CNPD (Luxembourg) - Délibération n° 35FR/2021: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Luxembourg |DPA-BG-Color= |DPAlogo=LogoLU.png |DPA_Abbrevation=CNPD (Luxembourg) |DPA_With_Country=CNPD (Luxembourg) |Case_Number_Name=Délib...") |
(→Facts) |
||
(5 intermediate revisions by 2 users not shown) | |||
Line 50: | Line 50: | ||
}} | }} | ||
The Luxembourg DPA | The Luxembourg DPA (CNPD) imposed a fine of €5300 on a company for using a video camera surveillance system on its premises and tracking devices in some of its employees' vehicles in breach of the information obligation set out in [[Article 13 GDPR]] and in breach of the principle of data minimisation set out in [[Article 5 GDPR|Article 5(1)(c) GDPR]]. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
The CNPD carried out a ( | The CNPD carried out an audit on the premises of a company (the Company) to verify whether the latter was complying with the GDPR, in particular with respect to the installation of video surveillance cameras in the building and of geolocation tracking devices in the vehicles of some of its employees. | ||
=== Holding === | === Holding === | ||
During the audit | During the audit carried out by the CNPD, the CNPD found that the Company had failed to comply with several obligations relating to the principles of transparency and data minimization. | ||
==== On the use of video surveillance cameras ==== | |||
Regarding the use of video surveillance cameras, first, the CNPD found that the Company had violated the principle of data minimisation as well as the obligation to properly inform data subjects about the processing. | |||
===== Violation of the principle of data minimisation ===== | |||
According to the CNPD, the principle of data minimisation in the context of video surveillance implies that (i) the Company should only record what appears strictly necessary to achieve the purpose(s) of the processing, i.e. protecting the Company's assets and securing access to the building and (ii) that the processing operations must not be disproportionate. | |||
In this case, the CNPD found however that one of the cameras had been installed in such a way that the field of vision included the staff dining hall. Employees were thus potentially being monitored during their free time. The CNPD considered that installing cameras and filming the employees in places designed for private use is disproportionate. In particular, the CNPD pointed that the fundamental rights and freedoms of the employees (including their right to privacy) were prevailing over the legitimate interests of the employer to use video surveillance cameras foe security purposes. | |||
The outdoor camera's field of | The CNPD further found that the outdoor camera's field of vision included part of the public street as well as an adjacent site (i.e. the parking lot and the entrance of a shop located in front of the Company's building). The CNPD admitted that, depending on the configuration of the premises, it is sometimes impossible to limit the field of vision of the camera to private premises only. Sometimes, a small portion of the street or of the surrounding is also being recorded. In such a case, however, the CNPD considers that the data controller should implement masking or blurring techniques in order to limit the field of vision of the camera to its private property. | ||
In view of the above, the CNPD concluded that the Company had been acting in breach of the the principle of data minimization ([[Article 5 GDPR|Article 5(1)(c) GDPR]]). | |||
===== Violation of the information obligations ===== | |||
Informing the data subjects about the processing of their personal data is an essential element of the principle of transparency. The CNPD noted during the on-site audit that the existence of the video camera surveillance system was not notified to visitors. Furthermore, the employees were not duly informed about all the points listed in [[Article 13 GDPR]]. | |||
After the on-site audit, the Company adopted several measures in an attempt to remedy that breach, such as displaying stickers with a warning sign and an information sheet at the entrance to the building about video camera surveillance. The CNPD found however that these measures were not sufficient to fully comply with Article 13 GDPR. In this respect, the CNPD recommended to adopt a "multi-layer communication approach": (i) the first layer of information (e.g. a warning sign accompanied with a short text) should generally convey the most important information, such as the existence of a processing, the purpose of the processing, the identity of the controller, etc, as well as the way to obtain further information ; (ii) the second layer of information, which must include the rest of the elements listed in Article 13 GDPR, should be made easily accessible to the data subject, for example in the form of a comprehensive information sheet available at a central location (e.g. information desk, reception or cashier) or displayed on an easy accessible poster. As mentioned above, the first layer of information should clearly refer to the second layer of information. | |||
Based on | Based on these elements, the CNPD found that the Company had violated [[Article 13 GDPR]]. | ||
==== On the use of geolocation tracking devices ==== | |||
During the on-site audit, the CNPD found that the employees were not informed of the presence of the geolocation system in some of the Company's vehicles, except in some instances orally. The CNPD referred to the guidelines of the Article 29 Working Group on the transparency principle, and in particular to the fact that to controllers should always keep a written record of the measures that they have adopted, so that they are able to prove compliance with the obligation set out in [[Article 13 GDPR|Article 13]] GDPR. because the Company was not in position to prove that all its employees had been duly informed about the use of geolocation tracking device, the CNPD found that the Company had violated [[Article 13 GDPR]]. | |||
Considering the severity and extent of those violations, the CNPD imposed a fine of €5300 on the Company. The CNPD also issued an injunction against the Company to adopt corrective measures in order to bring its processing operations into compliance with the GDPR within a period of two months. in particular, the Company was ordered to: (i) modify the field of vision of the cameras, (ii) inform third parties in a clear and precise manner about the video surveillance system by providing them with all the information set out in [[Article 13 GDPR]], (iii) inform employees individually in a clear and precise manner about the video surveillance system and tracking devices in their cars by providing them with the information set out in [[Article 13 GDPR]]. | |||
== Comment == | == Comment == |
Latest revision as of 10:59, 17 November 2021
CNPD (Luxembourg) - Délibération n° 35FR/2021 | |
---|---|
Authority: | CNPD (Luxembourg) |
Jurisdiction: | Luxembourg |
Relevant Law: | Article 5(1)(c) GDPR Article 13 GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 06.11.2021 |
Published: | 02.11.2021 |
Fine: | 5300 EUR |
Parties: | n/a |
National Case Number/Name: | Délibération n° 35FR/2021 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | French |
Original Source: | Délibération n° 35FR/2021 (in FR) |
Initial Contributor: | Matthias Smet |
The Luxembourg DPA (CNPD) imposed a fine of €5300 on a company for using a video camera surveillance system on its premises and tracking devices in some of its employees' vehicles in breach of the information obligation set out in Article 13 GDPR and in breach of the principle of data minimisation set out in Article 5(1)(c) GDPR.
English Summary
Facts
The CNPD carried out an audit on the premises of a company (the Company) to verify whether the latter was complying with the GDPR, in particular with respect to the installation of video surveillance cameras in the building and of geolocation tracking devices in the vehicles of some of its employees.
Holding
During the audit carried out by the CNPD, the CNPD found that the Company had failed to comply with several obligations relating to the principles of transparency and data minimization.
On the use of video surveillance cameras
Regarding the use of video surveillance cameras, first, the CNPD found that the Company had violated the principle of data minimisation as well as the obligation to properly inform data subjects about the processing.
Violation of the principle of data minimisation
According to the CNPD, the principle of data minimisation in the context of video surveillance implies that (i) the Company should only record what appears strictly necessary to achieve the purpose(s) of the processing, i.e. protecting the Company's assets and securing access to the building and (ii) that the processing operations must not be disproportionate.
