CNPD (Luxembourg) - Délibération n° 17FR/2021: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Luxembourg |DPA-BG-Color= |DPAlogo=LogoLU.png |DPA_Abbrevation=CNPD (Luxembourg) |DPA_With_Country=CNPD (Luxembourg) |Case_Number_Name=Délib...")
 
No edit summary
 
(One intermediate revision by one other user not shown)
Line 50: Line 50:
}}
}}


in progress
The Luxembourg DPA fined a controller €1900 for using their videocameras to record images of public spaces and buildings, and for applying an excessive retention period to such images.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
in progress
The Luxembourg DPA (CNPD) launched an investigation against a corporate group for the use of videocameras in the premises of two of their companies.


=== Dispute ===
The cameras were used for protecting company's goods and for security in the access, in the case of company A, and for the protection of company's property, control of the access, and to prevent work accidents, in the case of company B.


Two of the cameras included in their recording images of public spaces or buildings.


Additionally, the retention period of the images implemented by the companies was of 3 months.
=== Holding ===
=== Holding ===
in progress
The CNPD remarked, in the first place, that the cameras should not record images of public spaces or buildings. In case that such images had to be recorded due to the angle or placing of the cameras, that part of the image should have been blurred.
 
Therefore, the CNPD concluded that the controller had infringed Article 5(1)(c) GDPR by recording images of public spaces or buildings.
 
Secondly, the CNPD considered that the storage for 3 months was excessive in any case. The default period, according to the authority, should be of one week, that might be extended to 1 month, for specific purposes, when justified.
 
Therefore, the CNPD concluded that the controller had infringed Article 5(1)(e) GDPR by having a retention period of the recorded images of 3 months.
 
The authority took into account the will to cooperate of the controller and the fact that they had followed their recommendations to remedy the violations. The CNPD decided to fine the controller €1900.


== Comment ==
== Comment ==

Latest revision as of 08:28, 16 June 2021

CNPD (Luxembourg) - Délibération n° 17FR/2021
LogoLU.png
Authority: CNPD (Luxembourg)
Jurisdiction: Luxembourg
Relevant Law: Article 5(1)(c) GDPR
Article 5(1)(e) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 12.05.2021
Published: 07.06.2021
Fine: 1900 EUR
Parties: n/a
National Case Number/Name: Délibération n° 17FR/2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: CNPD (in FR)
Initial Contributor: n/a

The Luxembourg DPA fined a controller €1900 for using their videocameras to record images of public spaces and buildings, and for applying an excessive retention period to such images.

English Summary

Facts

The Luxembourg DPA (CNPD) launched an investigation against a corporate group for the use of videocameras in the premises of two of their companies.

The cameras were used for protecting company's goods and for security in the access, in the case of company A, and for the protection of company's property, control of the access, and to prevent work accidents, in the case of company B.

Two of the cameras included in their recording images of public spaces or buildings.

Additionally, the retention period of the images implemented by the companies was of 3 months.

Holding

The CNPD remarked, in the first place, that the cameras should not record images of public spaces or buildings. In case that such images had to be recorded due to the angle or placing of the cameras, that part of the image should have been blurred.

Therefore, the CNPD concluded that the controller had infringed Article 5(1)(c) GDPR by recording images of public spaces or buildings.

Secondly, the CNPD considered that the storage for 3 months was excessive in any case. The default period, according to the authority, should be of one week, that might be extended to 1 month, for specific purposes, when justified.

Therefore, the CNPD concluded that the controller had infringed Article 5(1)(e) GDPR by having a retention period of the recorded images of 3 months.

The authority took into account the will to cooperate of the controller and the fact that they had followed their recommendations to remedy the violations. The CNPD decided to fine the controller €1900.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Decision of the National Commission sitting in restricted formation

    on the outcome of survey No. [...] conducted with "Company A"



                       Deliberation n ° 17FR / 2021 of May 12, 2021


The National Commission for Data Protection sitting in a restricted body

composed of Ms Tine A. Larsen, president, and Messrs Thierry Lallemang and Marc

Lemmer, commissioners;


Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016

relating to the protection of individuals with regard to the processing of personal data

personal character and on the free movement of such data, and repealing the Directive
95/46 / EC;



