Basaren Drift AS – Court Ruling (Norway, 2021)

In May 2018, an employee at a restaurant lodged a complaint against camera surveillance at the work place. One year later, the Norwegian DPA (Datatilsynet) requested additional information from the company running that restaurant (the Company). Even though the Company replied within a few weeks, the DPA did not follow up again until March 2020. After receiving more information from the Company, it took another five months before the DPA managed to issue a preliminary decision, which included an injunction to end the camera surveillance due to the lack of a valid legal basis as per Article 6(1)(f) GDPR and a fine of €30,382 (NOK 300,000) for breaching Article 6(1)(f), 13 and 24. After the Company shared its comments and objections to the preliminary decision, the DPA issued a final decision where the fine was reduced to €20,255 (NOK 200,000) due to the company's financial situation under the COVID-19 pandemic. The Company argued that the administrative fine was too high and therefore appealed the decision before the Norwegian Privacy Appeals Board. After reviewing the case, the DPA decided to uphold its decision, and the case was submitted to the Privacy Appeals Board (Personvernnemnda, PVN) for consideration. The PVN agreed with the DPA that the the Company had infringed Article 6(1)(f) GDPR because of the absence of a valid legal basis for the processing of personal data through the installation of surveillance cameras. However, the PVN considered that the breach of Article 6 GDPR as not as serious as the DPA had found. In the opinion of the PVN, the breaches of Article 13 and 24 GDPR were more serious. After an overall assessment, the PVN concluded that the amount of the administrative fine for such violations should be limited to €10,127 (NOK 100,000). After considering the length of the procedure, however, the PVN decided to annul the fine altogether due to the DPA's long case processing time (i.e. in total, almost three years).