good faith.
In a similar case in the Data Inspectorate which also applies to camera surveillance, but of a public area, the audit imposed a fee of NOK 150,000 for illegal camera surveillance in a decision of 8 March 2021 on the power company Dragefossen. The violation was considered serious because the video recording was continuously broadcast live on YouTube, so that the personal information could reach an unlimited number of viewers. Dragefossen had operating revenues of around NOK 113 million and an annual profit of approx. NOK 13 million, which the audit characterized as a «significantly larger economy than is the case with previous decisions on illegal camera surveillance». The fee corresponds to approx. 0.13% of the mentioned operating revenues. In comparison, the Bazaar corresponds to Drift's fee of DKK. 200,000, approximately 1.8% of the company's operating revenues from 2020. The difference between the fees is significant. The case shows that the fee for Bazaar Drift's violation has been set unreasonably high.
The Privacy Board's assessment
The Privacy Board shall decide whether Bazaar Drift has processed personal data illegally. If the tribunal comes to the conclusion that the Personal Data Act has been violated, the tribunal shall decide whether an infringement fee is to be imposed and, if applicable, whether the fee imposed is to be maintained or reduced.
Camera surveillance is defined in the Personal Data Act § 31 second paragraph as "continuous or regularly repeated personal surveillance by means of remote-controlled or automatically operating surveillance cameras or other similar equipment that is permanently mounted."
The Personal Data Act does not have its own rules on camera surveillance. Collection and storage of images from camera surveillance that captures an identified or identifiable natural person is considered processing of personal data, and is covered by the general rules in the Personal Data Act and the Privacy Ordinance, cf. the Act § 1 and the Ordinance Article 4 nos. 1 and 2.
In addition, the employer's access to carry out camera surveillance in the enterprise is regulated by the Working Environment Act, Chapter 9, and the regulations on camera surveillance in the enterprise (FOR-2018-07-02-1107), cf. the Camera Surveillance Regulations § 2. Only camera surveillance carried out by the employer is covered by the rules in the Working Environment Act. It is also a condition that the monitoring can be regarded as a control measure within the meaning of the Working Environment Act, cf. the preparatory work for the Personal Data Act, Prop. 56 LS (2017-2018), section 31.3.3.3. It is not required that the purpose of the monitoring is to monitor the employees for the rules to be applied. Surveillance that takes place for security purposes or to solve possible crime is also covered by the rules if it also involves monitoring the employees. In such cases, the Working Environment Act § 9-2 sets requirements for discussion, information and evaluation of the control measure.
The tribunal assumes that the camera surveillance of the restaurant's premises is covered by both the general rules in the Personal Data Act and the Privacy Ordinance, and the provisions of the Working Environment Act in Chapter 9 and the Camera Surveillance Regulations.
Section 3 of the Camera Surveillance Regulations sets out a stricter requirement for surveillance of areas in activities where a limited circle of persons travel regularly. The Norwegian Data Protection Authority has assumed that this stricter requirement will not be applied in this case. The tribunal agrees with that assessment and refers to the Ministry of Justice and the Police's statement in Ot.prp. No. 56 (1992-93) point 6 page 28:
The stricter requirement applies where "a limited circle of persons travels regularly". Places that are accessible to the public and where the public normally travels will not be included. For example, the parts of the premises that are publicly available in shops, petrol stations, banks, restaurants / cafés, railway stations, metro stations and airports will be excluded. This will be the situation even if some people regularly travel to the place where the monitoring is carried out, eg employees in shops, etc. »
Basis for treatment
All processing of personal data that falls under the Personal Data Act and the provisions of the Privacy Ordinance must have a legal basis (processing basis) to be legal, cf. the Privacy Ordinance Article 6 no. 1. In Article 6 no. for the processing of personal data. The relevant basis of treatment in this case is Article 6, paragraph 1, letter f.
Basis for processing pursuant to the Privacy Ordinance Article 6 No. 1 letter f requires that three cumulative conditions are met. First, there must be a legitimate interest. In assessing whether there is a legitimate interest, consideration shall be given to whether the data subject can reasonably expect the personal data to be used for the purpose in question, etc., cf. section 47 of the preamble.
