🚨 Abusive recording of employees, video surveillance, performance tracking software 🇫🇷

Retention & Minimisation, Confidentiality & Security, Tools & Documentation | 26/03/2025

❌ €40,000 Fine for a Real Estate Company

The CNIL has sanctioned a company for installing monitoring software on its employees' computers to track their working hours and assess their performance.

Source: SAN 2024-021

⏳ Abusive Monitoring of Working Hours

📌 Automated detection of inactivity:
• The software detected keyboard or mouse inactivity for 3 to 15 minutes.
• These periods of inactivity were recorded and could result in salary deductions.
• These times could include meetings, phone calls, or other professional tasks.

📊 Monitoring Employee Performance

📌 Digital behavior analysis:
• The software analyzed websites and applications used, categorizing them as productive or non-productive.
• 📸 Automatic screenshots (screencast) every 3 to 15 minutes, depending on company-defined settings.

Failure to Ensure Data Security (Article 32 GDPR)

⚠️ Security breaches:
• Shared access to a single administrator account, preventing traceability of access and actions performed.
• Major risk in case of data breaches or security incidents.

📹 Excessive Employee Surveillance

📌 Inappropriate video surveillance system:
• Two cameras continuously recorded employees, even in break rooms.
• 🎤 Audio and video recording 24/7, beyond security needs.

⚖️ Failure to Conduct a Data Protection Impact Assessment (Article 35 GDPR)

📌 Lack of a Data Protection Impact Assessment (DPIA):
• The monitoring software enabled systematic surveillance, creating a high risk to employees' rights and freedoms.
• The company should have conducted a DPIA before implementing the system.

🚨 Main GDPR Violations

📌 Article 5.1.c – Data minimization
📌 Article 6 – Lawfulness of processing
📌 Article 12 – Transparency and rights of individuals
📌 Article 13 – Information to data subjects
📌 Article 32 – Data security

📒 Conclusion

✅ This sanction serves as a reminder that employee surveillance must comply with GDPR and be proportionate to legitimate business objectives.
✅ Excessive workplace surveillance is prohibited, and companies must ensure the security of collected data. ⚖️
