Tag: Administrative fines

German online shop receives fine of 10.4 mio. Euro for unlawful video surveillance

13. January 2021

The State Commissioner for Data Protection of Niedersachsen (“LfD Niedersachsen) has imposed a fine of 10.4 mio. Euro on notebooksbilliger.de AG, a German online shop for notebooks.

According to the press release dated 08.01.2021, notebooksbilliger.de had been video-monitoring its employees for at least two years, including at workplaces, in sales rooms, in warehouses and in common areas, without there being a legal basis for doing so. Customers were also affected by the video surveillance, as some cameras were directed at seats in the sales area.

Notebooksbilliger.de claimed that the cameras were intended to prevent and solve crimes offences and track the flow of goods in the warehouses. In the opinion of the LfD Niedersachsen, a company must consider milder measures to prevent thefts such as random bag checks when leaving the premises. Moreover, video surveillance is only be lawful, if there is reasonable suspicion against specific persons and only for a limited period of time. This was not the case at notebooksbilliger.at the authority said. Moreover, the recordings of the video surveillance were stores for 60 days in many cases, which was significantly longer than necessary.

In the meantime, notebooksbilliger.de had set up the video surveillance lawfully and had proven that to the LfD Niedersachsen. The fine is not yet legally binding. The company has appealed the fine and published a statement on its homepage. Notebooksbilliger.de considers the amount of the fine to be disproportionate to the financial strength of the company and defends itself against the statement that it systematically monitored the performance and behavior of its employees. The video system was at no time designed to monitor the behavior of employees or their performance. Moreover, despite several invitations by notebooksbilliger.de, no employee of the authority had spoken to employees in the company’s warehouses or dispatch centers.

Dutch DPA published update on policy on administrative fines

9. April 2019

The Dutch Data Protection Authority, Autoriteit Persoonsgegevens (Dutch DPA), announced an update on its policy regarding administrative fines.

In addition to the Dutch GDPR implementation law the published policy provides insides on how the Dutch DPA will use its fining powers. According to the policy the DPA differentiats three or four categories of infringements. Each infringement is fined with a basic fine and a specific penalty bandwidth.

The DPA calculates the fine in two steps. First the basic fine is applied, second the basic fine is increased or decreased according to the classification to the different categories. Various aspects are included in the calculation of the fine, such as:

  • the nature, the seriousness and duration of the violation,
  • the number of data subjects affected,
  • the extent of the damage and of the data compromised,
  • the intentional or negligent nature of the violation,
  • the measures adopted to mitigate the damages,
  • the measures that were implemented to ensure compliance with the GDPR, including information security measures,
  • prior violations,
  • the level of cooperation with the DPA,
  • the types of data involved,
  • how the DPA became aware of the violation, including whether (and if so, to what extent) the data controller or processor reported the violation,
  • adherence to approved codes of conduct an certification mechanisms,
  • any other applicable aggravating or mitigating factors.

The maximum amount in general is €1.000.000,00, but the fine can be higher in case the Dutch DPA decides that the calculated maximum amount is inappropriate in the particular case.