In this article, we address a common question in practice – under which conditions can an employer use video surveillance footage in disciplinary proceedings against an employee?
In this regard, we analyze the following example from European practice, which provides some answers.
Namely, the Luxembourg Data Protection Commission (CNPD - Commission Nationale pour la Protection des Données) (“Commission”), as an independent body responsible for overseeing the application of data protection regulations in Luxembourg, issued Decision No. 2FR/2024 (“Decision”) on May 21, 2024.
In the Decision, the Commission took the position that the use of video surveillance footage for the purpose of conducting a termination procedure of an employment contract violates the principle of purpose limitation if the video surveillance was originally established solely for the purpose of ensuring the safety of employees.
Facts of the Case
The employer established a video surveillance system, which the Commission approved.
Subsequently, the Commission received a complaint from an employee regarding the data controller’s use of video surveillance footage to determine the factual circumstances of a violation of work rules or conduct by the employee, and on this basis, terminated the employment contract.
Upon investigating the complaint, the Commission found that the video surveillance system was established to ensure the safety of employees and users of the employer’s infrastructure.
In this case, the employer argued that, in order to comply with Luxembourg labor law and the lawful conduct of the termination procedure, which requires precise details of the circumstances of the disciplinary offense attributed to the employee, it was necessary to use the video surveillance footage, regardless of data protection laws.
Relevant Provisions
The Decision is based on the following provisions of the General Data Protection Regulation of the European Union (“GDPR”):
- Article 5(1)(a), which states that personal data must be processed lawfully, fairly, and transparently in relation to the data subject (“principle of lawfulness, fairness, and transparency”);
- Article 5(1)(b), which states that data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes (“principle of purpose limitation”);
- Article 5(2), which states that the controller is responsible for and must be able to demonstrate compliance with paragraph 1 (“principle of accountability”);
- Article 6(4), which states that if processing for a purpose other than that for which the personal data were collected is not based on the data subject’s consent or on Union or Member State law that constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1) GDPR, the controller must, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data were initially collected, take into account, among other things: (a) any link between the purposes for which the data were collected and the purposes of the intended further processing; (b) the context in which the data were collected; (c) the nature of the personal data; (d) the possible consequences of the intended further processing for data subjects; (e) the existence of appropriate safeguards;
- Article 13(1)(c), which states that the controller must provide the data subject with all information about the purpose of processing and the legal basis for processing at the time of collection.
Furthermore, the Decision is based on the Guidelines of the European Data Protection Board (European Data Protection Board), which emphasize the importance of defining the purpose of processing, subsequent use of data for other purposes, clear establishment of the legal basis for processing, prior notification to the data subjects, and accountability for processing.
Commission's Decision
Referring to the aforementioned provisions, the Commission took the position that before using video surveillance footage, the purposes of the surveillance or data processing must be initially detailed in writing, and if processing occurs for other purposes than the original, the controller must first ensure that such processing has purposes compatible with the original purposes, in accordance with the GDPR and the mentioned guidelines, and that the data subjects must be provided with information.
Considering the above, the Commission determined that the purpose of the video surveillance system in this case was to ensure a certain level of safety for employees and users of the employer’s infrastructure, and that the collected personal data were processed for another purpose, for conducting disciplinary proceedings against the employee and terminating the employment contract.
The Commission further determined that the employer in this case could process the data collected through the video surveillance system for the purpose of conducting disciplinary proceedings against the employee only if the processing was based on the employee's consent or if the further processing was compatible with the originally established purposes, in accordance with the above provisions, which, according to the Commission, considering the provisions of the GDPR and the mentioned guidelines, was not the case here.
For the aforementioned reasons, the Commission issued a warning to the employer for violating the aforementioned provisions.
Conclusion
Domestic regulations address this issue in the same way, and additionally, the supervisory body of the Republic of Serbia (Commissioner for Information of Public Importance and Personal Data Protection) has taken similar positions on this matter in the past.
Therefore, all purposes related to the application of video surveillance must be previously regulated in writing, in the employer’s internal acts, in accordance with applicable regulations, and that any further use of this data must be carried out in accordance with these acts.