News
€40,000 Fine for a Real Estate Company
The CNIL has sanctioned a company for installing monitoring software on its employees' computers to track their working hours and assess their performance.
Source: SAN 2024-021
Abusive Monitoring of Working Hours
Automated detection of inactivity:
• The software detected keyboard or mouse inactivity for 3 to 15 minutes.
• These periods of inactivity were recorded and could result in salary deductions.
• These times could include meetings, phone calls, or other professional tasks.
Monitoring Employee Performance
Digital behavior analysis:
• The software analyzed websites and applications used, categorizing them as productive or non-productive.
• Automatic screenshots (screencast) every 3 to 15 minutes, depending on company-defined settings.
Failure to Ensure Data Security (Article 32 GDPR)
Security breaches:
• Shared access to a single administrator account, preventing traceability of access and actions performed.
• Major risk in case of data breaches or security incidents.
Excessive Employee Surveillance
Inappropriate video surveillance system:
• Two cameras continuously recorded employees, even in break rooms.
• Audio and video recording 24/7, beyond security needs.
Failure to Conduct a Data Protection Impact Assessment (Article 35 GDPR)
Lack of a Data Protection Impact Assessment (DPIA):
• The monitoring software enabled systematic surveillance, creating a high risk to employees' rights and freedoms.
• The company should have conducted a DPIA before implementing the system.
Main GDPR Violations
• Article 5.1.c – Data minimization
• Article 6 – Lawfulness of processing
• Article 12 – Transparency and rights of individuals
• Article 13 – Information to data subjects
• Article 32 – Data security
Conclusion
This sanction serves as a reminder that employee surveillance must comply with GDPR and be proportionate to legitimate business objectives.
Excessive workplace surveillance is prohibited, and companies must ensure the security of collected data.