Stronachs Logo

The European Court of Human Rights (ECtHR) recently heard the case of Lopez Ribalda & Other v. Spain, concerning five workers in a supermarket chain who raised concerns regarding covert surveillance within their workplace.


In February 2009 the supermarket owners noticed that there were abnormalities between the stock levels and what was being sold. In order to investigate, they installed surveillance cameras in the supermarket, some of which were visible and some which were hidden from view.  The employers gave notice to the employees about the visible cameras but did not mention those that were hidden. The hidden cameras were focused on the checkout counters where the applicants worked as cashiers. As a result of the hidden cameras, five employees were dismissed having been caught stealing items and helping co-workers steal. They brought their case to the ECtHR alleging a breach of their Article 8 rights (the right to privacy) and data protection rights on the basis that they were not notified of the covert cameras.


The ECtHR found that the employers had breached the cashiers’ Article 8 rights to privacy by not informing them that they were under surveillance. Under Spanish data protection law the employees were entitled to be “previously and explicitly, precisely and unambiguously informed” of “the existence of a personal data file or that the data will be processed, the purpose thereof and the recipients of the information,” but the employees received no such notice. The Spanish courts failed to strike a fair balance between the right to privacy and the employer’s rights given the suspicions of theft. Consequently, the employees had been prevented from exercising their individual rights of access, rectification, erasure and objection.

Whilst the case is not binding in the UK, it is persuasive, and it underlines that employers may have to adapt or change how they can monitor staff in the workplace. Covert surveillance of employees without notification will not be compliant with UK data protection laws, employees have to be “explicitly, precisely and unambiguously” informed if a personal data file exists and how it is being used. The Information Commissioners Office note that “the covert monitoring of workers can rarely be justified” and only where an employer is “satisfied that there are grounds for suspecting criminal activity.” However if there are such grounds then proper notification of such data processing is necessary to render proportionate processing lawful. The key way to do this is by way of an appropriate policy and privacy notice issued to employees. With the introduction of the General Data Protection Regulations (GDPR) in May, employers should be updating their privacy policies and notices in order to be compliant.

Privacy Notices

In order to be compliant with the GDPR, employers should provide information on the processing they are undertaking of employee personal data (including any surveillance) by way of privacy notices (sometimes referred to as fair processing notices). A privacy notice informs individuals about how the organisation collects, uses, stores, transfers and secures personal data. Without a privacy notice data subjects cannot exercise their rights or decide whether or not to provide their personal data.

The GDPR has introduced more specific and detailed requirements of what to include in a privacy notice than previously under the Data Protection Act 1998. The information must be concise, transparent, easily accessible and given in plain language. The GDPR outlines what information should be provided to the data subject at the point of data collection, the key ones being:

1. the identity and the contact details of the data controller;
2. the contact details of the data protection officer;
3. the legal basis for the processing and the purposes of the processing;
4. the recipients or categories of recipients of the personal data;
5. if the controller intends to transfer personal data to a third country or international organisation;
6. a list of the individuals rights;
7. the period for which the personal data will be stored; and
8. the existence of any automated decision-making, including profiling.

Ahead of the 25th of May, organisations should be reviewing existing privacy notices in order to ensure compliance. Failure to do so will make organisations potentially liable for fines of up to 4% of their turnover or €20 million, whichever is greater.

If you have any queries about any of the issues raised above or require assistance reviewing existing privacy notices, please do not hesitate to contact a member of the Stronachs Employment Team.

Ross Michie, Trainee Solicitor

Chambers Leading Firm 2019

Contact Info

28 Albyn Place, Aberdeen AB10 1YL
Tel: +44 1224 845845


Camas House, Fairways Business Park,
Inverness IV2 6AA
Tel: + 44 1463 713225