Having regard to the law of 1 August 2018 on the organization of the National Commission for

data protection and the general data protection regime, in particular
its article 41;



Having regard to the internal regulations of the National Commission for the Protection of

data adopted by decision n ° 3AD / 2020 dated 22 January 2020, in particular its
article 10 point 2;



Having regard to the regulation of the National Commission for Data Protection relating to

investigation procedure adopted by decision n ° 4AD / 2020 dated 22 January 2020,
in particular Article 9;



Considering the following:











   _____________________________________________________________

             Decision of the National Commission sitting in restricted formation on the outcome of
                            the survey no. [...] conducted with "Company A"


                                                                                                  1 / 18I. Facts and procedure


      1. During its deliberation session of February 14, 2019, the National Commission

for data protection sitting in plenary session (hereinafter: "Training
                                                                          1
Plenary ") had decided to open an investigation with the ABCD group on the basis of the article
                   er
37 of the law of 1 August 2018 on the organization of the National Commission for
data protection and the general data protection regime (hereinafter "the law

of August 1, 2018 ”) and to appoint Mr. Christophe Buschmann as chef

of investigation.



      2. According to the decision of the Plenary Panel, the investigation carried out by the
National Commission for Data Protection (hereafter: "CNPD") had as

purpose of verifying compliance with the provisions of the regulation on the protection of

natural persons with regard to the processing of personal data and the

free movement of such data, and repealing Directive 95/46 / EC (hereinafter "GDPR")

and the law of August 1, 2018, in particular through the establishment of

video surveillance and geolocation, if applicable, installed by the four companies of the

ABCD group.


      3. On September 27, 2019, CNPD agents visited

at the premises of Company A at the administrative headquarters of [S1] and at the site of [S2]. Being

given that the report no. […] Relating to the said on-site fact-finding mission

mentions that, among the four companies of the ABCD group, as head of

treatment controlled the company "Company A", the decision of the National Commission for

data protection sitting in restricted formation on the outcome of the investigation (here-

after: "Restricted Training") will be limited to the treatments controlled by the agents of the

CNPD and carried out by the company "Company A".






1
 And more specifically with the companies Société B, registered in the Trade and Companies Register of
Luxembourg under number […], with registered office at L- […]; Company A, registered in the Trade Register and
Luxembourg Companies under number […], with registered office at L- […]; Company C, entered in the register
of Commerce and Companies of Luxembourg under number […], with registered office at L- […] and Company D,
registered in the Luxembourg Trade and Companies Register under number […], with registered office at L-
[…].
2Cf. in particular the report no. […] Relating to the on-site visit carried out on September 27, 2019
with Company A.

   _____________________________________________________________

               Decision of the National Commission sitting in restricted formation on the outcome of
                              the survey no. [...] conducted with "Company A"


                                                                                                          2/18 4. “Company A” is a […] registered in the Trade and Companies Register


Luxembourg under number […], with registered office at L- […] (hereinafter “the controlled”).
    3
[…].


       5. During the aforementioned visit of September 27, 2019 by CNPD agents to

the premises of the inspected at the administrative headquarters of [S1] and at the site of [S2], the "delegate to


data protection ”of the inspected confirmed to CNPD agents that the inspected

uses two video surveillance systems. A first system is installed in the

buildings at the administrative headquarters of [S1] and a second system is operated from the

site of [S2]. The video surveillance system installed at the administrative headquarters of [S1] is

composed of eight cameras which operate continuously (24 hours a day) and the system of 6

video surveillance installed on the [S2] site is made up of one to five cameras per [...]

([…]) And the cameras also operate continuously (24 hours a day). 8



       6. The “data protection officer” of the inspected confirmed that the

controlled does not use a geolocation device. 9



       7. As for the administrative headquarters of [S1], it was explained to the CNPD agents that

the video surveillance system is managed by Company B as a subcontractor for the
                                                                                             10
account of the inspected who is to be considered as data controller. He was

confirmed that the purposes of setting up the video surveillance system are the

protection of company assets and access security. 11



       8. As for the site of [S2], it was explained to the CNPD agents that the purposes of

the implementation of the video surveillance system are the protection of property




3According to the information provided on its own website: […]
4
5The address of the administrative headquarters of [S1]: […].
 The site address of [S2]: […].
6 See report 9 of report no. […] Relating to the on-site visit carried out on September 27, 2019
with Company A.
7The CNPD agents inspected the images transferred by the cameras installed on the sites of […]
(see report no. […]).
8
  See report 14 of report no. […] Relating to the on-site visit carried out on September 27, 2019
with Company A.
9 Cf. in particular report no. […] Relating to the on-site visit carried out on September 27, 2019
with Company A.
10Cf. finding 7 of report no. […] Relating to the on-site visit carried out on September 27, 2019
with Company A.
11
  See report 8 of report no. […] Relating to the on-site visit carried out on September 27, 2019
with Company A.

