CNPD (Luxembourg) - Délibération n° 13FR/2023: Difference between revisions
Revision as of 15:49, 13 November 2023
CNPD - 13FR/2023 | |
---|---|
Authority: | CNPD (Luxembourg) |
Jurisdiction: | Luxembourg |
Relevant Law: | Article 5(1)(b) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | 26.05.2021 |
Decided: | 21.09.2023 |
Published: | 07.11.2023 |
Fine: | 2500 EUR |
Parties: | Public organisation A Public organisation B |
National Case Number/Name: | 13FR/2023 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | French |
Original Source: | CNPD decision (in FR) |
Initial Contributor: | lszabo |
The Luxembourgish DPA issued a fine of €2,500 to two public bodies as joint controllers due to their usage of geolocation systems to track vehicles used by their employees. The DPA found a violation of Article 13 GDPR and Article 5(1)(c) GDPR and Article 5(1)(b) GDPR.
English Summary
Facts
Following a visit at the premises of two public bodies (the joint controllers), the agents of the Luxembourgish DPA found that the controllers applied a geo-localisation system on the companies' service vehicles and construction machines. The system was constantly monitoring the movements of the vehicles and machines, and was connected to them, not the drivers. However, by using the timesheets which indicated which driver used which vehicle or machine, they could easily reconstruct which vehicle had been used on which day by each employee.
On 13 December 2022, at the end of the investigation, a statement of objection was published detailing breaches in relation to the requirements of Article 13 GDPR and Article 5(1)(c) GDPR and Article 5(1)(b) GDPR. Following this, the joint controllers submitted observations, and on 13 June 2023, the rapporteur and the company presented oral observations to the DPA.
Holding
Regarding the obligation to provide information, pursuant to Article 13 GDPR, the DPA considered that one of the conditions for the processing by an employer to be considered lawful was that the data subjects must be informed of the monitoring carried out in accordance with the provisions of Article 12 GDPR and Article 13 GDPR. In particular, it found that on the day of the on-site visit, there had been non-compliance with Article 13 GDPR as they did not provide all compulsory information. Indeed, the joint controllers provided information notes and e-mails in French and German in the vehicles and machines and made them available to the employees on the Intranet. These, however, did not contain all compulsory information, namely the identity of the controllers and of the data protection officer, the legal basis, the legitimate interests followed, the appropriate safeguards applied, the rights of the data subjects to receive a copy and the right of data subjects to submit a complaint to the supervisory authority. The notice cited the Privacy Shield, which was invalidated by the Court of Justice, as the basis of transfer of personal data to the US. Moreover, the content of the French and German versions was not identical.
Secondly, in relation to Article 5(1)(c) GDPR, the DPA stated that the joint controllers did not comply with the principle of data minimisation. The geolocation system had been installed to track staff working in dangerous conditions or alone, to prevent or track the theft of vehicles and machines and to verify employees' working time. However, the system was used to track the movements of vehicles and machines both during and outside working hours, and did not have a deactivation button.
In addition, it found that the controllers did not comply with the principle of purpose limitation under Article 5(1)(b) GDPR, as the joint controllers could not demonstrate that the materials transported by the machines and vehicles, dirt and rocks, were of a special nature to justify the use of geolocation.
The DPA issued a fine of €2,500 taking into account the gravity of the violation, its duration (as the tracking system was deactivated during the proceedings), the number of data subjects concerned (one third of the employees), that the violation was not intentional, interim measures taken by the joint controllers and their good cooperation with the investigation, the nature of data (that they could easily be attributed to the individual employees) and finally that the controllers did not financially benefit from the violation.
Comment
Interesting that there apparently was transfer of personal data to the US (the supplier of the equipment was also anonymised), and taken into account in determining the missing information from the information to data subjects, but no reference is made to the legal basis of transfers before the Transatlantic Data Privacy Framework entered into force.
Also, the investigation's finding that it would have been sufficient to follow the movement of the vehicles or machines only outside of working hours, was not confirmed by the authority as the system was also deemed necessary to verify the registered working times of the employees and that they directly drive to the place of work. We do not know the precise nature of the organisations, they probably weren't public authorities although they were public organisations, as the legal basis of processing was accepted as legitimate interest.
Although it was established that the purpose of securing and monitoring the materials transported was found not to be legitimate and thus the principle of purpose limitation was violated, and this purpose had to be removed from the information notice to data subjects, no safeguards were ordered to prevent the use of the geo-localisation data for this illegitimate purpose.
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
Decision of the National Commission sitting in restricted formation on the outcome of survey no. […] carried out with Public Body A and Public Body B
Deliberation No. 13FR/2023 of September 21, 2023
The National Commission for Data Protection sitting in restricted formation, composed of Mrs. Tine A. Larsen, president, and Messrs. Thierry Lallemang and Alain Herrmann, commissioners;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the protection of individuals with regard to the processing of data personal character and the free movement of such data, and repealing the Directive 95/46/EC;
Having regard to the law of August 1, 2018 organizing the National Commission for data protection and the general regime on data protection, in particular its article 41;
Considering the internal regulations of the National Commission for the Protection of data adopted by decision no. 3AD/2020 dated January 22, 2020, in particular its article 10.2;
Having regard to the regulation of the National Commission for Data Protection relating to the investigation procedure adopted by decision no. 4AD/2020 dated January 22, 2020, in particular its article 9;
Considering the following:
I. Facts and procedure
1. During its deliberation session of March 10, 2021, the National Commission for data protection sitting in plenary session had decided to open an investigation of Public Body A and Public Body B based on Article 38 of the law of August 1, 2018 organizing the National Commission for the protection data and the general regime on data protection (hereinafter: the “law of 1 August 2018”) and to appoint Mr. Marc Lemmer as head of investigation.
2. The said decision clarified that the investigation carried out by the National Commission for data protection (hereinafter: the “CNPD” or the “National Commission”) was intended to “[c]ontrol the application and compliance with the GDPR[] (and legal texts providing for specific provisions regarding the protection of personal data) processing implemented by a geolocation system, in considering in particular the opinion rendered by the CNPD in deliberation no. […] of […] December 2020 relating to the request for an opinion submitted on the basis of article L.261-1 paragraph (4) of the Labor Code by the staff delegation [of Public Body A and Public Body B]”.
3. The “[…]” is a […], whose address is: L - […] (hereinafter: “Public Body A”). Public body A [performs missions of general interest].
4. The “[…]” is a […], whose address is: L - […] (hereinafter: “Public body B” and together with Public Body A hereinafter: “[…]” or the “controlled”). Public body B [accomplishes missions of general interest].
5. On May 26, 2021, CNPD agents carried out a visit to place in the administrative building […] located at […].
6. By two emails of June 2, 2021, those inspected provided the CNPD with additional information requested during said visit.
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and to the free movement of this data, and repealing Directive 95/46/EC (hereinafter: the “GDPR”).
7. “Report no. [...] relating to the on-site visit carried out on May 26, 2021 with Public Body A and Public Body B” (hereinafter: the “minutes relating to the on-site visit”) drawn up by CNPD agents was sent to those inspected by mail on June 8, 2021. It follows from this report that:
- those inspected had set up a geolocation system (hereinafter: the “geolocation system”) of Company C (system […]) in […] vehicles service and/or construction equipment; [2]
- the geolocation system had “the functionalities and characteristics following:
  - Permanent monitoring of Vehicles [service vehicles and/or equipment construction site] in real time using boxes integrated into each vehicle;
  - Connection of said boxes to a central unit;
  - Transmission of information via a GPRS network;
  - Transmission of information to a third-party server ([…]);
  - Event data recorder;
  - Data processing software (“[…]”) and access to the location of vehicles monitored using a control monitor (Appendices 4 and 5, photo 3 […])”; and
- the data collected by the geolocation system were “the following:
  - Date and time of start and end of the journey;
  - Condition of the vehicle (moving or stationary, including any pauses);
  - Vehicle positioning data (within two meters) and route of the vehicle;
  - Driving time and mileage traveled; and
  - Abnormal movement of the vehicle due to the day (Saturday or Sunday) or the schedule (“Geo-fencing” function)”; [4]
- the geolocation system was associated with service vehicles, respectively to construction machinery, and not to employees, the overlap between geolocation of a service vehicle or construction machine and the employee driving it being possible, by cross-referencing with employee work sheets, the latter indicating which vehicle was used on which day by each employee. [5]
[2] Minutes relating to the on-site visit, finding 3.
[3] Minutes relating to the on-site visit, finding 7.
8. Those inspected produced written observations on the report relating to the on-site visit by email of June 9, 2021.
9. Subsequently, those inspected and the CNPD investigation service carried out an exchange of letters. [6]
10. At the end of his investigation, the head of investigation notified those inspected on December 13, 2022 a statement of objections (hereinafter: the “statement of objections initial”) detailing the shortcomings that he considered constituted in this case in relation to the requirements prescribed by Article 13 of the GDPR (right to information), […] and Article 5.1.c) and b) GDPR (principles of minimization and limitation of purposes). The head of investigation proposed to the National Commission sitting in restricted formation (hereinafter: the “Restricted Training”) to adopt four different corrective measures, as well as to impose on those inspected an administrative fine in the amount of […] euros.
11. By letter dated February 2, 2023, those inspected expressed their observations relating to the initial statement of objections.
[4] Minutes relating to the on-site visit, finding 8.
[5] Minutes relating to the on-site visit, finding 10.
[6] See point 12 of the statement of objections for a detailed list of exchanges throughout investigation.
