Norwegian DPA imposed a €10,000 fine for unlawful CCTV monitoring in the reception area of a salon.
A salon was recently fined by the Norwegian DPA following an investigation into CCTV monitoring on their premises. The investigation came about as a result of a complaint, which eventually led to a €10,000 fine for the salon. The waxing salon’s video monitoring in their reception area was found to be in breach of the GDPR. After investigating the salon based on the complaint made, the Norwegian authority, Datatilsynet found that there wasn’t a legal basis for the video monitoring in the reception area. In addition, the DPA deduced that the waxing salon, Waxing Palace AS had not taken sufficient action to inform visitors or employees on their premises that they were being monitored using CCTV in the reception area.
The controller was found to have lacked sufficient legal basis for, and transparency in informing visitors and employees of the CCTV monitoring.
The data controller was found to lack legal basis for the processing, while also failing to sufficiently inform both visitors and employees of its practices of CCTV monitoring. Director of the Norwegian DPA, Bjørn Erik Thon stressed the importance of transparency in video monitoring and said “The rules concerning CCTV monitoring are stringent, especially in the workplace. The processing of personal data must be lawful and transparent. Any breach of these fundamental principles is a serious matter,”
The Director of the Norwegian DPA also mentioned that the information provided should be very clear about which specific areas are being monitored, in line with the principle of transparency. It is important to note that other principles need to be adhered to including data minimisation as well as legal basis, making it imperative to ensure that it is absolutely necessary to record and process information within the specific areas being monitored.
The fine imposed for CCTV monitoring, due to the perceived seriousness of the offence was €10,000.
The DPA decided on a fine of €10,000 due to the seriousness of the offence. The authority also took into account the size and financial situation of the business. The matter was deemed an infringement of several principles of the GDPR including legal basis (article 6), lawfulness, fairness and transparency (article 5 (1) (a)), data minimisation (article 5 (1) (c)), transparent information (article 12 (1)), and information (article 13).