In September 2025, France’s Data Protection Authority (CNIL) fined La Samaritaine €100,000 (Deliberation SAN-2025-008) for installing cameras disguised as smoke detectors, equipped with microphones, inside employee storage areas.
The stated goal: identify those responsible for internal theft.
The result: a series of GDPR violations.
⚖️ The facts and the line that was crossed
Five cameras. Audio recording. Employees filmed and recorded without their knowledge.
When the staff discovered the system, it was removed — but the complaint had already been filed.
The CNIL deemed the surveillance deceptive, disproportionate, and undocumented.
European case law doesn’t prohibit hidden workplace surveillance outright, but it allows it only under strict, exceptional conditions.
The European Court of Human Rights, in López Ribalda v. Spain (ECHR, Oct. 17, 2019), defined three cumulative requirements:
1️⃣ Reasonable suspicion of serious misconduct;
2️⃣ No less intrusive alternative available;
3️⃣ Strictly temporary and proportionate use of the measure.
La Samaritaine met none of these requirements.
No prior documentation, no Data Protection Impact Assessment (DPIA), and an audio system with no valid justification.
📜 The legal basis for the CNIL’s decision
The CNIL identified five major GDPR breaches:
- Breach of fairness and transparency (Art. 5(1)(a))
  Disguising cameras as smoke detectors amounted to intentional deception.
- Violation of data minimization (Art. 5(1)(c))
  Audio recording was neither necessary nor proportionate.
  In professional settings, sound recording is almost always prohibited unless justified by compelling necessity.
- Failure of accountability (Art. 5(2))
  No record of processing, no DPIA, and no internal traceability.
- Failure to consult the DPO (Art. 38(1))
  The Data Protection Officer was informed after installation, preventing any preventive oversight.
- Unreported data breach (Art. 33)
  Two SD cards containing footage were stolen during the testing phase — and no notification was made to the CNIL within the required 72 hours.
🔍 The broader principle: control ≠ surveillance
The principle is simple yet essential:
👁️ Employee monitoring is not unrestricted surveillance.
Both the CNIL and French labor courts have long emphasized that any monitoring tool must comply with the principles of purpose limitation, proportionality, and transparency.
This case isn’t isolated.
It echoes a wider pattern of technological monitoring:
- Continuous vehicle geolocation,
- Keystroke or screen activity tracking,
- Automated email or chat analysis,
- Voice recording for “quality assurance” purposes.
All share the same legal foundation: the measure must remain necessary, proportionate, and strictly limited to its objective.
🧠 The real issue: from surveillance to algorithmic monitoring
The CNIL’s decision foreshadows a broader debate — that of AI-driven workplace surveillance.
Tomorrow’s systems will not just record but analyze behavior: facial recognition, emotion detection, productivity scoring.
Under the EU AI Act (2024), such systems are categorized as “high-risk AI”, requiring enhanced safeguards — human oversight (“human-in-the-loop”), explainability, traceability, and continuous risk assessment.
The intersection of labor law and data protection law now centers on a common goal: preserving human dignity and autonomy in an increasingly automated environment.
📘 Practical takeaways
✅ Document every exception — hidden surveillance must be justified, proportionate, and temporary.
✅ Conduct a DPIA before any installation.
✅ Consult the DPO early, not after the fact.
✅ Limit the technical scope — avoid audio capture, restrict coverage, set a clear end date.
✅ Report data breaches promptly within 72 hours.
Compliance is not bureaucracy — it is the evidence of corporate integrity and ethical governance.
🎯 Conclusion
The CNIL doesn’t ban hidden surveillance per se.
It treats it as an extraordinary exception, permissible only when every legal safeguard has been met.
The Samaritaine case underscores a key truth: technology isn’t inherently unlawful — poor governance is.
Far from being a constraint, the GDPR remains the most effective framework for balancing organizational security, operational efficiency, and fundamental rights.
Source: https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000052266505