_________________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. […] carried out with Public Body A and Public Body B 4/38 12. In response, the head of investigation notified those inspected on February 15, 2023 a new statement of objections amending the initial statement of objections (hereinafter after: the “statement of objections”). The head of investigation maintained the failings that he considered to exist in this case, as well as than the corrective measures he proposed. However, on the basis of the information transmitted under the terms of the mail of those inspected in date of February 2, 2023, it considered that the shortcomings identified in the communication initial grievances had not been committed intentionally, but were part of a gross negligence. Therefore, it reduced the amount of the administrative fine offered at […] euros. The ability to formulate their written observations on the statement of objections was offered to those inspected. The latter did not communicate observations to the chief investigation. 13. The president of the Restricted Training informed the controlled by mail dated April 18, 2023 that their case would be listed at the Training session Restricted from June 13, 2023 and that they were offered the opportunity to be heard there. By email of June 6, 2023, those inspected confirmed their presence at the said session. During this session the head of investigation […], and those inspected, represented by […], presented their oral observations in support of their written observations and responded to the questions asked by the Restricted Training. The Restricted Training gave the controlled the possibility of sending additional information until June 28, 2023 requested during said session. Those controlled had the last word. 14. 
By emails of June 21 and 29, 2023, those inspected provided the information additional information requested from Restricted Training. The controls had informed the Restricted Training in their email of June 21, 2023 that the results of the year 2022 of Public Body B was being finalized and could only be sent to it at most early in the next fortnight. 15. The decision of the Restricted Panel on the outcome of the investigation will be based on: - on the processing of personal data resulting from geolocation service vehicles and construction equipment made available to employees of the _________________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. […] carried out with Public Body A and Public Body B 5/38 controlled using the geolocation system and controlled by agents of the CNPD; - Deliberation No. […] of […] December 2020 of the National Commission for data protection relating to the request for an opinion submitted on the basis of article L.261-1 paragraph (4) of the Labor Code by the staff delegation of Public Body A and Public Body B; And - on the legal and regulatory provisions taken into account by the head of investigation in the statement of objections. II. Place II. 1. On the reasons for the decision A. On the determination of the controller 1. On the principles 16. Under the terms of article 4.7 of the GDPR, the data controller is “the natural or legal person, public authority, service or other body which, alone or jointly with others, determines the purposes and means of the processing”. Under the terms of article 26.1 of the GDPR “[w]hen two or more data controllers jointly determine the purposes and means of processing, they are the joint controllers”. 17. 
The concept of joint controllers was explained by the Committee European Data Protection Authority (hereinafter: the “EDPS”) in the “Guidelines guidelines 07/2020 concerning the notions of data controller and subcontractor in the GDPR”, version 2.0, adopted on July 7, 2021 (hereinafter: the “Guidelines 07/2020"). _________________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. […] carried out with Public Body A and Public Body B 6/38 Under these guidelines “[t]he joint responsibility for processing should be assessed on the basis of a factual rather than formal analysis of the real influence exercised on the purposes and means of processing. 7 “Joint participation in determining ends and means implies that more than one entity has a determining influence on whether and how treatment takes place.” In practice, joint participation can take several forms. forms, such as a joint decision taken by two or more entities or decisions convergent principles adopted by two or more entities regarding ends and means essential to treatment. Joint participation resulting from a common decision means that the parties decide together and assumes a common intention. Of the decisions can be considered convergent as long as they complement each other and are necessary for carrying out the processing so that they have a concrete effect on the determination of the purposes and means of the processing (“[…] the processing by each 9 of the parts is inseparable from that of the other, that is to say inextricably linked. "). 2. In the present case 18. The CNPD in “Deliberation No. 
[…] of […] December 2020 of the National Commission for Data Protection relating to the request for opinion introduced on the basis of article L.261-1 paragraph (4) of the Labor Code by the delegation 10 of the staff of Public Body A and Public Body B” (hereinafter: the “notice of the CNPD) had held that “Public Body A and Public Body B must be considered as joint controllers of the processing, within the meaning of Articles 4 point (7) and 26 […] [of the GDPR], insofar as they seem to jointly determine the purposes and means of the treatment in question. 11 19. In the statement of objections, the head of investigation considered that those inspected were to be considered joint controllers within the meaning of the GDPR for processing implemented by a geolocation system. 12 20. In fact, those inspected had themselves declared that they considered themselves joint controllers concerning the processing carried out within the framework of the system of 7 8Guidelines 07/2020, point 52. Guidelines 07/2020, point 54. 9Guidelines 07/2020, point 55. 10Exhibit 1 of the head of investigation. 11CNPD opinion, second paragraph. 12Statement of objections point 23. _________________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. […] carried out with Public Body A and Public Body B 7/38geolocation during the on-site visit of CNPD agents on May 26, 2021. They had specified in particular that […]. […] 28. In view of these circumstances, the Restricted Panel considers that the controlled had jointly determined for what purposes and how the geolocation data were treated. 29. She therefore agrees with the opinion of the head of investigation and concludes that those controlled were to qualify as joint controllers for the processing covered by the this decision. B. On the failure linked to the obligation to inform the persons concerned 1. On the principles 30. 
Under the terms of article 12.1 of the GDPR, the “data controller takes appropriate measures to provide any information referred to in Articles 13 and 14 as well as that to carry out any communication under Articles 15 to 22 and Article 34 in regarding the processing to the data subject in a concise, transparent manner, understandable, easily accessible, in clear and simple terms […]. Information are provided in writing or by other means including, where appropriate, by electronic. When the data subject requests it, the information may be provided orally, provided that the identity of the person concerned is demonstrated by other means. » 31. Article 13 of the GDPR provides as follows: “1. When personal data relating to a data subject are collected from this person, the data controller provides them, at the time where the data in question is obtained, all of the following information: a) the identity and contact details of the data controller and, where applicable, the representative of the data controller; b) where applicable, the contact details of the data protection officer; _________________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. 
[…] carried out with Public Body A and Public Body B 8/38c) the purposes of the processing for which the personal data are intended as well as that the legal basis of the processing; (d) where the processing is based on Article 6(1)(f), the legitimate interests pursued by the data controller or a third party; e) the recipients or categories of recipients of the personal data, if they exist; And f) where applicable, the fact that the controller intends to carry out a transfer of personal data to a third country or to an international organization, and the existence or absence of an adequacy decision issued by the Commission or, in the case of transfers referred to in Article 46 or 47, or in Article 49(1), second paragraph, the reference to appropriate or adapted guarantees and the means of obtaining one copy or the place where they were made available; 2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject, at the time the personal data is obtained, the following additional information which is necessary to ensure fair and transparent treatment: a) the duration of retention of personal data or, where this is not possible, the criteria used to determine this duration; b) the existence of the right to request from the controller access to the data to be personal nature, the rectification or erasure thereof, or a limitation of the processing relating to the data subject, or the right to object to the processing and right to data portability; (c) where the processing is based on point (a) of Article 6(1) or Article 9, paragraph 2(a), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent carried out before the withdrawal thereof; d) the right to lodge a complaint with a supervisory authority; (e) information on whether the requirement to provide data to personal character has a regulatory or contractual character or if it conditions the conclusion of 
a contract and whether the data subject is obliged to provide the data to _________________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. […] carried out with Public Body A and Public Body B 9/38personal character, as well as the possible consequences of non-provision of those data ; (f) the existence of automated decision-making, including profiling, referred to in Article 22, paragraphs 1 and 4, and, at least in such cases, useful information regarding the underlying logic, as well as the importance and intended consequences of this processing for the data subject. 3. When he intends to carry out further processing of personal data personal data for a purpose other than that for which the personal data have been collected, the data controller first provides the person with concerned information about this other purpose and any other information relevant referred to in paragraph 2. 4. Paragraphs 1, 2 and 3 do not apply when and to the extent that the person concerned already has this information. » 32. Communication to the persons concerned of information relating to the processing of their data is an essential element in respecting the general transparency obligations within the meaning of the GDPR. Said obligations were explained by the Article 29 Working Group in its guidelines on the transparency within the meaning of Regulation (EU) 2016/679, the revised version of which has been adopted on April 11, 2018 (hereinafter: “WP 260 rev.01”). 33. Note that the EDPS took up and reapproved the documents adopted by the said Group between May 25, 2016 and May 25, 2018, as specifically the guidelines mentioned above on transparency. 2. In the present case 34. 
With regard to the information obligation, the CNPD, in its observations formulated at the end of its opinion delivered at the request of the staff delegation of Public Body A and Public Body B, had considered that one of the conditions of lawfulness of the “processing envisaged by the employer” was that “the persons concerned 13See in particular Articles 5.1.a) and 12 of the GDPR, see also recital (39) of the GDPR. 14 See decision Endorsement 1/2018 of the EDPS of May 25, 2018, available under: https://edpb.europa.eu/sites/edpb/files/files/news/endorsement_of_wp29_documents_en_0.pdf. _________________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. […] carried out with Public Body A and Public Body B 10/38must be informed of the surveillance carried out in accordance with the provisions of the articles 12 and 13 of the GDPR as well as article L.261-1 paragraph (2) of the Code of 15 Work " . 35. During the on-site visit of May 26, 2021, those inspected declared to the CNPD agents that - the staff delegations of those inspected had been informed in advance of the implementation of the geolocation system; and 16 - the employees concerned had been informed of the processing implemented by the geolocation system using displays in service vehicles and construction machinery, by an information note (also included in the intranet), as well as as a memo and during a meeting. 17 Those controlled had given the CNPD agents a copy of the memo dated 18 19 of February 17, 2021, as well as an information notice relating to geolocation. 36. Subsequently, those inspected sent several documents to the CNPD of information : 37. 
By email of June 2, 2021, those inspected had transmitted to the CNPD “[…] report] between the staff delegation and management […], repeating the first mention of the GPS system, as well as the report […] with a more in-depth discussion regarding the subject of GPS; […]; an image of the information note in our vehicles [ ]; [and the information notices displayed in our localities (one copy in AL and FR […]) [ ]”. 38. By email of October 15, 2021, those inspected sent another copy of the information notice. In addition, they had explained that their employees had been informed of the geolocation “orally and in writing […] on June 9, 2020. The information 15CNPD opinion, page 15. 16Minutes relating to the on-site visit, finding 4. 17 Minutes relating to the on-site visit, finding 11. 18Exhibit 9 of the head of investigation. 19Exhibit 19 of the head of investigation. 20Exhibit 22 of the head of investigation. 21Exhibits 20 and 21 from the head of investigation. 22 Exhibit 14 of the head of investigation. _________________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. […] carried out with Public Body A and Public Body B 11/38 were displayed in the […] [premises of the controlled] for several months, in German and in French and for the two […] [controlled]. ". 39. By email of March 24, 2022, those inspected sent the CNPD a copy of the renewed memo dated January 11, 2022. They also had confirmed that with regard to the four copies of the information notice, previously transmitted to the CNPD, namely a copy given during the on-site visit on May 26, 2021, two copies attached to their email of June 2, 2021 and one copy attached to their email of October 15, 2021, it “is the same information note, just in German and French, signed and unsigned. We used this note to inform staff.” 40. 
By letter dated February 2, 2023, those inspected sent the CNPD a copy of an email dated June 9, 2020 titled “GPS” and another copy of the information notice.[24]

