On 19 December 2024, the French Commission Nationale de l'Informatique et des Libertés (CNIL) imposed a €40,000 fine on a real estate company for excessive surveillance of its employees. 

Context

The company had installed software on employees' computers to monitor their activity during remote work and used a video surveillance system on its premises. Following complaints received in 2022, the CNIL conducted an inspection and found several illegal activities:

  • Continuous Video Surveillance: The company installed two cameras that continuously recorded both images and sound in workspaces and recreational areas. 
  • Inactivity Monitoring: The software tracked periods of inactivity by registering any time an employee did not hit the keyboard or use the mouse for more than 3 to 15 minutes. If employees did not compensate for these "inactive" periods, they faced pay reductions.
  • Regular Screenshots: The software took screenshots of employees' computer screens every 3 to 15 minutes. 
  • Shared Administrator Account: The company allowed shared access to an administrator account, which had access to the tracking software, making it impossible to track who accessed the data. 

GDPR breaches

The CNIL identified several breaches of the GDPR by the real estate company:

Article 5(1)(c) – failure to comply with the data minimisation principle 

The continuous video surveillance and the software's measurement of "inactive" periods were deemed excessive and not justified by any exceptional circumstances. The CNIL found that the system did not allow for a reliable count of working hours and disproportionately infringed on employees' rights. 

Article 6 – failure to ensure lawful processing

The software's ability to track time and take regular screenshots was considered particularly intrusive, as sensitive personal information could also be captured. The CNIL found that this practice had no legal basis and violated the principle of lawful processing. 

Articles 12 and 13 – failure to comply with the obligation to provide information and transparency

Although the company had put up a camera sign with the words "video-monitored space" on one of the doors and orally informed the employees of the tracking software, the CNIL found that the company had failed to provide sufficient information to employees about the monitoring software and video surveillance.

Article 32 – failure to comply with the obligation to ensure security of personal data

The CNIL found that the company permitted shared access to an administrator account, which posed a significant security risk and made it a prime target for ransomware. 

Article 35 – failure to carry out a Data Protection Impact Assessment (DPIA)

The company did not carry out a DPIA for the monitoring software, which was required due to the high risk to employees' rights and freedoms. 

Comparison to the Amazon Fine

This case is reminiscent of the €32 million fine imposed on Amazon France Logistique by the CNIL in February 2024 for similar GDPR breaches. Amazon was fined for excessive and illegal surveillance of employee activities, including the illegal tracking of inactive time. (For more details on that fine, please see our article here). However, the CNIL took into account the real estate company's relatively small size and annual turnover in setting the fine at €40,000.

UK's ICO Stance on Employee Monitoring

The UK Information Commissioner's Office (ICO) guidance covers various processing activities like those conducted by the real estate company, such as video and audio recording, screen captures, and productivity monitoring. The ICO stresses that such activities must be necessary, proportionate, and transparent – please see our article on the ICO's October 2023 update here.

For instance, the ICO notes that device monitoring activities that track workers' productivity through screen captures are likely to capture excessive amounts of employees' personal information, similar to the CNIL's assessment. The ICO also provides an example where an employer rolls out device monitoring to allow senior management to access automatic webcam images to check if remote workers are at work. The ICO deemed this approach likely to infringe data protection law because it was disproportionate. There are less intrusive ways to check start times, such as checking the times workers log onto the computer system and then giving workers the opportunity to explain any discrepancies. You can refer to the ICO's detailed guidance on monitoring workers here.

Conclusion

The CNIL's fine against the real estate company serves as a reminder of the stringent requirements under the GDPR for employee monitoring. Employers must ensure that their monitoring practices are justified, transparent, and secure, and that they conduct necessary impact assessments to protect employees' rights and freedoms. 

Property Watch: Real Estate Company Fined for Excessive Surveillance