In this case, the CNPD found however that one of the cameras had been installed in such a way that the field of vision included the staff dining hall. Employees were thus potentially being monitored during their free time. The CNPD considered that installing cameras and filming the employees in places designed for private use is disproportionate. In particular, the CNPD pointed that the fundamental rights and freedoms of the employees (including their right to privacy) were prevailing over the legitimate interests of the employer to use video surveillance cameras foe security purposes.
The CNPD further found that the outdoor camera's field of vision included part of the public street as well as an adjacent site (i.e. the parking lot and the entrance of a shop located in front of the Company's building). The CNPD admitted that, depending on the configuration of the premises, it is sometimes impossible to limit the field of vision of the camera to private premises only. Sometimes, a small portion of the street or of the surrounding is also being recorded. In such a case, however, the CNPD considers that the data controller should implement masking or blurring techniques in order to limit the field of vision of the camera to its private property.
In view of the above, the CNPD concluded that the Company had been acting in breach of the the principle of data minimization (Article 5(1)(c) GDPR).
Violation of the information obligations
Informing the data subjects about the processing of their personal data is an essential element of the principle of transparency. The CNPD noted during the on-site audit that the existence of the video camera surveillance system was not notified to visitors. Furthermore, the employees were not duly informed about all the points listed in Article 13 GDPR.
After the on-site audit, the Company adopted several measures in an attempt to remedy that breach, such as displaying stickers with a warning sign and an information sheet at the entrance to the building about video camera surveillance. The CNPD found however that these measures were not sufficient to fully comply with Article 13 GDPR. In this respect, the CNPD recommended to adopt a "multi-layer communication approach": (i) the first layer of information (e.g. a warning sign accompanied with a short text) should generally convey the most important information, such as the existence of a processing, the purpose of the processing, the identity of the controller, etc, as well as the way to obtain further information ; (ii) the second layer of information, which must include the rest of the elements listed in Article 13 GDPR, should be made easily accessible to the data subject, for example in the form of a comprehensive information sheet available at a central location (e.g. information desk, reception or cashier) or displayed on an easy accessible poster. As mentioned above, the first layer of information should clearly refer to the second layer of information.
Based on these elements, the CNPD found that the Company had violated Article 13 GDPR.
On the use of geolocation tracking devices
During the on-site audit, the CNPD found that the employees were not informed of the presence of the geolocation system in some of the Company's vehicles, except in some instances orally. The CNPD referred to the guidelines of the Article 29 Working Group on the transparency principle, and in particular to the fact that to controllers should always keep a written record of the measures that they have adopted, so that they are able to prove compliance with the obligation set out in Article 13 GDPR. because the Company was not in position to prove that all its employees had been duly informed about the use of geolocation tracking device, the CNPD found that the Company had violated Article 13 GDPR.
Considering the severity and extent of those violations, the CNPD imposed a fine of €5300 on the Company. The CNPD also issued an injunction against the Company to adopt corrective measures in order to bring its processing operations into compliance with the GDPR within a period of two months. in particular, the Company was ordered to: (i) modify the field of vision of the cameras, (ii) inform third parties in a clear and precise manner about the video surveillance system by providing them with all the information set out in Article 13 GDPR, (iii) inform employees individually in a clear and precise manner about the video surveillance system and tracking devices in their cars by providing them with the information set out in Article 13 GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
Decision of the National Commission sitting in restricted formation on the outcome of survey no. [...] conducted with Company A Deliberation n ° 35FR / 2021 of October 6, 2021 The National Commission for Data Protection sitting in a restricted body composed of Ms Tine A. Larsen, president, and Messrs Thierry Lallemang and Marc Lemmer, commissioners; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the protection of individuals with regard to the processing of personal data personal character and on the free movement of such data, and repealing the Directive 95/46 / EC; Having regard to the law of 1 August 2018 on the organization of the National Commission for data protection and the general data protection regime, in particular its article 41; Having regard to the internal regulations of the National Commission for the Protection of data adopted by decision n ° 3AD / 2020 dated 22 January 2020, in particular its article 10 point 2; Having regard to the regulation of the National Commission for Data Protection relating to investigation procedure adopted by decision n ° 4AD / 2020 dated 22 January 2020, in particular Article 9; Considering the following: _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. [...] conducted with Company A 1 / 32I. Facts and procedure 1. During its deliberation session of January 16, 2019, the National Commission for data protection sitting in plenary session (hereinafter: "Training Plenary ") had decided to open an investigation with Group A on the basis of Article 37 er of the law of 1 August 2018 on the organization of the National Commission for data protection and the general data protection regime (hereinafter: "law er of August 1, 2018 ”) and to appoint Mr. Christophe Buschmann as chef of investigation. 2. According to the decision of the Plenary Panel, the investigation carried out by the National Commission for Data Protection (hereafter: "CNPD") had as purpose of monitoring the application and compliance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals physical with regard to the processing of personal data and to the circulation of this data, and repealing Directive 95/46 / EC (hereinafter: "RGPD") and of the law of August 1, 2018, in particular by the implementation of video surveillance and geolocation, where applicable, installed by the three companies of the Group A. 3. On February 20, 2019, CNPD agents visited the the premises of Group A. Given that the minutes relating to the said fact-finding mission on site only mentions, among the three companies of Group A, as responsible 2 of the controlled processing of Company A, the decision of the National Commission for data protection sitting in restricted formation on the outcome of the investigation (hereafter: "Restricted training") will be limited to processing operations controlled by CNPD agents and carried out by Company A. 4. Company A is a public limited company registered in the Trade and Luxembourg companies under number B […], with registered office at L- […] (hereinafter “the 1And more specifically with companies B, registered in the Luxembourg Trade and Companies Register under number B […], with registered office at L- […]; 2. C, registered in the Trade and Companies Register Luxembourg under number B […], with registered office at L- […]; 3. and A, registered in the Trade Register and Luxembourg Companies under number B […], with registered office at L- […]. 2 See in particular report no. […] Relating to the on-site fact-finding mission carried out on 20 February 2019 with Company A (hereafter: “report no. […]”). _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. [...] conducted with Company A 2/32 controlled ”). The inspected [is active in the retail trade of furniture and appliances lighting in specialized stores.] […]. 5. During the aforementioned visit of February 20, 2019 by CNPD agents in the premises of the inspected, it was confirmed to the CNPD agents that the inspected uses a CCTV system made up of seventy-five cameras including sixty-seven were in working order and installed a geolocation device in some of the vehicles used by its employees for their trips to customers.3 6. The inspected responded to the report drawn up by the CNPD agents by letter of April 2, 2019. 7. At the end of his investigation, the head of investigation notified the inspector on 6 September 2019 a statement of objections detailing the shortcomings he considered constituted in this case, and more specifically: with regard to video surveillance: non-compliance with the requirements prescribed by Article 13 of the GDPR (right to information) with regard to individuals concerned, i.e. employees and self-employed persons, i.e. customers, suppliers, service providers and visitors (hereinafter "the third parties ”) and non-compliance with the requirements of Article 5.1.c) of GDPR (principle of data minimization); with regard to geolocation: non-compliance with the requirements prescribed by Article 13 of the GDPR (right to information) with regard to employees. 