41. Finally, those inspected inserted a copy of the above-mentioned email of June 9, 2020 below their email of June 21, 2023 to the Restricted Panel. They also attached four copies of the information notice and clarified that the email of June 9, 2020 had been “sent to all staff at the start of commissioning of the geolocation system with the corresponding annexes”.

[23] Exhibits 10 and 25 of the head of investigation.
[24] Exhibit 9 of those inspected.
[25] In particular, the information notices (Exhibits 14, 19, 20 and 21 of the head of investigation), the photograph of the information poster in the vehicles (Exhibit 22 of the head of investigation) and the memos (Exhibits 24 and 25 of the head of investigation).
[26] Exhibits 11 to 13 of the head of investigation.

42. In the statement of objections, the head of investigation, after examining the documentation submitted to the CNPD agents by those inspected during the investigation,[25] as well as the three information notices which had been communicated to the CNPD in the framework of the request for an opinion submitted on the basis of article L.261-1.4 of the Labor Code,[26] noted that on the day of the on-site visit, non-compliance with certain provisions of Article 13 of the GDPR was established. More particularly, he was of the opinion that on the day of the on-site visit those inspected had failed in their obligation:

- to inform the persons concerned of the identity of the data controller, arising from article 13.1.a) of the GDPR, given that those inspected were not
indicated as joint controllers in the documents sent to their employees;[27]
- to inform the persons concerned of the identity of the data protection officer, arising from article 13.1.b) of the GDPR, because the existence of the officer did not appear in the documents sent to their employees;[28]
- to inform the data subjects of the legal basis justifying the processing, arising from article 13.1.c) of the GDPR, as the information notices did not mention a relevant legal basis under Article 6 of the GDPR;[29]
- to inform the persons concerned as to the legitimate interests pursued, arising from article 13.1.d) of the GDPR, given that the legitimate interests pursued by those inspected did not appear in the documents sent to their employees, although during the on-site visit those inspected declared that they based the processing on legitimate interest;[30]
- to inform the persons concerned about the appropriate guarantees put in place, as well as the means of obtaining a copy of them or the place where they are made available, arising from article 13.1.f) of the GDPR, because although the information notices mentioned “a transfer of data to a third country within the meaning of GDPR (in this case the United States of America)”, the documents transmitted to employees did not mention the measures taken to guarantee an adequate level of protection, and the information notices mentioned that this transfer was supervised by the “[EU-U.S.] Privacy Shield [Framework]” while this adequacy decision had been invalidated by the Court of Justice of the European Union[31];[32]
- to inform the persons concerned of their right to lodge a complaint with the CNPD, arising from article 13.2.d) of the GDPR, as this mention did not appear in the documents sent to employees.[33]

[27] Statement of Objections, points 39 to 44.
[28] Statement of Objections, points 45 to 50.
[29] Statement of Objections, points 51 to 55.
[30] Statement of Objections, points 56 to 60.
[31] CJEU, Case C-311/18, judgment of July 16, 2020.
[32] Statement of Objections, points 61 to 66.
[33] Statement of Objections, points 67 to 69.

