Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Technology

GDPR: German Laptop Retailer Fined $12.6M For Video-Monitoring Employees (zdnet.com) 100

The data regulator for the German state of Lower Saxony has fined a local laptop retailer a whopping $12.6 million for keeping its employees under constant video surveillance at all times for the past two years without a legal basis. From a report: The penalty represents one of the largest fines imposed under the 2018 General Data Protection Regulation (GDPR) not only in Germany but across Europe as well. The recipient is notebooksbilliger.de AG (doing business as NBB), an online e-commerce portal and retail chain dedicated to selling laptops and other IT supplies. The State Commissioner for Data Protection (LfD) for the state of Lower Saxony said that the company installed two years ago a video monitoring system inside its warehouses, salesrooms, and common workspaces for the purpose of preventing and investigating thefts and tracking product movements. Officials said the video surveillance system was active at all times, and recordings were saved for as much as 60 days in the company's database.
This discussion has been archived. No new comments can be posted.

GDPR: German Laptop Retailer Fined $12.6M For Video-Monitoring Employees

Comments Filter:
  • by AleRunner ( 4556245 ) on Tuesday January 19, 2021 @11:38AM (#60964296)

    Rosbifs and Yankees stunned. Thought everybody belonged to their employer for the time of work.

    • In that case I should be compensated $100 million .. for being under constant surveillance by my boss because and only because he wanted to please his boss with my ideas.. duh.
      • Mind you that Americans misunderstand this:
        The problem is that employees were not being told! And weren't able to opt out. Let alone withour repercussions. They didn't even know.

        You are perfectly allowed to film your employees if you follow those rules. I's just that nobody would willingly work for you anymore if you go as far as NBB with it.
        Which is exactly why they kept it a secret.

        So, if it happened without your (non-forced) consent, you *do* deserve compensation, in whatever you lost, including privacy.

        • by mridoni ( 228377 )

          I don't know about Germany, but in Italy remotely surveillance/monitoring of employees is always forbidden, it doesn't matter whether you tell them or not. There are obviously exceptions for particular jobs (handling of hazardous materials, cash oe valuables, etc.)

        • The problem is that employees were not being told!

          Neither the summary nor the article says that the employees were not informed of the surveillance.

          The article says that customers visiting the company were not informed, which implies that employees were informed.

          The article also says that the constant surveillance caused "stress and pressure" on the employees, which would not be the case if they were unaware they were being recorded.

    • Not many people more of a privacy nut than I am, but this is bullshit. Privacy belongs to the owner of the device. If I provide my employee with a device for use for company puposes, I have the right and the duty to know everything that device is used for. There should be no implied sense of privacy for the user of the device that I own.

      • Not many people more of a privacy nut than I am, but this is bullshit. Privacy belongs to the owner of the device.

        OK, let's ignore that you have got completely the wrong end of the stick, because it wasn't about laptops, it was about surveillance cameras owned by a laptop retailer.

        So ignoreing that, no. There are rules about what you can and cannot do to your employees. Giving them a work owned device doesn't exempt you from the rules simply because the device is yours. IOW, you can do whatever you want on

        • So you can't install cctv to mointor your own warehouse/business? Make sure no one is just walking out with a massive stack of laptops because for some reason your employees are allowed to do whatever they want and you're not allowed to know what's happening in various places of your own business without being pysically there to observe? Or if someone breaks in you're not allowed to video that because the thiefs don't give their consent to be recorded? What a mad, mad system. It's not like they installed cc
  • Does the NSA still have their backup copy?
  • Must take a large staff just for surveillance.

  • by stikves ( 127823 ) on Tuesday January 19, 2021 @11:50AM (#60964350) Homepage

    When I read the headline, I though "oh another company that surveils their employees at home", but no this was not some spyware installed on the laptops. It was clearly an internal security system.

    This is crazy. Monitoring premises goes both way. They not only protect against insider theft, but will also help outsiders from harming them. With all those crazies attacking tech campuses in the recent years, does it not make sense to have 24/7 surveillance at the premises?

    Pre-covid we had security card access at all doors (with logging), and camera for almost all angles inside our buildings. I never thought "gee, they are infringing my privacy". At my internship the computers had a warning "we might use keyloggers", and I though they were serious. There is no reason not to keep track of what is going on inside premises, as long as that does not extend to the outside.

    • It was clearly an internal security system. This is crazy. Monitoring premises goes both way.

      What this clearly was is good intentions gone wild. Security in a warehouse? Sure. Tracking product movement and thefts is normal. Security in sales rooms and offices with data retained for very long periods, that's where they crossed the line.