8. On 2 October 2019, the inspected filed written observations on the statement of objections. 9. A letter supplementing the statement of objections was sent to checked on August 17, 2020. In this letter, the head of the investigation proposed to the Restricted training to adopt two different corrective measures, as well as to inflict at the control an administrative fine in the amount of 5,300 euros. 3 See findings 8.10 and 9.1 of report no. […]. _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. [...] conducted with Company A 3/32 10. By letter of September 21, 2020, the inspected produced written observations on the additional letter to the statement of objections. 11. The president of the Restricted Training informed the control by letter of 5 January 2021 that his case would be registered for the Restricted Training session on 11 February 2021. The inspected confirmed their presence at the said meeting on January 14 2021. 12. During the Restricted Training session on February 11, 2021, the leader investigation and the inspectorate, represented by Me Elisabeth Alex, lawyer at the Court, explained their oral submissions in support of their written submissions and responded to questions asked by the Restricted Training. The president granted the controlled possibility of sending additional information on the forms until the end of the month information signed by employees. The controlled had the floor last. II. Place II. 1. As to the grounds for the decision II.1.1. As for the video surveillance system A. On the breach linked to the principle of data minimization 1. On the principles 13. In accordance with Article 5.1.c) of the GDPR, personal data must be "adequate, relevant and limited to what is necessary with regard to purposes for which they are processed (data minimization) ”. 14. The principle of data minimization in video surveillance implies that it should only be filmed what appears strictly necessary to achieve the purpose (s) pursued and that the processing operations must not be disproportionate. 4 4 See CNPD Guidelines (Point 4.), available at: https://cnpd.public.lu/fr/dossiers- thematic / videosurveillance / necessity-proportionality.html. _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. [...] conducted with Company A 4/32 15. Article 5.1.b) of the GDPR provides that personal data must be "collected for specific, explicit and legitimate purposes, and not be further processed in a manner incompatible with these purposes; […] (Limitation of purposes) ”. 16. Before installing a video surveillance system, the person in charge of processing must define, precisely, the purpose (s) it wishes to achieve in using such a system, and cannot then use the personal data 5 personal data collected for other purposes. 17. The necessity and proportionality of video surveillance is analyzed on a case-by-case basis. case and, in particular, with regard to criteria such as the nature of the place to be placed under video surveillance, its situation, configuration or attendance. 6 2. In this case 18. During the on-site visit, it was explained to CNPD officers that the purposes of setting up the video surveillance system are the protection of property 7 of the company and securing access. 2.1 Regarding the field of view of the camera aimed at the staff dining hall 19. During the said visit, the CNPD agents noted that the field of vision of the camera called "[…]" includes, in the upper left corner, the refectory staff and allows employees to be monitored during their free time. 8 20. The head of the investigation was of the opinion that even if the aforementioned purposes "may find one or more bases of lawfulness under article 6, the supervision of employees in a space reserved for eating, relaxing and resting (such as a dining hall personnel) is, however, to be considered as disproportionate when the 5 See CNPD Guidelines, available at: https://cnpd.public.lu/fr/dossiers- thematic / videosurveillance / necessity-proportionality.html. 6 See CNPD Guidelines (Point 4.), available at: https://cnpd.public.lu/fr/dossiers- thematic / videosurveillance / necessity-proportionality.html. 7 See report 8.9 of report no. […]. 8See report 8.13 of report no. […]. _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. [...] conducted with Company A 5/32 people present there will be permanently subject to video surveillance so that they choose these places as meeting places to have a good time around a meal, to communicate, have fun or relax. " (communication of grievances, Ad. A.3.). For the head of the investigation, the assertion by the inspectorate that the system surveillance would not have the purpose of monitoring employees is not nature to upset this finding and it thus retained against the inspected a non-conformity to the provisions of article 5.1. c) of the GDPR. 21. The inspected for his part explained in his reply letter to the statement of objections of 2 October 2019 that the camera at issue was not intended to film the refectory, but its purpose was to film the access corridors or platforms Delivery. Unfortunately, said camera would have captured in its field of vision the upper corner of the refectory window and the inspector would thus have decided to remove this camera. 22. Restricted Training would like to remind you that employees have the right not to be subject to continuous and permanent surveillance in the workplace. To reach the purposes pursued, it may appear necessary for a controller to install a video surveillance system in the workplace. On the other hand, respecting the principle of proportionality, the controller must have recourse to the means of monitoring the most protective of the employee's private sphere and, for example, limiting fields of view of the cameras to the only area necessary to reach the purpose (s) pursued. 23. When it comes to places reserved for employees in the workplace for a private use, such as a dining hall where employees can meet around a meal, surveillance cameras are in principle considered to be disproportionate to the purposes sought. The same goes for places such as, for example, changing rooms, toilets, smoking areas, rest, the kitchenette or any other place reserved for employees for private use. In in these cases, the fundamental rights and freedoms of employees must prevail over the interests legitimate lawsuits pursued by the employer. 9See controlled letter of April 2, 2019. _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. [...] conducted with Company A 6/32 24. The Restricted Formation notes that the inspected removed the disputed camera which included in the upper left corner of his field of vision the refectory of the staff. 25. It nonetheless agrees with the findings of the head of the investigation that the non- compliance with Article 5.1.c) of the GDPR was acquired on the day of the on-site visit of the agents of the CNPD. 2.2 Regarding the field of vision of cameras targeting public roads / land neighboring 26. During the on-site visit of February 20, 2019, the CNPD agents noted that the field of view of the camera called "[…]" allows the surveillance of a part of the public road and a neighboring land, in this case the parking lot and access to the store "[…]" located in front of the building of the inspected, while the field of vision of cameras called […] ”and“ […] ”allow part of the track to be monitored 10 public. 27. In his letter of April 2, 2019, the inspected specified that as regards " cameras placed outside the store to view the outdoor car park, the entrance and the exit from the underground car park, emergency exits and doors, gates and entrances, there unfortunately seems inevitable that a small part of the road respectively of the site […] are in the field of vision. He felt that in view of the distance between the two enclosures or between the store and the public road, "the images that appear in the field of view are more than blurry. It is impossible to recognize or identify individuals so that the invasion of privacy is more than minimal or even totally non-existent. "The controlled nevertheless specified that he will try to remedy this problem by seeking a solution that best respects the privacy of physical persons. 28. In his statement of objections, however, the head of the investigation was of the opinion an identification of the people who appear in the fields of vision of affected cameras is not excluded. As the surveillance of the public highway and 10 See findings 8.14, 15 and 16 of report no. […]. _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. [...] conducted with Company A 7/32 neighboring land would be considered disproportionate and that in view of the purposes pursued, it would not be necessary to encompass parts of the public thoroughfare or neighboring land in the fields of vision of said cameras, it thus against the inspected non-compliance with the requirements of article 5.1. c) of the GDPR. 29. The Restricted Training would like to remind you that the cameras intended to monitor an access point (entrance and exit, threshold, porch, door, awning, hall, etc.) must have a field of vision limited to the area strictly necessary to visualize people preparing to access it. Those who film exterior accesses must not signpost the entire width of a sidewalk running alongside, where applicable, the building or public roads adjacent. Likewise, outdoor cameras installed near or around a building must be configured so as not to capture the public thoroughfare, nor the surroundings, entrances, accesses and interiors of other neighboring buildings possibly entering 11 their field of vision. 