The Icelandic DPA has fined a company running ice cream parlours for processing employee‘s personal data via video surveillance camera installed in an employee area.

29 June 2021 Iceland

The Icelandic DPA has fined a company running ice cream parlours for processing employee‘s personal data via video surveillance camera installed in an employee area.

The Icelandic Data Protection Authority has issued an administrative fine in the amount of ISK 5.000.000 (34.000 euros) to an Icelandic company that runs five ice cream parlours.
One of the company‘s underage employees lodged a complaint with the Icelandic DPA about an area, used by the employees‘ to change into their work uniform, being under constant video surveillance. The employee also complained about not receiving notification or information regarding the surveillance and the lack of labelling and signage thereof.

Five surveillance cameras that recorded employees and clients were installed in the company‘s ice cream parlour for security reasons. The Icelandic DPA confirmed via inspection that the employees did not have access to an acceptable area to change clothes that was not under surveillance.

The Icelandic DPA concluded that the complainant‘s personal data was not processed lawfully, fairly or in a transparent manner, nor was it adequate, relevant and limited to what was necessary in relation to the purposes for which the data was processed. The Icelandic DPA also concluded that the company did not inform its employees about the personal data collected via video surveillance system and their rights in accordance with Article 13 of the GDPR. Additionally, labels and signs indicating the video surveillance in the ice cream parlour were insufficient both in the employees‘ areas as well as in the customer service area. The company also failed to fully cooperate with the supervisory authority.

Among the gravitating factors when deciding the amount of the fine was that the company was found to be in breach of numerous provisions of the Icelandic Act No. 90/2018, on Data Protection and the Processing of Personal Data and the GDPR. Moreover, the data subjects affected by these infringements, including the complainant, were in many cases underage employees whose personal data merits specific protection according to the GDPR. It was also regarded that employers have a responsibility to provide a safe workplace that complies with rules and regulations issued under the GDPR.

The company was instructed to stop the video surveillance of the employee area and delete all recordings from that camera. The company was also instructed to update and implement procedures that ensures employees receive sufficient information on the video surveillance in the ice cream parlour and their rights regarding it.

The decision can be found in Icelandic here: https://www.personuvernd.is/urlausnir/huppuis-ehf.-sektud-vegna-voktunar-med-eftirlitsmyndavelum-i-starfsmannarymi-1

For further information, please contact the Icelandic DPA: international@dpa.is
 
The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.