Norway: Privacy Board dismisses NOK 200,000 fine imposed on Basaren Drift
The Norwegian Privacy Board ('Personvernnemnda') issued, on 4 November 2021, its decision PVN-2021-13, in which it dismissed the fine of NOK 200,000 imposed on Basaren Drift AS by the Norwegian data protection authority ('Datatilsynet') for having camera surveillance on restaurant premises without a legal basis in violation of Article 6(1) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), in addition to providing inadequate information about the camera surveillance to the data subjects in violation of Article 13 of the GDPR, and having inadequate data protection policies in violation of Article 24(2) of the GDPR.
Background to the case
The case concerns a complaint from Basaren Drift against the Datatilsynet's decision issued, on 6 April 2021, whereby the Datatilsynet fined the company NOK 200,000 (approx. €20,000) for conducting camera surveillance on restaurant premises without a legal basis, in violation of Article 6(1) of the GDPR. In addition, the Datatilsynet concluded that Basaren Drift had not provided adequate information about the camera surveillance to the data subjects, in violation of Article 13 of the GDPR, and that its data protection policies were inadequate, hence in violation of Article 24(2) of the GDPR.
Findings of the Personvernnemnda
In particular, the Personvernnemnda stated that it did not agree with the Datatilsynet that the company's legitimate interest assessment pursuant to Article 6(1)(f) of the GDPR had such shortcomings that it appears in isolation as a serious violation of the GDPR. In addition, the Personvernnemnda added that the fact that the controller makes a different, and thus incorrect, assessment than the privacy authorities, does not necessarily constitute a serious violation. Instead, the Personvernnemnda noted that the breaches of Articles 13 and 24 of the GDPR i.e. lack of information to the data subjects and lack of organisational measures are more serious violations, may justify a sanction. Additionally, the Personvernnemnda highlighted that it is unacceptable that the requirements in Section 9(2) of the Working Environment Act of 1 January 2006 have not been complied with and that practices and other necessary documentation are thus not available. Hence, the Personvernnemnda considered the infringement as a whole to be less serious, but nevertheless believed that breaches of Articles 13 and 24 of the GDPR in this case in principle imply that an infringement fee should be imposed. Specifically, the Personvernnemnda stated that, after an overall assessment, it has come to the conclusion that the fee for the violations in this case should be around NOK 100,000 (approx. €10,000).
However, the Personvernnemnda found the time period taken by Datatilsynet to process the case to be long, which it determined must also be taken into account, when determining the fee in accordance with Article 83(2)(k) of the GDPR. In light of this, the Personvernnemnda clarified that, following the employee's report of the camera surveillance to the Datatilsynet, on 31 May 2018, it took the Datatilsynet almost three years to investigate, process and make a decision in the case. In addition, the Personvernnemnda highlighted that the person or entity at risk of criminal or equivalent sanctions has a protected interest in having the issue clarified within a reasonable time, and the administrative body is obliged, with the resources available to it, to arrange its business in such a way that this interest is safeguarded. Further to this, the Personvernnemnda stated that the scope and complexity of the case does not justify said processing time and spotlighted that there have been extended periods without progress in the case, despite the fact that the Datatilsynet believed that the violation was serious. As a result, the Personvernnemnda stated that, after an overall assessment, it concluded that the infringement fee should be dismissed.
The Personvernnemnda upheld Basaren Drift's appeal that the imposed fee lapses, due to the time period taken by Datatilsynet to process the case.
You can read the decision, only available in Norwegian, here.