30. She admits, however, that depending on the layout of the premises, it is sometimes impossible to install a camera that does not include in its field of vision a part of the public thoroughfare, surroundings, entrances, entrances and interiors of other buildings. In such a case, it considers that the controller should put in place masking or blurring techniques in order to limit the field of vision to its property. 12 31. The Restricted Formation notes that the controlled letter of October 2, 2019 contains in appendix 5 photos showing that the fields of vision of the cameras called "[…]" and "[…]" have been modified, so as to no longer film the public road or neighboring land. With regard to the camera referred to by the agents of the CNPD “[…]”, the Restricted Formation notes that two cameras are however targeted having different fields of vision and referred to as “[…]” and “[…]”. No picture annexed to the aforementioned letter of the inspected does not however demonstrate the modification of 11 See CNPD Guidelines (Point 4.1.), Available at: https://cnpd.public.lu/fr/dossiers- thematic / videosurveillance / necessity-proportionality.html. 12 See CNPD Guidelines (Point 4.1.), Available at: https://cnpd.public.lu/fr/dossiers- thematic / videosurveillance / necessity-proportionality.html. 13 See the photos […] and […] included in report 16 of report no. […]. _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. [...] conducted with Company A 8/32 fields of vision of these two cameras allowing the surveillance of part of the track public. 32. In view of the foregoing, the Restricted Formation agrees with the findings of the chief 14 investigation according to which the non-compliance with Article 5.1.c) of the GDPR with regard to the aforementioned cameras was acquired on the day of the on-site visit of the agents of the CNPD. B. On the breach related to the obligation to inform the persons concerned 1. On the principles 33. Pursuant to paragraph 1 of Article 12 of the GDPR, the "controller take appropriate measures to provide any information referred to in Articles 13 and 14 as well as to make any communication under Articles 15 to 22 and Article 34 with regard to the processing to the data subject in a concise manner, transparent, understandable and easily accessible, in clear and simple terms […]. " 34. Article 13 of the GDPR provides the following: "1. When personal data relating to a data subject are collected from this person, the controller provides them, at the time where the data in question is obtained, all of the following information: a) the identity and contact details of the controller and, where applicable, of the representative of the controller; b) where applicable, the contact details of the data protection officer; c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing; 14 Statement of objections, Ad. A.3. _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. [...] conducted with Company A 9 / 32d) where the processing is based on Article 6 (1) (f), the legitimate interests pursued by the controller or by a third party; e) the recipients or the categories of recipients of the personal data, if they exist; and f) where applicable, the fact that the controller intends to carry out a transfer of personal data to a third country or to an organization international, and the existence or absence of an adequacy decision issued by the Commission or, in the case of transfers referred to in Article 46 or 47, or in Article 49, paragraph 1, second subparagraph, the reference to appropriate or adapted guarantees and the how to obtain a copy or where it was made available; 2. In addition to the information referred to in paragraph 1, the controller shall provide to the data subject, when the personal data are obtained, the following additional information which is necessary to guarantee fair and transparent treatment: a) the retention period of personal data or, when this is not possible, the criteria used to determine this duration; b) the existence of the right to request from the controller access to data at personal character, rectification or erasure thereof, or a limitation of the processing relating to the data subject, or the right to object to the processing and right to data portability; c) where the processing is based on Article 6 (1) (a) or on Article 9, paragraph 2 (a), the existence of the right to withdraw consent at any time, without affecting the lawfulness of the processing based on consent made before the withdrawal of it; d) the right to lodge a complaint with a supervisory authority; _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. [...] conducted with Company A 10/32 (e) information on whether the requirement to provide data to personal character has a regulatory or contractual character or if it conditions the conclusion of a contract and whether the data subject is obliged to provide the data to personal character, as well as the possible consequences of the non-provision of those data; f) the existence of automated decision-making, including profiling, referred to in Article 22, paragraphs 1 and 4, and, at least in such cases, useful information concerning the underlying logic, as well as the significance and expected consequences of this processing for the person concerned. 3. When he intends to carry out further processing of personal data personal for a purpose other than that for which the personal data have been collected, the data controller provides the person with concerned information about this other purpose and any other information relevant referred to in paragraph 2. 4. Paragraphs 1, 2 and 3 do not apply when and to the extent that the person concerned already has this information. " 35. Communication of information relating to the processing of their data is an essential element in the context of compliance with general transparency obligations within the meaning of the GDPR. 15 These obligations have been clarified by the Article 29 Working Group in its guidelines on transparency within the meaning of Regulation (EU) 2016/679, the revised version of which has been adopted April 11, 2018 (hereafter: "WP 260 rev.01"). 36. Note that the European Data Protection Board (hereafter: "EDPS"), which replaced the Article 29 Working Party since 25 May 2018, took over 15See in particular Articles 5.1.a) and 12 of the GDPR, see also recital (39) of the GDPR. _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. [...] conducted with Company A 11/32 and re-approved the documents adopted by the said Group between May 25, 2016 and May 25 16 2018, as precisely the aforementioned guidelines on transparency. 2. In this case 2.1. Information of third parties 37. As regards the information of third parties, CNPD agents observed during their on-site visit that the presence of the video surveillance system 17 was not reported to them. In addition, the head of the investigation considered that the documentation submitted by the controlled by letter of April 2, 2019 did not contain any evidence sufficient to counter non-compliance with the requirements of Article 13 of the GDPR and that therefore, it is necessary to retain against the inspected a non-compliance with the prescribed of Article 13 of the GDPR with regard to third parties (communication of grievances, Ad.A.1.). 38. By letter of October 2, 2019, the inspector specified that after the departure of the CNPD agents, signage pictograms in the form of stickers have been glued to all the access doors to the building to signal the presence of cameras to third parties.18 In addition, in his letter of September 21, 2021, the inspected annexed a information sheet which has meanwhile been posted at the entrance to the building. 39. The Restricted Training would first like to point out that Article 13 of the GDPR refers to the obligation imposed on the controller to "provide" all information mentioned therein. The word "provide" is crucial here and it "means that the controller must take concrete measures to provide the information in question to the data subject or to actively direct the person concerned to the location of said information (for example by means of a link direct, a QR code, etc.). ”(WP260 rev. 01. paragraph 33). 16 See EDPS Endorsement 1/2018 decision of 25 May 2018, available at: https://edpb.europa.eu/sites/edpb/files/files/news/endorsement_of_wp29_documents_en_0.pdf. 17See finding 8.2 of report no. […]. 18 Annex 1 of the letter of October 2, 2019 from the inspected contains photos of said pictograms. _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. [...] conducted with Company A 12/32 40. The Restricted Training notes that during the on-site visit by the agents of the CNPD, third parties were not informed of the presence of the video surveillance. 41. She also believes that a multi-level approach to communicating information on transparency to data subjects can be used in a offline or non-digital context, that is to say in a real environment such as for example personal data collected by means of a video surveillance. The first level of information should generally include the most essential information, namely the details of the purpose of the processing, the identity of the controller and the existence of the rights of the data subjects, as well that the information having the greatest impact on the treatment or any treatment likely to surprise those concerned. The second level of information, That is to say all the information required under Article 13 of the GDPR, could be provided or made available by other means, such as a copy of the confidentiality policy sent by e-mail to employees or a link on the site internet to an information notice for third parties. 