A German state data protection authority has issued a fine of EUR 10.4m against a mid-size online retailer who allegedly violated the EU General Data Protection Regulation (GDPR) by monitoring their employees using CCTV.
The State Commissioner for Data Protection and Freedom of Information (Landesbeauftragte für Datenschutz und Informationsfreiheit) of Lower Saxony (the State Commissioner) imposed the fine on the electronics retailer “notebooksbilliger.de AG” (the Retailer) at the end of 2020.
The Retailer used CCTV in its premises to prevent and investigate criminal offences and to track the flow of goods in the warehouses over a period of at least two years. The State Commissioner did not consider these purposes sufficiently legitimised the use of CCTV in working areas and areas accessible to visitors.
The State Commissioner said that a general suspicion against the employees was not sufficient. The Retailer should, instead, have considered milder measures (e.g. random bag checks when leaving the premises). The State Commissioner also said that a retention period of CCTV footage of up to 60 days was far too long. She said that CCTV for the investigation of criminal offences is only permissible if there is reasonable suspicion against specific individuals. In this case, it may have been acceptable to monitor the employees with cameras for a limited period of time. However, at the Retailer’s premises, the CCTV was neither limited to a specific period nor to specific employees.
The Retailer has taken corrective measures and stated in its recent press release that it would challenge the decision of the State Commissioner in court. The Retailer questions that it was treated fairly and suggests that the fine is not proportionate to the company’s size and turnover. Moreover, the Retailer claims that it had not systematically monitored the performance and behaviour of its employees and that the State Commissioner’s press release endangers the Retailer’s reputation. Although the Retailer invited the State Commissioner into its premises to gain insight about the operation of the CCTV and the Retailer’s organisational culture, the State Commissioner was said not to take the Retailer up on this offer..
This is the highest fine the State Commissioner of Lower Saxony has ever issued under the GDPR. Given this is a mid-size company (with a revenue of approx. € 750m in 2019), the amount of fine is certainly remarkably high. It is not fully clear whether the State Commissioner used the German DPA’s GDPR fine model.
The Retailer is taking action against this fine. We are looking forward to a court decision since it might have impact on the future of the turnover based GDPR fine model already questioned by the Regional Court of Bonn.
The Retailer also claimed that monitoring the flow of goods using CCTV is standard practice within the industry where expensive products are handled. A court decision on this new fine may therefore give guidance on the legality of monitoring practices which are commonplace in the industry.