Workplace video monitoring under GDPR: what the law says

Workplace video monitoring under GDPR: what the law says

In the Modern Workplace: Let's take a look at the potential pitfalls businesses face when employing video surveillance on their staff in Romania, as explained by Mihaela Murariu, Legal Professional at Grecu Partners Business Law Firm.

In today's world, the incorporation of video surveillance systems in professional environments has become commonplace. The primary motivations behind this trend include safeguarding assets, ensuring employee safety, and monitoring productivity. However, adopting such measures brings crucial questions into light, particularly regarding employees' right to privacy.

The General Data Protection Regulation (GDPR) and Romanian legislation, notably Law no. 190/2018, set forth stringent rules to prevent the misuse of video surveillance. Employers must abide by these legal stipulations to ensure compliance with GDPR provisions, safeguarding not only the employer's interests but also the employees' fundamental rights. Current practices significantly affect employees' privacy. These regulations aim to protect employees' privacy rights and limit the unjustified processing of personal data.

According to Article 5 of the GDPR (EU Regulation 2016/679), the processing of personal data should adhere to the following principles:

• Lawfulness and transparency - Monitoring must have a clear legal basis and be transparently communicated to employees.
• Specific purpose - Surveillance should be justified by legitimate interests, such as asset protection or employee safety.
• Data minimization - Processing should be limited to what is absolutely necessary; invasive methods, such as audio recording, should be avoided if the intended purpose can be achieved through less intrusive means.
• Limited storage duration - Collected data should not be retained for more than 30 days, unless there exist exceptional circumstances.

A recent case handled by the National Supervisory Authority for Personal Data Processing (ANSPDCP) exhibits the consequences of neglecting the applicable personal data processing legislation. In line with the complaints received, ANSPDCP discovered that the Cluj-Napoca Public Transport Company was penalized 19,902 lei (approximately 4,000 euros) for the improper usage of audio-video surveillance systems in drivers' cabins. surveillance was conducted without a clear and legal justification, hence violating the principles of legality, transparency, and purpose limitation. The collected data, including images and sounds, were even employed for disciplinary sanctions against employees, an objective not initially declared. This practice impacted both employees and passengers, as the surveillance systems captured sounds/voices from them as well.

It's worth noting that the absence of video surveillance tools can result in several undesirable consequences for both employers and employees, depending on the industry. Companies may encounter challenges, such as managing security, preventing theft, identifying causes of workplace accidents, and addressing vulnerabilities like financial losses caused by thefts or employee negligence. Consequently, the objective of processing personal data via video surveillance is closely associated with the risks tied to workplace activities. Furthermore, the legality of data processing relies on the purpose and risks identified by each operator, which is why it's essential to collect only necessary data for achieving the intended goal.

Law 190/2018 offers additional clarifications concerning employee monitoring in Romania:

• Employer’s Legitimate Interest - The employer must demonstrate that surveillance is necessary and proportionate to the desired outcome.
• Employee Notification - Employees must be clearly informed in writing about the existence, purpose, and duration of monitoring.
• Consultation with Unions/Employee Representatives - Any decision to install surveillance systems should be discussed with labor allies.
• Choosing Less Invasive Methods - If the purpose can be achieved through other, less intrusive measures, video or audio monitoring should be avoided.
• Data Storage Limitation - The maximum duration for preserving images is 30 days, unless exceptional circumstances prevail.

Performing impact assessments enables operators to ensure compliance with data protection regulations and those applicable to the protection of the rights and freedoms of the data subjects (employees).

To sum up, the implementation of video surveillance systems should be accomplished responsibly and only under the conditions established by the law. The example of the Cluj-Napoca Public Transport Company illuminates how readily employees' and other data subjects' rights can be jeopardized through abusive practices. Employers are required to demonstrate the necessity of surveillance, clearly inform affected parties, and avoid invasive methods that may endanger privacy. Before installing a monitoring system, alternative, less intrusive solutions should be examined.

For more information or further inquiries, please contact [email protected].

This content is sponsored.

(Photo source: © Chernetskaya | Dreamstime.com)

(Note: The above article has been generated using AI and may not pass a human review.)

Background Knowledge:

• Romania's GDPR enforcement and national data protection laws impose stringent requirements for video surveillance in workplaces, particularly for employee monitoring. Key regulations and recent enforcement trends include:
  • GDPR Core Principles: Legal basis, transparency, purpose limitation, data minimization, and storage duration.
  • Romanian Law 190/2018: Prior notification, minimization, security measures, and compliance checks.
• ANSPDCP has enforced GDPR compliance in recent cases, imposing fines for excessive monitoring (CTP), insufficient data security (United Business Solutions SRL), and inadequate employee training.
• It's crucial for controllers to conduct impact assessments, document their lawful basis, display visible signage, provide written employee notifications, implement appropriate storage durations, implement access control and audit trails, and ensure compliance with impact assessments for high-risk processing.
• Using surveillance for secondary purposes, such as performance evaluation, without explicit consent or contractual basis, risks fines under GDPR Art. 5(1)(b).

1. The European Union's General Data Protection Regulation (GDPR) and Romania's Law 190/2018 necessitate that businesses ensure lawfulness and transparency in their use of video surveillance, particularly in regards to employees' data and privacy rights.
2. In Romania, according to Article 5 of the GDPR, video surveillance must have a clear legal basis and be transparently communicated to employees, with the aim to safeguard employees' fundamental rights.
3. Murariu at Grecu Partners Business Law Firm reports that the National Supervisory Authority for Personal Data Processing (ANSPDCP) issued a penalty of approximately 4,000 euros to the Cluj-Napoca Public Transport Company for failing to follow the principles of lawfulness, transparency, and purpose limitation in their video surveillance practices.
4. In order to ensure compliance with data protection regulations, performing impact assessments is essential for companies looking to implement data-and-cloud-computing technology, like video surveillance systems, in their business operations.

Read also: