Data protection

CCTV monitoring at the workplace

Legal news
11 March 2020
Denmark, Norway, Sweden

The General Data Protection Regulation (GDPR) also applies to CCTV monitoring, but many companies do not put the appropriate safeguards in place when introducing surveillance at the workplace. Just recently, the German Data Protection Authority sanctioned a clothing-retail company with a EUR 35.3 million fine for unlawful surveillance of employees. The same company, along with another, is now being investigated by the Swedish Data Protection Authority.

Although many employees might be fine with having CCTV monitoring set up at the workplace for security purposes or for other reasons, safeguards must be put in place to avoid misuse for unexpected or different purposes, such as marketing or employee performance monitoring.

In Denmark, Sweden and Norway, CCTV monitoring constitutes a control measure towards the employees. In addition to complying with applicable data protection rules, companies must therefore first and foremost ensure that the national rules and limitations are adhered to before surveillance is introduced at the workplace. Obligations include, but are not limited to, ensuring that employees receive prior notification and that the measure does not violate the employees’ integrity, and may also include consultation requirements.

Statutory limitations also apply under national law in the Nordics on how long CCTV footage can be retained. CCTV footage should in all circumstances not be retained longer than necessary, which in Denmark usually means no longer than 72 hours. In Sweden the main rule is three days, while CCTV footage in Norway usually should not be retained for more than one week. When the CCTV monitoring occurs for crime prevention purposes, the period should be 30 days in Denmark and Norway. In Sweden, there is no specific retention period. Instead, the rule is that the footage may only be retained for as long as it is necessary with respect to the purpose in each individual case.

Furthermore, companies in all three countries must be aware that specific laws regulate the use of CCTV monitoring, including a duty to post warning signs.

CCTV monitoring must always be informed and transparent

According to the European Data Protection Board, companies must always carefully consider the so-called data protection principles before introducing CCTV monitoring. These principles include, for example, that companies must ensure that processing is always fair, transparent and lawful, and that it is limited to the specified purpose and to what is necessary for that purpose.

As part of its investigation into the multinational clothing-retail company's use of CCTV monitoring of several hundred employees, the Swedish Data Protection Authority therefore also asked questions to determine:

  • When the CCTV monitoring is taking place and why?
  • If CCTV monitoring occurs as real-time monitoring and what retention periods are applied?
  • What the purpose of the CCTV monitoring is and if there were other alternatives?
  • What the lawful basis is and what information the employees received?

To ensure that companies give employees the required information in an understandable way, a two-layered approach is recommended: the first layer is the warning sign itself, and the second layer is the mandatory details given by other means.

IUNO’s opinion

In most cases, employees do not expect to be monitored at their place of work, and the use of CCTV monitoring is undoubtedly an intense intrusion on their rights. In the decision mentioned above, the German Data Protection Authority emphasized that the company had recorded extensive details on the employees’ private lives, including holiday, sick leave, family issues and religious beliefs.

IUNO recommends that companies carefully consider all circumstances involved in the current or future use of CCTV footage, in light of both applicable data protection rules and potential restrictions under national employment law. To lessen the administrative burden and the risk of non-compliance, companies should implement efficient systems and routines to ensure focus on the many rights and obligations in play.


Anders Etgen Reitz, Partner

Kirsten Astrup, Associate