   _____________________________________________________________
                Decision of the National Commission sitting in restricted formation on the outcome of

                                 the survey no. [...] conducted with "Company A"


                                                                                                                    3/18 the company, securing access and preventing accidents. 12 Training

Restricted assumes that this video surveillance system is managed by the inspected

as data controller.


      9. At the end of his investigation, the head of investigation notified the inspector on 3
February 2020 a statement of objections detailing the shortcomings he considered

constituted in this case, and more specifically a non-compliance with the requirements of Article

5.1.c) of the GDPR and non-compliance with the requirements of article 5.1.e) of the GDPR.


      10. On February 28, 2020, the inspected filed written observations on the

statement of objections.


      11. A letter supplementing the statement of objections was sent to
checked on August 10, 2020. In this letter, the head of the investigation proposed to the

Restricted training to adopt two different corrective measures, as well as to inflict

at the control an administrative fine in the amount of 1,900 EUR.


      12. By letter August 25, 2020, the inspected produced written observations on the

letter supplementing the statement of objections.


      13. The president of the Formation Restricted informed the control by letter of the 16

October 2020 that his case would be registered for the Restricted Training session of the 27
November 2020. The inspected confirmed their presence at the said meeting on 13

November 2020.


      14. During the Restricted Training session on November 27, 2020, the leader

investigation team and the inspector presented their oral observations in support of their

written observations and answered questions posed by the Restricted Training. The
controlled spoke last.


II. Place



II. 1. As to the grounds for the decision


A. On the breach linked to the principle of data minimization


12Cf. finding 15 of report no. […] Relating to the on-site visit carried out on September 27, 2019
with Company A.
   ______ ______________________________________________________
              Decision of the National Commission sitting in restricted formation on the outcome of
                             the survey no. [...] conducted with "Company A"



                                                                                                      4/181. On the principles


       In accordance with Article 5.1.c) of the GDPR, personal data must

be "adequate, relevant and limited to what is necessary for the purposes

for which they are processed (data minimization) ”.


       The principle of data minimization in video surveillance involves

that it should only be filmed what appears strictly necessary to reach the

purpose (s) pursued and that processing operations must not be
                     13
disproportionate.


       Article 5.1.b) of the GDPR states that personal data must

be "collected for specific, explicit and legitimate purposes, and not be

further processed in a manner incompatible with these purposes; […] (Limitation of

purposes) ”.


       Before installing a video surveillance system, the data controller

must define, in a precise manner, the purpose (s) he wishes to achieve by using

such a system, and cannot then use the personal data

collected for other purposes. 14


       The necessity and proportionality of video surveillance is analyzed on a case-by-case basis

and, in particular, with regard to criteria such as the nature of the place to be placed under

video surveillance, its situation, configuration or attendance. 15


2. In this case










13
   See CNPD guidelines (Point 4.), available at: https://cnpd.public.lu/fr/dossiers-
thematic / videosurveillance / necessity-proportionality.html.
14
    See CNPD guidelines, available at: https://cnpd.public.lu/fr/dossiers-
thematic / videosurveillance / necessity-proportionality.html.
15 Cf. CNPD guidelines (Point 4.), available at: https://cnpd.public.lu/fr/dossiers-

thematic / videosurveillance / necessity-proportionality.html.
   _____________________________________________________________
               Decision of the National Commission sitting in restricted formation on the outcome of

                                the survey no. [...] conducted with "Company A"


                                                                                                               5/18 15. As for the site of [S2], it was explained to the CNPD agents that the purposes

of the implementation of the video surveillance system are the protection of property

the company, securing access and preventing accidents.