43. The Restricted Panel would first like to point out that article 13 of the GDPR refers to the obligation imposed on the controller to “provide” all the information mentioned there. The word “provide” is crucial here and it “means that the controller must take concrete measures to provide the information in question to the data subject or to actively direct the person concerned to the location of said information (for example by means of a direct link, a QR code, etc.)”.[34]

44. It further considers that a multi-level approach to communicating transparency information to data subjects may be used in an offline or non-digital context, i.e. in a real environment such as, for example, personal data collected by means of a geolocation system. The first level of information (warning sign, information note, etc.) should generally include the most essential information, namely the details of the purpose of the processing, the identity of the controller and the existence of the rights of the data subjects, as well as the information having the greatest impact on the processing or any processing likely to surprise the persons concerned. The second level of information, that is to say all of the information required under Article 13 of the GDPR, could be provided or made available by other means, such as a copy of the privacy policy sent by e-mail to employees.[35]

45.
Regarding the first level of information, the Restricted Panel notes that the sticker affixed to the service vehicles and construction machinery of those inspected, a photo of which was annexed to their email of June 2, 2021, bore the words “GPS überwacht mit […]” and “Monitored by GPS with […]”, a reference to “[…].com”, as well as the “[…]” and “Made in Luxembourg”. However, it notes that this sticker did not contain the information required within the meaning of Article 13 of the GDPR, and not even the elements required by the first level of information. In particular, details of the purpose of the processing, the identity of the joint controllers and the existence of the rights of the persons concerned were missing.

[34] Cf. WP 260 rev.01, point 33.
[35] See WP 260 rev.01, point 38.

46. The Restricted Panel also notes the copy of the “Memorandum concerning the use of GPS installed in machines and vehicles […] [of those inspected]” dated February 17, 2021, which had been given to the CNPD agents during the on-site visit of May 26, 2021.[36] The said memo specified certain practical aspects of the use of the geolocation system, such as the person responsible for the system, the retention periods for geolocation data and access to the system. The Restricted Panel notes, however, that this memo did not contain the elements required by the first level of information. In particular, details of the purpose of the processing, the identity of the joint controllers and the existence of the rights of the persons concerned were missing.
Furthermore, the documentation submitted to the Restricted Panel does not contain any evidence that the information note had actually been transmitted individually to the employees of those inspected before the on-site visit by the CNPD agents.

[36] Exhibits 9 and 24 of the head of investigation.
[37] Exhibit 17 of the head of investigation.
[38] Exhibits 11 and 13 of the head of investigation.
[39] Exhibit 12 of the head of investigation.

47. Regarding the second level of information, the Restricted Panel takes note

- of the three information notices which had been communicated to the CNPD within the framework of the request for an opinion submitted on the basis of article L.261-1.4 of the Labor Code.[37] Two of these documents were in French, dated June 9, 2020 and entitled “Information notice concerning the implementation of geolocation of professional vehicles”. Public Body A or Public Body B was identified as the controller. The third document was in German, dated June 2, 2020 and entitled “Informationsblatt bezüglich des Einsatzes eines Geolokalisierungssystems in Dienstfahrzeugen”. Public Body A was identified as the controller;[39]
- of the information notice entitled “Informationsblatt bezüglich des Einsatzes eines Geolokalisierungssystems in Dienstfahrzeugen” which had been handed over to the CNPD agents during the on-site visit on May 26, 2021. It was in German, undated, and identified Public Body B as the controller;
- the two information notices that those inspected had attached to their email of June 2, 2021. One document was in French and entitled “Information notice concerning the implementation of geolocation of professional vehicles”.[41]
The other document was in German and entitled “Informationsblatt bezüglich des Einsatzes eines Geolokalisierungssystems in Dienstfahrzeugen”. Neither of these documents was dated. The French version identified Public Body B as the controller and the German version Public Body A. Indeed, it appeared from the cover page accompanying these documents that they were draft templates that Company C had made available to its customers, together with certain other legal information, to prepare an “information note […] to provide to the employees concerned”;
- the information notice entitled “Informationsblatt bezüglich des Einsatzes eines Geolokalisierungssystems in Dienstfahrzeugen”[43] which those inspected had annexed to their email of October 15, 2021 and which was in German and dated June 9, 2020. It identified Public Body B as the controller;
- a copy of the information notice entitled “Information notice concerning the implementation of geolocation of professional vehicles” which was annexed to the letter from those inspected dated February 2, 2023 and which was in French and dated June 9, 2020. It identified Public Body A as the controller;

[40] Exhibit 19 of the head of investigation.
[41] Exhibit 21 of the head of investigation.
[42] Exhibit 20 of the head of investigation.
[43] Exhibit 14 of the head of investigation.
[44] Exhibit 9 of those inspected.

- the four copies of the information notice which were annexed to the email of those inspected of June 21, 2023 to the Restricted Panel and which were dated June 9, 2020. Two of these documents were in French and entitled “Information notice concerning the implementation of geolocation of professional vehicles”.
Public Body B or Public Body A was identified as the controller. The other two documents were in German and entitled “Informationsblatt bezüglich des Einsatzes eines Geolokalisierungssystems in Dienstfahrzeugen”. Public Body B or Public Body A was identified as the controller.

The Restricted Panel considers that, with the exception of divergent information on the controller and the legal basis for the processing in the different language versions, the content of the aforementioned information notices was almost identical.[45]

48. It also observes that the email of June 9, 2020 that those inspected inserted below their email of June 21, 2023, and the four information notices annexed to it, had been sent to their employees individually, namely to their professional email addresses.

49. However, it notes that the aforementioned information notices did not contain all of the information provided for in Article 13 of the GDPR. Thus, they did not mention the joint controllers (article 13.1.a) of the GDPR), the data protection officer of those inspected (article 13.1.b) of the GDPR), information relating to the relevant legal basis under Article 6 of the GDPR (article 13.1.c) of the GDPR), the legitimate interests pursued by the joint controllers (article 13.1.d) of the GDPR), details of transfers to third countries and, more precisely, relevant information on the existence or absence of an adequacy decision, the appropriate or suitable guarantees and the means of obtaining a copy of them or the place where they were made available (article 13.1.f) of the GDPR), and the information regarding the right to lodge a complaint with the supervisory authority (article 13.2.d) of the GDPR), in this case the CNPD.

50.
It also notes that the information notices, combined with the display in service vehicles and construction machinery and/or the memo, did not contain all the information required by Article 13 of the GDPR either.

[45] […].

51. Those inspected also claimed to have provided oral information to the employees during a meeting. The Restricted Panel notes that it does not result from the reports relating to the meetings between […] [the staff delegation and management], copies of which were attached to the email of those inspected of June 2, 2021, that the representatives of the staff delegations had been informed of all the information required by Article 13 of the GDPR. It considers moreover that information given to the staff delegation could at most be qualified as collective information, and not as individual information of employees. Therefore, the Restricted Panel notes that the documentation submitted by those inspected does not contain any proof attesting that the employees of those inspected had been validly informed orally, before the on-site visit of the CNPD agents, in accordance with Article 13 of the GDPR.

52. In view of the above, the Restricted Panel agrees with the opinion of the head of investigation and concludes that non-compliance with Article 13 of the GDPR was established on the day of the on-site visit of the CNPD agents.

C. […]

[…]

D. On the breach linked to the principle of data minimization

1. On the principles

62. In accordance with article 5.1.c) of the GDPR, personal data must be “adequate, relevant and limited to what is necessary with regard to the purposes for which they are processed (data minimization)”.

