Search
Close this search box.
AI-based solution designed to automate personal data discovery and classification
Discover personal data across multiple systems in the cloud or on-premise
Harbor cooperation between DPO, Legal Services, IT and Marketing
Turn data subject request into an automated workflow with a clear insight into data every step of the way
Collaborate with stakeholders and manage DPIA and LIA in real-time with Assessment Automation
Guide your partners trough vendor management process workflow
Identifying the risk from the point of view of Data Subject
Quickly respond, mitigate damage and maintain compliance
Consolidate your data and prioritize your relationship with customers
Privacy portal allows customers to communicate their requests and preferences at any time
Introducing end-to end automation of personal data removal

Latest Blog posts

Learn the terms

General Data Protection Regulation

Here you can find the official content of the Regulation (EU) 2016/679 (General Data Protection Regulation) in the current version. All Articles of the GDPR are linked with suitable recitals.

Latest papers

€32 Million GDPR Fine for Amazon France Logistique

amazon logistique gdpr fine

Amazon France Logistique incurred a €32 million GDPR fine from the French Data Protection Authority (CNIL) for implementing an overly invasive system to monitor employee activity and performance.

Additionally, Amazon faced fines for conducting video surveillance without providing adequate information or ensuring sufficient security measures.

What does Amazon France Logistique do

Amazon France Logistique oversees warehouses of the Amazon group in France, where it receives, stores, and prepares parcels for customer delivery.

As an integral part of its operations, each warehouse employee is equipped with a scanner to document the real-time performance of assigned tasks, including item storage or retrieval, shelving, and packaging.

Every scan executed by employees leads to the recording of data, which is subsequently stored and utilized to create insights into each employee’s quality of work, productivity levels, and periods of inactivity.

Reasons for the investigation

In addition to receiving complaints from employees, the CNIL also responded to media coverage regarding the company’s warehouse practices and conducted multiple investigations.

CNIL’s Findings

The CNIL deemed the system for monitoring employee activity and performance excessive and the retention of data and the resulting statistical indicators disproportionate, citing the following reasons:

  1. Implementation of indicators tracking the inactivity time of employees’ scanners was deemed unlawful. The CNIL concluded that establishing a system with such precision, measuring work interruptions to the extent of potentially requiring employees to justify every break or interruption.
  2. The CNIL found it excessive to retain all data collected by the system and resulting statistical indicators for all employees and temporary workers for 31 days.
  3. The system measuring the speed at which items were scanned was overly stringent. Operating on the premise that items scanned too quickly increased the risk of errors, an indicator measured whether an item had been scanned in less than 1.25 seconds after the previous one.

The Root of the Problem

As a result, the restricted committee – the CNIL body responsible for issuing sanctions, imposed a fine of €32 million based on several violations.

Failure to comply with the data minimization principle

Amazon France Logistique uses indicators of employee activity and performance, collected with the help of scanners, to manage stocks and orders in its warehouses in real-time.

Additionally, it allows the supervision of each employee to offer assistance when needed (coaching) or to reassign tasks as necessary.

However, providing support or reassigning them does not necessitate access to every detail of an employee’s quality and productivity indicators gathered through scanners over the past month.

The committee highlights that supervisors can already use real-time data to identify any challenges an employee might face, requiring coaching or pinpointing employees for reassignment during peak activity periods.

The company also used employee activity and performance data and indicators to plan work in its warehouses, assess employees each week, and train them.

The committee believes that analyzing statistics on an individual employee, aggregated weekly, is enough to evaluate the employee’s proficiency. There is no need to process every detail provided by the scanner.

Finally, the restricted committee concluded that monitoring an employee’s work, evaluating their performance, or providing training did not warrant recording any period of inactivity exceeding ten minutes.

Failure to ensure lawful processing

CNIL specifically focused on three indicators that were processed by the company:

  • the “Stow Machine Gun” indicator signals an error when an employee scans an item “too quickly.”
  • the “idle time” indicator, which signals periods of scanner downtime of ten minutes or more;
  • the “latency under ten minutes” indicator signals periods of scanner interruption between one and ten minutes.

The restricted committee concluded that the processing of these three indicators could not be based on legitimate interest, as it led to excessive monitoring of employees.

The “Stow Machine Gun” indicator monitors how quickly employees perform the task of storing items. If an employee completes the storage task too rapidly, the system may view it as an error or anomaly, possibly leading to further investigation or corrective measures.

The other two indicators also made it possible to monitor any time the scanner was interrupted, even for a short period. However, the company already has access to other real-time indicators that allow it to achieve its quality and safety objectives, which indicates this processing to be excessively intrusive and unnecessary.

Failure to comply with the obligation to provide information and transparency

The committee noticed that the company did not provide the information mandated by the GDPR about the video surveillance systems to employees or visitors.

Failure to comply with the obligation to ensure the security of personal data

The video surveillance software lacked adequate security measures as the access password was weak, and the access account was shared among multiple users.

Deciphering Reasons Behind the Fine

While recognizing the challenges faced by Amazon’s business and its ambitious performance targets, the CNIL found fault with the extensive data retention and statistical indicators, deeming them disproportionately excessive.

When deciding on the amount of the penalty, the committee factored in that this type of processing of employee data represents a departure from the traditional monitoring methods. It also considered the scale and exhaustiveness of collected data, which kept employees under close surveillance and put them under continuous pressure.

Taking into account the substantial number of individuals impacted (several thousand), it concluded that the limitations placed on employees through this computer monitoring played a direct role in the company’s financial gains, providing it with a competitive edge over other businesses.

Read the entire decision in French: Délibération de la formation restreinte n°SAN-2023-021 du 27 décembre 2023 concernant la société AMAZON FRANCE LOGISTIQUE – Légifrance

Request a Data Privacy Manager demo

Let us navigate you through the Data Privacy Manager solution and showcase functionalities that will help you overcome your compliance challenges.

Scroll to Top