Date: 8 January 2021
In the first big GDPR fine of 2021, today the State Commissioner for Data Protection for Lower Saxony (LfD) imposed a fine of €10.4 million on notebooksbilliger.de AG, a vendor of laptops and computer equipment. The company had used video surveillance for around 2 years to monitor its employees. The fine follows another large German fine for HR practices last year against H&M, who were fined €35.2m for GDPR violations in October. There is more on the H&M case here https://bit.ly/hamburgfine.
What was this case about?
We’re increasingly seeing data protection authorities focus on CCTV and workplace surveillance as a real area of regulatory activity. We’ve looked at the legal issues around CCTV and surveillance previously including in our note on some of the legal consequences here https://www.corderycompliance.com/client-alert-using-cctv-on-business-premises-dp-implications/. Our note includes a look at earlier cases in Denmark, Finland, France, The Netherlands, Spain, Sweden and the UK.
In this case the LfD said that the company had monitored its employees for at least two years without any legal basis. The cameras recorded workplaces, sales areas, warehouses and common areas. The company claimed that the aim of the cameras was to prevent and investigate criminal offences and to track the flow of goods in its warehouses.
What did the LfD say?
The LfD was not convinced that the company had looked at more appropriate means before installing CCTV. It said that these could have included random bag checks when leaving the company premises. It also said that the company did not have a “justified suspicion against specific persons” which could have made the CCTV use lawful for a limited period of time.
The LfD also criticised the company’s retention of CCTV images – in this case images were retained for 60 days. This is an area where we’ve seen other organisations have difficulties – it is important to remember that storing CCTV images for long periods of time also makes responding to subject access requests or even eDiscovery more challenging.
The LfD said that as well as employees being under surveillance customers were also affected since some cameras were aimed at customer seating areas. It said that organisations need to take special care with CCTV covering seating areas as these areas “are obviously intended to invite you to linger for a longer period of time.”
As well as imposing the fine (which has yet to be formally confirmed) the LfD agreed remedial measures with the company.
What did the company say?
The company is now considering an appeal. The company has said that it started co-operating with the LfD in 2017. It said that the fine was “completely disproportionate”. As we have said in the past there’s a high success rate for appeals against large GDPR fines when they go to court – the 1&1 case in November (https://www.corderycompliance.com/1and1-gdpr-fine-reduced/) being just one example – and whether a fine of this level will hold up in court remains to be seen. Wherever the fine ends up however the reputational damage should not be underestimated. A company that sells technology products may well be expected by its customers to get its own data protection compliance right.
There are a number of lessons to be learned from this case including:
- CCTV systems will always require a DPIA under data protection law. Make sure you address the type of questions we’ve covered in our alert here https://www.corderycompliance.com/client-alert-using-cctv-on-business-premises-dp-implications/ including considering whether the CCTV system is necessary, how long the footage can be viewed for, who can view it and how it is being kept secure.
- Whilst this case is confined to CCTV, organisations should consider other types of video surveillance too. For example, some organisations have routinely recorded Teams and Zoom meetings during the pandemic or monitored the performance of employees using built-in tools on O365 or other means. All of those activities are likely to need a DPIA too. We’ve written about some of these issues here https://www.corderycompliance.com/coronavirus-covid19-and-dp/
Cordery’s GDPR Navigator includes resources to help deal with data protection compliance. GDPR Navigator includes template processes and procedures to deal with data rights requests and short films and other guidance. You can find out more about GDPR Navigator at www.bit.ly/gdprnav
We report about data protection issues here: http://www.corderycompliance.com/category/data-protection-privacy/ and on Brexit related issues here https://www.corderycompliance.com/category/brexit/
The LfD’s statement is here http://bit.ly/3s5KQLW
For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1784
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1785