Fast Candy AS – Violation Found (Norway, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Fast Candy AS was found to have serious issues with its CCTV practices, particularly regarding the surveillance of employees. This matters because it shows that businesses must follow privacy laws when using cameras in the workplace.
What happened
The Norwegian DPA found that Fast Candy AS was improperly using CCTV to monitor employees without a legal basis.
Who was affected
The affected individuals were employees at Fast Candy AS, including minors who were being monitored.
What the authority found
The authority ruled that Fast Candy lacked a valid legal basis for its CCTV operations, violating multiple GDPR requirements.
Why this matters
This ruling serves as a warning for businesses to review their surveillance practices and ensure compliance with privacy laws. Companies must be transparent about monitoring and protect employee privacy.
On 1 June 2023, the Norwegian DPA (Datatilsynet) inspected the CCTV practices on the premises of Fast Candy AS (the controller), a candy store in Oslo with 27 employees. Prior to the visit, Datatilsynet had received three tips about CCTV affecting employed minors.
On 19 June 2023, based on Article 58(2)(d) of the GDPR, Datatilsynet sent the controller a preliminary report notifying it of the intent to order Fast Candy to bring its CCTV processing operations into compliance. The controller did not provide any comments upon receiving the report. The decisions of the final report, including a series of definitive bans on processing (Article 58(2)(e) GDPR), are outlined below. Datatilsynet set a deadline of 15 November 2023 for the controller to comply with the ordered measures.
Due to missing legal basis, see Article 6(1)(f) GDPR, Datatilsynet ordered the controller to:
- stop CCTV of the area behind the counter, which is only accessed by employees
- stop or adjust CCTV in the storage/office area
- stop all actual and potential use of audio recordings
- stop all actual and potential use of remote access to CCTV, and
- stop any surveillance with the purpose of controlling customer payment and subsequent collection of goods
Fast Candy was also ordered to document the specific purposes, legal bases, and routines for processing, access, provision of recordings and deletion of CCTV, see Article 24 GDPR. In addition, the controller must provide employees with an information letter explaining the use of CCTV in the workplace pursuant to Articles 12 and 13 of the GDPR. A copy of the letter is to be sent to Datatilsynet.
Further, on the basis of Article 13 GDPR, Fast Candy was instructed to specify more clearly that surveillance is occurring and who is the data processor (through an improved notification at the store front). Lastly, recordings were to be deleted after a maximum retention period of one week, see the Norwegian regulation on business use of C
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
This is the only recorded action for this entity in this jurisdiction.
Cite as: Cookie Fines. Fast Candy AS - Norway (2023). Retrieved from cookiefines.eu