      With all those crazies attacking tech campuses in the recent years, does it not make sense to have 24/7 surveillance at the premises?

      That's not actually a thing in countries that treat people like people.

      Pre-covid we had security card access at all doors (with logging)

      Logging? Why logging? Not being funny here, this is another one of the things you can't track in Germany. If a security card is personalised then it is not allowed to be logged. If a security card

      • by stikves ( 127823 )

        But these are not just "perceived" security issues.

        Target was hacked by the HAVC service company:
        https://krebsonsecurity.com/20... [krebsonsecurity.com]

        They were late in detecting that. Without internal surveillance, it could have taken even longer. Think about not having logs of who is inside (security card logging).

        A business is a business. Unless they track you at home, I expect to have keyloggers, screen recorders, video surveillance, and door logging all the time. As you said, this also protects me as a worker. If at any ti

        • by thegarbz ( 1787294 ) on Tuesday January 19, 2021 @12:25PM (#60964490)

          Target was hacked by the HAVC service company:

          If you're relying on video surveillance to keep you safe from nefarious actors you specifically invite in then you're doing something VERY wrong. Maybe being banned from taking video surveillance will actually force you to take security more seriously.

          A business is a business.

          Indeed. It's a business, not a farm. Treating employees like cattle may work in the USA, but in Europe a business is a business and employees are treated as humans.

          Expecting privacy at work (except for breaks / restrooms / etc) does not sound meaningful. That is one place I prefer security over freedom.

          If you want security then tracking you via surveillance is the single dumbest way to go about it. I did a great little test the other day in a secure area of one of our facilities after I left my phone in there. I went to the smokers room (damn Germans still have those) and told him I left my phone on his desk and asked if I "could quickly borrow his key". He said "No, I'll come with you" and put down his cigarette. Absolutely the right answer, and far better than pointing a camera at his desk.

          • by Joviex ( 976416 )

            If you want security then tracking you via surveillance is the single dumbest way to go about it. I did a great little test the other day in a secure area of one of our facilities after I left my phone in there. I went to the smokers room (damn Germans still have those) and told him I left my phone on his desk and asked if I "could quickly borrow his key". He said "No, I'll come with you" and put down his cigarette. Absolutely the right answer, and far better than pointing a camera at his desk.

            Man, that is some of the most obtuse shit I ever read.

            You just said "security is ONLY AS GOOD AS THE PEOPLE".

            Not all people are "GOOD", my dude. THAT is why we USE technology to TRACK their dumbasses.

            But you keep going with "all people are good", hoss.

            • You just said "security is ONLY AS GOOD AS THE PEOPLE".

              Nope. I said video is shit. You think a camera would have prevented a hack? You think a camera would have prevented me doing something dangerous if an employe gave me the keys to the door? You think cameras stop people plugging in USBs, or lock doors as people leave?

              Security is a complete system and set of processes that work together to remove *the ability* for something goes wrong. Video surveillance does jack shit, ... oh expect maybe provide great footage to use against you in court to expose how poor y

        • Keylogging is pretty stupid. It is a security risk, why would anyone do that? And under EU worker laws: not allowed anyway.

    • by BAReFO0t ( 6240524 ) on Tuesday January 19, 2021 @12:21PM (#60964468)

      This is only crazy in the way that not getting beaten for "something you clearly were guilty of" is "crazy" for abused children.

      Hint: Since the GDPR, you MUST tell everyone when and what you are recording, MUST give detailed reasonable justified reasons for why, and MUST inform of the duration of storage, which must be reasonable and justified too.
      BEFOREHAND.
      WITH PROVEN AGREEMENT BY THOSE RECORDED. (E.g. signing it, or entering a door with such a sign anyway.)

      And the reasonability of those reasons you give, must be court-proof. Otherwise one can sue. They cannot override law either.

      Furthermore, we have the expectation of privacy in public. By that we do not mean nobody who was there can point and laugh and tell others later. We mean that it can't go out to the entire world and permanently ruin the person's life even decades after. That is called forgiveness. Even a murderer is forgiven after 20 years.

      • by Joviex ( 976416 )

        Furthermore, we have the expectation of privacy in public. By that we do not mean nobody who was there can point and laugh and tell others later. We mean that it can't go out to the entire world and permanently ruin the person's life even decades after. That is called forgiveness. Even a murderer is forgiven after 20 years.

        This wasnt in Public. I can understand "disclosure", that can be done with COMMON FUCKING SENSE and a few SIGNS.