19 He is important to note that first level information (sign, information note, etc.) should clearly refer to more detailed second level information which includes all the mandatory information required under Article 13 of the GDPR. 20 42. However, it notes that in this case, the signaling pictogram and the note information intended for the public, put in place after the on-site visit by the agents of the CNPD, did not contain all of the elements required by Articles 13.1 and 2 of GDPR. 43. In view of the above, the Restricted Formation agrees with the opinion of the chief investigation and concludes that at the time of the site visit by CNPD agents, Article 13 of the GDPR was not respected by the inspectorate in terms of video surveillance with regard to concerns third parties. 19WP 260 rev.01., Points 35 to 38. 20 EDPS Guidelines 3/2019 on the processing of personal data by means of video, version 2.0, adopted on 29 January 2020 (hereafter: “Guidelines 3/2019”) points 114 and 117. _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. [...] conducted with Company A 13 / 322.2. Employee information 44. As regards the information of employees about the system of video surveillance, the head of the investigation found that simply informing the delegation of staff does not ensure that company employees have been informed about the specific elements of Article 13.1 and 2 of the GDPR and that the simple visibility of the cameras monitoring does not ensure that the company's employees have been duly informed about all the precise points mentioned in said article 13. 21 It therefore considered that it should be against the controlled non-compliance with the provisions of Article 13 of the GDPR for this which concerns employees (statement of objections, Ad. A.1.). 45. By letter of October 2, 2019, the inspected specified that all employees have signed an "information sheet relating to the collection of personal data personal "which would provide information, among other things, on" the identity of the controller their data, the purpose of data collection, information on the existence of surveillance cameras and the geolocation system and their rights guaranteed by the GDPR. "A blank copy of the said sheet was attached to the aforementioned letter. Control y indicated that employees are also informed of the presence of cameras by the stickers displayed on the entrance doors, as well as an information notice hung on the information board inside the building intended for communication with the staff. 22 46. The Restricted Training would first like to point out that Article 13 of the GDPR refers to the obligation imposed on the controller to "provide" all information mentioned therein. The word "provide" is crucial here and it "means that the controller must take concrete measures to provide the information in question to the data subject or to actively direct the person concerned to the location of said information (for example by means of a link direct, a QR code, etc.). ”(WP260 rev. 01. paragraph 33). 47. Regarding the tiered approach to communicating information on transparency to data subjects that can be used in an 21See controlled letter of April 2, 2019. 22 See appendix 3 of the inspected letter of October 2, 2019. _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. [...] conducted with Company A Real environment such as personal data collected by means of a video surveillance system, it refers to point 41 of this decision. 48. The Restricted Formation then considers that the fact that the demand authorization for video surveillance, compulsory under the repealed law of 2 August 2002 on the protection of individuals with regard to data processing of a personal nature, has been countersigned by the staff delegation as mentioned by the inspected in his letter of April 2, 2019, does not assure that the employees of the company have been validly informed in accordance with Articles 13.1 and 2 of the GDPR, unless the inspected could have shown otherwise, which is not the case in species. In addition, she agrees with the observation of the head of the investigation that the simple visibility of surveillance cameras does not ensure that company employees have been duly informed on all the specific points mentioned in Article 13. 49. It further notes that Annex 3 of the inspected letter of October 2, 2019 contains a note dated June 7, 2018 that would have been posted on the notice board inside the building of the controlled. However, it does not have any documentation demonstrating that the said note was actually posted prior to the control on placed by CNPD agents, nor of any documentation that was posted by after. The said note could at most be qualified as collective information, but not as individual information. In addition, it did not contain the required elements by Article 13.1 and 2 of the GDPR. 50. Furthermore, following a question asked during the Training session Restricted from February 11, 2021, the inspector specified by email of February 24, 2021 that the "Information sheet relating to the collection of personal data", attached to the inspected letter of October 2, 2019 and which would have been signed by all employees, do not did not yet contain a clause relating to video surveillance before the on-site check by CNPD agents. This clause had been added after the control of the agents of the CNPD in February 2019. 51. The Restricted Training notes as well as during the on-site visit by the CNPD, employees were not informed of the presence of the video surveillance in accordance with legal requirements. _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. [...] conducted with Company A 15/32 52. It further notes that the pictogram and the clause relating to video surveillance, integrated into the "information sheet relating to data collection of a personal nature ", did not contain the information required within the meaning of Article 13 of the GDPR. 53. In view of the foregoing, the Restricted Formation concludes that at the time of the site visit by CNPD agents, Article 13 of the GDPR was not respected by the controlled in terms of video surveillance with regard to employees. II.1.2. As for the geolocation system On the breach related to the obligation to inform the persons concerned 1. On the principles 54. With regard to the requirements to be met with regard to the obligation to inform the persons concerned in accordance with Article 13 of the GDPR, Restricted Training refers to points 33 to 36 of this decision. 2. In this case 55. As regards the information of employees about the system of geolocation, the head of the investigation considered that the observation of the control contained in his letter of April 2, 2019 that the employees had been informed orally, without as much to present evidence in support of this claim, is not likely to irritate the finding that the non-compliance with Article 13 of the GDPR was established on the day of the visit on the site. Moreover, he estimated that in “his letter of April 2, 2019, the company explains that employees are informed about the geolocation system through a note information hanging in the dispatching room. However, that informative note was not attached to the letter of April 2, 2019. The company has therefore not provided any evidence as to the existence or the content of this informative note. "Therefore, the head of the investigation considered that the non-compliance with article 13 of the RGPD was acquired on the day of the visit on site for employees concerning the geolocation system (statement of objections, Ad.A.6). _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. [...] conducted with Company A 16/32 56. The Restricted Training would first like to point out that Article 13 of the GDPR refers to the obligation imposed on the controller to "provide" all information mentioned therein. The word "provide" is crucial here and it "means that the controller must take concrete measures to provide the information in question to the data subject or to actively direct the person concerned to the location of said information (for example by means of a link direct, a QR code, etc.). ”(WP260 rev. 01. paragraph 33). 57. Regarding the tiered approach to communicating information on transparency to data subjects that can be used in an real environment such as personal data collected by means of a geolocation system, it refers to point 41 of this decision. 