German Data Protection Authorities continue to impose record penalties: notebooksbilliger.de fined 10,4 Mio EUR

Barbara Thiel, the Data Protection Commissioner for the Federal State of Lower Saxony, has issued a record fine of 10.4 million euros against the company notebooksbilliger.de AG for unlawful video surveillance of staff and customers.

Summary

The company is alleged to have unlawfully monitored its staff and customers by video over a period of at least two years, without being able to demonstrate a legal basis for doing so. At 10.4 million euros, the fine is the highest issued so far by Lower Saxony’s data protection authority under the GDPR, and the third highest such fine in Germany.

What exactly is the regulator accusing the company of?

Over a period of at least two years, notebooksbilliger.de AG is alleged to have unlawfully monitored its staff, and in some cases even its customers, by video. This is said to have occurred at the employees’ place of work, in sales rooms and the warehouse, but also in generally accessible areas within the company.

This practice was reportedly not restricted in duration, nor was it limited to certain areas or groups of people.

In addition, the recordings are reported to have been stored for up to 60 days in many cases, much longer than would normally be allowed under data protection law even if the surveillance were lawful.

The company’s stance: Why us, why not big corporations?

One of the justifications offered by the company was its desire to prevent or detect criminal activity.

According to company founder Arnd von Wedemeyer, the cameras were primarily used to track the flow of goods during the storage, sale and shipping of products. Wedemeyer claimed that this was “standard practice” in shipping and logistics companies. It was argued that the recordings were only ever examined retrospectively in the event that goods were reported as damaged or missing, and that, contrary to the data protection authority’s claim, the employees had at no time been placed under general suspicion. In particular, the company said that the video recordings had never been used to evaluate the conduct of staff or their performance.

However, it was the size of the fine that drew most criticism from Oliver Hellmold, Managing Director of notebooksbilliger.de. He argued that notebooksbilliger.de was “just a modest SME and not some faceless conglomerate”.

According to his statement, the company attaches “great importance to complying with data protection regulations” and has always cooperated with the supervisory authority. Hellmold felt that an example was being made of the company, and that this was jeopardising its “good reputation”. The company has already lodged an appeal against the fine. According to notebooksbilliger.de, the hope is for a ruling similar to that in the 1&1 case before the regional court in Bonn, where the court reduced the fine originally imposed by the Federal Data Protection Commissioner by around 90 %.

The State Data Protection Commissioner justified the amount of the fine imposed by stating that the video surveillance carried out by notebooksbilliger.de constitutes a particularly serious case, with the personal rights of staff and customers significantly affected. This is in part because:

• The practice did not occur for a limited period only, and
• The surveillance also occurred in areas where people typically choose to spend time, where surveillance would thus only be permissible within very narrow limits and taking into account the need to protect the legitimate interests of data subjects.

The authority’s position: Video surveillance is particularly invasive and only permissible in exceptional cases

The authority also stressed that companies should generally be careful when using video surveillance technology on their employees. Monitoring by means of video cameras represents a particularly invasive intrusion into the personal rights of employees, for which a special justification is required. It argued that merely pointing out the deterrent effect of cameras is not sufficient to justify an indiscriminate and ongoing infringement of the employees’ personal rights. Rather, it would require concrete indications, giving rise to serious fears of the commission of criminal offences, to be able to justify preventive video surveillance. In addition, such a practice would have to be limited in time and must not lead to ongoing surveillance of employees without a single offence ever being detected.

Spirit Legal checklist: What should companies consider when it comes to video surveillance?

If your company is planning to use video surveillance, it is important to clarify and document the reason, the technical set-up as well as the legal framework in advance:

1. Reason for video surveillance

A. Why do you intend to use video surveillance?

B. What has caused this decision?

C. Who will be affected by the video surveillance?

2. Video surveillance set-up

A. Which areas does the company intend to monitor?

B. Does this include public spaces?

C. Will the company provide transparent information about the video surveillance?

D. Will some areas not be monitored? Will there be places where data subjects can go without being filmed?

E. Will the video be recorded? If so, how long will the recordings be stored and where?

F. What about the video cameras’ technical specifications? (high-res, zoom function, pixelation etc.)

G. Do the cameras have audio recording capabilities?

H. Will third parties be involved in recording and storing the video surveillance?

3. Legal framework and compliance with documentation requirements

A. Which employees and contractors are allowed to view the recordings and for what reason?

B. Does it have to be a video surveillance measure to monitor employees or company space – is there really no “less severe remedy”?

C. On what legal basis is video surveillance allowed in the specific case?

D. Have the interests of data subjects been sufficiently taken into account, and this balancing of interests documented?

E. Has the works council been consulted, if there is one?

F. Has a data protection impact assessment been carried out?

G. Is there a security concept or any documentation of the relevant security measures?

H. At what intervals will the company review the circumstances and the legal conditions, and who is responsible for this?

I. If service providers will be involved in video surveillance, have appropriate contracts been concluded with them to ensure compliance with data protection regulations?

If you have any questions about your actual video surveillance or are planning to introduce video surveillance in your company, we will be happy to assist you.