The Norwegian Data Protection Authority has fined Waxing Palace AS NOK 100,000. The enterprise operates a waxing salon, and their CCTV monitoring of the reception area has been found to be in breach of the General Data Protection Regulation (GDPR).
The GDPR requires that all processing of personal data have a legal basis. Having investigated a complaint relating to CCTV monitoring of salon premises, the Data Protection Authority has concluded that the enterprise did not have a legal basis for its monitoring. The Data Protection Authority also found that the enterprise did not satisfactorily inform visitors of its CCTV monitoring.
“The rules concerning CCTV monitoring are stringent, especially in the workplace. The processing of personal data must be lawful and transparent. Any breach of these fundamental principles is a serious matter,” says Director Bjørn Erik Thon.
“One should always be transparent and open with anyone whose personal data one register. Among other things, the information provided should make it clear which areas are covered by the CCTV monitoring. As a rule, nobody should be surprised to discover that they have been monitored,” says Thon.
The Data Protection Authority finds that this case is so severe that a fine is the appropriate sanction.
Everyone has a right to privacy, and this extends to their workplace. Unlawful CCTV monitoring can be very stressful for the employees.
“In this case, we have emphasized that the unlawful CCTV monitoring affected both visitors to the salon and its employees. The monitoring did not cover areas of the salon where treatments were performed, but we have taken into account the nature of the company’s services. Many customers would consider a visit to a waxing salon as something private, and they would not expect to be caught on camera,” Thon concludes.
The fine amount is based on an overall assessment, taking into account the severity of the offence and the financial situation of the enterprise.