58. In addition, the Restricted Training would like to point out that article 12 of the GDPR does not exclude de facto that the information provided for in Articles 13 and 14 of the GDPR may be provided orally by the controller to the data subject. However, the Article 29 Working Group insists that in this case, the person responsible for treatment should ensure "to keep a written record, and ensure that it is able to prove it (for the purposes of compliance with the liability requirement), of: i) the request oral information, ii) the method by which the identity of the person concerned has been verified (if applicable, see point 20 above), and iii) that the 23 information has been transmitted to the data subject. " 59. However, it notes that no documentation submitted by the inspected contained proof that the employees had been validly informed, before the site visit, orally in accordance with Article 13 of the GDPR. 60. Furthermore, the fact that the geolocation authorization request, compulsory under the repealed law of 2 August 2002 relating to the protection of persons with regard to the processing of personal data, had been countersigned by the staff delegation as mentioned by the inspected in his letter of April 2, 2019, does not ensure that the employees of the company have validly been 23WP 260 rev.01, point 21. _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. [...] conducted with Company A Informed in accordance with Articles 13.1 and 2 of the GDPR, unless the inspected could have demonstrate the contrary, which is not the case in this case. Moreover, in his letter of 2 April 2019, the inspected state that "employees know that their vehicle is equipped with a geolocation device because they are called regularly during the day by my principal who asks them to modify their delivery schedule due to emergency repairs to be included in their schedule. The vehicle responsible for emergency repair is selected based on its proximity to the location where the repair must be carried out. The drivers are aware of this. »However, these explanations do not ensure to demonstrate that the employees of the company have been duly informed on all the precise points set out in said Article 13. 61. Annex 6 to the letter of 2 October 2019 from the inspected also contains a photo showing that a poster stating "As a reminder, this vehicle is equipped with a geolocation system ”has since been stuck on vehicle dashboards equipped with such a system. The inspector specified that all employees would have signed a "Information sheet relating to the collection of personal data" which would provide information, among other things, on "the identity of the data controller, the purpose of data collection, information on the existence of cameras monitoring and geolocation system and their rights guaranteed by the GDPR. " A blank copy of said note was attached to the aforementioned letter. 62. Nevertheless, following a question asked during the Training session Restricted from February 11, 2021, the inspector specified by email of February 24, 2021 that said "information sheet relating to the collection of personal data" does not did not yet contain a clause relating to geolocation before the on-site check by CNPD agents. This clause was added after the control of the agents of the CNPD in February 2019. 63. In his letters of April 2, 2019 and October 2, 2019, the inspector specified in addition that employees are also informed about the geolocation system through an informative note hung on the notice board for their information. The said note dated February 29, 2016 was attached to the letter of October 2, 2019 (annex 7). However, the Restricted Training does not have any documentation demonstrating that the said note was actually posted prior to the on-the-spot check by the CNPD officials, nor any documentation showing that this was the case after the said check. _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. [...] conducted with Company A The inspected even mentioned in this context in his letter of April 2, 2019 that for "some unknown reason, this poster was taken down at some point and is no longer was hooked afterwards. The said note could not at most be qualified as collective information, but not as individual information. In addition, it did not contain not the elements required by Articles 13.1 and 2 of the GDPR. 64. The Restricted Training notes as well as during the on-site visit by the CNPD, employees were not informed of the presence of the geolocation system in accordance with legal requirements. 65. 2. It also notes that the poster mentioning "As a reminder, this vehicle is equipped with a geolocation system "stuck on the dashboards of vehicles equipped with a geolocation system and the clause relating to integrated geolocation in the "information sheet relating to the collection of personal data", did not contain the required information within the meaning of Article 13 of the GDPR. 66. 3. In view of the foregoing, the Restricted Formation concludes that at the time of the site visit by CNPD agents, Article 13 of the GDPR was not respected by the controlled in terms of geolocation with regard to employees. II. 2. On the fine and corrective measures 1. The principles er 67. In accordance with article 12 of the law of August 1, 2018, the CNPD has the power to adopt all the corrective measures provided for in Article 58.2 of the GDPR: "(A) notify a controller or processor that data processing operations treatment envisaged are likely to violate the provisions of these regulations; b) call to order a controller or a processor when the processing operations have resulted in a violation of the provisions of this Regulation; c) order the controller or processor to comply with the requests presented by the data subject in order to exercise their rights under the this regulation; _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. [...] conducted with Company A 19/32 (d) order the controller or processor to put the data processing operations processing in accordance with the provisions of this Regulation, where applicable, of in a specific way and within a specific timeframe; e) order the controller to communicate to the data subject a personal data breach; f) impose a temporary or permanent restriction, including a ban, of processing; g) order the rectification or erasure of personal data or the restriction of processing in application of Articles 16, 17 and 18 and the notification of these measures to the recipients to whom the personal data have been disclosed in accordance with Article 17, paragraph 2, and Article 19; h) withdraw a certification or order the certification body to withdraw a certification issued in application of Articles 42 and 43, or order the certification not to issue certification if the requirements for certification are not or no longer satisfied; i) impose an administrative fine in application of Article 83, in addition to or the place of the measures referred to in this paragraph, depending on the characteristics specific to each case; j) order the suspension of data flows addressed to a recipient located in a third country or to an international organization. " er 68. In accordance with article 48 of the law of August 1, 2018, the CNPD may impose administrative fines as provided for in Article 83 of the GDPR, except against state or municipalities. 69. Article 83 of the GDPR provides that each supervisory authority ensures that administrative fines imposed are, in each case, effective, proportionate and dissuasive, before specifying the elements that must be taken into account in deciding _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. [...] conducted with Company A 20/32 if it is necessary to impose an administrative fine and to decide on the amount of this fine : "(A) the nature, gravity and duration of the breach, taking into account the nature, extent or the purpose of the processing concerned, as well as the number of data subjects affected and the level of damage they suffered; (b) whether the violation was committed willfully or negligently; c) any measures taken by the controller or processor to mitigate the damage suffered by the persons concerned; d) the degree of responsibility of the controller or processor, account taking into account the technical and organizational measures they have implemented in accordance with the Articles 25 and 32; e) any relevant breach previously committed by the controller or the subcontractor ; f) the degree of cooperation established with the supervisory authority in order to remedy the violation and mitigate any negative effects; g) the categories of personal data affected by the breach; h) the manner in which the supervisory authority became aware of the breach, in particular whether, and to what extent the controller or processor has notified the breach; (i) where measures referred to in Article 58 (2) have previously been ordered against the controller or the processor concerned for the same object, compliance with these measures; j) the application of codes of conduct approved in accordance with Article 40 or certification mechanisms approved under Article 42; and _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. [...] conducted with Company A 21 / 32k) any other aggravating or mitigating circumstance applicable to the circumstances of the species, such as financial benefits obtained or losses avoided, directly or indirectly, as a result of the violation ”. 70. The Restricted Training would like to point out that the facts taken into account in the framework of this decision are those noted at the start of the investigation. Any changes relating to the processing of data subject to the investigation later, even if they make it possible to fully or partially establish the compliance, do not retroactively cancel a breach found. 71. Nevertheless, the steps taken by the inspected to get into compliance with the GDPR during the investigation process or to remedy shortcomings identified by the head of investigation in the statement of objections, are taken taken into account by the Restricted Training in the context of any corrective measures and / or fixing the amount of a possible administrative fine to be pronounced. 2. In this case 2.1. As for the imposition of an administrative fine 72. In his additional letter to the statement of objections of 17 August 2020, the head of the investigation proposed to the Restricted Formation to impose a fine administrative control in the amount of 5,300 euros. 73. In its response to said additional letter of September 21, 2020, the controlled asked in view of the letters previously sent with the supporting documents and in view of his proactive attitude to reconsider the sanction proposed by the head of investigation. 