Newsletter March 2021 – Data protection violation through unloawful CCTV surveillance: new fine in the tens of millions of euros issued

Never before has the state data protection authority in the German state of Lower Saxony imposed such a high GDPR fine: 10.4 million euros were imposed on a company trading in consumer electronics.

What happened in this case?

The company in question, notebooksbilliger, monitored its employees as well as its customers using CCTV cameras without a valid legal basis. Not only were the employees’ workplaces recorded, there were also cameras in the sales areas, which meant that customers were also affected by the illegal CCTV surveillance. In addition, the data was stored for much longer than what would have been permissible.

Barbara Thiel, State Data Protection Commissioner of Lower Saxony, explains her decision as follows:

“We are dealing with a serious case of video surveillance in the workplace here. Businesses must understand that they are massively violating the rights of their employees with such intensive CCTV surveillance. CCTV surveillance is a particularly intensive encroachment on the right to privacy, as it can theoretically be used to observe and analyse a person’s entire behavior. According to the case law of the German Federal Labor Court, this can lead to those affected feeling pressure to behave as inconspicuously as possible so as not to be criticised or sanctioned for deviant behavior.”

Monitoring was inteded to protect against theft

notebooksbilliger stated that it had used surveillance to prevent theft. However, a mere general suspicion is not sufficient to justify such measures. Other forms of monitoring must be preferred for detecting such crimes. Only if there is reasonable suspicion against a specific person, he or she could possibly be monitored through CCTV for a short period of time.

To prevent theft, a company must first consider less invasive means, such as the possibility of random bag checks when leaving the premises.

How did the business react to the fine?

notebooksbilliger clarified that the company fully commits to GDPR compliance, but views the fine as disproportionate. In fact, this is the highest fine that the state data protection authority in Lower Saxony has imposed under the GDPR to date. Fines can amount to up to 4% of a company’s annual turnover. In this case, it was just over 1%.

Our takeaway: This decision tries to set an example

It is not yet clear how the legal dispute will end. But it is already clear that companies should never use CCTV surveillance of their employees on a permanent basis and should also document that other means of monitoring were previously tried out. However, in recent weeks, fines imposed by German data protection authorities have been greatly reduced in a number court proceedings or even declared void in their entirety – so the story doesn’t end here.