A German Data Protection Authority Imposes a Large GDPR Fine on a Company for Unlawful Surveillance of Its Employees

A Lower Saxony Data Protection Authority imposed a €10.4 million ($12.5 million) GDPR fine on notebooksbilliger.de AG (dba NBB), an online e-commerce portal and IT supplies retail chain.

An investigation by the DPA revealed that NBB installed a video monitoring system inside its warehouses, salesrooms, and common workspaces to monitor employees in order to prevent and investigate potential theft and to track product movements. NBB’s customers were also affected by the video surveillance, as some cameras were aimed at seating in the sales area. The video footage was retained for least 60 days.

The DPA concluded that NBB video-monitored its employees without a legal basis under the GDPR.  According to the DPA, in order to prevent theft, a company should have first explored less intrusive means, such as random bag checks of employees leaving the premises.

According to the DPA, video surveillance to uncover criminal offenses is only lawful if there is justified suspicion against specific persons. In such cases, it may be permissible to monitor them with cameras for a limited period of time.  At NBB, however, video surveillance was neither limited to a specific period of time nor to specific employees. In addition, retaining recordings for 60 days was significantly longer than necessary.

The fine on NBB is the second recent significant GDPR fine imposed on an employer.  In October of 2020, Hamburg Data Protection Authority imposed a €35 million fine on a German subsidiary of a Swedish multinational retail company H&M for its excessive use of employee data.

Improve customer trust with Clarip’s privacy governance platform.  Schedule a demo of the Clarip data mapping software for Privacy Compliance by calling 1-888-252-5653.