(Mar. 22, 2021) On January 8, 2021, the data protection commissioner for the German state of Lower Saxony (Landesbeauftragte für den Datenschutz Niedersachsen, LfD Niedersachsen) issued a press release announcing that the laptop retailer notebooksbilliger.de AG had been fined 10.4 million euros (about US$12.55 million) for violating the data protection rules of the General Data Protection Regulation (GDPR). She stated that the video surveillance of the retailer’s employees for more than two years had been conducted without a proper legal basis. In accordance with the guidelines on processing of personal data through video devices issued by the European Data Protection Board (EDPB), she held that a general suspicion that theft or other crimes are taking place does not justify such a massive violation of the employees’ right to protection of personality. Less severe measures, such as checking bags on a random basis when employees are leaving, must be explored first.
The LfD explained that video surveillance of employees may take place only if there are reasonable grounds for suspecting specific individuals. In addition, it must be time limited. In the case at issue, the video surveillance was unlimited and based on a general suspicion. Furthermore, data was stored for 60 days, which is longer than necessary.
Customers were also affected by the illegal video surveillance, because some of the cameras were filming the seating areas in the show rooms. The video surveillance in such areas was not proportionate, because people have high legitimate interests in areas where they typically stay for a longer period of time—for example, to test out the devices offered in the store.
The fine represents the highest penalty that has ever been imposed by the State Commissioner for Data Protection in Lower Saxony and one of the largest fines under the GDPR that have been imposed to date by a national data protection authority.
The GDPR took effect on May 25, 2018, and is directly applicable in all European Union member states. It covers the processing of all personal data, irrespective of the means of transmission. Controllers processing personal data must ensure that the processing complies with the principles set out in the GDPR, in particular lawfulness, meaning that there needs to be a proper legal basis for the processing. National supervisory authorities may fine businesses that violate these principles. The GDPR sets the maximum amount for fines; it is up to the national authorities to determine an amount that is “effective, proportionate and dissuasive.” (GDPR art. 83, para. 1.) There are two tiers of fines, depending on the nature of the breach. In the lower tier, fines may be as much as 10 million euros (about US$12.1 million) or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher; in the higher tier, fines may be as much as 20 million euros (about US$24.1 million) or up to 4% of the total worldwide annual turnover, whichever is higher. (Art. 83, paras. 4, 5.)