63.
Article 5.1.b) of the GDPR also provides that personal data must be “collected for specific, explicit and legitimate purposes, and not be subsequently processed in a manner incompatible with these purposes; […] (limitation of purposes)”.

2. In the present case

64. Regarding the principle of minimization, the CNPD, in the observations formulated at the end of its opinion, had considered that one of the conditions of lawfulness of the “processing envisaged by the employer” was that “the geolocation of construction equipment can be activated only outside working hours, except for employees working alone and performing dangerous tasks in remote areas, in which case activation of geolocation must be done by employees”.[46]

[46] CNPD opinion, page 15.
[47] Minutes relating to the on-site visit, finding 9.
[48] Idem.
[49] Idem.
[50] Minutes relating to the on-site visit, finding 12.

65. During the on-site visit, those inspected declared to the CNPD agents that

- the geolocation system installed in the service vehicles or construction equipment of those inspected was not provided with a deactivation button;[47]
- service vehicles and construction equipment could not be used for private purposes;[48]
- those inspected feared that, if a deactivation button were installed, the geolocation system would not be reactivated in the evening, through forgetfulness, so that the machines would not be protected against theft;[49]
- the geolocation system was used for several purposes, namely the safety and health of employees, monitoring and verification of employees' working time, issuing invoices, optimization of the work process and the security of service vehicles and construction machinery;[50]
- in the past, emergency situations in which immediate identification of vehicles had been necessary (for example […]) were managed on the basis of information available to those inspected in specific situations;[51]
- service vehicles and construction equipment had been the subject of attempted theft (displacement).[52]

66. The head of investigation noted in the statement of objections that the geolocation system was “in particular installed on construction equipment” and that it was not equipped with a deactivation button.[53]

67. He also recalled that “concerning construction equipment, the Opinion of the CNPD establishes that “with regard to the monitoring of construction machinery […] [of those inspected], the National Commission is of the opinion that geolocating these during working hours would amount to monitoring the employees of the data controllers in a quasi-permanent manner. Indeed, as indicated by […] [those inspected] in […] [their] letter of October 2, 2020, the personnel […] [of those inspected] often work alone or in very small teams. It is therefore easy to link a particular machine to its user. [...] The National Commission nevertheless understands the need for […] [those inspected] to be able to protect their construction equipment against theft and also to be able to track the working time of employees. In this regard, the National Commission is of the opinion that geolocation of construction machinery activated only outside working hours, and deactivated by employees when they start using a particular machine, would make it possible to achieve these two purposes, while being less detrimental to the private lives of the employees […] [of those inspected].
In addition, the National Commission recognizes that geolocation of construction machinery during working hours could be useful, or even necessary, to ensure the safety of employees who carry out dangerous tasks alone (for example, […]) in remote places. [...] Consequently, with regard to the sometimes dangerous activities carried out by the employees […] [of those inspected], in spaces […] which can be very remote, the National Commission is of the opinion that the geolocation of construction equipment could nevertheless be activated during working hours, when it is used by employees working alone in very remote […] spaces (for example, […]) and performing tasks of a dangerous nature. Activation should then be carried out by the employee himself.””.[54]

[51] Minutes relating to the on-site visit, finding 12 (i).
[52] Minutes relating to the on-site visit, finding 12 (v).
[53] Statement of Objections, points 81 and 82.

68. He considered “that none of the elements obtained during the on-site visit […] [was] likely to influence the argument developed in the CNPD Opinion” and that no element of the documentation submitted to the CNPD contained evidence to the contrary.[55] He therefore found that non-compliance with article 5.1.c) of the GDPR was established on the day of the on-site visit.

69. By email of June 2, 2021, those inspected had specified that in the past vehicles had been moved to a construction site, but had not been stolen, and that this incident had not been reported to the police.

70. Subsequently, those inspected explained in their letter of February 2, 2023 that the geolocation system had been installed to comply with a request from the staff, who had justified the request “in the interests of personal security.
” They had explained in particular that “the workers […] working partly alone outside and potentially far from homes, […] with more or less heavy equipment. Faced with the ever-present risk of accident, employees wanted assurance that their exact position is known in order to avoid unnecessary waste of time in case a rescue intervention should prove necessary” and that “[t]herefore, a system allowing the worker to turn it off or on according to his needs, such as proposed by the CDG, would always carry the risk of forgetting to put it into service when he needed it. Such a module would clearly defeat the purpose sought by employees and would reduce the interest of such a system.” In addition, they explained that although an opinion had been requested from the CNPD by the staff delegation, the employees concerned would at no time have felt personally bothered by geolocation and any invasion of their privacy would have remained “purely theoretical”. They also stressed that permanent surveillance of employees was at no time the purpose sought by the geolocation system. In order to confirm the above, those inspected had annexed to their aforementioned letter two testimonial certificates from employees of those inspected,[57] as well as […] [several reports of the meetings of their governing bodies]. The Restricted Panel notes that these documents mentioned employee safety as one of the purposes of implementing the geolocation system.

[54] Statement of Objections, paragraph 83.
[55] Statement of Objections, paragraph 84.
[56] Statement of Objections, paragraph 85.

71.
During the Restricted Panel session, those inspected reiterated these remarks and also confirmed that, contrary to what was indicated in the information notices,[58] service vehicles and construction equipment were reserved for strictly professional use. They also explained that working time was currently tracked by clocking in at the technical room […] for the workers, and that the geolocation system was an alternative means that could be used to allow workers to go directly (by their private means) to the construction sites while allowing those inspected to verify the written working time declarations (via the geolocation system for construction equipment).

72. Considering the explanations on the purposes of the processing provided by those inspected in their letter of February 2, 2023 and during the Restricted Panel session, as well as the confirmation that the construction machinery was reserved for strictly professional use, the Restricted Panel considers that the geolocation system can be used to ensure the safety of workers working alone in isolated locations during working hours, without requiring that a separate activation button be installed, and to verify the written working time declarations of workers authorized to go directly to the construction sites.

73. In view of these circumstances, the Restricted Panel considers that there is no need to identify a breach of article 5.1.c) of the GDPR.

[57] Exhibit 1 of those inspected.
[58] The information notices stated the following: “The geolocation system can be disabled on vehicles that may be used outside of working hours for private reasons” or “Das Geolokalisierungssystem kann bei den Fahrzeugen deaktiviert werden, die außerhalb der Arbeitszeiten für private Zwecke genutzt werden dürfen”.
E. On the breach linked to the obligation to limit purposes

1. On the principles

74. Article 5.1.b) of the GDPR provides that personal data must be “collected for specific, explicit and legitimate purposes, and not be subsequently processed in a manner incompatible with these purposes; […] (limitation of purposes)”.

75. Article 6.1 of the GDPR provides that processing is only lawful if, and to the extent that, at least one of the six legal bases listed in this article applies.

76. Furthermore, article L. 261-1.1 of the Labor Code provides that “processing of personal data for the purposes of monitoring employees in the context of labor relations can only be implemented by the employer in the cases referred to in Article 6, paragraph 1, letters a) to f)” of the GDPR, and in accordance with the provisions of this article.

