Background information
- Date of final decision: 5 October 2024
- National case
- Legal reference: Article 6 (Lawfulness of processing)
- Decision: Compliance order, Definitive limitation data processing, Administrative fine
- Key words: CCTV, Lawfulness of processing, Legitimate interest, Employment
Summary of the Decision
Origin of the case
The Slovenian Supervisory Authority (SA) carried out an investigation in 2023 against the company FOVELLA d.o.o., acting as the owner of DODO PIZZA franchise in Slovenia.
The investigation revealed unlawful monitoring of employees in the restaurant’s kitchen via CCTV and unlawful broadcasting of these CCTV footages live on the company’s website. Such broadcasting appeared to be part of the company’s business model.
Key findings
The Slovenian SA found two breaches in the inspection proceeding. First, unlawful CCTV instalments inside working premises – the restaurant’s kitchen, since such monitoring of employees can only be carried out as an exception (ultima ratio) and when it is absolutely necessary for the safety of people or property (violation of Article 78 of the national Data Protection Act). And second, these CCTV footages were broadcasted live on the company’s website https://dodopizza.si/ljubljana.
The controller failed to demonstrate compliance with Article 6 of the GDPR in accordance with the accountability principle. Slovenian SA decided that there is no legal basis under Article 6 of the GDPR for the broadcast of the CCTV footage of employees working in the kitchen live on the company's website, not even legitimate interest of the controller, since already CCTV inside the working premises was found unlawful under national legislation.
Decision
The Slovenian SA imposed a fine of EUR 25.000,00 on FOVELLA d.o.o. for unlawful CCTV inside the restaurant's kitchen, together with the broadcast of these CCTV footages via the company's website and notified of its decision also other DPAs, since DODO PIZZA has its franchises also in other EU countries.
For violation of Article 76, paragraph three and four of the national Data Protection Act and Article 13 of the GDPR since the company also failed to inform data subjects of the data processing, a reprimand was issued to the controller. The decision in inspection and misdemeanor proceedings are both final.
For further information: download the decision in national language - zip file.
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.