fined for lack of legal basis for video surveillance

Summary

For at least two years, the company Notebooksbilliger.de monitored both customers and employees in a range of areas, including sales, warehouses, and common spaces. The company claimed that the purpose of the monitoring was to prevent and resolve criminal activities such as theft, as well as tracking the flow of goods in the warehouses.

The monitoring was not limited to a specific timeframe or to specific conditions. In many cases, the records were stored for 60 days. Additionally, the Lower Saxony DPA (LfD Lower Saxony) noted that the monitoring was not based on suspicion towards specific individuals.

The DPA also found that some cameras were positioned to observe seating areas in the salesroom. Since seating areas typically encourage customers to get comfortable and stay for extended periods, such as when testing devices on offer, it could also potentially result in the observation and analysis of a person’s entire behavior.

The decision of the State Commissioner for Data Protection Lower Saxony

The DPA imposed a fine of 10,400,000 EUR to AG for the following violations:

• Monitoring their employees and customers without sufficient legal basis for doing so (GDPR, Article 6(1)).
• Not adhering to the principles of data minimization, storage limitation and proportionality.

Additionally, the DPA suggested remedial actions towards the affected employees.

Our remarks

• When an employer considers video monitoring of the workplace, they should consider what legal basis the data processing should rely on:
  ° The inherent power imbalance between employers and employees means that consent is unlikely to be freely given. Therefore, employers should avoid using consent as a legal basis for processing personal data about employees.
  ° Instead, legitimate interests would likely be a more appropriate legal basis for video surveillance of employees. If the legitimate interest is to prove a criminal act, there must be a well-documented reasonable suspicion against specific persons (e.g., recent criminal offence). General suspicion is not enough.
  ° If you are considering monitoring workplace areas that are accessible to customers, a separate legitimate interest must apply. If the legitimate interest is to prove a criminal act by visitors or customers, there must be a real and current threat, such as a recent act of vandalism of neighboring shop or statistical proof of heightened crime risk in the area.
  ° Such practices, both regarding employees and customers, should be reviewed at regular intervals to ensure the continuous necessity and proportionality of the processing.

Published: 08-01-2021, Journal number: n/a
Tags: 01 Legal basis and principles of processing

Complycloud EU GDPR Report - Page 42