You are contacting
The French branch of Ingka Group, which owns various international Ikea stores, has been ordered to pay a fine of €1 million after a Versailles court held that it had unlawfully processed its employees’ personal data.
1 minute read
16 June 2021
It was reported yesterday that the French branch of Ingka Group, which owns various international Ikea stores, has been ordered to pay a fine of €1 million after a Versailles court held that it had unlawfully processed its employees’ personal data. Ikea had been accused of subjecting its employees to illegal surveillance, including trying to catch an employee who had claimed unemployment benefits despite driving a Porsche.
Even though the case concerns Ikea’s practices between 2009 and 2012, the issues it raises are particularly timely. The rise in home working during the current pandemic has led to many employers becoming increasingly interested in deploying some form of staff surveillance in order to monitor productivity levels.
Those organisations that do intend on introducing monitoring ensures will need to ensure that their staff’s personal data is handled in a lawful, fair, and transparent way under the General Protection Regulation (GDPR). This will mean identifying a lawful basis on which to collect and continue to process the relevant personal data and communicating the details of this to the relevant staff. Many employers will opt to rely on their ‘legitimate interests’ as a lawful basis, but it is important to remember that these specific legitimate interests will need to be explicitly stated in an updated privacy notice circulated to staff. They will also need to be balanced against employees’ individual rights and freedoms by way of a data protection impact assessment. This is a process used to assess whether the proposed form of monitoring is necessary and proportionate, taking into account what employees’ privacy expectations and what they would likely consider excessive. Certain intrusive forms of monitoring (for example, software that records mouse movements and keystrokes) may well fall foul of the GDPR, especially if they are used for automated decision-making (such as basing pay rises on those who are recorded to have logged in at certain times).
Although the GDPR was not a consideration in the Ikea case, given that it only came into force in 2018, the UK-implemented version of it still applies to British employers. If a UK business were to conduct similar activities as described in the Ikea case today, the consequences would likely be far more severe, given that the UK GDPR allows the Information Commissioner to impose fines of up to 4% of worldwide turnover or £17.5 million (whichever is greater) for non-compliance. In a UK context, excessive staff surveillance could also breach the duty of trust and confidence implied in every employment relationship, or potentially even the right to respect for privacy and family life.
16 June 2021
You are contacting
FINDING OUR ARTICLES OF INTEREST? SUBSCRIBE TO RECEIVE THE LATEST CONTENT DIRECT TO YOUR INBOXSubscribe now