      16. When investigating the site of [S2] and looking at the monitoring monitors

to which are transmitted the images captured by the cameras installed on the

[…], The CNPD agents noted that


                i) on the site of [S3], the fields of vision of several cameras

                include parts of the public thoroughfare and surrounding land; and6


                ii) on the site of [S4], the field of view of a camera includes parts

                from the public road and neighboring land. 7


      17. The head of the investigation was of the opinion that "(...) the surveillance of the public highway and

of neighboring land is however to be considered as disproportionate. Indeed, at

in view of the aforementioned purposes for which video surveillance is operated, it is not

necessary to include parts of the public road or neighboring land in the

fields of view of the cameras listed under points A.1. and A.2. of this. "

(statement of objections, Ad. A.1. and Ad. A.2.)


      18. The inspected for his part explained that the main purposes of the

video surveillance were the prevention of accidents (for their staff and for
external persons) and protection […]. In addition, the inspected explained that the

visualization of a small space around the fence was necessary to be able to act

in a preventive and not curative manner and that the detection of movements upstream of the

fence allowed, on the one hand, the triggering of systems [...] which were intended to

deter intrusion attempts and, on the other hand, on-site intervention

faster. Nevertheless, the inspector claimed to have adapted the fields of vision of

disputed cameras on the site of [S3] and also of the disputed camera on the site of
                                                                             18
[S4] by blurring the parts of the public road and the surrounding land.






16
17 Communication of Grievances, A.1.
18 Communication of Grievances, A.2.
  C______ ________________________ __________ the communication of __ ______________er 2020.

              Decision of the National Commission sitting in restricted formation on the outcome of
                              the survey no. [...] conducted with "Company A"


                                                                                                         6/18 19. The Restricted Formation notes that the annexes to the letter from the

February 28, 2020 contain photos of the fields of view of the disputed cameras which

show that public roads and / or neighboring land are now blurred.


      20. In his letter of 25 August 2020, the inspected reiterated that he had

already corrected the fields of view of the disputed cameras after receipt of the

statement of objections and that he had ensured, during a review of all

cameras installed, so that these cameras do not film the public road.


      21. The Restricted Training would like to remind you that the cameras intended to monitor

a place or the surroundings of a building or a site must have a limited field of vision
on the surface strictly necessary to visualize the people about to access it.

Cameras installed around or around a building must be configured to

so as not to capture the public thoroughfare, nor the surroundings, entrances, accesses and interiors of others

neighboring buildings possibly falling within their field of vision. In terms of

the configuration of the premises, it is sometimes impossible to install a camera that does not

would not include in his field of vision part of the public road, surroundings,

entrances, entrances and interiors of other buildings. In such a case, the CNPD considers that the

controller must implement masking techniques or
blurring in order to limit the field of vision to its property. 19


      22. In view of the foregoing, the Restricted Formation agrees with the findings of the chief

investigation according to which the non-compliance with Article 5.1.c) of the GDPR was established

the site visit by CNPD agents.


B. On the breach linked to the principle of limitation of retention



1. On the principles


      23. In accordance with Article 5.1.e) of the GDPR, personal data

must be kept "in a form permitting the identification of persons






19 Cf. CNPD guidelines (Point 4.), available at: https://cnpd.public.lu/fr/dossiers-
thematic / videosurveillance / necessity-proportionality.html.
20 Communication of grievances, Ad. A.1. and Ad.A.2.

   _____________________________________________________________
              Decision of the National Commission sitting in restricted formation on the outcome of
                              the survey no. [...] conducted with "Company A"


                                                                                                         7/18concerned for a period not exceeding that necessary with regard to the purposes

for which they are processed […] ”.



      24. According to recital (39) of the GDPR "personal data
should be adequate, relevant and limited to what is necessary for the purposes

for which they are processed. This requires, in particular, to ensure that the duration of

data retention is limited to the strict minimum. Personal data

personnel should only be processed if the purpose of the processing cannot be

reasonably achieved by other means. In order to ensure that the data is not

not kept longer than necessary, time limits should be set by the

controller for their erasure or for periodic review […]. ".


2. In this case


      25. As for the administrative headquarters of [S1], it was explained to CNPD agents

during the on-site investigation that the video surveillance system is managed by Company B in

as a subcontractor on behalf of the inspected who is to be considered responsible

processing. It was confirmed that the purposes of the establishment of the
                                                                                              22
video surveillance is used to protect company assets and secure access.