74. In order to decide whether to impose an administrative fine and to decide, if applicable, the amount of this fine, the Restricted Training takes into account the elements provided for in Article 83.2 of the GDPR: As to the nature and seriousness of the violation (article 83.2.a) of the GDPR), the Restricted Training notes that with regard to the breach of Article 5.1.c) of the GDPR, it constitutes a breach of the fundamental principles of _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. [...] conducted with Company A 22/32 GDPR (and data protection law in general), namely in principle data minimization devoted to Chapter II “Principles” of the GDPR. As for the breach of the obligation to inform the persons concerned in accordance with Article 13 of the GDPR, the Restricted Training recalls that information and transparency relating to the processing of personal data personnel are essential obligations incumbent on those responsible for treatment so that people are fully aware of the use that will be made of their personal data, once it has been collected. a breach of Article 13 of the GDPR thus constitutes an infringement of rights of the people concerned. This right to information has also been strengthened at terms of the GDPR, which testifies to their particular importance. Note that at the time of the site visit by CNPD officers, no signage pictogram, nor any poster or information leaflet be communicated to CNPD officers with regard to the information of employees and third parties with regard to the video surveillance system, on the one hand, as well as concerning employees relating to the geolocation system, on the other go. As for the duration criterion (article 83.2.a) of the GDPR), the Restricted Training notes that these shortcomings have lasted over time, at least since May 25, 2018 and until the day of the on-site visit. The Restricted Training recalls here that two years have separated the entry into force of the GDPR from its entry into application to allow data controllers to comply with obligations incumbent on them, even if an obligation to respect the principle data minimization, as well as a comparable information obligation already existed under Articles 4.1. b), 10.2 and 26 of the repealed law of 2 August 2002 on the protection of individuals with regard to the processing of personal data. Guidance on principles and obligations provided for in the said law was available from the CNPD, in particular through mandatory prior authorizations for video surveillance and geolocation. _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. [...] conducted with Company A 23/32 As for the number of data subjects (article 83.2.a) of the GDPR), the Restricted Training notes that for video surveillance, this concerns all employees working on the inspected site, as well as all third parties, i.e. customers, suppliers, service providers and visitors are visiting said site. Regarding the geolocation system, these are the employees of the company who use the vehicles for their trips to customers. As to the question of whether the breaches were deliberately committed or not (by negligence) (article 83.2.b) of the GDPR), the Restricted Training recalls that "not willfully" means that there was no intention to commit the violation, although the controller or processor has not complied with its duty of care under the law. In this case, the Restricted Training is of the opinion that the facts and the breaches observed do not reflect a deliberate intention to violate the GDPR in the chief of the controlled. As for the degree of cooperation established with the supervisory authority (Article 83.2.f) of RGPD), the Restricted Training takes into account the statement of the head of the investigation that the cooperation of the controlled throughout the investigation was good, thus that of its desire to comply with the law as soon as possible. 75. The Restricted Panel notes that the other criteria of Article 83.2 of GDPR are neither relevant nor likely to influence his decision on taxation of an administrative fine and its amount. 76. Restricted Training also notes that although several measures have been implemented placed by the inspected in order to remedy in whole or in part certain shortcomings, these were only adopted following the control of CNPD agents on 20 February 2019 (see also point 70 of this decision). _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. [...] conducted with Company A 24/32 77. Therefore, the Restricted Panel considers that the imposition of a fine administrative procedure is justified with regard to the criteria set out in Article 83.2 of the GDPR for breach of Articles 5.1.c) and 13 of the GDPR. 78. Regarding the amount of the administrative fine, the Restricted Training recalls that paragraph 3 of Article 83 of the GDPR provides that in the event of violations multiple, as is the case in this case, the total amount of the fine may not exceed the amount set for the most serious violation. Insofar as a breach of Articles 5 and 13 of the GDPR is criticized for the inspectorate, the maximum amount of the fine that can be retained amounts to 20 million euros or 4% of annual turnover worldwide, whichever is higher. 79. In view of the relevant criteria of Article 83.2 of the GDPR mentioned above, the Formation Restreinte considers that the imposition of a fine of five thousand three hundred euros (5,300 euros) appears to be both effective, proportionate and dissuasive, in accordance with requirements of Article 83.1 of the GDPR. 2.2. Regarding the taking of corrective measures 80. The adoption of the following corrective measures was proposed by the Chief investigation into the Restricted Training in its additional letter to the statement of objections: "A) Order the controller to complete the information measures intended for people concerned by video surveillance and geolocation, in accordance with the provisions of Article 13, paragraphs (1) and (2) of the GDPR in informing in particular the identity of the controller, where applicable, the contact details of the data protection officer, the purposes of the processing and its legal basis, the categories of data processed, the legitimate interests pursued by the inspected, the recipients, the retention period of the data thus the rights of the data subject and how to exercise them, and the right to lodge a complaint with a supervisory authority; b) Order the controller to process only data relevant, adequate and limited to what is necessary for the purposes of protecting property and securing access and, in particular, adapting the _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. [...] conducted with Company A 25/32 video device so as not to film the staff dining hall and the public thoroughfare, for example by deleting or reorienting the camera called "[…]" and the cameras referred to as […] ”. 81. As to the corrective measures proposed by the head of the investigation and by reference to point 71 of this decision, the Restricted Training takes into account the procedures carried out by the inspected, following the visit of CNPD agents, in order to comply with the provisions of Articles 5.1.c) and 13 of the GDPR, as detailed in his letters of April 2, 2019, October 2, 2019, September 21, 2020, as well as in her email of February 24, 2021. In particular, she takes note of the following facts: 1. As for the implementation of information measures intended for people third parties involved in video surveillance, in accordance with the provisions of Article 13.1 and 2 of the RGPD, the inspected annexed to his letter of October 2, 2019 pictograms of a camera that have been pasted on the access doors to the building. In addition, to his letter of September 21, 2021 is attached a file information intended for the public, as well as a photo showing that the said sheet has been glued to the front door of the building. The Restricted Training notes that the pictograms, combined with the form information intended for the public does not contain all the information required by Article 13 of the GDPR. Thus, the basis of lawfulness (article 13.1. C) of the GDPR), the right to request a restriction of processing and the right to object to processing (Article 13.2. b) of GDPR) and the right to lodge a complaint with the CNPD (Article 13.2. D) GDPR) are not mentioned. In addition, it is noted that the information provided by the inspected does not meet neither the requirements of the first level of information, nor those of second level of information (see point 41). 