FineME
Technology · Retail · 2020

notebooksbilliger.de AG

The Lower Saxony DPA (LfD Niedersachsen) fined notebooksbilliger.de AG €10.4 million for operating a pervasive undisclosed video surveillance system that filmed employees at six locations — including workplaces, rest areas, and social rooms — continuously for over two years without adequate legal basis, without informing employees, and far beyond any demonstrable security purpose. The 60 cameras operated without defined retention periods and the footage was never systematically deleted. The LfD found the surveillance violated GDPR Arts. 5, 6, and 13 as well as the data minimisation principle.

Fine Imposed: €10.4M
Authority

Regulation: Bundesdatenschutzgesetz (Federal Data Protection Act 2018)

Max fine: GDPR maxima apply (€20M / 4% global turnover); BDSG §43 adds up to €300,000 for certain specific violations
Status: active
Key Takeaways
  • Workplace CCTV must be justified by a specific documented security purpose, disclosed to employees, and subject to strict retention limits — continuous undisclosed monitoring for general management purposes is an inherent GDPR violation regardless of whether misconduct is suspected.