      26. With regard to the retention period of the images recorded by the

CCTV cameras, it emerges from the findings of CNPD agents that the

oldest data dated June 28, 2019, i.e. the duration of
                                                 23
data retention was three months.


      27. According to the head of the investigation, the said retention period for

three months of video surveillance exceeded that necessary to carry out the

the aforementioned purposes and for which the video surveillance system had been put in

square. For this reason, the head of the investigation was of the opinion that a non-compliance with the prescribed

of Article 5.1.e) of the GDPR was acquired on the day of the on-site visit (see communication
of grievances, Ad.A.3.). Therefore, he proposed to the Restricted Training to order the controlled




21Cf. finding 7 of report no. […] Relating to the on-site visit carried out on September 27, 2019
with Company A.
22Cf. finding 8 of report no. […] Relating to the on-site visit carried out on September 27, 2019
with Company A.
23
  See report 12 of report no. […] Relating to the on-site fact-finding mission carried out on the 27th
Sep_________ _ _____ ___ _______________________________________

               Decision of the National Commission sitting in restricted formation on the outcome of
                               the survey no. [...] conducted with "Company A"


                                                                                                          8/18 to implement a retention period policy for personal data

staff in accordance with Article 5.1.e) of the GDPR, in particular by not keeping the
                                                               24
images of the video stream for a duration exceeding one week.


      28. By letter of February 28, 2020, the inspector specified that after verification with

his subcontractor, the latter had found a programming error in the system

video surveillance as the source of the problem of erasing
records. The inspected confirmed that his subcontractor had, consequently,

rescheduled the shelf life to a maximum of 30 days and henceforth

30 day old records will be automatically deleted. 25


      29. By letter of 25 August 2020, the inspected explained that the ABCD group had

set the retention period for video recordings for all its entities at 30

days this to protect people and property from any incident that would cause

damage, but also to preserve the evidence necessary for an action in

justice. In addition, the inspector indicated that the declaration of infringements required a certain
time and that the timeframe for opening an investigation was well over one week in

the majority of cases. In addition, in the context of the legitimate interest of the ABCD group to protect

his property, acts of vandalism were not always immediately detected, but

during […] or a periodic building inspection. Thus, the delay of a

week did not allow the controlled to be able to gather the evidence

essential for a request for reparation. The inspected also considered that, in
practice, the access procedures put in place ensured that the recordings

would not be used for purposes other than those declared, so that a period of

retention of 30 days was a period necessary to fulfill the aforementioned purposes.


      30. During the hearing of the Restricted Formation of November 27, 2020, the chief

investigation explained once again that the one-week shelf life is

referred only to the administrative headquarters of [S1] where the inspectorate's offices are located,

because he considered that for the controlled offices a retention period of 30

days would not be justified, unlike the sites […]. The controlled reiterated his remarks
contained in his letter of August 25, 2020 insisting that a retention period

images from CCTV cameras a week would not be



24Cf. letter supplementing the statement of objections.
25See also the photo of the programming extract sent by mail from the inspected on February 28, 2020.
   _____________ __ _ _____________ ______ _____________________
              Decision of the National Commission sitting in restricted formation on the outcome of
                             the survey no. [...] conducted with "Company A"


                                                                                                      9/18 sufficient, but that a shelf life of 30 days would be more realistic, especially for

what are the security issues.


      31. Restricted Training reminds that it belongs to the controller

to determine, depending on each specific purpose, a retention period
appropriate and necessary in order to achieve said purpose. As mentioned above, the controlled

believes that a 30-day retention period is necessary in order to achieve the

purposes pursued, that is to say to protect the assets of the inspected and secure access to

its premises.


      32. With regard to video surveillance, the CNPD considers that the images can
be kept in principle for up to 8 days by virtue of the aforementioned principle of Article

5.1.e) of the GDPR. The data controller may exceptionally, for reasons

duly justified, keep the images for a period of 30 days. A duration of

retention greater than 30 days is generally considered to be
                  26
disproportionate.


      33. In the event of an incident or violation, Restricted Training is of the opinion that the
images may be kept beyond this period and, if necessary, be

communicated to the competent judicial authorities and law enforcement authorities

competent to ascertain or prosecute criminal offenses.