2. As for the implementation of information measures intended for employees concerned by video surveillance, in accordance with the provisions of article 13.1 and 2 of the RGPD, the inspected annexed to his letter of October 2, 2019 a note internal dated June 7, 2018. Nevertheless, the Restricted Training does not have any _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. [...] conducted with Company A 26/32 of documentation demonstrating that said note has actually been posted prior to the on-site inspection by CNPD agents, or a documentation that it would have been posted afterwards. In addition, by letter of October 2, 2019, the inspected affirmed that the employees had been informed of the presence of the cameras by the stickers displayed on the entrance doors and Annex 2 of the said letter contained an "information sheet relating to the collection of personal data ”. By email from 24 February 2021, the inspected nevertheless specified that the clause relating to video surveillance was only added after the visit of CNPD agents in February 2019. The Restricted Training first notes that the inspected has dated and signed employees the aforementioned sheet and that they must tick a box that is found at the bottom of the page indicating the following: "I fully understood this information notice and I give my express consent that […] the Company A collects about me the personal data detailed in point 4 of this information notice. ”It should be noted in this context that the signature of an information sheet by the employee can at most be considered as an acknowledgment of receipt allowing the employer to document that he has provided the information under Article 13 of the GDPR, but cannot no case is valid consent of the employee to the processing of data by his 24 employer. Indeed, an employee, in view of the imbalance of the balance of power existing in the context of labor relations, cannot freely respond to a request for consent from his employer "without fear or incur negative consequences following this refusal. ". 25 Consent as the basis of lawfulness of data processing (article 6.1.a) of the GDPR) is therefore ineffective in cash due to the nature of the employer / employee relationship. 24 See the definition of consent provided for in Article 4.10) of the GDPR, as well as the conditions applicable to consent provided for in Article 7 of the GDPR. 25 Guidelines 5/2020 on consent within the meaning of Regulation (EU) 2016/679, Version 1.1, adopted May 4, 2020, item 21, see also Opinion 15/2011 on the definition of consent (WP 187), adopted on 13 Jul_____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. [...] conducted with Company A 27/32 She then noted that the pictograms, combined with the "information sheet relating to the collection of personal data ”do not contain all the information required by article 13 of the GDPR. Thus, the basis of lawfulness (article 13.1. C) of the GDPR), the right to request a restriction of processing and the right to object to processing (Article 13.2. b) of GDPR) and the right to lodge a complaint with the CNPD (Article 13.2. D) GDPR) are not mentioned. The aforementioned internal note dated June 7, 2018 does not concern additional information. In addition, it is noted that the information provided by the inspected does not meet neither the requirements of the first level of information, nor those of second level of information (see point 41). 3. As for the implementation of information measures intended for employees concerned by geolocation, in accordance with the provisions of article 13.1 and 2 of the RGPD, the inspected annexed to his letter of October 2, 2019 a note internal dated February 29, 2016. However, the Restricted Training does not have nor documentation demonstrating that said note has actually been posted prior to the on-site inspection by CNPD agents, or a documentation that it would have been posted afterwards. In addition, Annex 6 of letter of October 2, 2019 from the inspected contains a photo showing that a poster stating "As a reminder, this vehicle is equipped with a geolocation ”has since been stuck on the dashboards of vehicles equipped with such a system. Annex 2 of this same letter of October 2, 2019 contains also an "information sheet relating to the collection of personal data staff ". By email of February 24, 2021, the inspected nevertheless specified that the clause relating to geolocation was only added after the visit of the agents of the CNPD in February 2019. Regarding the checkbox by employees at the bottom of the form aforementioned, the Restricted Training would like to reiterate that in view of the dependence resulting from the employer / employee relationship, the consent of the employees cannot not be considered as meeting the requirements of Articles 4.11 and 7 of the GDPR. _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. [...] conducted with Company A 28/32 She then noted that the stickers, combined with the "information sheet relating to the collection of personal data ”do not contain all the information required by article 13 of the GDPR. Thus, the basis of lawfulness (article 13.1. C) of the GDPR), the recipients or the categories of recipients of personal data collected by the geolocation system (article 13.1. e) of the GDPR), the retention period personal data collected by the geolocation system (Article 13.2. a) of the GDPR), the right to request restriction of processing and the right to object to processing (Article 13.2. b) of the GDPR), as well as the right to lodge a complaint with the CNPD (article 13.2. d) of the GDPR) are not not mentioned. The aforementioned internal note dated February 29, 2016 does not include no additional information. In addition, it is noted that the information provided by the inspected does not meet neither the requirements of the first level of information, nor those of second level of information (see point 41). In conclusion, in consideration of insufficient compliance measures taken by the inspected in this case and point 71 of this decision, the Restricted Training therefore considers that it is appropriate to pronounce the measure corrective action proposed by the head of the investigation in this regard in point 79 (a) with regard to which concerns the information of employees and third parties about the system video surveillance, on the one hand, as well as concerning employees with regard to geolocation system, on the other hand. 4. As for the obligation to process only relevant, adequate and limited to what is necessary with regard to the purposes of protecting property and for securing access, and, in particular, adapting the video device so as not to not film the staff dining hall and the public thoroughfare, Restricted Training note that the controlled deleted the disputed camera which included in the corner upper left of his field of vision the staff dining hall, on the one hand, and that the fields of view of the cameras called “[…] have been modified, from _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. [...] conducted with Company A 29/32 so as not to film the public road or neighboring land. However, no part (for example an image capture reproducing the field of vision) demonstrates the modification of the field of view of the cameras named […] allowing the surveillance of part of the public highway. In view of the insufficient compliance measures taken by the controlled in this case and point 71 of this decision, the Restricted Panel therefore considers that the corrective measure proposed by the head of the investigation in this regard in point 79 (b) with regard to the cameras referred to as […]. In view of the foregoing developments, the National Commission sitting in restricted formation and deliberating unanimously decides: - to retain the breaches of articles 5.1.c) and 13 of the GDPR; - to pronounce against Company A an administrative fine in the amount of five thousand three hundred euros (5,300 euros) with regard to breaches of Articles 5.1.c) and 13 of the GDPR; - to issue an injunction against Company A to bring the processing with the obligations resulting from articles 5.1 c) and 13 of the GDPR, within a two months following the notification of the decision of the Restricted Panel, and in particular: with regard to the breach of the principle of minimization of personal data personnel (art 5.1.c of the GDPR): - modify the field of vision of the cameras referred to as […]; 26 See letter from the inspectorate of October 2, 2019 and its annex 5. _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. [...] conducted with Company A 30/32 with regard to the failure to inform the persons concerned of the processing of their personal data (article 13 of the GDPR): - inform non-salaried third parties in a clear and precise manner about the video surveillance system by providing them with information relating to the basis of lawfulness, the right to request restriction of processing and the right to oppose the processing, as well as the right to lodge a complaint with the CNPD; - inform employees individually in a clear and precise manner on the video surveillance system by providing them with information relating to the basis of lawfulness, the right to request restriction of processing and the right to oppose the processing, as well as the right to lodge a complaint with of the CNPD; - inform employees individually in a clear and precise manner on the geolocation system by providing them with information relating to the basis of lawfulness, to the recipients or the categories of recipients of personal data collected by the geolocation system, to the retention period of personal data collected by the geolocation system, the right to request restriction of processing and the right to object to processing, as well as the right to initiate a complaint to the CNPD. So decided in Belvaux on October 6, 2021. For the National Commission for Data Protection sitting in formation restraint Tine A. Larsen Thierry Lallemang Marc Lemmer President Commissioner Commissioner _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. [...] conducted with Company A 31/32 Indication of remedies This administrative decision may be the subject of an appeal for reformation in the three months following its notification. This appeal is to be brought before the administrative court. and must be introduced through a lawyer at the Court of one of the Orders of lawyers. _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. [...] conducted with Company A 32/32