EN
Technology

24/7 CCTV monitoring at the workplace was a breach of the data protection rules

logo
Legal news
calendar 31 March 2022
globus Denmark, Sweden, Norway

Many companies use CCTV monitoring at the workplace to a certain extent for operational or safety purposes or for other reasons. However, where there is CCTV monitoring, appropriate safeguards are required. Such safeguards were not in place in a case from the Swedish Authority for Privacy Protection where employees were subject to 24/7 surveillance, although it was not necessary.

In smaller cities located between Göteborg and Stockholm, a couple of fire stations had been using CCTV monitoring for several years.

The reason for the CCTV monitoring was to manage the work and efficiency in case of alarm, but also to ensure the work environment. However, several complaints were filed to the Swedish Authority for Privacy Protection since the CCTV monitoring was also ongoing when the employees were changing their clothes.

Strict safeguards apply to data processing arising from CCTV monitoring, in addition to the national rules. We have previously described the requirements relating to CCTV monitoring in the Nordics more in detail, here.

The processing did not comply with the data minimization principle

Although the Swedish Authority for Privacy Protection found that the CCTV monitoring was necessary to perform a task in the public interest, and therefore had a lawful basis, the processing was not in accordance with the data protection rules for two reasons.

The first reason was that the monitoring was too wide-ranging, meaning that it was contrary to the principle of proportionality. Although there was justified reasons for ensuring monitoring in case of an alarm, there were no justified reason for monitoring employees changing clothes without any censorship.

The second reason was that the monitoring was too intrusive being round-the-clock, especially as monitoring was only necessary in case of an alarm. According to the Swedish Authority for Privacy Protection, the monitoring should instead have been limited to only having been activated in the event of an alarm and in any case, the areas where the employees were changing their clothes should have been masked so that only actual necessary information was monitored.

As a direct consequence, a fine of SEK 350,000 was issued.

IUNO’s opinion

Companies must be aware that in addition to any special national rules on camera surveillance, the data protection rules will also limit and frame how CCTV monitoring can take place. This includes special information obligations, limited retention periods and more.

IUNO recommends that companies conduct thorough assessments of any CCTV monitoring it wants to put in place, regardless of whether employees are not objecting. Risks of non-compliance both exist under specific rules on the use of CCTV monitoring, data protection rules as well as employment law, making it difficult to determine exactly how to have compliant monitoring in place.

[The Swedish Authority for Privacy Protection’s decision DI-2018-22697 of 9 June 2021]

In smaller cities located between Göteborg and Stockholm, a couple of fire stations had been using CCTV monitoring for several years.

The reason for the CCTV monitoring was to manage the work and efficiency in case of alarm, but also to ensure the work environment. However, several complaints were filed to the Swedish Authority for Privacy Protection since the CCTV monitoring was also ongoing when the employees were changing their clothes.

Strict safeguards apply to data processing arising from CCTV monitoring, in addition to the national rules. We have previously described the requirements relating to CCTV monitoring in the Nordics more in detail, here.

The processing did not comply with the data minimization principle

Although the Swedish Authority for Privacy Protection found that the CCTV monitoring was necessary to perform a task in the public interest, and therefore had a lawful basis, the processing was not in accordance with the data protection rules for two reasons.

The first reason was that the monitoring was too wide-ranging, meaning that it was contrary to the principle of proportionality. Although there was justified reasons for ensuring monitoring in case of an alarm, there were no justified reason for monitoring employees changing clothes without any censorship.

The second reason was that the monitoring was too intrusive being round-the-clock, especially as monitoring was only necessary in case of an alarm. According to the Swedish Authority for Privacy Protection, the monitoring should instead have been limited to only having been activated in the event of an alarm and in any case, the areas where the employees were changing their clothes should have been masked so that only actual necessary information was monitored.

As a direct consequence, a fine of SEK 350,000 was issued.

IUNO’s opinion

Companies must be aware that in addition to any special national rules on camera surveillance, the data protection rules will also limit and frame how CCTV monitoring can take place. This includes special information obligations, limited retention periods and more.

IUNO recommends that companies conduct thorough assessments of any CCTV monitoring it wants to put in place, regardless of whether employees are not objecting. Risks of non-compliance both exist under specific rules on the use of CCTV monitoring, data protection rules as well as employment law, making it difficult to determine exactly how to have compliant monitoring in place.

[The Swedish Authority for Privacy Protection’s decision DI-2018-22697 of 9 June 2021]

Receive our newsletter

Anders

Etgen Reitz

Partner

Kirsten

Astrup

Senior associate

Similar

logo
Technology

16 June 2022

Unfortunate software update gave thousands of employees access to job applications

logo
Technology

2 June 2022

Failure to inform shareholder breached the data protection rules

logo
Technology

28 April 2022

First fine to a public authority for breach of the data protection rules

logo
Technology

31 March 2022

New guidelines clarify when processing is an international data transfer

logo
Technology

24 February 2022

No unconditional right of access under whistleblower schemes

logo
Technology HR-legal Corporate

2 November 2021

Joint whistleblower schemes for multinationals

The team

Anders

Etgen Reitz

Partner

Kirsten

Astrup

Senior associate