      34. While Restricted Training may understand the need for the controlled

keep the images from video surveillance for 30 days, she notes

however, during the on-site visit by CNPD agents, the duration was three
months which largely exceeded the time necessary to achieve the purposes

pursued.


      35. Based on all of these elements, the Restricted Training concludes that at

at the time of the site visit by CNPD officials, Article 5.1.e) of the GDPR was not

not respected by the controlled.


II. 2. On corrective measures and fines




26 Cf. CNPD guidelines (Point 4.7.), Available at: https://cnpd.public.lu/fr/dossiers-
thematic / videosurveillance / necessity-proportionality.html.
   ___________ ____________ __________ _________________________
              Decision of the National Commission sitting in restricted formation on the outcome of
                             the survey no. [...] conducted with "Company A"



                                                                                                    10/181. The principles

                                                        er
      36. In accordance with article 12 of the law of August 1, 2018, the CNPD has the

power to adopt all the corrective measures provided for in Article 58.2 of the GDPR:

"(A) notify a controller or processor that data processing operations

treatment envisaged are likely to violate the provisions of these regulations;



b) call to order a controller or a processor when the

processing operations have resulted in a violation of the provisions of this Regulation;


c) order the controller or processor to comply with the requests

presented by the data subject in order to exercise their rights under the

this regulation;


d) order the controller or processor to put the data processing operations

processing in accordance with the provisions of this Regulation, where applicable, of

in a specific way and within a specific timeframe;


e) order the controller to communicate to the data subject a

personal data breach;



f) impose a temporary or permanent restriction, including a ban, of processing;


g) order the rectification or erasure of personal data or the

restriction of processing in application of Articles 16, 17 and 18 and the notification of these

measures to the recipients to whom the personal data have been disclosed

in accordance with Article 17, paragraph 2, and Article 19;


h) withdraw a certification or order the certification body to withdraw a

certification issued in application of Articles 42 and 43, or order the

certification not to issue certification if the requirements for certification

are not or no longer satisfied;



   _____________________________________________________________
              Decision of the National Commission sitting in restricted formation on the outcome of

                              the survey no. [...] conducted with "Company A"


                                                                                                     11/18 (i) impose an administrative fine in application of Article 83, in addition to or

the place of the measures referred to in this paragraph, depending on the characteristics
specific to each case;



j) order the suspension of data flows addressed to a recipient located in a

third country or to an international organization. "

      37. In accordance with article 48 of the law of August 1, 2018, the CNPD may impose

administrative fines as provided for in Article 83 of the GDPR, except against

state or municipalities.


      38. Article 83 of the GDPR provides that each supervisory authority ensures that

administrative fines imposed are, in each case, effective, proportionate and
dissuasive, before specifying the elements that must be taken into account in deciding

whether to impose an administrative fine and to decide on the amount of this

fine:


"(A) the nature, gravity and duration of the breach, taking into account the nature, extent
or the purpose of the processing concerned, as well as the number of data subjects

affected and the level of damage they suffered;



(b) whether the violation was committed willfully or negligently;


c) any measures taken by the controller or processor to mitigate the

damage suffered by the persons concerned;



d) the degree of responsibility of the controller or processor, account
taking into account the technical and organizational measures they have implemented under

Articles 25 and 32;



e) any relevant breach previously committed by the controller or
the subcontractor ;



f) the degree of cooperation established with the supervisory authority in order to remedy the violation

and mitigate any negative effects;
   _____________________________________________________________

              Decision of the National Commission sitting in restricted formation on the outcome of
                             the survey no. [...] conducted with "Company A"


                                                                                                    12 / 18g) the categories of personal data affected by the breach;



h) the manner in which the supervisory authority became aware of the breach, in particular whether,

and to what extent the controller or processor has notified the breach;


(i) where measures referred to in Article 58 (2) have previously been

ordered against the controller or the processor concerned for the

same object, compliance with these measures;


j) the application of codes of conduct approved in accordance with Article 40 or

certification mechanisms approved under Article 42; and


k) any other aggravating or mitigating circumstance applicable to the circumstances of

the species, such as financial benefits obtained or losses avoided, directly or

indirectly, as a result of the violation ”.


