The Icelandic DPA has fined a company running ice cream parlors for processing employee‘s personal data via video surveillance camera installed in an employee area.

The Icelandic Data Protection Authority has issued an administrative fine in the amount of ISK 5.000.000 (34.000 euros) to an Icelandic company that runs five ice cream parlors.

One of the company‘s underage employees lodged a complaint with the Icelandic DPA about an area, used by the employees‘ to change into their work uniform, being under constant video surveillance. The employee also complained about not receiving notification or information regarding the surveillance and the lack of labelling and signage thereof.

Five surveillance cameras that recorded employees and clients were installed in the company‘s ice cream parlor for security reasons. The Icelandic DPA confirmed via inspection that the employees did not have access to an acceptable area to change clothes that was not under surveillance.

The Icelandic DPA concluded that the complainant‘s personal data was not processed lawfully, fairly or in a transparent manner, nor was it adequate, relevant and limited to what was necessary in relation to the purposes for which the data was processed. The Icelandic DPA also concluded that the company did not inform its employees about the personal data collected via video surveillance system and their rights in accordance with Article 13 of the GDPR. Additionally, labels and signs indicating the video surveillance in the ice cream parlor were insufficient both in the employees‘ areas as well as in the customer service area. The company also failed to fully cooperate with the supervisory authority.

Among the gravitating factors when deciding the amount of the fine was that the company was found to be in breach of numerous provisions of the Icelandic Act No. 90/2018, on Data Protection and the Processing of Personal Data and the GDPR. Moreover, the data subjects affected by these infringements, including the complainant, were in many cases underage employees whose personal data merits specific protection according to the GDPR. It was also regarded that employers have a responsibility to provide a safe workplace that complies with rules and regulations issued under the GDPR.

The company was instructed to stop the video surveillance of the employee area and delete all recordings from that camera. The company was also instructed to update and implement procedures that ensures employees receive sufficient information on the video surveillance in the ice cream parlor and their rights regarding it.