Secondly, under Article 6 (1) (f), there is a requirement that the processing of personal data is necessary for purposes related to the legitimate interests. In its guidelines 3/2019, section 24, the Privacy Council has stated the following about the necessity criterion with regard to camera surveillance (Danish version):
'Personal data must be adequate, relevant and limited to what is necessary for the purposes for which they are processed ("data minimization"), in accordance with Article 5 (2). 1, letter c). The data controller must always carry out a critical examination of whether this measure is, firstly, suitable for achieving the desired objective and, secondly, is appropriate and necessary for the purpose. Video surveillance should only be chosen if the purpose of the processing cannot reasonably be fulfilled in any other way which is less intrusive in the data subject's fundamental rights and freedoms. "
Thirdly, a balance of interests must be struck. In this case, on the one hand, it is about the right of employees and guests to privacy and their interest in not being monitored when staying in areas of the restaurant that are being monitored. On the other hand, the restaurant's interest is in monitoring areas of the restaurant to prevent and solve theft and burglary, as well as avert unwanted incidents. If, after weighing the various interests, it is concluded that the data subject's basic privacy interests outweigh the data controller's interest in processing the information, the processing basis cannot be used.
Although, according to the wording of Articles 5 and 6, it may appear that three independent assessments are to be made, the tribunal's view is that these three criteria are closely linked in an overall assessment.
Questions may be raised as to whether camera surveillance may involve the processing of information on criminal convictions and offenses, cf. Article 10 of the Privacy Ordinance. The tribunal refers to the Ministry's statement in Prop.
"As mentioned in section 8.2, the scope of Article 10 of the Regulation is unclear, and it is unclear, among other things, whether the provision covers suspected offenses. However, in the Ministry's view, there is no evidence that the provision covers camera surveillance that only captures actual acts that may involve offenses, without processing information about suspicion, accusation, judgment or another form of finding that an offense has taken place. The Ministry therefore assumes that Article 10 does not make it necessary for national legal provisions that allow camera surveillance to detect or that are intended to detect criminal acts. "
The tribunal bases its corresponding understanding on the law, cf. also PVN-2019-09. The Bazaar Operation's camera surveillance consequently does not involve the processing of information on criminal convictions and offenses, cf. Article 10 of the Privacy Ordinance. It also does not involve the processing of special categories of personal data, cf. Article 9.
The tribunal assumes that the main purpose of the camera surveillance in all three zones was to keep track of unwanted incidents in the restaurant for the sake of the employees' safety, as well as to prevent or solve possible future burglaries and thefts. The bazaar Drift has, at the request of the tribunal, sent further photographs of the premises, because the received photos were of poor quality and did not show well enough which parts of the premises were captured by the cameras. The photos show that the camera surveillance was signposted both in the restaurant's premises and at the outdoor terrace.
Based on the photos received, the tribunal assumes that the cameras in all three zones are mounted so that they in periods, and at least in periods with many guests, make recordings of both guests in the restaurant and employees who serve the guests. This applies even if the cameras are not mounted so that they capture the busiest areas in the restaurant. The camera mounted outside the wine room will also monitor guests in the restaurant when guests are in their own room ("chambre separee") located on the same floor as the wine room. With the exception of the camera that monitors the restaurant's outdoor dining area, the cameras are mounted so that the restaurant's table where guests sit and the employees serve is to a small extent monitored. However, during busy periods, the cameras in zones 1 and 2 will capture parts of the tables and partly the movement of employees and guests in parts of the restaurant.
The tribunal assumes that Basaren Drift's interest in keeping track of adverse events in the restaurant for the sake of the employees' safety, as well as the interest in preventing or solving future burglaries and thefts, basically represents legitimate interests in the business. The question for the tribunal is whether the relevant processing (ie camera surveillance) is necessary for this purpose. As pointed out above, it is a question both whether the treatment in question is suitable for achieving this purpose, and whether it is appropriate and necessary. Camera surveillance can only be permitted if the same purpose can not reasonably be achieved in another way that is less intrusive in the data subjects' rights.
The assessment to be made pursuant to Article 6 (1) (f) is clearly discretionary. In assessing whether there is a valid basis for treatment, it is then important whether the person responsible for treatment can document that a thorough assessment and balancing has been made of both the necessity of the treatment and the various interests that apply. In a case like this where the monitoring also involves a control measure towards employees, it is important that the procedure in the Working Environment Act, Chapter 9, is followed.
