On 18 September 2025, the French Data Protection Authority (CNIL) issued Deliberation SAN-2025-008, imposing a €100,000 fine on Samaritaine SAS for clandestinely installing surveillance cameras in employee areas.
In August 2023, in response to a rise in stockroom thefts, the company installed five hidden cameras disguised as smoke detectors. The devices also recorded audio. Within weeks, employees discovered and dismantled them, taking the SD cards containing the recordings. The matter came to CNIL’s attention, prompting an investigation.
This case illustrates the strict limits placed on covert workplace surveillance. CNIL recalled European human rights jurisprudence, particularly Lopez Ribalda and Others v. Spain (ECHR, 2019), which held that hidden cameras may only be deployed in exceptional and temporary circumstances, following a documented proportionality assessment. Samaritaine’s measures fell short on multiple GDPR grounds.
CNIL’s Findings
Transparency and Accountability Failures
The covert system was never included in the company’s Register of Processing Activities. No Data Protection Impact Assessment (DPIA) was carried out to assess the necessity and proportionality of the surveillance measures, and the DPO was not consulted.
CNIL stressed that covert surveillance may only be considered after a clear GDPR compliance analysis demonstrating necessity, proportionality, and accountability. As the authority recalled:
“…In exceptional circumstances and under certain conditions, the controller may temporarily install cameras that are not visible to employees. The controller must then analyse the compatibility of the device with the GDPR and be able to justify it.”
Disproportionate Data Collection
The cameras recorded both video and audio, capturing employee conversations. CNIL deemed this excessive and unnecessary for theft prevention, in breach of the data minimization principle under Article 5 para. 1 lit. c GDPR. The authority underlined that audio recording, in particular, was unjustified given the purpose.
Failure to Notify a Data Breach
When employees dismantled the cameras, they also removed the SD cards containing the recordings. This constitutes a personal data breach under Article 4 para. 12 GDPR: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
Management became aware in September 2023 but only notified CNIL in December, far beyond the 72-hour deadline set out in Article 33 GDPR.
Failure to Involve the DPO
The DPO was informed only after the cameras had already been dismantled. CNIL highlighted this as a serious governance failure, as the DPO’s advice could have prevented the violations.
Overall, CNIL condemned Samaritaine for adopting an intrusive, undocumented, and disproportionate surveillance measure outside the GDPR framework.
In Lopez Ribalda, the European Court of Human Rights (ECHR) permitted covert cameras in a Spanish supermarket, but only under strict safeguards, including:
- Limited duration. In Lopez Ribalda, monitoring lasted only 10 days. By contrast, Samaritaine set no end date; the cameras remained until employees discovered them.
- Strong and documented justification. In Lopez Ribalda, there was documented suspicion of systematic theft. Samaritaine, by contrast, provided no analysis demonstrating that less intrusive measures—such as video-only monitoring—were inadequate.
This case reinforces a fundamental principle: only in exceptional circumstances and under certain conditions may a controller temporarily install cameras that are not visible to employees. In any case, the controller must analyse the compatibility of the device with the GDPR and be able to justify its installation.
Covert monitoring is a last-resort measure, permissible only when strictly necessary, proportionate, and accompanied by safeguards.
The message is clear: property protection cannot limit employee privacy without rigorous legal justification. Any company considering employee monitoring—especially covert methods—must involve their DPO or privacy specialists to implement the appropriate safeguards and align with both GDPR requirements and relevant jurisprudence.