The Data Protection Commissioner of the German state of Lower Saxony, Barbara Thiel, announced in a press release dated 8 January 2021 that she had imposed a fine of EUR 10.4 million on the operator of the electronics retailer notebooksbilliger.de. This is the highest fine ever imposed by the Lower Saxony Data Protection Authority for violations of the European General Data Protection Regulation (GDPR).
The Data Protection Authority stated as a reason for its decision that there had been serious violations of the law in connection with the video surveillance carried out by the electronics retailer in its company. According to the Authority, the retailer's employees had been unlawfully monitored by video over a period of at least two years. Customers had also been affected by the unlawful video surveillance in the sales rooms of the electronics retailer, who additionally runs its own local shops. The Authority also pointed out, however, that the company's video surveillance activities are today organised in a lawful manner.
notebooksbilliger.de had argued that it used video surveillance to prevent and solve thefts in general. In this regard, however, the Data Protection Authority criticised in particular that the surveillance of the employees had taken place without a concrete reason and that the storage of the recordings for up to 60 days went far beyond what was necessary. In the opinion of the Authority, the video surveillance had, therefore, been suitable for systematically monitoring the employees' performance. The Authority further stated that the monitoring of seating areas in the electronics retailer's shops, where customers typically spend longer periods of time, had also been disproportionate.
notebooksbilliger.de has already filed an appeal against the decision of the Data Protection Commissioner of Lower Saxony. The electronics retailer criticises that the Data Protection Authority failed to sufficiently determine the facts of the case, for example, by inspecting the cameras in question on site. It further takes the view that the fine is disproportionately high compared to the seriousness of the violation. The company therefore considers the decision to be unlawful.
The fine imposed by the Data Protection Commissioner of Lower Saxony shows that data protection authorities are today imposing severe fines even for supposedly minor violations of the GDPR. Although video surveillance is a standard practice especially in the mail order business and in the logistics industry, data controllers must, therefore, carefully examine the use of each individual video camera. Details such as the orientation of the respective camera or the storage period of the recordings can also have an impact on the lawfulness of the entire procedure. As a result, companies that use surveillance cameras in their business premises should regularly check whether their procedure meets the data protection authorities' current requirements regarding the lawfulness of video surveillance.
In particular, the storage period of the recordings must be carefully examined. Even where surveillance serves the purpose of preventing and detecting criminal offences, it should be carefully considered how long the recordings actually need to be stored for this processing purpose. In its publication "Orientierungshilfe Videoüberwachung durch nicht-öffentliche Stellen" (which translates as "Guidance on video surveillance by non-public bodies") dated 17 July 2020 (the German language version is available at: https://www.datenschutzkonferenz-online.de/media/oh/20200903_oh_vü_dsk.pdf), the Conference of Independent Data Protection Authorities of the Federal Government and the German States (Datenschutzkonferenz, hereinafter: "Data Protection Conference") assumed that video recordings must generally be deleted after 72 hours if there are no indications within this period of time that would justify extending the storage period. Data controllers would thus be obliged to view the recorded material within 72 hours and would only be allowed to refrain from deleting the material if there were indications that a criminal offence has been committed.
However, in this context it could be disputed that the employees' rights and freedoms would actually be more severely affected by the regular thorough viewing of the recorded material than they would be if the recordings were stored for a longer period and then only viewed if there was a concrete reason to do so. The same applies to the view taken by the Data Protection Commissioner of Lower Saxony that data controllers must first consider less intrusive means, such as random bag checks, before carrying out video surveillance of a work space to prevent criminal offences, as many employees might actually find a search of their private belongings more intrusive than the video surveillance of their work space.
The amount of the fine imposed must also be viewed critically in this case. It can be assumed that the Lower Saxony Data Protection Authority determined the amount of the fine using the controversial fine model agreed by the members of the Data Protection Conference. In December 2019, the Federal Commissioner for Data Protection and Freedom of Information (BfDI) had already imposed a drastic fine of a similar amount on 1&1 Telecom GmbH, applying the Data Protection Conference's fine model. However, this fine was reduced by 90% by the Bonn Regional Court following an appeal by 1&1 Telecom GmbH. The appeal filed by notebooksbilliger.de could, therefore, also have a chance of success, at least with regard to the amount of the fine.