Iceland: Persónuvernd issues fine of ISK 1.5M on Stjörnuna for unlawful monitoring of employees

On March 20, 2024, the Icelandic data protection authority (Persónuvernd) published its decision in Case No. 2021051091, in which it imposed a fine of ISK 1.5 million (approx. $11,000) on Stjörnuna ehf., the operator of Subway in Iceland, for violations of the General Data Protection Regulation (GDPR) and the corresponding provisions of the Act on Privacy and Processing of Personal Data (the Act), following a complaint submitted by an individual.

Background to the case

The Persónuvernd outlined that on May 4, 2021, it received a complaint from an employee of Subway regarding the monitoring of their work by the store manager and the lack of information provided to the employee regarding such monitoring. The data included in the complaint showed that the store manager had taken a number of screenshots of the employee from the surveillance cameras, noting down the actions of the employee.

Findings of the Persónuvernd

The Persónuvernd noted that processing of personal data in the context of employee monitoring may be based on legitimate interest under Article 6(1)(f) of the GDPR and Article 9 of the Act if the rights and freedoms of the data subject in question do not outweigh the legitimate interests of the controller. Furthermore, the Persónuvernd clarified that such processing must not go beyond what is absolutely necessary, and particular attention must be paid to determine if the objectives of the monitoring can be achieved by other less intrusive means following Article 5(1)(b) of the GDPR and Article 8(1) of the Act.

In the present case, the Persónuvernd found that Stjörnuna was not able to demonstrate that it did not have other less intrusive means of achieving quality control of the employees' work, thus infringing the above-mentioned articles. Moreover, the Persónuvernd found that Stjörnuna failed to inform its employees that monitoring was taking place, as prescribed by Articles 5(1)(a), 12, and 13 of the GDPR and Articles 8(1) and 17 of the Act, and did not keep a register of processing activities in accordance with Article 30 of the GDPR and Article 26 of the Act.

Outcomes

In light of the above, the Persónuvernd imposed a fine of ISK 1.5 million (approx. $11,000) on Stjörnuna and ordered it to delete the screenshots of the employee, to install monitoring signs, to provide information on the monitoring to the employees via its website or in the employment contract, and to prepare and submit for review a record of its processing activities, all by April 12, 2024.

You can read the decision, only available in Icelandic, here.