Coop Finnmark SA – €34,800 Fine (Norway, 2020)

Coop Finnmark SA is part of a Norwegian cooperative selling groceries and more. The company submitted a data breach notification to the DPA after a store manager had filmed surveillance footage with his private mobile phone and shared this with a third party. He believed children were stealing, and his intention was to identify these. The woman he shared the footage with, sent it to her son, who sent it to someone else. The recording was, as such, shared with several people and reached, in the end, the child who was evidently stealing. The store manager realized his mistake following the incident, notified the DPA and apologized to everyone involved. The DPA notes that the company has legal grounds for using surveillance in their shop, in general, as per Article 6(1)(f). Filming and sharing a recording from the footage, however, is a new processing activity which also requires legal grounds as per the GDPR. The company has not determined legal grounds, as this processing activity shouldn't take place and is a breach of the company's internal routines. The DPA notes that the purpose of the processing was to identify the children in the footage. Sharing the footage with third parties, however, was not necessary to achive the purpose. The company should have reported the incident to the police and waited for them to initiate a criminial investigation, including asking for surveillance footage. Consequently, the DPA held that the company didn't have legal grounds for sharing the footage, as per Article 6. As the processing lacked legal basis, they were also in breach of Article 5(1)(a) GDPR. The company was fined €38,800.