The General Data Protection Regulations (GDPR) are due to come into force in the UK in May 2018. The penalty for a breach of the GDPR is up to 20 million euros or 4% or worldwide turnover of the business involved. The stakes for such a breach have now got significantly higher.
In the case of Antovic and Mirkovic v Montenegro, the Dean of the School of Mathematics installed video surveillance in a lecture theatre at Montenegro University. The reason given was to protect the safety of property, people and students. The video footage could only be viewed via the insertion of a code held solely by the Dean and was destroyed after one year. It was therefore limited in time and access. In recording the lecture theatre, the video also recorded the teaching of the tutors in it. Two tutors, unhappy at this, claimed that the surveillance breached Article 8 of the European Convention on Human Rights – their right to respect for private and family life. The domestic courts concluded there was no breach. The European Court of Human Rights disagreed. They concluded that the right to private life includes business and professional activities. The cameras were installed with no legitimate aim as there was no evidence to suggest that safety was an issue.
In the second case, Lopez Ribalda & Others v Spain, a supermarket installed CCTV cameras after suspecting theft was occurring. There were discrepancies over the stock sold compared to recorded levels. They had a legitimate aim to discover the culprit. Visible and hidden cameras were installed. Staff were notified of the visible cameras only. The footage revealed staff ringing in purchases and then voiding them, allowing stock to be taken. When confronted about the footage the staff admitted the thefts. They went on to bring claims for compensation alleging their rights under Article 8 had been breached. Whilst the European Court on Human Rights accepted that the store had a legitimate reason for installing the cameras, they concluded the employees’ rights had been breached. They had not been ‘explicitly, precisely and unambiguously’ informed of the fact that there would be covert cameras, or the purpose for them in advance. The surveillance was of all employees, not just those suspected. It covered all working hours and had no limitation in time. The employees were awarded 4,000 euros each, despite having admitted the thefts.
These decisions may seem rather harsh, given the employer in each case had genuine business reasons for their actions. However, the way in which they were implemented caused the problem. In the UK, the Information Commissioner currently requires employers who use such recordings to carry out a risk analysis (or privacy impact assessment) and to use less intrusive methods of addressing any concerns where possible. Where used, access to the footage should be limited to key individuals. Employees should usually be notified in advance that the area is subject to monitoring and notified of the reason for surveillance and what it shall be used for. Footage should be used solely for the purpose communicated and retained only for so long as is genuinely needed.
If you have not yet reviewed your systems in light of these cases and the new GDPR requirements, you may wish to do so before May! Unsure what the GDPR means for your business – click here to book on to one of our GDPR seminars.
If you would like to discuss any issues raised in this article, we have specific employment law expertise in advising in this area. For further advice, please contact Angela Gorton, Partner in our award winning employment team.
Please note this information is provided by way of example and may not be complete and is certainly not intended to constitute legal advice. You should take bespoke advice for your circumstances.