10.4 million euros in fines: unauthorised video surveillance in retail
The Data Protection Commissioner of Lower Saxony [Landesbeauftragte für den Datenschutz Niedersachsen, LfD Niedersachsen]) announced on 8 January 2021 that it had imposed a fine of €10.4 million on notebooksbilliger.de AG.
The company had monitored its employees without any legal basis for doing so. The fine is the first known case of application of the guidance on video surveillance by non-public bodies published by the DSK in July of last year. In these guidelines, the DSK had taken an extremely strict stance, especially with regard to employee data protection, a great deal of which has not been confirmed by the courts, however. Hence, it remains to be seen whether or not the fine (in this amount) will be upheld.
According to notebooksbilliger.de AG, it has already lodged an objection and announced that it will take legal action against the fine, if necessary.
Video surveillance at notebooksbilliger.de AG
According to the Data Protection Commissioner of Lower Saxony, the video cameras installed by notebooksbilliger.de AG had recorded workplaces, sales rooms, warehouses and common areas, among other things. The aim of the surveillance had been to prevent and solve crimes and to trace the flow of goods in the warehouses. The monitoring had neither been limited to a certain period of time nor to specific employees. Finally, in many cases, the records had been stored for 60 days.
Data Protection Commissioner relies on the strict guidance of the DSK
In the opinion of the Data Protection Commissioner of Lower Saxony, the purposes given by notebooksbilliger.de AG for the video surveillance were not sufficient to justify it. Companies should first consider milder means of preventing theft.
Video surveillance for the purpose of detecting criminal offences is only lawful if there is reasonable suspicion against specific persons. Only in such a case can it be permissible to monitor these persons with cameras for a limited period of time. The retention of records for a period of 60 days is significantly longer than necessary.
As expected, the authority’s arguments adopt the DSK’s position from its guidance on video surveillance. This states with regard to the surveillance of employees, in reference to § 26 (1) sentence 2 German Federal Data Protection Act [Bundesdatenschutzgesetz, BDSG], that surveillance in order to disclose criminal offences can only be permissible in case of a concrete suspicion.
As far as the retention period is concerned, according to the guidance, only a period of 72 hours is regularly required to establish that a relevant incident has occurred and to prevent the deletion of the relevant video sequences.
Legal situation not yet clarified
However, the argumentation of the Data Protection Commissioner of Lower Saxony is by no means uncontroversial in the legal literature and case law:
In addition to the cases of a temporary monitoring of employees in the event of the concrete suspicion of a criminal offence (§ 26 (1) sentence 2 BDSG), conduct and performance checks of employees - and thus in principle also video surveillance - can be based on § 26 (1) sentence 1 BDSG or Article 6 (1) lit. f GDPR. On grounds of these provisions, such conduct and performance checks may be permissible on the basis of a balancing of interests. According to Supreme Court jurisprudence, the limit is definitely reached where there is a complete monitoring, without grounds and without interruption, which allows comprehensive movement and performance profiles to be drawn up.
In certain cases, it is justifiably questionable whether video surveillance can be regarded as uninterrupted, complete monitoring: for example, if video recordings are only evaluated in the case of a concrete and previously defined reason and further technical and organisational measures - in particular encrypted storage and automatic overwriting after expiry of the defined storage period - are taken and only the video sequences in question are viewed.
In all events, all-encompassing video surveillance is not advisable, because this leaves no areas for employees to withdraw.
The view of the supervisory authorities on the maximum permissible storage period, however, contradicts the case law of the Federal Labour Court [Bundesarbeitsgericht, BAG]. The BAG recently ruled in a decision of 23 August 2018 (docket No.: 2 AZR 133/18, margin No. 33) that even storage periods of several months may be permissible.
Calculation of the fine
The amount of the fine is based on the DSK's concept for the calculation of fines in proceedings against companies (we reported on the calculation of fines in our newsletter). The basis for the calculation is worldwide group sales. This can lead to very high fines, especially for large companies, even if the underlying data protection breach is classified as "minor" by the supervisory authority.
Because of this discrepancy between fault and the amount of fines, jurisprudence has been sceptical about the supervisory authorities’ new practice of imposing fines. The Regional Court [Landgericht, LG] of Bonn ruled by decision of 11 November 2020 (docket No.: 29 OWi 1/20) that a fine of EUR 9.55 million that had been imposed on 1&1 Telecom GmbH by the Federal Commissioner for Data Protection and Freedom of Information [Bundesbeauftragte für Datenschutz und Informationsfreiheit] be reduced by approximately 90% to EUR 900,000.
It therefore remains to be seen whether the supervisory authorities will be able to adhere to their approach to fines in the long term or whether an adjustment will be necessary.
The case shows that the supervisory authorities perceive the topic of video surveillance as a particularly sensitive area, especially when employees are involved. Companies should take the decision as an opportunity to check the compliance of the video surveillance they use with data protection law. In many cases, compliance with the strict requirements of the German supervisory authorities is likely to be difficult. In this case, companies need to find a risk-appropriate solution by implementing tailor-made technical and organisational measures.