🚨 Abusive recording of employees, video surveillance, performance tracking software 🇫🇷

Retention & Minimisation, Confidentiality & Security, Tools & Documentation | 26/03/2025

€40,000 Fine for a Real Estate Company

The CNIL has sanctioned a company for installing monitoring software on its employees' computers to track their working hours and assess their performance.

Source: SAN 2024-021

Abusive Monitoring of Working Hours

📌 Automated detection of inactivity:
• The software detected keyboard or mouse inactivity for 3 to 15 minutes.
• These periods of inactivity were recorded and could result in salary deductions.
• These times could include meetings, phone calls, or other professional tasks.

📊 Monitoring Employee Performance

📌 Digital behavior analysis:
• The software analyzed websites and applications used, categorizing them as productive or non-productive.
• 📸 Automatic screenshots (screencast) every 3 to 15 minutes, depending on company-defined settings.

🔐 Failure to Ensure Data Security (Article 32 GDPR)

⚠️ Security breaches:
• Shared access to a single administrator account, preventing traceability of access and actions performed.
• Major risk in case of data breaches or security incidents.

📹 Excessive Employee Surveillance

📌 Inappropriate video surveillance system:
• Two cameras continuously recorded employees, even in break rooms.
• 🎤 Audio and video recording 24/7, beyond security needs.

⚖️ Failure to Conduct a Data Protection Impact Assessment (Article 35 GDPR)

📌 Lack of a Data Protection Impact Assessment (DPIA):
• The monitoring software enabled systematic surveillance, creating a high risk to employees' rights and freedoms.
• The company should have conducted a DPIA before implementing the system.

🚨 Main GDPR Violations

📌 Article 5.1.c – Data minimization
📌 Article 6 – Lawfulness of processing
📌 Article 12 – Transparency and rights of individuals
📌 Article 13 – Information to data subjects
📌 Article 32 – Data security

📢 Conclusion

This sanction serves as a reminder that employee surveillance must comply with the GDPR and be proportionate to legitimate business objectives.
Excessive workplace surveillance is prohibited, and companies must ensure the security of collected data. ⚖️