77. Regarding the requirement that the purpose be “legitimate”, the Article 29 Working Party, in its opinion 03/2013 on purpose limitation,[59] adopted on April 2, 2013 (hereinafter: “WP 203”), clarified that in order for a purpose to be legitimate, the processing must, at any stage and at any time, be based on at least one of the legal bases provided for by Article 7 of Directive 95/46/EC,[60] and that Article 6.1(b) of that Directive further requires that the purposes comply with all the provisions of applicable data protection law, as well as any other applicable legislation, such as labor law, general contract law, consumer law, etc.[61]

78.
Regarding this opinion, the EDPB clarified in its “Guidelines 4/2019 on Article 25 Data Protection by Design and by Default”, version 2.0 of which was adopted on October 20, 2020, that the “Article 29 Working Party provided guidance on the interpretation of the principle of purpose limitation within the framework of Directive 95/46/EC” and that “[a]lthough this opinion has not been adopted by the Board, it can nevertheless retain its relevance, given that the principle is worded in the same way in the GDPR”.[62]

[59] “Opinion 03/2013 on purpose limitation”. This opinion is only available in English.
[60] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, which was repealed by the GDPR.
[61] WP 203, pages 19 to 20; original text in English: “In order for the purposes to be legitimate, the processing must - at all different stages and at all times - be based on at least one of the legal grounds provided for in Article 7 […]. However, the requirement that the purposes must be legitimate is broader than the scope of Article 7. In addition, Article 6(1)(b) also requires that the purposes must be in accordance with all provisions of applicable data protection law, as well as other applicable laws such as employment law, contract law, consumer protection law, and so on”.

2. In the present case

79. The CNPD, at the end of its opinion, observed that it was its understanding that those inspected wished to implement the envisaged processing, among other things, to “ensure the tracking of goods due to their particular nature (dangerous materials, foodstuffs)”.
[63]

80. The head of investigation noted in the statement of objections that “it appears from the information notes (EXHIBITS 11, 12, 13 and 14) that one of the purposes of the Processing is the “Guarantee of tracking of goods due to their particular nature (dangerous materials, foodstuffs, etc.)”, respectively in the German versions “The terms of the Warehouse Verfolgung aufgrund der besonderen Art der transportierten Waren (gefährliche Stoffe, Lebensmittel,…)””[64] and that “the transport of goods does not appear [however] in any of the corporate objects appearing in the statutes of those inspected”.[65]

81. He considered that “[i]f the transport of goods can constitute in itself and in certain cases a legitimate purpose, this cannot be the case if this purpose does not cover an operational reality”.[66] Thus, after having noted that “it in no way emerges from the investigation that those inspected would actually engage in a goods transport activity”, he held that the purpose relating to the transport of goods was devoid of legitimacy,[67] so that non-compliance with article 5.1.b) of the GDPR was established on the day of the on-site visit.[68]

82. During the Restricted Panel session, those inspected clarified, as regards the transport of goods, that in order to carry out their projects they were required to transport earth and stones, as well as other similar materials which they consider to be goods.

[62] Cf. footnote 34.
[63] CNPD opinion, page 15.
[64] Statement of Objections, paragraph 89.
[65] Statement of Objections, paragraph 90.
[66] Statement of Objections, paragraph 91.
[67] Idem.
[68] Statement of Objections, paragraph 93.

83.
The Restricted Panel recalls that for a purpose to be legitimate, the processing must in particular be based on a relevant legal basis under Article 6 of the GDPR.

84. It notes that the tracking of goods due to their particular nature was mentioned as one of the purposes of the processing in the information notices that those inspected had sent to their employees, and that during the on-site visit those inspected invoked their legitimate interests as the legal basis for the processing (article 6.1.f) of the GDPR).[69]

85. The Restricted Panel has already noted that those inspected had not mentioned in the information notices the legitimate interests pursued by the joint controllers (article 13.1.d) of the GDPR) (see point 49 of this decision) […].[70]

86. It nevertheless expresses doubts as to whether the earth and stones transported by those inspected qualify as items that merit tracking due to their particular nature as the CNPD understands it, that is to say dangerous materials or perishable or particularly valuable goods. Thus, the activities in which those inspected actually engaged did not correspond to the activities that the CNPD had considered in its opinion. In fact, it was only during the investigation that it turned out that the purpose of tracking goods did not reflect an operational reality.

87. It considers that the tracking of goods due to their particular nature did not constitute a real, and therefore legitimate, purpose, and therefore could not justify the use of geolocation on the basis of article 6.1.f) of the GDPR for this purpose.

88. In view of the above, the Restricted Panel agrees with the opinion of the head of investigation and concludes that non-compliance with article 5.1.b) of the GDPR was established on the day of the on-site visit by the CNPD agents.

[69] Minutes relating to the on-site visit, finding 13.
[70] […].
II. 2. On the fine and corrective measures

1. On the principles

89. In accordance with article 12 of the law of August 1, 2018, the National Commission has the powers provided for in article 58.2 of the GDPR:

“a) notify a controller or a processor of the fact that the envisaged processing operations are likely to violate the provisions of this regulation;
b) call to order a controller or a processor when the processing operations have resulted in a violation of the provisions of this regulation;
c) order the controller or processor to comply with requests presented by the data subject in order to exercise their rights pursuant to this regulation;
d) order the controller or processor to bring the processing operations into compliance with the provisions of this Regulation, where applicable, in a specific manner and within a specific time frame;
e) order the controller to communicate to the data subject a personal data breach;
f) impose a temporary or permanent restriction, including a ban, on processing;
g) order the rectification or erasure of personal data or the limitation of processing pursuant to Articles 16, 17 and 18 and the notification of these measures to recipients to whom personal data have been disclosed pursuant to Article 17, paragraph 2, and Article 19;
h) withdraw a certification or order the certification body to withdraw a certification issued pursuant to articles 42 and 43, or order the certification body not to issue certification if the requirements applicable to the certification are not or no longer satisfied;
i) impose an administrative fine pursuant to Article 83, in addition to or instead of the measures referred to in this paragraph, depending on the characteristics specific to each case;
j) order the suspension of data flows addressed to a recipient located in a third country or to an international organization.”

90. In accordance with article 48 of the law of August 1, 2018, the CNPD may impose administrative fines as provided for in article 83 of the GDPR, except against the State or municipalities.

91. Article 83.1 of the GDPR provides that each supervisory authority ensures that the administrative fines imposed are, in each case, effective, proportionate and dissuasive.

92. Article 83.2 of the GDPR specifies the elements which must be taken into account to decide whether to impose an administrative fine and to decide the amount of this fine:

“a) the nature, seriousness and duration of the violation, taking into account the nature, scope or purpose of the processing concerned, as well as the number of data subjects affected and the level of damage they have suffered;
b) the fact that the violation was committed deliberately or negligently;
c) any measures taken by the controller or processor to mitigate the damage suffered by the persons concerned;
d) the degree of responsibility of the controller or processor, taking into account the technical and organizational measures that they have implemented under articles 25 and 32;
e) any relevant breach previously committed by the controller or the processor;
f) the degree of cooperation established with the supervisory authority with a view to remedying the violation and to mitigate possible negative effects;
g) the categories of personal data affected by the violation;
h) the manner in which the supervisory authority became aware of the violation, in particular if, and to what extent, the controller or processor has notified the breach;
i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned for the same object, compliance with these measures;
j) the application of codes of conduct approved pursuant to Article 40 or certification mechanisms approved pursuant to Article 42; and
k) any other aggravating or mitigating circumstance applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, as a result of the violation.”

93. The imposition of administrative fines was explained by the Article 29 Working Party in its “Guidelines on the application and setting of administrative fines for the purposes of Regulation (EU) 2016/679” adopted on October 3, 2017. These guidelines have been taken up and re-approved by the EDPB. The Restricted Training underlines that these guidelines have been supplemented by the “Guidelines 04/2022 on the calculation of administrative fines under the GDPR” of the EDPB, version 2.1 of which was adopted on May 24, 2023. [72]

94. The Restricted Panel would like to point out that the facts taken into account in the framework of this decision are those noted at the start of the investigation. Any modifications to the data processing subject to the investigation that have taken place subsequently, even if they make it possible to fully or partially establish compliance, do not allow retroactive cancellation of a noted breach.

95.
Nevertheless, the steps taken by those inspected to bring themselves into compliance with the GDPR during the investigation procedure or to remedy the shortcomings noted by the head of investigation in the statement of objections are taken into account by the Restricted Training as part of any corrective measures to be pronounced and/or the setting of the amount of a possible administrative fine to be pronounced.

