Legally compliant video surveillance in the workplace:Avoid GDPR traps

Imagine walking into your office and suddenly feeling like a film star – cameras everywhere, following your every move. Sounds like Hollywood? Unfortunately, no. Many companies rely on video surveillance to ensure security. But without the right legal basis, this approach can quickly become a massive data protection problem.

Prominent case:Amazon France Logistique and the expensive lesson

Amazon France Logistique is a well-known example. In January 2024, the company was fined a hefty €32 million by the French data protection authority CNIL. The reason? Excessive and unlawful monitoring of employee activities by scanners to collect productivity data. This monitoring was not only disproportionate; the data was also stored for an excessively long period of time. A classic case of ‘Big Brother is watching you’ – and it cost Amazon dearly.

The most common stumbling blocks to video surveillance in companies

Companies often fall into similar traps when it comes to the workplace:

Unclear legal basis:
Just hang up the camera because it seems safer? A no-go without a clear legal basis.
Lack of transparency:
Not informing employees and visitors about monitoring? This can quickly become problematic.
Insufficient security measures:
If the data collected is not stored securely, you open the door to data misuse.
Lack of documentation:
Without proper logs and directories, enquiries from the authorities can be unpleasant.

Legally compliant video surveillance in the workplace:The data protection requirements from the GDPR & BDSG

Legally compliant video surveillance in the workplace is only permitted within narrow limits. Both the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG) set clear rules.

Before installing video surveillance, companies must clarify the legal basis on which it is based. The GDPR requires a clear justification for any type of data processing. In many cases, a company can invoke the legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR – but only if no less restrictive measures are available. At the same time, the principle of data minimisation applies: only as much surveillance may be carried out as is absolutely necessary. Legally compliant video surveillance also means that blanket permanent surveillance without a specific reason is generally not permitted.

Duty to inform and transparency in video surveillance

Another key point is the duty of disclosure. Companies must clearly and visibly indicate that video surveillance is taking place in the workplace. This includes information on the controller, the purpose of the surveillance, the legal basis and the rights of the data subject. Companies must also be transparent about how long the recordings are stored – blanket, long-term storage periods are not permitted.

In most cases, video recordings should not be stored for longer than 72 hours, unless there is a specific justification for longer storage.

Data subject rights and data protection impact assessment (DPIA)

The rights of the data subjects also play an important role. Filmed persons have a right to information about the stored data, a right to erasure and the option to object to the processing.
In the case of video surveillance in the workplace, companies must ensure that such requests are processed in a timely manner. In addition, a data protection impact assessment (DPIA) may be required in certain cases, particularly if the surveillance poses a high risk to the rights and freedoms of the data subjects – for example, in the case of intensive monitoring of employees.

Technical and organisational measures (TOMs)

The data collected must be adequately protected so that unauthorised third parties cannot access it. These technical and organisational measures, or TOMs for short, include measures such as encryption, access restrictions and secure storage systems.

In addition, companies must keep a processing register in accordance with Art. 30 GDPR, in which the processing activities are documented in detail. If this documentation is missing, it is not possible to implement video surveillance in a legally compliant manner. And this can have unpleasant consequences in the event of an audit by the data protection authority.

Another case from practice:Covert video surveillance and its limits

Another incident illustrates the risks of unauthorised video surveillance: an employer had an employee on sick leave monitored by a detective agency in order to uncover a faked incapacity to work. In November 2024, the Federal Labour Court ruled that this secret surveillance constituted a breach of the GDPR and awarded the employee damages. The judges emphasised that the covert surveillance without a sufficient legal basis violated the employee’s right to privacy (BAG, judgement of 25 July 2024, Ref. 8 AZR 225/23).

A GDPR-compliant complete package for video surveillance in the workplace

To avoid falling into the same traps, our customers rely on a modular overall package:

Legal advice from specialists
Comprehensive audit of planned or existing video surveillance systems, in which all relevant legal and technical aspects are documented
Signs designed in accordance with regulations – from apron signage to camera instructions
Creation of guidelines and company agreements for internal regulation
Sample protocol for the comprehensible evaluation of video recordings
Processing notification with risk assessment in accordance with the GDPR
Clear processing directory in accordance with Art. 30 GDPR
Data protection impact assessment (DPIA) and recommendations on the technical design of video surveillance if required

Safety with a sense of proportion

Legally compliant video surveillance in the workplace can be a useful tool – if it is implemented correctly. Anyone who violates the GDPR risks high fines and the trust of employees.

With our support, you can ensure that your measures are not only effective, but also legally compliant. This will help you avoid costly penalties and ensure a good feeling among employees and customers – without any Hollywood drama.