CCTV monitoring at the workplace
The General Data Protection Regulation (GDPR) also applies to CCTV monitoring, but many companies are not introducing the appropriate safeguards when introducing surveillance at the workplace. Just recently, the German Data Protection Authority sanctioned a clothing-retail company with a EUR 35.3 million fine for unlawful surveillance of employees. The same company, along with another, are now being investigated by the Swedish Data Protection Authority.
Although many employees might be fine with having CCTV monitoring set up at the workplace for security purposes or for other reasons, safeguards must be taken to avoid misuse for unexpected or different reasons, such as for marketing purposes or employee performance monitoring.
In Denmark, Sweden and Norway, CCTV monitoring constitutes a control measure towards the employees. Companies must therefore – in addition to applicable data protection rules – first and foremost ensure that the national rules and limitations are adhered to before surveillance is introduced at the workplace. Obligations include but are not limited to requirements on ensuring that employees receive prior notification, that the measure does not violate the employees’ integrity, but may also include consultation requirements.
Statutory limitations also apply under national law in the Nordics as for how long CCTV footage can be retained. CCTV footage should in all circumstances not be retained longer than necessary, which in Denmark means usually no longer than 72 hours, in Sweden the main rule is three days, while CCTV footage in Norway usually should not be retained for more than one week. When the CCTV monitoring occurs for crime-preventing purposes, the period should be 30 days in Denmark and Norway. In Sweden, there is no specific retention period. Instead, the rule is that the footage may only be retained for as long as it is necessary with respect to the purpose in each individual case.
Further companies in all three countries must be aware that specific laws regulate the use of CCTV monitoring which includes a duty to issue warning signs.
CCTV monitoring must always be informed and transparent
Pursuant to the European Data Protection Board, companies must always carefully consider the so-called data protection principles before introducing CCTV monitoring. These principles include, for example, that companies must ensure that processing always is fair, transparent and lawful but also limited to the specified purpose and limited to what is necessary hereto.
As part of its investigation of the multinational clothing-retail company on its use of CCTV monitoring towards several hundred employees, the Swedish Data Protection Authority therefore also asked questions to determine:
- When the CCTV monitoring is taking place and why?
- If CCTV monitoring occurs as real-time monitoring and what retention periods are applied?
- What the purpose of the CCTV monitoring is and if there were other alternatives?
- What the lawful basis is and what information the employees received?
As part of ensuring that companies give employees the required information in an understandable way, a two-layered approach is recommended; the first layer being the warning sign itself and the second layer being the mandatory details given by other means.
IUNO’s opinion
Employees are in most cases not expecting to be monitored at their place of work, and the use of CCTV monitoring is undoubtedly an intense intrusion on their rights. In the mentioned decision of the German Data Protection Authority, it emphasized that the company had recorded intensive details on the employees’ private lives, including holiday, sick leave, family issues and religious beliefs.
IUNO recommends that companies carefully consider all circumstances involved on current or future use of CCTV footage, both in light of applicable data protection rules but also potential restrictions under national employment law. To lessen the administrative burden and the risk of non-compliance companies should implement efficient systems and routines to ensure focus on the many rights and obligations in play.
Although many employees might be fine with having CCTV monitoring set up at the workplace for security purposes or for other reasons, safeguards must be taken to avoid misuse for unexpected or different reasons, such as for marketing purposes or employee performance monitoring.
In Denmark, Sweden and Norway, CCTV monitoring constitutes a control measure towards the employees. Companies must therefore – in addition to applicable data protection rules – first and foremost ensure that the national rules and limitations are adhered to before surveillance is introduced at the workplace. Obligations include but are not limited to requirements on ensuring that employees receive prior notification, that the measure does not violate the employees’ integrity, but may also include consultation requirements.
Statutory limitations also apply under national law in the Nordics as for how long CCTV footage can be retained. CCTV footage should in all circumstances not be retained longer than necessary, which in Denmark means usually no longer than 72 hours, in Sweden the main rule is three days, while CCTV footage in Norway usually should not be retained for more than one week. When the CCTV monitoring occurs for crime-preventing purposes, the period should be 30 days in Denmark and Norway. In Sweden, there is no specific retention period. Instead, the rule is that the footage may only be retained for as long as it is necessary with respect to the purpose in each individual case.
Further companies in all three countries must be aware that specific laws regulate the use of CCTV monitoring which includes a duty to issue warning signs.
CCTV monitoring must always be informed and transparent
Pursuant to the European Data Protection Board, companies must always carefully consider the so-called data protection principles before introducing CCTV monitoring. These principles include, for example, that companies must ensure that processing always is fair, transparent and lawful but also limited to the specified purpose and limited to what is necessary hereto.
As part of its investigation of the multinational clothing-retail company on its use of CCTV monitoring towards several hundred employees, the Swedish Data Protection Authority therefore also asked questions to determine:
- When the CCTV monitoring is taking place and why?
- If CCTV monitoring occurs as real-time monitoring and what retention periods are applied?
- What the purpose of the CCTV monitoring is and if there were other alternatives?
- What the lawful basis is and what information the employees received?
As part of ensuring that companies give employees the required information in an understandable way, a two-layered approach is recommended; the first layer being the warning sign itself and the second layer being the mandatory details given by other means.
IUNO’s opinion
Employees are in most cases not expecting to be monitored at their place of work, and the use of CCTV monitoring is undoubtedly an intense intrusion on their rights. In the mentioned decision of the German Data Protection Authority, it emphasized that the company had recorded intensive details on the employees’ private lives, including holiday, sick leave, family issues and religious beliefs.
IUNO recommends that companies carefully consider all circumstances involved on current or future use of CCTV footage, both in light of applicable data protection rules but also potential restrictions under national employment law. To lessen the administrative burden and the risk of non-compliance companies should implement efficient systems and routines to ensure focus on the many rights and obligations in play.
Similar
Expensive right of access requests
Seven commandments when closing the business e-mail account
Unfair design practices resulted in a 345 million euro fine
Accessible personnel files resulted in a data breach
Deadline to establish whistleblower schemes for medium-sized companies approaching
New guidance from the Danish Data Protection Agency on direct marketing