[71] See decision Endorsement 1/2018 of the EDPB of May 25, 2018, available under: https://edpb.europa.eu/sites/edpb/files/files/news/endorsement_of_wp29_documents_en_0.pdf.
[72] The guidelines on calculating fines are currently only available in English.

2. In this case

2.1 As for the imposition of an administrative fine

96. In the statement of objections, the head of investigation proposed to the Restricted Panel to impose an administrative fine in the amount of […] euros “for the payment of which the Controlled will be jointly and severally held”. [73]

97. The controlled, in their letter of February 2, 2023, by which they had taken a position in relation to the initial statement of objections, had first raised the incompetence of the CNPD to pronounce an “administrative sanction” […]. In the alternative, those inspected had contested the amount of the administrative fine proposed by the head of investigation in the initial statement of objections, in particular in view of previous decisions taken by the Restricted Formation. They also contested any intention on their part to commit the breaches identified in the initial statement of objections.

98.
The head of investigation, in his letter dated February 15, 2023 by which he notified the statement of objections to the controlled, stated, “[a]s for the arguments relating to the incompetence of the National Commission for Data Protection to pronounce an administrative sanction […]”, that “the latter are rejected and, therefore, not likely to modify the CDG”.

99. During the Restricted Training session of June 13, 2023, those controlled reiterated the above-mentioned remarks.

2.1.1 On the competence of the CNPD to impose an administrative fine

100. […] given that the exemption from article 48.1 of the law of August 1, 2018 only targets “the State and municipalities” and not legal entities under public law in general, the Restricted Panel considers that it is competent to impose administrative fines […] [to Public Bodies A and B].

101. […]

[73] Statement of Objections, paragraph 125.

2.1.2 On the advisability of imposing an administrative fine

102. In order to decide whether it is appropriate to impose an administrative fine, the Restricted Training analyzes the criteria set by article 83.2 of the GDPR.

103. As for the nature and seriousness of the violation (article 83.2.a) of the GDPR), it notes that the breach of article 5.1.b) of the GDPR constitutes a breach of a fundamental principle of the GDPR (and of data protection law in general), namely the principle of limitation of purposes enshrined in Chapter II “Principles” of the GDPR.
As for the failure to comply with the obligation to inform the persons concerned in accordance with article 13 of the GDPR, it recalls that information and transparency relating to the processing of personal data are essential obligations weighing on data controllers, so that people are fully aware of the use that will be made of their personal data once collected. A breach of Article 13 of the GDPR therefore constitutes an infringement of the rights of the persons concerned. This right to information has also been strengthened under the GDPR, which demonstrates its particular importance.

104. As for the duration criterion (article 83.2.a) of the GDPR), the Restricted Training notes that these failures have lasted over time, at least since […] March 2021 and until the day of the on-site visit. In fact, those inspected explained during the Restricted Training session that the geolocation system had been deactivated pending a return from the CNPD. However, the mail […] that the controlled attached to their email to the Restricted Training of June 21, 2023 specifies that the geolocation system […] [was] reactivated after those controlled had become aware of the opinion of the CNPD and before the on-site visit of CNPD agents dated May 26, 2021.

105. As for the number of affected persons and the level of damage they have suffered (article 83.2.a) of the GDPR), the Restricted Formation notes that this concerns all employees of those inspected who have used service vehicles and construction machinery equipped with the geolocation system.
In this regard, it takes into account the explanations provided by those inspected during the Restricted Training session according to which the people concerned by geolocation were the […] employees-workers who left daily with the service vehicles and used the site equipment, as well as their […] other employees who occasionally used one of the service vehicles. The Restricted Formation notes that only a third of the employees were not capable of being constantly monitored.

106. As to the question of whether the breaches were committed deliberately or negligently (article 83.2.b) of the GDPR), the Restricted Training recalls that “intent”, that is to say an offense committed deliberately, includes both knowledge and will in relation to the characteristics of an offense, while “not deliberately” (negligently) means that there was no intention to commit the violation, although the controller or processor has not complied with the duty of care incumbent upon it under the legislation.

The controlled, in their aforementioned letter of February 2, 2023, had explained that they were initially suspicious of the geolocation system, but that the said system had nevertheless been installed at the request of employees, mainly for reasons of security. They also stressed that at no time would permanent surveillance of employees have been the purpose sought by the geolocation system (cf. point 70 of this decision).
The Restricted Panel also takes into account the assertions of the head of investigation according to which “the Controlled have had a certain number of internal discussions regarding the way of concretely adapting the CNPD Opinion to their needs (EXHIBITS 28 and 29)” which “at no time […] indicate any desire to ignore the recommendations of the CNPD Opinion”. [74]

While the Restricted Panel is of the opinion that the facts and the shortcomings observed do not reflect a deliberate intention to violate the GDPR on the part of those inspected, it nevertheless considers that the breaches were committed through negligence.

107. As for the measures taken by those inspected or their subcontractor to mitigate the damage suffered by the persons concerned (article 83.2.c) of the GDPR), the Restricted Training takes into account the measure taken by those controlled and refers to Chapter II.2, Section 2.2 of this decision for the related explanations.

Those inspected had also explained in their letter of February 2, 2023, as well as during the Restricted Formation session, that they had appointed an external data protection officer, namely Company D, already before the request for an opinion addressed to the CNPD and that the latter “had the particular mission of ensuring the compliance of […] [of the inspected] with the rules of the GDPR”. However, as this appointment [75] had not resulted in a mitigation of the damage, the Restricted Formation cannot take it into account as a mitigating factor.

[74] Statement of Objections, paragraph 115.
This also applies to the aforementioned deactivation of the geolocation system, given that those controlled had reactivated the system after receiving the notice from the CNPD and before the on-site visit of CNPD agents (see point 104 of this decision).

108. As for the degree of cooperation established with the supervisory authority (article 83.2.f) of the GDPR), the Restricted Training takes into account the assertion of the head of investigation according to which “the Controlled showed good cooperation”. [76]

109. As for the categories of personal data concerned by the violation (article 83.2.g) of the GDPR), these are the date and time of the start and end of the journey, the state of the vehicle (moving or stationary, including any possible breaks), vehicle positioning data (within two meters) and route of the vehicle, driving time and mileage traveled, and abnormal start-up of the vehicle given the day (Saturday or Sunday) or the time (“Geo-fencing” function). [77]

The controlled persons declared during the on-site visit of the agents of the CNPD that the geolocation system was associated with service vehicles and site machines and not with employees. However, matching the geolocation of the vehicle with the employee driving it was possible by cross-referencing the employees' work sheets, to the extent that they documented which vehicle was used on which day by which employee.

110. As for any other aggravating or mitigating circumstance applicable to the circumstances of the case (article 83.2.k) of the GDPR), the Restricted Training takes into account the assertions by the head of investigation according to which “the violations identified are a priori not likely to bring an economic benefit to the Controlled. The head of investigation furthermore did not find any elements allowing us to conclude that losses were avoided”. [79]

[75] Exhibits 26 and 27 of the head of investigation, according to which the data protection officer declaration forms were transmitted to the CNPD by email of November 9, 2020 (Public Body B) and email of November 16, 2020 (Public Body A).
[76] Statement of Objections, paragraph 118.
[77] Minutes relating to the on-site visit, finding 8.
[78] Minutes relating to the on-site visit, finding 10.

111. The Restricted Panel notes that the other criteria of article 83.2 of the GDPR are neither relevant nor likely to influence its decision regarding the imposition of an administrative fine and its amount.

112. Therefore, the Restricted Panel considers that the imposition of an administrative fine is justified with regard to the criteria set by article 83.2 of the GDPR for breach of articles 5.1.b) and 13 of the GDPR.

2.1.3 On the amount of the fine

113. Those controlled transmitted to the Restricted Training, by emails of June 21 and 29, 2023, their respective accounts for the year 2022.