It appears from the documents that Bazaar Drift, when they installed the camera surveillance in 2015, carried out investigations of which rules applied and reported the processing to the Data Inspectorate as they should. The company states that the installation of the monitoring equipment was in line with the wishes of the employees, but this is not documented in writing. The employer's obligations under the Working Environment Act § 9-2 on discussion, information and evaluation of control measures were adopted in June 2018 and did not apply when the equipment was installed in 2015. However, after the amendment and entry into force of the Privacy Ordinance, it is the responsibility of the data controller legislation is taken care of. It appears from the personnel handbook that there is camera surveillance in the restaurant, even though the information provided there is deficient in accordance with the requirements of Article 13 of the Privacy Ordinance. at the same time represented the least possible monitoring in that there were areas where both guests and staff stayed to a lesser extent. It is also clear that the recordings have been viewed to a very small extent, they have not been used for external purposes, they have been deleted continuously after seven days and have not been handed over to third parties. The only extradition has taken place to the police on one occasion in connection with an incident that the police are investigating.
The tribunal has been in doubt about the outcome of the discretionary assessment to be made in accordance with Article 6, paragraph 1, letter f. In such cases of doubt, it is important that the data controller can document organizational measures, cf. Article 24 of the Privacy Ordinance. the decision-making process takes place. The tribunal refers to PVN-2021-01 which also applied to camera surveillance. The tribunal concluded that a residential condominium had a valid basis for treatment to monitor parts of the condominium's locked common areas. In assessing whether Article 6 (1) (f) provided a basis for consideration, it was emphasized that the issue of camera surveillance had been thoroughly addressed and investigated by the condominium board and then discussed at two condominium meetings where a unanimous decision had been made to initiate camera surveillance. Transferred to the present case, the tribunal's assessment is that the outcome of the balancing of interests according to article 6 no. 24.
In the absence of such documentation, the conclusion is that Bazaar Drift does not have a valid basis for processing the implemented monitoring pursuant to Article 6.
Information and organizational measures
Bazaar Drift has acknowledged that the duty to provide information to the data subjects has not been complied with, cf. Article 13 of the Privacy Ordinance, and that documentation of organizational measures required under Article 24 was not in place.
Infringement fee
In the event of a breach of the provisions of the Privacy Ordinance, the supervisory authority may impose an infringement fine, cf. Article 58, paragraph 2, letter i, cf. Article 83. Both infringements of Article 6 and Article 13 may be sanctioned with a fee, cf. Article 85, paragraph 5, letter a and letter b. Violations of Article 24 may also be sanctioned with a fee, cf. the Personal Data Act § 26, which gives Article 83 no. 4 corresponding application for violations of, among other things, this provision.
The question for the tribunal is whether according to the Privacy Ordinance Article 83 No. 5 and Article 83 No. 4, cf. Article 83. No. 2, an infringement fee shall be imposed for the acts, and if a fee is to be imposed, how large the fee shall be.
It follows from Article 83 (1) that the imposition of infringement fines in each individual case must be effective, proportionate and dissuasive. Both in the assessment of whether a fee is to be imposed and in the calculation of the fee, the factors in the Privacy Ordinance Article 83 no. 2 letters a to k shall be taken into account.
It is firstly important to look at the nature, severity and duration of the infringement, cf. Article 83 (2) (a). It follows from the provision that the nature, scope or purpose of the act concerned must be taken into account, as well as the number of registered affected and the extent of the damage they have suffered.
Although the tribunal, with regard to the assessment of the basis for processing pursuant to Article 6, has concluded that the company has no basis for processing, the tribunal does not agree with the Data Inspectorate that Basaren Drift's assessment has such shortcomings that it appears in isolation as a serious violation of the Privacy Ordinance. the audit is based on. Although the company has concluded incorrectly in the assessment of whether Article 6 no. 1 letter f (the Personal Data Act § 8 letter f when the equipment was installed in 2015) provides a legal basis for processing, it must be taken into account when assessing the seriousness of the violation. is about a discretionary rule where different interests are to be weighed against each other. The fact that the person responsible for processing makes a different, and thus incorrect, discretionary assessment than the privacy authorities, does not necessarily entail a serious violation. Both in the assessment of whether a fee is to be imposed and in the event of a determination of the size of the fee, this must be taken into account, cf. section 113 of the Constitution and Hans Petter Graver; General administrative law, chapter 5.3 «The legal requirement as a principle of interpretation».
