The Circuit Court of Ireland recently weighed in on an employee-employer dispute regarding CCTV and the processing of an employee’s personal data. This decision is particularly relevant in light of the California Attorney General’s recent announcement of a compliance sweep focusing on employee data.
There are a few notable takeaways in the Irish decision, and our thoughts in response:
- The defendant provided to its employees four separate data protection documents covering CCTV usage in various levels of detail dated 2011, 2014, 2016, and 2018. In addition, only one of the documents explicitly disclosed that CCTV would be used for training, but the defendant indicated it did not rely upon that document in developing and conducting the training program that utilized the CCTV footage. The Court determined the company’s data protection policies were not sufficiently clear and transparent due to there being four separate documents covering overlapping material.
  - Many companies routinely update their internal policies but neglect to deprecate older versions. Companies should be sure to locate and remove old versions of updated policies and ensure all relevant links point to the most recent version (and that employees have access to those documents).
- The four policies were not provided in Polish, the plaintiff’s first language.
  - While it seems impractical to translate every data-related (or even non-data related) employee policy into every employee’s first language, it appears this Court found it problematic that the policies were not available in the plaintiff’s first language. Companies should consider translating their internal policies – or, at least, their most critical and sensitive policies – into the first language of their employees, if known.
- While the defendant eventually submitted that it was relying on the legal basis of legitimate interests, it did not conduct a legitimate interests assessment to show that the processing was necessary for the purposes for which it was used.
  - Among the ever-expanding list of projects for privacy and compliance teams, the legitimate interest assessment often lingers toward the bottom. Companies should ensure these assessments find their way back up the list and are timely completed.
- The defendant used CCTV cameras which captured the plaintiff engaging in poor safety practices at work, and the video was shown to his peers as part of training, which he claimed caused him embarrassment. The court found that bearing in mind the plaintiff’s role as a supervisor, his loss went beyond mere upset and created “an emotional experience and negative emotions of insecurity which did affect him for a short period of time.”
  - Many companies use an assortment of workplace and productivity monitoring tools, whether CCTV or SaaS-based platforms to support employee productivity, which coincidentally monitor the employee’s activities in email, for example. Companies should ensure that if they use CCTV or other monitoring tools and plan to use the results of these tools in employee training, they remove personal information from the results so as to not identify the employee. And companies should review whether they need to conduct DPIAs and consult with Works Councils prior to deploying these tools.
- The CCTV footage was stored and available on a communal computer without password protection, which created a “significant risk” according to the Court, even though the footage was not actually subjected to unauthorized access.
  - This makes plainly clear the crucial role basic access controls play. Use strong passwords. Rotate them. Use MFA where appropriate. Restrict access based on the principle of least privilege and need-to-know. Log accesses.
- The court awarded small damages of 2000 Euros.
  - Though an award of this size is minor, the legal fees, loss of productivity, and potential harm to employee morale throughout the company are likely more damaging.
- The plaintiff initially filed a complaint with the Irish DPC, but the complaint was not assigned to a handler due to a backlog of complaints, so the plaintiff opted to commence court proceedings.
  - As has been reported, many data protection regulators are understaffed. This may result in more claims of this nature finding their way to court instead of being resolved by a regulatory authority. Companies should increase data protection training and ensure they have readily-available and easy-to-use complaint mechanisms in place to handle data protection complaints as early in the process as possible. And if all else fails, see above points...
If you have questions about your internal company data protection or data privacy policies, or if you’re using employee monitoring tools such as CCTV or other productivity monitoring platforms, please reach out to us.