      39. The Restricted Training would like to point out that the facts taken into account in the
framework of this decision are those noted at the start of the investigation. Any

changes relating to the processing of data subject to the investigation

later, even if they make it possible to fully or partially establish the
compliance, do not retroactively cancel a breach found.


      40. Nevertheless, the steps taken by the inspected to get into

compliance with the GDPR during the investigation process or to remedy

shortcomings identified by the head of investigation in the statement of objections, are taken

taken into account by the Restricted Training in the context of any corrective measures
to pronounce.


2. In this case



2.1. As for the imposition of an administrative fine





   _____________________________________________________________

              Decision of the National Commission sitting in restricted formation on the outcome of
                             the survey no. [...] conducted with "Company A"


                                                                                                  13/18 41. In his additional letter to the statement of objections of 10 August
2020, the head of the investigation proposed to the Restricted Formation to impose a fine

administrative control in the amount of 1,900 euros.


      42. In its response to the additional letter of August 10, 2020, the inspected

claimed in particular that he had promptly taken all corrective measures
recommended subject to the 30-day retention period and that he misunderstood

why he would be liable to an administrative fine.


      43. In order to decide whether to impose an administrative fine and to decide,

if applicable, the amount of this fine, the Restricted Training takes into account
the elements provided for in Article 83.2 of the GDPR:


     As to the nature and seriousness of the violation (article 83.2.a) of the GDPR), the

       Restricted Training notes that with regard to breaches of articles

       5.1.c) and e) of the GDPR, they constitute breaches of the principles

       fundamental principles of the GDPR (and of data protection law in general), to
       know the principles of data minimization and limitation of

       retention of data devoted to Chapter II “Principles” of the GDPR.


     As for the duration criterion (article 83.2.a) of the GDPR), the Restricted Training

       notes that these shortcomings have lasted over time, at least since
       May 25, 2018 and until the day of the on-site visit. The Restricted Training recalls

       here that two years have separated the entry into force of the GDPR from its entry into

       application to allow data controllers to comply with

       obligations incumbent on them, even if the obligations to respect
       principles of minimization and limitation of conservation already existed in

       application of Articles 4.1. b) and d) of the repealed law of 2 August 2002 on the

       protection of individuals with regard to the processing of personal data

       staff.

     As for the number of data subjects (article 83.2.a) of the GDPR), the

       Restricted Training notes that


           o with regard to the breach of Article 5.1.c) of the GDPR in relation to

              at the sites of [S3] and [S4], are concerned, on the one hand passers-by using
   _____________________________________________________________

             Decision of the National Commission sitting in restricted formation on the outcome of
                           the survey no. [...] conducted with "Company A"


                                                                                              14/18 public roads, and on the other hand land owners
               neighbors;


           o with regard to the breach of Article 5.1.e) of the GDPR in relation to

               at the administrative headquarters of [S1], all employees working

               at the administrative headquarters, as well as all third parties, that is to say
               customers, suppliers, service providers and visitors visiting

               said site.


     As to the question of whether the breaches were deliberately committed

       or not (by negligence) (article 83.2.b) of the GDPR), the Restricted Training recalls

       that "not willfully" means that there was no intention to commit the
       violation, although the controller or processor has not

       complied with its duty of care under the law.



       In this case, the Restricted Training is of the opinion that the facts and the breaches
       observed do not reflect a deliberate intention to violate the GDPR in the chief

       of the controlled.


     As for the degree of cooperation established with the supervisory authority (Article 83.2.f) of

       RGPD), the Restricted Training takes into account the statement of the head of the investigation
       that the cooperation of the controlled throughout the investigation was good, thus

       that of its desire to comply with the law as soon as possible.


      44. The Restricted Panel notes that the other criteria of Article 83.2 of

GDPR are neither relevant nor likely to influence his decision on taxation
of an administrative fine and its amount.


      45. The Restricted Training also notes that while several measures have been implemented

placed by the inspected in order to remedy in whole or in part certain shortcomings,

these were only adopted following the control of CNPD agents on
September 27, 2019.


