Audio and video surveillance of employees, storage for too long, inadequate security measures
The data protection authority in Lower Saxony started investigations against the company, especially since they had received information that live images from several video surveillance cameras, which were located in the market, were published on a website specializing in unsecured camera recordings. The cameras recorded not only customers and employees, but also technical equipment and the company premises.
When asked by the data protection authority why all-day audio and video surveillance was necessary, the company claimed that it was used to protect customers and employees, to comply with house rules, to punish crimes and vandalism, and to pursue civil claims. Recordings from the cameras were stored for a week and checked live by the store manager.
However, the authority found that the monitoring of employees at their workplaces (especially in the checkout area and at counseling stations) had no legal basis, as there was no specific suspicion of a crime and the recordings were made on a blanket basis. The audio surveillance was also unlawful because it was not necessary and had no legal basis. In addition, the recordings had been stored longer than was necessary for the stated purposes. According to the authority, it would already be possible to determine within 72 hours whether the recording needed to be secured.
Furthermore, the data protection authority saw a violation of the principle of integrity and confidentiality, as adequate security measures were not taken. Furthermore, no data protection impact assessment was carried out, although this would have been necessary due to the extensive monitoring of public areas.
The owner of the electrical store has appealed against the fine notice. Accordingly, the decision is not yet final.
No exact date could be taken from the activity report of the Hessian data protection authority, the date was given here as December 31, 2021.
Entscheidungsdatum:
31.12.2021
Land:
Germany
Art des Verstoßes:
Illegal data collection
Betroffene Datensätze:
unknown
Waren sensible Daten betroffen?:
No
verhängte Geldstrafe:
€ 16,000,-