A German data regulator last week announced a €10.4 million (U.S. $12.7 million) fine against an online laptop and electronic goods retailer for video-monitoring employees for at least two years without legal basis.

The State Commissioner for Data Protection (LfD) Lower Saxony said the constant surveillance by NBB (notebooksbilliger.de) was “inadmissible” under the General Data Protection Regulation (GDPR). The fine is the highest the authority has set so far.

According to the regulator, cameras recorded employees in workplaces, salesrooms, warehouses, and common areas. NBB claimed the aim was to prevent and investigate criminal offenses and to track the flow of goods in the warehouses.

According to the LfD, however, a company seeking to prevent theft must first use “milder” methods, such as random bag checks when employees leave the premises. Moreover, the LfD said video surveillance is only lawful if there is “justified suspicion” against specific persons, and even then, video monitoring may only be used for a “limited” time.

The data authority found NBB’s video surveillance was neither limited to a specific period of time nor to specific employees. The recordings were saved for 60 days in many cases. Customers were also filmed in seating areas without their knowledge or consent.

In a translated press release, the regulator said “the allegedly deterrent effect of video surveillance, which is repeatedly put forward, does not justify a permanent and unprovoked interference with the personal rights of employees.”

“We are dealing with a serious case of video surveillance in the company,” said Barbara Thiel, head of LfD Lower Saxony, in a translated statement. “Companies must understand that with such intensive video surveillance they are massively violating the rights of their employees.”

Thiel added that video surveillance is “a particularly intensive encroachment on personal rights” because it can pressurize employees “to behave as inconspicuously as possible in order not to be criticized or sanctioned for deviating behavior.”

“Employees do not have to give up their personal rights just because their employer puts them under general suspicion,” she said.

Last October, the Data Protection Authority of Hamburg handed retailer H&M the country’s largest GDPR fine to date (€35.2 million) for similar employee-monitoring violations.

Germany’s federal and regional data protection authorities have been keen to focus on steering organizations away from “common” privacy violations under the GDPR—such as video monitoring, cold-calling, etc.—rather than pursuing record fines. Regulators feel such an approach creates a greater understanding of what privacy means and how the GDPR impacts people and work on a day-to-day basis.

The fine imposed on NBB is not yet legally binding. The company announced it intends to challenge the decision.

“The fine is completely disproportionate. It bears no relation to the size and financial strength of the company or to the seriousness of the alleged violation,” CEO Oliver Hellmold said in a translated statement. “We consider the decision to be unlawful and demand that it be repealed.”