      46. Therefore, the Restricted Panel considers that the imposition of a fine

administrative procedure is justified with regard to the criteria set out in Article 83.2 of the GDPR for

breaches of Articles 5.1.c) and e) of the GDPR.
   _____________________________________________________________

              Decision of the National Commission sitting in restricted formation on the outcome of
                            the survey no. [...] conducted with "Company A"


                                                                                                 15/18 47. Regarding the amount of the administrative fine, the Restricted Training
recalls that paragraph 3 of Article 83 of the GDPR provides that in the event of violations

multiple, as is the case in this case, the total amount of the fine may not exceed

the amount set for the most serious violation. Insofar as breaches of

Article 5 of the GDPR is criticized for the inspectorate, the maximum amount of the fine being
to be retained amounts to 20 million euros or 4% of global annual turnover, the

the higher amount being withheld.


      48. In view of the relevant criteria of Article 83.2 of the GDPR mentioned above, the

Restricted Training considers that the pronouncement of a fine of 1,900 euros appears
both effective, proportionate and dissuasive, in accordance with the requirements of Article 83.1

of the GDPR.


2.2. Regarding the taking of corrective measures


      49. The adoption of the following corrective measures was proposed by the Chief

investigation into the Restricted Training in its additional letter to the
statement of objections:


       "A) Order the controller to process only data

      relevant, adequate and limited to what is necessary for the purposes of

      protecting property and securing access and, in particular, adapting the
      video device so as not to film the public road, for example by "blackening"

      partially the cameras named "[…]", "[…]", "[…]" and "[…]" installed

      on the site of [S3] and the camera named "[…]" installed on the site of [S4].


       b) Order the controller to implement a policy of

      retention period for personal data in accordance with

      provisions of e) of article 5 of the GDPR, not exceeding the time necessary for
      purposes for which they are collected, and in particular by not keeping

      the images of the video stream for a period exceeding one week. "


      50. The Restricted Training takes into account the steps taken by the

controlled, following the visit of CNPD agents, in order to comply with the
Articles 5.1.c) and e) of the GDPR, as detailed in his letters of February 28, 2020

and of 25 August 2020. More particularly, it takes note of the following facts, which were
   _____________________________________________________________

             Decision of the National Commission sitting in restricted formation on the outcome of
                            the survey no. [...] conducted with "Company A"


                                                                                                 16/18 confirmed by the inspected during the Restricted Training session on November 27
2020:


    - As for the obligation to process only relevant, adequate and

        limited to what is necessary for the purposes indicated in accordance with the

        provisions of Article 5.1.c) of the GDPR, the inspector has adapted the system
        video surveillance so that the public road and neighboring land are no longer

        filmed, in particular by blurring the parts of the public road and the grounds

        neighbors. The appendices to the inspected letter of February 28, 2020 contain

        photos showing the blurring of the areas in question.

    - As for the implementation of a data retention period policy

        personal character in accordance with the provisions of Article 5.1.e) of the GDPR, the

        controlled adapted, after the on-site visit by CNPD agents, the duration of

        retention of data from the video surveillance system from 3 months to 30
        days. The annexes to the letter of February 28, 2020 from the inspected contain a

        photo showing that the parameters of the video surveillance system have been

        amended so that the retention period was limited to 30 days.


      51. In consideration of the compliance measures taken by the inspectorate in
the species, the Restricted Formation considers that there is no need to pronounce measures

corrective measures with regard to it.




In view of the foregoing developments, the National Commission sitting

in restricted formation and deliberating unanimously decides:


- to pronounce against the company "Company A" an administrative fine of one

amount of one thousand nine hundred euros (1,900 euros), with regard to the violation of articles
5.1.c) and e) of the GDPR.





So decided in Belvaux on May 12, 2021.




   _____________________________________________________________

              Decision of the National Commission sitting in restricted formation on the outcome of
                             the survey no. [...] conducted with "Company A"


                                                                                                   17/18 For the National Commission for Data Protection sitting in formation

restraint






Tine A. Larsen Thierry Lallemang Marc Lemmer
  President Commissioner Commissioner






                           Indication of remedies



This administrative decision may be the subject of an appeal for reformation in the

three months following its notification. This appeal is to be brought before the administrative court.
and must be introduced through a lawyer at the Court of one of the Orders of

lawyers.
































   _____________________________________________________________

             Decision of the National Commission sitting in restricted formation on the outcome of
                            the survey no. [...] conducted with "Company A"


                                                                                               18/18