114. Regarding the amount of the administrative fine, the Restricted Panel recalls that article 83.3 of the GDPR provides that in the event of multiple violations, as in the present case, the total amount of the fine cannot exceed the maximum amount set for the most serious violation. To the extent that a breach of Articles 5 and 13 of the GDPR is blamed on those inspected, the maximum amount of the fine that can be retained amounts to 20 million euros or 4% of global annual turnover, the higher amount being retained, in accordance with article 83.5 of the GDPR.

115.
With regard to the responsibility of those controlled, their financial capacities and the relevant criteria of article 83.2 of the GDPR mentioned above in chapter “2.1.2 On the advisability of imposing an administrative fine”, the Restricted Training considers that the imposition of a fine of two thousand five hundred (2,500) euros appears effective, proportionate and dissuasive, in accordance with the requirements of article 83.1 of the GDPR.

[79] Statement of Objections, paragraph 121.

2.2 Regarding taking corrective measures

116. In the statement of objections the head of investigation proposed to the Restricted Training to adopt the following corrective measures: “within 1 month from notification to the Controlled of the decision taken by the Restricted Panel:

Pronounce against the Controlled under article 58.2 d) of the GDPR an injunction to bring the Processing into compliance with provisions 13.1 a, b, c, d, f and 13.2 d) of the GDPR and more precisely to complete, respectively rectify, the information measures intended for Employees, by:
- completing the identity of the Data Controller;
- providing the identity of the data protection officer;
- correcting the legal basis of the Processing;
- providing information on the legitimate interests pursued by the Controlled;
- providing information as to the existence or not of an adequacy decision and, where applicable, indicating the existence of appropriate guarantees and the means[s] of obtaining a copy;
- indicating the right to lodge a complaint with the supervisory authority;
- harmonizing the corrected German and French information notes so that they have identical content;
and to communicate any supporting evidence capable of demonstrating compliance
with this injunction.

[…]

Pronounce against the Controlled under article 58.2 d) of the GDPR an injunction to bring the Processing into compliance with the provisions of article 5.1 c) of the GDPR and more precisely to provide the geolocation system installed in the construction machinery with a deactivation button and to communicate any supporting documents capable of demonstrating compliance with this injunction.

Pronounce against the Controlled under article 58.2 d) of the GDPR an injunction to bring the Processing into compliance with the provisions of article 5.1 b) of the GDPR and more precisely to remove from the Information Notes the purpose “Guarantee of tracking of goods due to their particular nature (dangerous materials, foodstuffs, etc.)”, respectively in the German versions “Sicherstellung der Warennachverfolgung aufgrund der besonderen Art der transportierten Waren (gefährliche Stoffe, Lebensmittel,…)” and to communicate any supporting evidence capable of demonstrating compliance with this injunction.”

117. As for the corrective measures proposed by the head of investigation and by reference to point 95 of this decision, the Restricted Training takes into account the steps taken by those inspected in order to comply with the provisions of articles 5.1.b) and 13 of the GDPR, as detailed in their letter of February 2, 2023. More particularly, it takes note of the following facts:

118. In their letter of February 2, 2023, the controlled […]. They had […] contested that they would have taken no measures to comply with their legal obligations “after receipt of the CNPD’s opinion”.
Thus, they explained that they initially planned to wait to receive the opinion of the CNPD before initiating internal compliance measures and that they did not expect to be “subject shortly after [receipt of this notice] to a detailed control”. Otherwise, the necessary measures would have been taken more quickly. […] Then, they emphasized that a memo had been put in place after the receipt of the “first opinion” from the CNPD and remained in place pending guidance from the CNPD in the form of its “final opinion”. In support of their argument they had annexed […] [several reports from meetings of their governing bodies].

119. During the Restricted Training session of June 13, 2023, the controlled reiterated their words.

120. As for the first corrective measure proposed by the head of investigation, repeated under point 116 of this decision, to bring the information measures intended for employees of those controlled into compliance with the provisions of articles 13.1.a), b), c), d), f) and 13.2.d) of the GDPR and more precisely to complete, respectively rectify, said information measures, the Restricted Training takes into account the copy of the renewed version of the memo dated January 11, 2022 [81] which was annexed to the email of the controlled of March 24, 2022, and mentioned in their aforementioned letter of February 2, 2023.

The Restricted Panel notes, however, that the content of the said note was substantially identical to that of the memo dated February 17, 2021.

[80] Statement of Objections, paragraph 124.
Given that it has already noted that the latter document did not contain the elements required by the first level of information (see point 46 of this decision), it therefore considers that the same observation is necessary for the memo dated January 11, 2022. Furthermore, the documentation submitted to the Restricted Training does not contain any evidence that the renewed information note had indeed been transmitted individually to the employees of the controlled.

In view of the insufficient compliance measures taken by those inspected in the present case and of point 95 of this decision, the Restricted Panel therefore considers that it is appropriate to pronounce the corrective measure proposed by the head of investigation in this regard.

121. […]

122. As for the third corrective measure proposed by the head of investigation, repeated under point 116 of this decision, to bring processing into compliance with the provisions of article 5.1.c) of the GDPR and more precisely to provide the geolocation system installed in construction equipment with a deactivation button, given that the Restricted Training did not retain the breach linked to the principle of minimization retained by the head of investigation (see point 73 of this decision), it considers that there is also no reason to pronounce the corrective measure proposed by the head of investigation in this regard.

123. As for the fourth corrective measure proposed by the head of investigation, repeated under point 116 of this decision, to bring processing into compliance with the provisions of article 5.1.b) of the GDPR and more precisely to delete from the information notes the purpose relating to the tracking of goods, the Restricted Training recalls that it noted that the tracking of goods due to their nature did not constitute a legitimate purpose of the processing (see point 87 of this decision).

In view of the insufficient compliance measures taken by those inspected in the present case and of point 95 of this decision, the Restricted Panel therefore considers that it is appropriate to pronounce the corrective measure proposed by the head of investigation in this regard.

[81] Exhibits 10 and 25 of the head of investigation.
[82] Exhibits 9 and 24 of the head of investigation.

Taking into account the foregoing developments, the National Commission sitting in restricted training, after having deliberated, decides:

- to identify breaches of articles 5.1.b) and 13 of the GDPR;

- to pronounce against Public Body A and Public Body B an administrative fine in the amount of two thousand five hundred (2,500) euros in respect of breaches of articles 5.1.b) and 13 of the GDPR;

- to pronounce against Public Body A and Public Body B an injunction to bring processing into compliance with the obligations resulting from Article 13.1 and 2 of the GDPR and in particular to individually inform employees clearly and precisely about the geolocation system, within two months following notification of the decision of the Restricted Panel, either by proceeding by a first and second level, or by providing them in a single location or in the same document (in paper or electronic format) information on all the elements required under Article 13 of the GDPR, and more specifically to complete, respectively rectify, the information measures intended for employees, by:
o completing the identity of the data controllers;
o providing the identity of the data protection officer;
o deleting the purpose of the processing indicated as “tracking of goods due to their particular nature (dangerous materials, foodstuffs, …)”;
o providing information on the legal basis of the processing in relation to other purposes;
o providing information on the legitimate interests pursued;
o providing information as to the existence or not of an adequacy decision and, where applicable, indicating the existence of appropriate guarantees and the means of obtaining a copy;
o indicating the right to lodge a complaint with the National Commission for Data Protection;
o harmonizing the corrected German and French information notes so that they have identical content.

Belvaux, September 21, 2023.

The National Commission for Data Protection sitting in restricted formation

Tine A. Larsen, President
Thierry Lallemang, Commissioner
Alain Herrmann, Commissioner

Indication of avenues of appeal

This administrative decision may be the subject of an appeal for reform within three months following its notification. This appeal must be brought before the administrative court and must be introduced through a lawyer at the Court of one of the Bar Associations.