24/7 CCTV monitoring at the workplace was a breach of the data protection rules
Many companies use CCTV monitoring at the workplace to a certain extent for operational or safety purposes or for other reasons. However, where there is CCTV monitoring, appropriate safeguards are required. Such safeguards were not in place in a case from the Swedish Authority for Privacy Protection where employees were subject to 24/7 surveillance, although it was not necessary.
In smaller cities located between Göteborg and Stockholm, a couple of fire stations had been using CCTV monitoring for several years.
The reason for the CCTV monitoring was to manage the work and efficiency in case of alarm, but also to ensure the work environment. However, several complaints were filed to the Swedish Authority for Privacy Protection since the CCTV monitoring was also ongoing when the employees were changing their clothes.
Strict safeguards apply to data processing arising from CCTV monitoring, in addition to the national rules. We have previously described the requirements relating to CCTV monitoring in the Nordics more in detail, here.
The processing did not comply with the data minimization principle
Although the Swedish Authority for Privacy Protection found that the CCTV monitoring was necessary to perform a task in the public interest, and therefore had a lawful basis, the processing was not in accordance with the data protection rules for two reasons.
The first reason was that the monitoring was too wide-ranging, meaning that it was contrary to the principle of proportionality. Although there was justified reasons for ensuring monitoring in case of an alarm, there were no justified reason for monitoring employees changing clothes without any censorship.
The second reason was that the monitoring was too intrusive being round-the-clock, especially as monitoring was only necessary in case of an alarm. According to the Swedish Authority for Privacy Protection, the monitoring should instead have been limited to only having been activated in the event of an alarm and in any case, the areas where the employees were changing their clothes should have been masked so that only actual necessary information was monitored.
As a direct consequence, a fine of SEK 350,000 was issued.
IUNO’s opinion
Companies must be aware that in addition to any special national rules on camera surveillance, the data protection rules will also limit and frame how CCTV monitoring can take place. This includes special information obligations, limited retention periods and more.
IUNO recommends that companies conduct thorough assessments of any CCTV monitoring it wants to put in place, regardless of whether employees are not objecting. Risks of non-compliance both exist under specific rules on the use of CCTV monitoring, data protection rules as well as employment law, making it difficult to determine exactly how to have compliant monitoring in place.
[The Swedish Authority for Privacy Protection’s decision DI-2018-22697 of 9 June 2021]
In smaller cities located between Göteborg and Stockholm, a couple of fire stations had been using CCTV monitoring for several years.
The reason for the CCTV monitoring was to manage the work and efficiency in case of alarm, but also to ensure the work environment. However, several complaints were filed to the Swedish Authority for Privacy Protection since the CCTV monitoring was also ongoing when the employees were changing their clothes.
Strict safeguards apply to data processing arising from CCTV monitoring, in addition to the national rules. We have previously described the requirements relating to CCTV monitoring in the Nordics more in detail, here.
The processing did not comply with the data minimization principle
Although the Swedish Authority for Privacy Protection found that the CCTV monitoring was necessary to perform a task in the public interest, and therefore had a lawful basis, the processing was not in accordance with the data protection rules for two reasons.
The first reason was that the monitoring was too wide-ranging, meaning that it was contrary to the principle of proportionality. Although there was justified reasons for ensuring monitoring in case of an alarm, there were no justified reason for monitoring employees changing clothes without any censorship.
The second reason was that the monitoring was too intrusive being round-the-clock, especially as monitoring was only necessary in case of an alarm. According to the Swedish Authority for Privacy Protection, the monitoring should instead have been limited to only having been activated in the event of an alarm and in any case, the areas where the employees were changing their clothes should have been masked so that only actual necessary information was monitored.
As a direct consequence, a fine of SEK 350,000 was issued.
IUNO’s opinion
Companies must be aware that in addition to any special national rules on camera surveillance, the data protection rules will also limit and frame how CCTV monitoring can take place. This includes special information obligations, limited retention periods and more.
IUNO recommends that companies conduct thorough assessments of any CCTV monitoring it wants to put in place, regardless of whether employees are not objecting. Risks of non-compliance both exist under specific rules on the use of CCTV monitoring, data protection rules as well as employment law, making it difficult to determine exactly how to have compliant monitoring in place.
[The Swedish Authority for Privacy Protection’s decision DI-2018-22697 of 9 June 2021]
Similar
Expensive right of access requests
Seven commandments when closing the business e-mail account
Unfair design practices resulted in a 345 million euro fine
Accessible personnel files resulted in a data breach
Deadline to establish whistleblower schemes for medium-sized companies approaching
New guidance from the Danish Data Protection Agency on direct marketing