In the tribunal's assessment, it is therefore the breaches of Article 13 and Article 24 (lack of information to the registered and lack of organizational measures) that represent the acts worthy of criticism that there is reason to sanction. It is reprehensible that the requirements in the Working Environment Act § 9-2 have not been complied with and that routines and other necessary documentation are thus not available, cf. Article 24. It is further reprehensible that the information to the data subjects is deficient. The tribunal considers the violation to be less serious overall, but nevertheless believes that the violations of the Privacy Ordinance Articles 13 and 24 in this case in principle indicate that an infringement fee is imposed.
There is no doubt that lack of information and deficient organizational measures represent intentional actions. Lack of knowledge of the rules does not absolve from liability unless the error is prudent. It was not. The debt requirement, which also applies to corporate liability, cf. HR-2021-797-A, is thus fulfilled.
The Norwegian Data Protection Authority has emphasized in an aggravating direction that the employer has not assessed protests from the employees in accordance with Article 21. The tribunal does not agree with this. The protest or protests mentioned in the case documents were made before Article 21 of the Privacy Ordinance entered into force in Norwegian law, and there was no corresponding provision in the Personal Data Act 2000.
For breaches of Article 13, the supervisory authority may impose a fee of up to EUR 20,000,000, or if it is an undertaking, up to 4% of the annual turnover in the preceding financial year, cf. Article 83 (5). For breaches of Article 24, a fee of up to EUR 10,000,000 euros, or if it is an enterprise, up to 2% of the annual turnover prior to the financial year, cf. the Personal Data Act § 26, cf. Article 83 no. 4. It follows from both provisions that it is the higher number of the two alternatives that must be used as a limit. It further follows from Article 83 (3) that if the controller infringes several of the provisions, the total amount of the infringement fine shall not exceed the amount indicated for the most serious infringement. The tribunal emphasizes that the use of significant infringement fees is an important tool in a system that gives the data controller a large independent responsibility. The Privacy Ordinance's indication of maximum fee rates is at the same time in an order of magnitude that deviates from Norwegian criminal and administrative practice. The indication of the maximum fee as a certain percentage of the total turnover therefore provides better guidance, but neither can this be more than a starting point. In any case, it must be borne in mind that this limit will cover many types of violations, from the least serious to the serious and serious violations that affect many people.
Bazaar Drift had a turnover of NOK 12.2 million in 2019 and a turnover of NOK 10.7 million in 2020. If you use the turnover figures for the previous financial year (2020), 4% will amount to NOK 428,000. The tribunal assumes that a fee of this magnitude is reserved for the serious violations.
After an overall assessment, the Privacy Board has come to the conclusion that the fee for the violations in this case, according to the level that follows from the Privacy Ordinance, should be around NOK 100,000.
In the tribunal's assessment, however, the long case processing time must also be given weight when determining the fee, cf. Article 83 letter k, where emphasis must be placed on "any other aggravating or mitigating factor in the case".
The employee reported the camera surveillance to the Data Inspectorate on 31 May 2018, and the Data Inspectorate asked the restaurant for a statement one year later. After the restaurant responded to the audit in the summer of 2019, it took nine months before the audit requested further information. After the restaurant answered the questions, it took almost half a year before the Data Inspectorate notified the restaurant of orders and fees at the end of November 2020. The Data Inspectorate finally made a decision in the case on 6 April 2021, almost three years after the case started with the Authority. It has now been another almost half a year.
The Norwegian Data Protection Authority has a duty to account for its assessment of the significance of case processing time for the sanction issue. The Tribunal refers to PVN-2021-03 with further reference to the Civil Ombudsman's (formerly the Civil Ombudsman's) decision of 17 August 2012 in case 2011/2718 and NOU 2003: 15 «From fine to improvement» section 5.7.11 (page 102). This has not been done in this case.
In the tribunal's assessment, the total case processing time at the audit has been unacceptably long. The person or entity at risk of criminal or equivalent penalties has a protected interest in having this issue clarified within a reasonable time, and the administrative body is obliged - with the resources made available - to arrange its business in such a way that this interest is safeguarded.
In the tribunal's view, the scope and complexity of the case does not indicate such a long case processing time as has taken place here. The tribunal points out in particular that there have been long periods without progress in the case, despite the fact that the Data Inspectorate believes that the violation is serious. After an overall assessment, the tribunal has come to the conclusion that the infringement fee should be dropped.
After this, the bazaar Drift AS is upheld in its appeal in that the imposed fee lapses.
The decision is unanimous.
Conclusion
The Data Inspectorate's decision to impose a fee is reversed by the fee lapse.
Oslo, 4 November 2021
Mats Wilhelm Ruland
Manager