State Commissioner for Data Protection in Lower Saxony imposes € 10.4 million fine against notebooksbilliger.de

Jan 25, 2021

Source: European Data Protection Board

The State Commissioner for Data Protection in Lower Saxony has imposed a fine of 10.4 million euros against notebooksbilliger.de AG. The company had been using video surveillance to monitor its employees for at least two years with no legal justification. Some of the areas recorded by the illegal cameras included workspaces, sales floors, warehouses and staff rooms.

The company claimed the video cameras had been installed to prevent and investigate criminal offences and to track the flow of goods in warehouses. In order to prevent theft, however, a company must first implement less severe means (e.g. random bag checks when leaving the business premises). Furthermore, video surveillance may only be used to investigate crimes if specific individuals are reasonably suspected of committing such offences. If this is the case, the company may be allowed to monitor the individuals with cameras for a limited period. However, notebooksbilliger.de had not limited its video surveillance to specific employees or a specific period. In addition, many of the recordings were saved for 60 days, which is much longer than necessary.

General suspicion is not enough

“This is a serious case of workplace surveillance”, says the State Commissioner for Data Protection in Lower Saxony, Barbara Thiel. “Companies have to understand that such intensive video surveillance is a major violation of their employees’ rights”. While businesses often argue that video surveillance can be effectively used to deter criminals, this does not justify the permanent and unjustified interference with the personal rights of their employees. “If that were the case, companies would be able to extend their surveillance without limit. Employees do not have to sacrifice their personal rights just because their employer puts them under general suspicion”, explains Thiel. “Video surveillance is a particularly invasive encroachment on a person’s rights, because their entire behaviour can theoretically be observed and analysed. According to the case law of the Federal Labour Court, this can put staff under pressure to act as inconspicuously as possible to avoid being criticised or sanctioned for their behaviour”.

The customers of notebooksbilliger.de were also affected by the illegal video surveillance, because some cameras were directed at seating on the sales floor. In areas where people typically spend more time (e.g. to try out devices), data subjects have high legitimate interests. This is especially true for seating areas, where customers are clearly invited to take their time. Therefore, the video surveillance used by notebooksbilliger.de was not justified.

The fine of 10.4 million euros is the highest penalty that has ever been imposed by the State Commissioner for Data Protection in Lower Saxony under the General Data Protection Regulation (GDPR). The GDPR enables supervisory authorities to impose fines of up to 20 million euros – or up to 4% of a company’s total annual turnover worldwide – whichever is higher. The fine imposed against notebooksbilliger.de is pending legal enforcement. The company has since arranged its video surveillance in accordance with the law and proved this to the State Commissioner for Data Protection in Lower Saxony.

The State Commissioner for Data Protection in Lower Saxony provides more information on video surveillance here.

For more information please contact the Lower Saxony DPA here: poststelle@lfd.niedersachsen.de

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA’s website or other channels of communication, the news item is only available in English or in the Member State’s official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.

Recent news

EDPB calls for coherence of digital legislation with the GDPR

Brussels, 04 December - During its December 2024 plenary, the European Data Protection Board (EDPB) adopted a statement on the second report of the European Commission on the application of the General Data Protection Regulation (GDPR).* In its statement, the EDPB...

read more

EDPB stakeholder event AI models

The EDPB is holding a stakeholder event on “AI models” with participants representing European sector associations, organisations, NGOs, individual companies, law firms and academics.    During today’s event, the EDPB will collect input for of the preparation of a...

read more