The Norwegian Data Protection Authority has fined the company Miljø- og Kvalitetsledelse AS EUR 3,500 (NOK 35,000) for illegal distribution of personal data from camera recordings.
Miljø- og Kvalitetsledelse operates a car wash. When a payment terminal was vandalised, recordings and data from the cash wash’s CCTV camera system were sent to the employer of the person the company believed had committed the vandalism.
Lacked legal basis
The Data Protection Authority concluded that the disclosure lacked legal basis, and contravened Article 6(1) and Article 5(1)(a) of the GDPR. The recordings had already been handed over to the police, and their disclosure to the data subject’s employer was unnecessary for the purpose of preventing vandalism or resolving the case.
We have given weight to the fact that the disclosure of personal data concerning alleged or suspected criminal offences to the data subject’s employer will often be experienced as personally distressing and could have an impact on the data subject’s employment relationship.
Fined under previous legislation
The infringement occurred before the GDPR went into effect on 20 July 2018. The fine was therefore imposed at the level practised under previous legislation.
For further information, please contact the Norwegian DPA: firstname.lastname@example.org
The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.