IT retailer faces €10.4m GDPR fine for employee surveillance

Graphic of a CCTV camera observing anonymous people in a crowd
(Image credit: Shutterstock)

Regulators have imposed a fine of €10.4 million (roughly £9.3 million) on notebook retailer AG (NBB) after it was found to have conducted intrusive video surveillance against its employees.

The firm monitored its employees for at least two years without a legal basis, violating the principles of GDPR, with illegal cameras set up in workplaces, salesrooms, warehouses and other common areas.

Filming wasn’t limited to a specific period nor specific employees under suspicion, and footage was often saved for 60 days, which was deemed significantly longer than necessary by the state commissioner for data protection in Lower Saxony, Barbara Thiel.

In her judgement, Thiel said that video surveillance is only permissible in this way in order to uncover criminal offences if there’s a justified suspicion against specific individuals. The video surveillance operation in this case, however, violated the personal rights of the company’s employees. She added that unrestricted video surveillance constitutes a major encroachment on rights because, theoretically, employee behaviour can be analysed.

The way some of the cameras were positioned also meant that some footage recorded was of customers, who may have been dwelling in sales areas or testing devices offered.

The online IT retailer has objected to the fine, with its CEO Oliver Hellmold branding it entirely disproportionate. In a statement, he added it bears no relation to the size and financial weight of the company, nor the seriousness of the violation.

NBB claims it began recording the flow of high-quality IT products during the storage, sales and dispatch from 2017, and that this process was in full compliance with GDPR. This would provide a record which can be examined in the event of missing or damaged goods.

Hellmold added that protection authorities declined invitations to attend the workplace and see the use of cameras first-hand, adding had they done so, they wouldn’t have been able to maintain the core allegation. In the company’s view, it’s being set up to be made an example of.

Organisations can expect fines of up to €20 million, or 4% of annual turnover, for the most severe GDPR violations. The penalty against NBB is one of the largest recorded to date, not just in Germany but in wider Europe.

The case bears similarity to that levied against a german wing of the fashion retailer H&M last year, in which the firm was fined €35 million (roughly £31.9 million) for monitoring employees and recording information about their personal lives.

Investigators found in that instance that bosses at a Nuremberg-based operations centre conducted ‘welcome back’ interviews with employees returning from annual leave or sickness. Through these meetings, details about their whereabouts, family lives and even health status were recorded and discussed behind their backs.

Keumars Afifi-Sabet

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.