Skip to main content

Can audio surveillance be justified?


At the end of 2021, the Estonian Data Protection Inspectorate (DPA) issued a precept to a gas station using audio surveillance in its service stations, requiring them to, among other things, stop using audio surveillance. In the DPA’s opinion, audio surveillance could only be justified by very exceptional circumstances.

In 2021, the Estonian DPA initiated proceedings against a gas station because it was claimedly using audio and video surveillance in its service stations to track its employees for various purposes. Although other issues related to processing of personal data were also in question, the use of audio surveillance gained the most attention. Especially as the DPA stated rather firmly that the use of audio surveillance cannot, in most cases, be justified, and must, in the current case, be stopped.

The DPA found that there are less intruisive means to achieve the purposes for which the controller said it needed to process the audio recording for, including video surveillance. The DPA also noted that: (i) it cannot be expected that any and all conflict situations can always be solved; and (ii) although there surely are situations where audio recordings can be useful, using them to solve any and all conflict situations may lead to a “new normality” where we are currently with video surveillance, meaning that it is much more normal and widely used than it was some time ago.

The DPA decisively stated that nothing makes gas stations special enough to justify the use of audio surveillance. The DPA compared gas stations to any other shops, cafes, or service stations in that regard. All in all, the DPA did not consider audio surveillance to be inherently permissible in any companies offering goods or providing services. The use of audio surveillance could only be justified by very exceptional circumstances that do not exist elsewhere. Unfortunately, the DPA did not bring any examples of such circumstances or companies who could then potentially use audio surveillance.

It is also interesting to note that the penalty for non-compliance with the precept was set at EUR 25,000, which is, to my knowledge, one of the largest proposed by the DPA. It should be reminded that in Estonia, it is not currently possible to impose administrative fines. Most often, the DPA attempts to achieve compliance by issuing precepts with the warning of a penalty (which can be imposed multiples times). It is also possible to start misdemeanor proceedings, however this is usually not practiced by the DPA.


Article provided by INPLP member: Mari-Liis Orav (TGS Baltic, Estonia)



Discover more about the INPLP and the INPLP-Members

Dr. Tobias Höllwarth (Managing Director INPLP)

Cloud Privacy Check (CPC). Data Privacy Compliance in the Cloud Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.


About Us

EuroCloud is an independent non-profit organization and consists of a two-tier setup where organisations form all European countries can apply to participate in as long as they respect the EuroCloud Statutes.

To act as a true European player, all programs that are developed are intended to be European activities. These European programs are the strength of EuroCloud as a whole. Respect to local cultures along with the will to promote a real European spirit.