On 30/12/2019, the Hellenic Data Protection Authority (hereinafter the “Authority” or “HDPA”) issued a decision regarding the use of video surveillance systems in the workplace. The case concerned a complaint submitted by a company’s employee union, which focused on the legality of a closed-circuit television (hereinafter “CCTV”) system operating in areas such as company warehouses and the call center, not solely for security purposes but also for the monitoring and supervision of staff.
The company argued that the operation of the CCTV system on its premises was based on its legitimate interest in protecting individuals and/or assets (notably high-tech and therefore high-value goods) processed at its stores and facilities.
The HDPA identified several breaches of the employer's obligations under the data protection framework in force at the time of the complaint. It issued a warning to the company for the violations and ordered it to implement corrective measures.
Taking into account this decision of the HDPA and the recent guidance issued both by the HDPA and the European Data Protection Board (EDPB) concerning the lawful and transparent adoption of CCTV systems in the workplace, this document aims to briefly describe both the relevant legal framework and the practical steps a data controller must follow to ensure compliance with the privacy requirements under Regulation (EU) 2016/679 (GDPR) and national law.
I. Legal Framework
It should be noted at the outset that the use and operation of a CCTV system with recording capabilities in the workplace constitutes processing of personal data. On 31/03/2011, the HDPA issued Guideline 1/2011, defining CCTV systems as “systems permanently installed in a space, operating continuously or at regular intervals, and capable of capturing and/or transmitting video and/or audio signals from that space to a limited number of display monitors and/or recording devices” (see also Opinion No. 2/2010, para. 8).
In general, the lawfulness of processing is assessed based on the purpose pursued in conjunction with the means used, and the necessity and proportionality of such means. Specifically, the lawfulness of a CCTV system’s operation is evaluated based on the purpose of the data controller, the level of risk involved, the rights and freedoms of the data subjects, and the existence of alternative measures, according to the principle of proportionality, which is crucial in such assessments, especially in workplace settings.
Regarding CCTV in the workplace, the HDPA has stated that such systems generally constitute a means of employee monitoring and control. If installation is deemed necessary for security reasons, they must not be used for staff surveillance. Therefore, their installation should not extend to general workplace areas (e.g. hallways, offices, etc.) but only to locations requiring protection (e.g. entrances/exits, cash registers, safes, etc.).
This approach is also reflected in Law 4624/2019, which allows installation of CCTV in workplaces only for the protection of individuals and property, provided that the core of the data subjects’ rights and freedoms is not infringed.
If employee data is collected via CCTV, such data must not be used to assess employee behavior or performance. Any data used for employee evaluation must be directly linked to the employment relationship and must not include unrelated information (e.g. behavioral data, interpersonal relations, etc.). In all cases, the controller must ensure that data subjects are informed timely and appropriately, use adequate technical and organizational measures (e.g. face masking, image-only capture), and retain the data only for the prescribed period (up to 15 days).
II. Accountability
As data controllers, employers may need to conduct a Data Protection Impact Assessment (DPIA) before installing a CCTV system.
Under GDPR, a DPIA is mandatory when the data processing involves systematic monitoring of a publicly accessible area on a large scale, or when it appears on the list of high-risk processing activities defined by the supervisory authority of the relevant Member State.
According to the HDPA, a DPIA is required where there is “systematic and large-scale monitoring, observation or control of individuals through video surveillance systems in public, publicly accessible, or private spaces open to an unlimited number of persons”.
The Article 29 Working Party (WP248 rev.01) identified nine criteria for determining whether a DPIA is necessary. As a rule, processing that meets two or more of them requires a DPIA:
- Evaluation or scoring, including profiling.
- Automated decision-making producing legal or similarly significant effects.
- Systematic monitoring.
- Processing of sensitive or highly personal data.
- Large-scale processing.
- Matching or combining data sets.
- Data concerning vulnerable subjects.
- Use of new or innovative technologies.
- Processing that prevents data subjects from exercising a right or using a service/contract.
III. Conclusion
As discussed above, under both EU and national legal frameworks and in light of CJEU case law and EDPB/HDPA guidance, CCTV installation and use in the workplace is permissible solely for security purposes (e.g., safeguarding goods, facilities, staff engaged in high-risk work). If an employer deems installation necessary, they must ensure the following:
- No image capture from adjacent streets/sidewalks or neighboring properties.
- No image capture in areas where privacy is violated (e.g., restrooms, locker rooms, showers).
- As a rule, no audio recording (allowed only in exceptional cases).
- As a rule, no use of cameras with zoom or pan features (permitted only under specific conditions).
- No installation in work areas (e.g., offices, hallways, kitchens), except in high-risk facilities, and then only with cameras focused solely on the asset being protected.
- Only designated and authorized staff may access the CCTV system and its recordings.
- CCTV data must not be used to evaluate employees.
- Data must be deleted within 15 days. Exceptionally, if an incident occurs, the relevant footage may be stored separately for up to 30 days; where a third party is involved, for up to 3 months.
- No transmission of footage to third parties is allowed unless the data subject consents, or unless a lawful request is made by a judicial, prosecutorial or police authority. Victims or perpetrators of crimes may receive copies.
- Data subject rights must be respected. If a legitimate objection is raised, appropriate action must follow to prevent recurrence of the unlawful processing.
- Employees must be informed timely and adequately about the installation of the CCTV system.
- The records of processing activities must be updated.
- A DPIA must be conducted if required.
- If the DPIA outcome so mandates, a prior consultation with the HDPA must take place to seek guidance on risk mitigation measures.
It is emphasized that, since the GDPR came into effect, non-compliance with data protection obligations can lead to significant administrative fines of up to €20,000,000 or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher.
For this reason, it is essential to collaborate with specialized advisors, whose expertise ensures both operational continuity and compliance with the data protection legal framework at EU and national level.