Stjörnuna ehf., the operator of fast food sandwich chain Subway in Iceland, has been fined IKr 1,500,000 ($10,910) by Personuvernd, the Icelandic supervisory authority for data protection, after details of electronic monitoring of employees emerged.
After a complaint from an employee, one manager was found watching workers from his home via the restaurant’s surveillance cameras, and commenting on their work style. The manager took screenshots with timestamps from the surveillance cameras and passed them with his observations to the employees concerned.
In the complaint, the employee also stated that he hadn’t been educated or trained about the camera monitoring or told what his rights were.
The employee said that the “abuse of the monitoring system” and the monitoring of his work records caused a lot of anxiety and discomfort, and continued all through his employment at Subway. He resigned in May, after about a year working there.
The employee also stated that this was not an isolated case, and that the monitoring takes place at other Subway restaurants in Iceland too.
Fear of running out of bread
When investigating the complaint, the authority was sent two letters from Stjörnuna about its monitoring, dated September 9, 2021, and January 13, 2023. Personuvernd found the company’s explanations about the store manager’s purpose in carrying out the monitoring contradictory.
In the first letter, the store manager’s behavior was explained as a mistake, and it was stated that he went beyond the stated purpose of the monitoring by using the footage to monitor work performance without the consent or knowledge of the company representatives.
In the second letter, the company completely denied that the manager had regularly monitored staff in real time through the restaurant’s surveillance camera system or commented on their work style and behavior.
In one instance, the store manager claimed he was using the cameras to monitor “out of fear that the bread was running out”. He argued he carried out his actions for quality control and not staff monitoring purposes.
Contravening EU GDPR
Personuvernd found that Stjörnuna ehf. failed to educate the employees about the monitoring, and failed to comply with the law on personal protection and processing of personal information.
The authority also said that the electronic monitoring of employees would not have been compatible with the company’s declared purpose, which was that it would have been done for a work report.
The regulator found that with the electronic monitoring, Stjörnuna contravened the first paragraph of Article 5, and Articles 6, 12, and 13 of the EU GDPR.