GDPR | May 29, 2026

Persónuvernd (Island) - 2021051091

Persónuvernd fined a controller €10,059.92 for GDPR violations related to employee monitoring.

Summary

The Icelandic DPA, Persónuvernd, fined a controller €10,059.92 for violating GDPR articles 5, 6, 12, and 13. The violations stemmed from inadequate transparency and legal basis for employee monitoring, failure to properly inform employees, and not keeping records of processing activities.

Full text

Persónuvernd (Island) - 2021051091: Difference between revisions
From GDPRhub
Revision as of 09:35, 27 March 2024 (Ec); latest revision as of 14:38, 29 May 2026 (Ap)

Regarding the second potential purpose, the DPA found that the controller did not demonstrate that quality control was the purpose of monitoring or that the objectives of quality control could not be achieved with other and less intrusive measures. Therefore, the DPA found that there was no legal basis for processing under Article 6(1) GDPR.

Secondly, the DPA explained that personal data must be processed in a fair and transparent manner in relation to the data subject under Article 5(1)(a) GDPR. This means that data subjects should be aware when their personal data is collected, used, viewed or processed in another way. Moreover, in light of Article 13 GDPR, information must be provided to the data subject, who must be given a clear picture of the monitoring, including its purpose, how it is carried out, how access to monitoring material is arranged and how long the data is stored. The DPA found that the data subject was not adequately informed about the monitoring or what his rights were concerning the monitoring. Moreover, the DPA rejected the controller’s claim that the installation of signs about the monitoring was satisfactory, as these signs did not state who is responsible for the monitoring.

Thirdly, the DPA found that the controller did not keep a record of the processing activities required under Article 30 GDPR.

Thus, the DPA ordered the controller under Article 58(2) GDPR to erase all screenshots of the data subject at work, to inform its employees about the monitoring, including the purpose of the monitoring and their rights related to it, and to keep a record of its processing activities. Moreover, the DPA imposed an administrative fine of €10,059.92 (ISK 1,500,00) on the controller under Article 83 GDPR due to the controller’s violations of Article 5(1) GDPR, Article 6 GDPR, Article 12 GDPR and Article 13 GDPR.
Persónuvernd - 2021051091

Authority: Persónuvernd (Island)
Jurisdiction: Iceland
Relevant Law: Article 5(1)(b) GDPR; Article 5(1)(a) GDPR; Article 6(1) GDPR; Article 12 GDPR; Article 13 GDPR; Article 30 GDPR; Article 58(2) GDPR; Article 83 GDPR
Type: Complaint
Outcome: Upheld
Started: 04.05.2021
Decided: 12.03.2024
Published: 20.03.2024
Fine: 1,500,00 ISK
Parties: Stjörnuna ehf, the operator of Subway in Iceland
National Case Number/Name: 2021051091
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Icelandic
Original Source: Persónuvernd (in IS)
Initial Contributor: ec

The DPA imposed a fine of €10,059.92 (ISK 1,500,00) on Stjörnuna ehf, the operator of Subway in Iceland, for unlawfully monitoring its employees without adequately informing them.

English Summary

Facts

The data subject is an employee at Subway in Iceland. The controller is Stjörnuna ehf, the operator of Subway in Iceland.

The data subject filed a complaint with the Icelandic DPA (Persónuvernd) on 4 May 2021. The data subject claimed that the store manager was at home monitoring the data subject in real time and called the workplace to give comments on the data subject’s work style based on the footage. This was done without the data subject’s knowledge.

The controller argued in a letter to the DPA that it had installed the surveillance cameras for the sake of security and property protection. The surveillance camera system was used in a reasonable manner and it was not used for the control of workers or for monitoring work results. The controller claimed that the store manager went beyond the stated purpose of the monitoring and used the footage to monitor the work performance of the employees without the consent or knowledge of the company representatives. Immediate action was taken to prevent this from happening again.

However, in a subsequent letter, the controller denied that the store manager regularly monitored staff in real time through the restaurant's surveillance camera system and commented on their work style and behaviour. The controller argued that the store manager was looking at the surveillance camera system on the day in question out of fear that bread was running out. However, the store manager noticed that there was a big queue which did not change after 5 minutes, and therefore called the data subject, who was in the rest area, to request that the data subject serve the customers.

Lastly, the controller argued that since there was no systematic collection of information, they had no obligation beyond the installation of signs about the surveillance cameras in the workplace to inform employees more about the monitoring.

Holding

Firstly, the DPA found the arguments of the controller conflicting, as the purpose for processing was either (1) in the interests of security and property protection or (2) quality control. The DPA explained that under Article 5(1)(b) GDPR, monitoring must be carried out for specified, explicit and legitimate purposes. Regarding the first potential