Can audio surveillance be justified?


At the end of 2021, the Estonian Data Protection Inspectorate (DPA) issued a precept to a gas station using audio surveillance in its service stations, requiring it to, among other things, stop using audio surveillance. In the DPA’s opinion, audio surveillance could only be justified by very exceptional circumstances.

In 2021, the Estonian DPA initiated proceedings against a gas station because it was allegedly using audio and video surveillance in its service stations to track its employees for various purposes. Although other issues related to the processing of personal data were also in question, the use of audio surveillance gained the most attention, especially as the DPA stated rather firmly that the use of audio surveillance cannot, in most cases, be justified, and must, in the current case, be stopped.

The DPA found that there are less intrusive means, including video surveillance, to achieve the purposes for which the controller said it needed to process the audio recordings. The DPA also noted that: (i) it cannot be expected that any and all conflict situations can always be solved; and (ii) although there surely are situations where audio recordings can be useful, using them to solve any and all conflict situations may lead to a “new normality” like the one we have now reached with video surveillance, which is much more normal and widely used than it was some time ago.

The DPA decisively stated that nothing makes gas stations special enough to justify the use of audio surveillance. The DPA compared gas stations to any other shops, cafes, or service stations in that regard. All in all, the DPA did not consider audio surveillance to be inherently permissible in any companies offering goods or providing services. The use of audio surveillance could only be justified by very exceptional circumstances that do not exist elsewhere. Unfortunately, the DPA did not give any examples of such circumstances or of companies that could then potentially use audio surveillance.

It is also interesting to note that the penalty for non-compliance with the precept was set at EUR 25,000, which is, to my knowledge, one of the largest proposed by the DPA. It should be noted that in Estonia, it is not currently possible to impose administrative fines. Most often, the DPA attempts to achieve compliance by issuing precepts with the warning of a penalty (which can be imposed multiple times). It is also possible to start misdemeanor proceedings; however, this is usually not practiced by the DPA.


Article provided by INPLP member: Mari-Liis Orav (TGS Baltic, Estonia)


