The French data protection supervisory authority (Commission nationale de l'informatique et des libertés - CNIL) recently fined a French real estate company (the “Company”) €40,000 for its excessive surveillance of employees. The decision highlights the risks of employee monitoring practices and the need for careful analysis before applying these measures.
The Company had installed software on the computers of some of its employees to monitor their activity, as well as video surveillance on its premises for the prevention of theft. Following several complaints, the CNIL carried out an inspection, which revealed that the software automatically detected periods of employee inactivity via mouse movement and keyboard activity, and also tracked the websites visited and the programs used by employees. The software also took regular screenshots of the employees' computer screens. Additionally, the CNIL discovered that the Company had on-site video surveillance that constantly captured sound and images of the employees on its premises, allegedly for the prevention of theft.
The CNIL determined that the Company could not rely on legitimate interest as a legal basis for processing employees' personal data in the context of monitoring their activity, and that processing the data in this way breached Article 6 of the General Data Protection Regulation (GDPR). In relation to the constant surveillance, the CNIL noted that it could only be justified in exceptional circumstances and that, to be proportionate, it must not capture sound. The Company had therefore violated Article 5(1)(c) GDPR by operating permanent on-site surveillance with sound.
The Company was also in breach of Article 32 GDPR for allowing multiple users to share access to an administrator account through which all employee data could be accessed using a single set of login details. Because the Company had not carried out a data protection impact assessment (DPIA) in respect of the employee tracking software, despite the likelihood that such processing would pose a high risk to the rights and freedoms of the employees, the Company had also breached Article 35 GDPR.
Ultimately, the CNIL imposed a fine of €40,000 on the Company because it had breached several fundamental principles of the GDPR, and such breaches were “particularly serious” in view of the associated infringements of the fundamental rights and freedoms of its employees. In determining the amount of the fine, the CNIL took account of the Company's financial situation and its small size.