Workplace video surveillance: the Hanako case rules out consent

At a glance — Italy’s Garante fined Hanako s.r.l. (12/03/2026) for in‑store video surveillance without layered notice and without labor authorization/union agreement while employees were filmed. Key message: in employment, consent is not a valid legal basis; legitimate interest must be documented and proportionate. Source: Garante, Provvedimento n. 167, docweb 10240451.

The case

On 12 March 2026, the Italian DPA (Garante) adopted measure no. 167 against Hanako s.r.l., a restaurant company. Findings:

• cameras covering multiple areas with a single notice board, broad access to footage, and control purposes without sufficient safeguards;
• no labor inspectorate authorization/union agreement despite employees being recorded;
• breaches of GDPR articles 12–13 (information) and national rules on remote worker monitoring.

The Garante reiterates the need for layered information (sign + detailed notice) and, at work, specific legal bases and safeguards (GDPR art. 6 and labor law). Official decision: docweb 10240451.

Legal reasoning

• Legal basis (GDPR art. 6) — Processing requires a legal basis; article 88 allows specific rules for employee data. Text: GDPR — articles 6 and 88.
• Consent and power imbalance — EDPB Guidelines 05/2020 state consent is invalid where there is a power imbalance (employer/employee). Source: EDPB — Guidelines 05/2020 on consent.
• Video and legitimate interest — The EDPB accepts legitimate interest (6(1)(f)) as often appropriate, subject to necessity/proportionality. Summary: EDPB — Summary Guidelines 3/2019.
• Luxembourg CNPD view — Consent must be “freely given, specific, informed and unambiguous” and is not always suitable; other bases (incl. legitimate interest) are often better. Reminder: CNPD — Consent reminders.

Implication: employers cannot “fix” camera systems targeting staff through employee consent forms. They must establish a legitimate purpose, evidence necessity and proportionality (framing, masking, short retention, restricted access), provide clear notice (sign + full notice), and comply with applicable labor rules. Reference: Garante 12/03/2026.

What this changes in Luxembourg

• Exposed sectors — Retail, banking, industry, transport: if staff fall within camera scope, drop “HR consent”. Build on legitimate interest (6(1)(f)), document the balancing test, and evidence minimization (masking, exclusion zones, 7–30 day retention). Expert support via a dedicated DPO mandate helps formalize this.
• Disciplinary/productivity aims — Continuous performance monitoring is likely unlawful. EDPB and the Garante limit deterrence/evidence to narrowly defined uses, not permanent monitoring. See EDPB video and Garante 12/03/2026.
• Two‑layer information — A visible sign before entry + a detailed notice (controller, purpose, legal basis, rights, retention, recipients, DPO). This was central in Hanako. Ref.: Garante decision.
• Labor rules — Check whether an agreement/administrative authorization is required before deployment (GDPR art. 88). See GDPR in Luxembourg and CNPD compliance and the core GDPR provisions on legal bases.

Common pitfalls

1. Relying on employee consent — Power imbalance often invalidates it. Prefer a well‑documented legitimate interest balancing test. See EDPB — Consent 05/2020 and CNPD.
2. Single sign for multiple areas — Insufficient. Notices must appear before each monitored area and point to a complete second layer. Ref.: Garante 12/03/2026.
3. Cameras fixed on a workstation — Generally disproportionate unless exceptional with reinforced safeguards. See EDPB — video devices.
4. Excessive retention/access — Weeks‑long storage without concrete risk and unlogged access typically fails the balancing test. See EDPB — video.
5. Forgetting GDPR/labor interplay — GDPR art. 88 plus national rules (e.g., Italy: authorization/union agreement). Anticipate country by country. See EDPB and EUR‑Lex art. 88.

Mini decision tree (Article 6 — workplace video)

• Purpose = safety/security — Assess legitimate interest (6(1)(f)): less intrusive means? fields avoiding workstations/sensitive areas? masking? minimal retention? layered notice, access controls, logging, DPIA if high risk (art. 35), handle objections; labor rules (agreement/authorization) where applicable.
• Purpose = continuous performance control — High risk of unlawfulness: revisit purpose and design.
• Employee consent? — Practically unsuitable (imbalance), see EDPB 05/2020. Also refer to the GDPR rules on legal bases.

Official sources

• Garante — Provvedimento n. 167 (12/03/2026), docweb 10240451
• EDPB — Guidelines 05/2020 on consent
• EDPB — Summary Guidelines 3/2019 (video devices)
• EUR‑Lex — GDPR, art. 6 and 88
• CNPD LU — Consent reminders

Need help structuring your balancing tests and notices? Reach out via our contact page.

Luxgap regulatory expertise article. For personalised guidance on this topic, contact us or configure your online quote.