In this issue of In Perspective, Jackie Barlow, Data Protection Senior Consultant at Xcina Consulting, discusses the questions every business should be asking. This month we review the latest high-profile data breach fine in Europe, imposed on Amazon France Logistique (AFL). We look at why the ICO has served an enforcement notice on Serco for processing employees’ biometric data and, finally, why the European Data Protection Board has launched a new, free website auditing tool to analyse cookie compliance.
We take a look at why this is important and the implications for both businesses and individuals.
Find out more below.
Amazon France Logistique (AFL) fined EUR 32m by French Data Protection Authority, CNIL
What happened
- AFL manages Amazon’s large French distribution centres, where parcels are received, stored and prepared for delivery
- Employees use scanners as part of their duties, but the scanners have also been used to monitor how quickly items are scanned and how much downtime employees take between scanning items
- The scanning data has enabled AFL to easily spot errors made by employees and to measure their levels of productivity
- The data collected was stored for 31 days and then used to plan work schedules and assess employees’ performance and training needs
- Additionally, video surveillance was also used at some warehouses
- The French data protection authority, CNIL, investigated, carried out a number of site inspections and in July 2023 decided that AFL had committed the following breaches of EU GDPR:
(i) failure to comply with the data minimisation principle by holding all data produced by scanners for 31 days instead of aggregating it
(ii) failure to have a lawful basis for processing the personal data collected via the monitoring activities. AFL intended to rely on legitimate interests, but the monitoring was disproportionate
(iii) failure to provide a privacy notice to temporary workers and failure to give workers and visitors necessary information in the warehouses where the video surveillance was used
(iv) failure to ensure that personal data collected was sufficiently secure, as the video surveillance software had inadequate passwords and account sharing was prevalent
- AFL was fined EUR 32m
Why it matters
- Although CNIL’s decision is not binding on the UK, this case is of interest for both UK and EU businesses because the relevant parts of EU GDPR and UK GDPR are substantially similar
- Legitimate interests can be relied upon as a lawful basis, but only if the data processing is proportionate and takes account of employees’ rights and freedoms, which was not the case here
- Only the minimum amount of personal data needed must be collected, and it must not be retained for longer than necessary
- Data collected must be held securely and employees must be informed how their data is processed (via a privacy notice)
Further information
Monitoring of employees is a current area of interest for the ICO, particularly with many employees now working from home. The ICO has provided guidance at Employment practices and data protection: monitoring workers | ICO
ICO issues Serco with an enforcement notice for processing employees’ biometric data
What happened
- On 23 February 2024, the ICO issued an enforcement notice to Serco. One of its subsidiaries was asked to stop processing the biometric data of 3,000 staff members in 38 of its leisure centres
- Serco had been using facial recognition and fingerprint scanning to monitor and pay staff; processes which produce biometric data which is considered to be special category data under the UK GDPR
- Special category data requires a greater level of care when processed than ordinary personal data
- The ICO deemed Serco’s practice to be unfair and disproportionate because other ways of monitoring could have been used
- Necessity is a critical requirement of most lawful bases for processing personal data. Whilst it might be necessary for Serco to record staff attendance in order to pay them, the monitoring could have been less intrusive
- The power imbalance between Serco and its employees would mean that employees are unlikely to say no if asked for consent, so consent would not be a valid alternative
- A data protection impact assessment (DPIA) must be completed early on in this type of project, particularly where special category data is involved, to assess the privacy risks
- Additionally, if Serco had intended to rely upon legitimate interests as a lawful basis, a Legitimate Interests Assessment would have had to be completed, and the data processing could only go ahead if the balancing test was met
Why it matters
- Whilst some monitoring of staff might be necessary in order to pay them, facial recognition is privacy intrusive and there are simpler ways to obtain attendance data
- Serco employees were not offered an alternative to having their faces and fingers scanned to clock in and out
- A DPIA would have highlighted the risks of using biometric technology. This would have shown that the processing was too intrusive and disproportionate
- Serco has now been told to stop all processing of biometric data for monitoring employees’ attendance at work, and must also destroy, within 3 months, all biometric data it is not legally obliged to retain
Further information
Details of the action taken by the ICO can be found at:
EDPB launches a new, free, website auditing tool to analyse cookie compliance
What happened
- The European Data Protection Board (EDPB) has launched a website auditing tool that can be used to analyse whether websites comply with the law on cookies
- Both data controllers and data processors who want to test their own websites can use it
- The tool allows them to prepare, carry out and evaluate audits directly within the tool, simply by visiting the website in question
- The tool can also generate reports where required
- Previously, website auditing tools required technical expertise to use, so the EDPB wanted to develop something that was easy to use
The tool does, however, also enable enforcement by national data protection authorities, as well as allowing organisations to test their own sites
Why it matters
- Over the past few months, the ICO has warned organisations that they face enforcement action if they do not make changes to their advertising cookies to comply with data protection law and the Privacy and Electronic Communications Regulations (PECR)
- Websites must inform users if cookies are set, and must also clearly explain which cookies are set, what the different types of cookies do and why
- The ICO has given certain companies 30 days to ensure websites comply with the law
- The new website auditing tool will help compliance checks by data controllers/processors and also enforcement by regulators
- It signals time for all organisations to pay attention to the cookie policies on their websites
Further information
Details of the ICO’s warning to organisations can be found at:
The website auditing tool is free and open-source software released under the EUPL 1.2 Licence and is available for download at Releases · EDPB / EDPB Website Auditing Tool · GitLab (europa.eu)