Norwegian DPA: Basaren Drift AS fined

13 May 2021 Norway

The Norwegian Data Protection Authority has fined Basaren Drift AS NOK EUR 20,000 (NOK 200,000) for a GDPR violation. The case relates to CCTV surveillance of restaurant premises.

The General Data Protection Regulation (GDPR) requires that all processing of personal data must have a legal basis. Having investigated a complaint relating to CCTV surveillance of a restaurant’s premises, the Norwegian Data Protection Authority has concluded that Basaren did not have a legal basis for its surveillance.

In addition, the Norwegian Data Protection Authority has concluded that the business did not provide adequate information about the CCTV surveillance and that its written procedures were inadequate.

Unlawful CCTV surveillance

  • With respect to the processing of personal data, the principles of lawfulness and transparency are completely fundamental. Violation of these principles is a serious matter, says Bjørn Erik Thon, Director-General of the Data Protection Authority.
  • In this case, we have concluded that the CCTV cameras filmed more of the restaurant's premises than necessary, and that round-the-clock surveillance was unnecessary.

Responded with a fine 
The Data Protection Authority finds that this case is so severe that a fine is the appropriate corrective measure. Importance is attached to the fact that the CCTV surveillance impacted both the restaurant employees and its guests.

  • Everyone has a right to privacy, also when we are at work. CCTV surveillance must comply with strict conditions, particularly in the workplace, explains Bjørn Erik Thon.
  • In this case, we have attached importance to the fact that the unlawful CCTV surveillance has filmed employees, and that the cameras covered guest seating areas in the restaurant. Restaurant guests have a legitimate expectation of not being filmed while they are dining there. In places used for relaxation, recreation and social gatherings, the privacy of guests must therefore be accorded considerable weight, concludes Thon.

The extent of the fine was determined on the basis of an overall assessment of the severity of the violation and the organisation's financial situation, among other factors.

For further information, please contact the Norwegian DPA: international@datatilsynet.no

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.