Iceland: Persónuvernd issues fine of ISK 1.5M on Stjörnuna for unlawful monitoring of employees
On March 20, 2024, the Icelandic data protection authority (Persónuvernd) published its decision in Case No. 2021051091, in which it imposed a fine of ISK 1.5 million (approx. $11,000) on Stjörnuna ehf., the operator of Subway in Iceland, for violations of the General Data Protection Regulation (GDPR) and the corresponding provisions of the Act on Privacy and Processing of Personal Data (the Act), following a complaint submitted by an individual.
Background to the case
The Persónuvernd outlined that on May 4, 2021, it received a complaint from an employee of Subway regarding the monitoring of their work by the store manager and the lack of information provided to the employee regarding such monitoring. The data included in the complaint showed that the store manager had taken a number of screenshots of the employee from the surveillance cameras, noting down the actions of the employee.
Findings of the Persónuvernd
The Persónuvernd noted that processing of personal data in the context of employee monitoring may be based on legitimate interest under Article 6(1)(f) of the GDPR and Article 9 of the Act if the rights and freedoms of the data subject in question do not outweigh the legitimate interests of the controller. Furthermore, the Persónuvernd clarified that such processing must not go beyond what is absolutely necessary, and particular attention must be paid to whether the objectives of the monitoring can be achieved by other less intrusive means following Article 5(1)(b) of the GDPR and Article 8(1) of the Act.
In the present case, the Persónuvernd found that Stjörnuna was not able to demonstrate that it did not have other less intrusive means of achieving quality control of the employees' work, thus infringing the above-mentioned articles. Moreover, the Persónuvernd found that Stjörnuna failed to inform its employees that monitoring was taking place as prescribed by Articles 5(1)(a), 12, and 13 of the GDPR and Articles 8(1) and 17 of the Act, and did not keep a register of processing activities in accordance with Article 30 of the GDPR and Article 26 of the Act.
Outcomes
In light of the above, the Persónuvernd imposed a fine of ISK 1.5 million (approx. $11,000) on Stjörnuna and ordered it to delete the screenshots of the employee, to install monitoring signs, to provide information on the monitoring to the employees via its website or in the employment contract, and to prepare and submit for review a record of its processing activities, all by April 12, 2024.
You can read the decision, only available in Icelandic, here.