        The world is spinning into this "memememe" bullshit as an excuse to act like a selfish asshole -- in this case -- at a PRIVATE business where they are EMPLOYED.

        Again, I can understand the lack of disclosure being a problem, but, 12 million? What do you think you are doing "in private" inside someone else's BUSINESS?

        again, that is just people screaming "MEMEMEMEMEMME" all the time with zer

        • What do you think you are doing "in private" inside someone else's BUSINESS?
          As an employee?
          a) having a private chat while working calling my boss a dumb ass?
          b) having a private chat telling another employee I will on vacation with my wife at place X
          c) having a private chat telling another employee that I will leave the company in 3 month?
          d) having a private chat telling another employee my wife is pregnant, and I'm going to take "parent care vacation" in 6 month?
          e) doing a private phone call during a perio

    • by AmiMoJo ( 196126 ) on Tuesday January 19, 2021 @12:29PM (#60964510) Homepage Journal

      Video monitoring has to be justified. If there has been theft in a particular area then that might justify putting cameras there, temporarily until the thief is caught. It does not justify putting cameras everywhere, especially in places like sales offices where no theft has taken place and any thieves would likely be caught with their swag on cameras outside the building anyway.

      It matters what area it is, e.g. the office is more sensitive than the back door. It also matters what the camera can see and if it has sound. The intrusion must be justified and while there is a fair bit of leeway given this kind of blanket surveillance is not allowed.

      • is PREVENTION.

        It is done to PREVENT and CURTAIL potential crime, AND as a way to track after the fact.

        sticking up video cameras after the theft is tantamount to stupidity, hoping the thief will do it AGAIN! and that they don't notice your "now" existing security.
        • by spitzak ( 4019 )

          To prevent crime they have to know they are being video recorded, and apparently that was not happening.

      • by nnull ( 1148259 )

        I just have one main one facing the offices just in case someone does break in. I find letting people know about my office security camera and giving them access to it completely calms people nerves. Mostly they've been using it to find lost stuff, or find out who was in their office messing with stuff. If they want to look, go for it. There's no harm.

    • by kot-begemot-uk ( 6104030 ) on Tuesday January 19, 2021 @01:58PM (#60964844) Homepage

      Sure, you can have surveillance in the workplace in Germany. You have to comply with local law. That was the case 21 years ago when I had to explain this to a Texan idiot from the security section in the IT department of the USA company I worked for at the time. It is the case now. In fact, we are all compliant to German law as GDPR and other privacy regs have had a lot of passages copied from the German and Austrian law code.

      1. The surveillance must be fit for purpose. You cannot just jot cameras every where and record every move of an employee. That is absolute NO. If you want surveillance to prevent theft, etc, you have to install it only where it is relevant to the task.

      2. The surveillance records must be disposed of in a timely manner. You cannot keep them forever.

      3. The surveillance system records must be accessed only under a specific procedure and only as a part of a formal investigation.

      Looks like they violated 1 + 2 and I can bet that they violated 3. Violations of 3 are the norm in UK and USA as well as any other place which is stupid enough to violate 1 or 2. In the days when I carried the hat of head of IT in a company I had more than one case where I was threatened to be fired myself if I do not give company execs access to video footage WITHOUT a formal HR case in progress. I caved in at the time (difficult to resist when you have a family to feed and mortgage to pay). Try doing it in Germany - the result will be as described in the article.

    • by nnull ( 1148259 )

      They not only protect against insider theft, but will also help outsiders from harming them. With all those crazies attacking tech campuses in the recent years, does it not make sense to have 24/7 surveillance at the premises?

      This is Europe, not the US. There is an expectation of privacy in a civilized nation.

    • The issue, as I understand it, is not the surveillance.

      It's the retention, the lack of notification, and lack of opt-out option for the employees.

  • Correction: (Score:5, Informative)

    by BAReFO0t ( 6240524 ) on Tuesday January 19, 2021 @12:00PM (#60964372)

    The State Commissioner for Data Protection (LfD) [...] said that the company installed [it] two years ago a video monitoring system [...] for the purpose of preventing and investigating thefts and tracking product movements.

    The commissioner did not say that.
    The company said that they die it for that reason.
    The state commissioner said that the company said that.
    And he disagreed. Which is key here.

    • The commissioner did not say that.
      The company said that they die it for that reason.
      The state commissioner said that the company said that.
      And he disagreed. Which is key here.

      The commissioner can agree or disagree all she wants, she still needs to make sense and the lack of good sense is key here.

