SUPERCOR, S.A. – €70,000 Fine (Spain, 2023)

On 1 February 2022, two employees of SUPERCOR, S.A. filed complaints with the Spanish DPA (AEPD) after being dismissed based on video footage from a camera installed in a break room. The camera was installed without notifying employees or obtaining their consent. SUPERCOR claimed the room was used for storing damaged goods and argued that the surveillance was necessary to investigate internal theft. However, during the investigation, the company’s HR manager had referred to the room as the “break room” during employee interviews and in dismissal notices. SUPERCOR later explained that this was an error. The data subjects argued that SUPERCOR did not provide any signage or notification regarding the video surveillance. SUPERCOR maintained that the surveillance was justified under Article 6 GDPR, arguing that it had a legitimate interest for the processing of personal data due to the alleged thefts. The AEPD found SUPERCOR in violation of Article 6 GDPR, as the company did not properly balance its legitimate interest in investigating theft with the employees' right to privacy. The DPA determined that there were less invasive alternatives available to investigate the alleged theft. The DPA rejected SUPERCOR’s defense that the room was a room for damaged goods determining that it was a break room, regularly used by employees for rest and meals, thus making the surveillance unlawful under [https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673#a8-11 Article 89.2 of the Spanish implementation of the GDPR (LOPDGDD)]. The DPA found that the room was indeed used for rest and meals, as the employees provided photographs showing a microwave, a fridge, and evidence of the employees changing clothes in the room. Additionally, SUPERCOR violated Article 5(1)(f) GDPR, which requires the protection of personal data through appropriate security measures. SUPERCOR failed to implement proportional measures and infringed the principles of data minimization and proportionality under