After a record fine of EUR 35.3 million imposed on the fashion retailer H&M for video surveillance of employees (here), the IT and electronics retailer Notebooksbilliger.de now has to pay another heavy fine. The employer observed employees by video for years without limiting the surveillance to specific employees or suspicious cases. The competent authority has now imposed a fine of EUR 10.4 million. The amount of the fines shows that it is about time for employers to check their data protection compliance!
During video surveillance of business premises, personal data of employees is collected. Therefore, video surveillance has to be compliant with the legal requirements of the GDPR and the German Federal Data Protection Act (BDSG). According to s26 (1) of the BDSG, the collection of employees’ personal data is lawful if it is necessary for the performance of the employment relationship or for the detection of criminal offences committed by employees. This provision is very unclear and raises many questions. Nevertheless, it is the crucial key provision for any compliance check.
It is generally permissible if the employer overtly keeps its publicly accessible premises under video surveillance (i.e. by visible cameras or with knowledge of the employees) for a specific purpose (such as protection against theft or damage to property) and for a limited time. The situation is different if the data collection conflicts with employees’ rights which deserve protection and prevail. In exceptional cases, even covert video surveillance of publicly accessible premises may be lawful, for example, if there is a concrete suspicion of a criminal offence or another serious breach of duty. Video surveillance is a particularly intensive intrusion into the personal rights of employees, because the entire behaviour of a person can be observed and evaluated. Therefore, the requirements for the legal compliance of video surveillance are very strict. An abstract suspicion or a ‘presumption’ may not be sufficient for permanent surveillance.
Even stricter legal standards apply to covert video surveillance in premises not accessible to the public (e.g. offices or factories). Preventive video surveillance for an unspecified period of time and without cause is not necessary and therefore unlawful (please refer to the opinion of the data protection officer of Lower Saxony, see here).
Even if (as notebooksbilliger.de argues for justification) the surveillance measures are customary in the mail order and logistics industry, the necessity requirement does not change. Only the concrete circumstances are decisive for the justification on the basis of the law, and not the customary practice in the industry.
The press reports on recently imposed fines for violations of data protection law show that regular compliance checks are absolutely essential to avoid or minimise legal and economic risks.
Before starting data processing operations, such as video surveillance, a data protection impact assessment (DPIA) must be carried out, including a description of the processing operation, an assessment of the necessity and proportionality of the processing and a risk assessment.
Within this framework, each individual case should be critically examined; in particular, no data processing that appears to be standard in the industry should be adopted without critical evaluation. Every detail is important. Leaning back because everyone else is doing it ‘the same way’ is no guarantee of compliant behaviour, as other conditions of the working environment, other technology or even a suspicion of a criminal offence can create a situation where the specific data processing is no longer necessary.
In addition, data processing procedures should be regularly audited. This is the only way to avoid fines permanently. Even a change in the actual circumstances in the meantime may lead to a different result from the necessity check. For example, covert video surveillance of employees may be legally compliant if there is an increase in theft of the employer’s property. If, on the other hand, the ‘thief’ is caught, the video surveillance could be non-compliant with the legal requirements. If the video surveillance continues, this could result in severe sanctions by the data protection authorities.
Employers can avoid legal and economic risks by conducting regular compliance checks regarding their employee data processing. In particular, employers who carry out potentially high-risk processing operations such as video surveillance should take the recently imposed fines as a wake-up call to start compliance checks. Being guided by the processing procedures of other employers may be helpful, but it does not exempt the employer from a critical case-by-case assessment and does not protect the employer from fines.