The Spanish Data Protection Authority has sanctioned a restaurant with a fine of EUR 12,000 for imposing a disciplinary sanction on an employee using images from a mobile phone video recording made by another employee in the restaurant as evidence.

According to the Spanish Data Protection Authority, a mobile phone that collects images of an individual who can be identified, falls within the scope of protection of article 1 of the GDPR.

In that situation, these images have been used to have a legal effect in an employment monitoring context, that is why, the data protection regulations and their guarantees fully apply.

The Spanish Authority follows its reasoning, stating that the images obtained (from another employee) and used, reproduced the employee’s image and allowed surveillance of his actions via the recording of him. This constitutes personal data, and this data was used to monitor his compliance with his employment contract.

For the purpose of the GDPR, the owner of the establishment – where the employee provided services – is the legal entity that used the recording. He is responsible for processing the data without having previously informed the employee about monitoring of his work-related activities associated with recordings of him. He had therefore, violated article 5.1 (a) of the GDPR.

To access the Spanish Data Protection Agency website click here.