Background
On 23 January 2024, the French Data Protection Authority (“CNIL”) published its decision, which was issued on 27 December 2023, regarding the fine it imposed upon Amazon France for numerous violations of the General Data Protection Regulation (“GDPR”) following an investigation. The fine imposed amounts to €32 million.
The CNIL investigated Amazon France after press articles were published on the practices implemented by Amazon France and after receiving numerous complaints from employees.
Amazon's warehouses in France are managed by Amazon France. Each warehouse employee is equipped with a scanner, which documents the execution of certain tasks. Every time an employee uses the scan function, data is recorded that can be used to calculate values relating to the quality, productivity, and periods of inactivity of each employee.
Findings of the CNIL
The data collected from employees was collected in real time and all data reported was kept for 31 days. The smallest details of an employee’s productivity were available to supervisors. The CNIL determined that supervisors should rather rely on data reported in real time to identify difficulties encountered by employees and that a selection of aggregated data, which has already been collected for other data, should be sufficient. Thus, Amazon France was found to be in violation of Article 5(1)(c) GDPR as it did not process personal data in a manner that is relevant, adequate and limited to what is necessary in relation to the purposes of the processing.
Regarding the monitoring of employees, the CNIL indicated that the three methods of monitoring (flagging when an employee scans an item too quickly, the idle time indicator flagging interruptions of 10 minutes or more, and flagging latency times of less than 10 minutes) cannot be based upon legitimate interest, as the methods are excessively intrusive. Therefore, in the absence of a lawful basis, Amazon France was found to have violated Article 6 GDPR.
Numerous employees were contracted on a temporary basis, and the confidentiality and privacy policy of Amazon France was not provided to them before the collection of their personal data. The CNIL held that the information provided to temporary workers on the company’s intranet was insufficient because temporary workers were not requested to read it, and because the intranet was not the most appropriate method of informing temporary workers who did not have access to an office computer during working hours.
Lastly, information about the video surveillance was not properly communicated to employees and external visitors, and access to the video surveillance was found to be insufficiently secured: the access password was not robust and access accounts were shared between multiple employees. Having regard to the characteristics of the processing and the risks involved, the CNIL found that Amazon France was in violation of Article 32 GDPR for failure to guarantee a level of security appropriate to the risk of processing.