      She argues, "Video surveillance is a particularly intensive encroachment on personal rights, because, theoretically, the entire behavior of a person can be observed and analyzed," and while her argument is true does it ignore that it also entails observing and analysing the behaviour of thieves, which is exactly why companies are allowed to install cameras in the first place. It is how

      • Seriously the "Nothing to hide argument"?! https://en.wikipedia.org/wiki/... [wikipedia.org]

        Just read this https://spreadprivacy.com/thre... [spreadprivacy.com]

        I can provide more links but I bet you will not even read the one provided.

        • I can provide more links but I bet you will not even read the one provided.

          You must have a lot of fear in you, but I read both of them briefly, and neither explains why people would experience "continuous stress and pressure". We have surveillance almost everywhere here in the UK and I can say with certainty that nobody gives a single thought about it. So you can dig up as many articles you want, they simply don't reflect reality at this point. All you're really trying to do is to spread fear and doubt about CCTV as if behind every camera there was some imaginary evil ghost lurkin

  • As long as there are strict rules about what conditions the video can be reviewed, by who and what is allowed to be shared I'm fine with it. In Ottawa Canada, the city experimented putting cameras in city parks. They laid out all the rules about it. If no crime was reported within X days of the recording the recordings would automatically be deleted. If there was a crime reported there was a set of rules for approving a review and by who. Also the cameras filtered out the neighbouring yards so they nev
  • Despite the strict German labor laws, Amazon's warehouses in Germany get away with as much as they possibly can and some more.

    • Source?

      • by gustgr ( 695173 )

        The source is mostly anecdotal: my wife worked for Amazon in Germany. They don't actually break the law but they treat employees extremely poorly [by German standards]. Strikes are frequent and unionization is coming, so things are bound to change.

        If you Google for amazon deutschland betriebsrat and similar terms you will find a myriad of articles on the topic.

  • To punish with a fine of $12.6 million when every employee has got a camera on their mobile phone and makes frequent use of it even at work, then the punishment becomes unreal. And laptops get stolen a lot. A company, who sells valuable items that are in demand, should have the right to protect itself against theft. The verdict is a sad victory for crime, and not one against crime, because it signals every criminal that it has become more safe to steal. It will further drive off future investors and so dama

    • Germany is the world's number 3 in total exports and number 1 per capita, so clearly this law doesn't damage the economy.
      • A foreign investor is a company who sets up business in Germany. This company then produces goods in Germany and exports them. Much of the resources needed for the production are then imported and don't simply all come from within Germany.

        To believe privacy laws couldn't have an effect on a economy when one just focuses hard enough on export is just weird. Do you believe Germany is doing a fire sale where everything has to go and this would somehow make for the best economy?

    • No, the fine were too little. Should have made an example of that company. 25% to 50% of the company's total worth should the fine have been.

      • But paid to whom? It doesn't even seem to be going to the employees but to the government. So all the huffing and puffing you are doing is for the government, the biggest surveillance organisation there is. And by taking even more money from the company do you risk jobs, because when a company can no longer remain profitable then they'll have to fire people. So there you are, moron of the year, financing Big Brother and putting people out of work, because you don't want companies to do what governments have

  • GDPR is going to do a lot more than this to get in my good books. Like maybe stop making literally every website produce that stupid popup up that everyone has to blindly click Agree on if they want to use the internet.

    • The websites don't have to show the popup if they only use technically required cookies.

    • The popup on most sites is not required at all, it is a dumb lack of understanding by those producing the sites. You only need the popup when you are collecting and storing data about the user in the background or transferring that information to a 3rd party or using that cookie to track the user beyond your site. A session cookie or various auth cookies etc have absolutely no requirement for the popup.
  • While workers' councils are widespread in Germany's companies in the industrial and the traditional commerce sectors, they're still not as prevalent in the IT sector, even though workers and employees have a guaranteed right to form one. If there would have been a workers' council at NBB, any management attempt to install any kind of surveillance would have been subject to the workers' council's participation, and as the most important job of a workers' council is to see that laws are followed within the company, it would have prevented the illegal installation that now has become rather expensive for the company.

  • by bloodhawk ( 813939 ) on Tuesday January 19, 2021 @05:17PM (#60965632)
    This is actually an example of where I think the GDPR has gone to far (assuming the story and summary and accurate). I don't think it is unreasonable for a business to have video surveillance to prevent theft by employee's. My parents used to run retail business and employee theft actually cost them more than customer theft.

Genius is ten percent inspiration and fifty percent capital gains.

Working...