CNPD (Luxembourg) - Délibération n° 11FR/2021: Difference between revisions
From GDPRhub
(→Facts) |
No edit summary |
||
| Line 52: | Line 52: | ||
}} | }} | ||
The Luxembourg DPA fined a controller €2800 for processing geolocation data from their fleet of vehicles without an adequate retention period and without providing all the necessary information to their employees. | The Luxembourg DPA fined a controller €2800 for processing geolocation data from their fleet of company vehicles without an adequate retention period and without providing all the necessary information to their employees. | ||
== English Summary == | == English Summary == | ||
Revision as of 08:17, 16 June 2021
| CNPD (Luxembourg) - Délibération n° 11FR/2021 | |
|---|---|
 | |
| Authority: | CNPD (Luxembourg) |
| Jurisdiction: | Luxembourg |
| Relevant Law: | Article 5(1)(e) GDPR Article 13 GDPR Article 32(1) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 08.04.2021 |
| Published: | 07.06.2021 |
| Fine: | 2800 EUR |
| Parties: | n/a |
| National Case Number/Name: | Délibération n° 11FR/2021 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | French |
| Original Source: | CNPD (in FR) |
| Initial Contributor: | n/a |
The Luxembourg DPA fined a controller €2800 for processing geolocation data from their fleet of company vehicles without an adequate retention period and without providing all the necessary information to their employees.
English Summary
Facts
The Luxembourg DPA (CNPD) launched an investigation on a company that was using a geolocation system in their fleet of vehicles. Such vehicles were used by their employees for home to office transport and to travel with clients.
According to the controller, the geolocation purposes were geographic identification, protection of company assets, tracking of transported goods, optimal fleet management, optimisation of the work process, responding to customer complaints, proof of service customer complaints, the provision of proof of services, invoicing of services,and the monitoring of the working time of employees on the move.
The DPA also found that the geolocation data had been stored for a period of 2 years and 4 months.
Holding
According to the CNPD, the retention period exceeded what was necessary for the purposes of the processing. Because of this, the CNPD considered that the controller had violated Article 5(1)(e) GDPR.
The DPA also noted that the storage period should not only be adequate in sight of the purposes of the processing, but should also be individualised per each purpose.
The authority also found that the controller had not properly informed their employees about the processing of geolocation data. The only information provided to the employees consisted on a sticker on the vehicles and a plastic sheet attached to the vehicle documentation. There was also not enough information about the system on their privacy note.
The CNPD therefore considered that the controller had infringed Article 13.
For these violations, the DPA fined the controller €2800, and ordered them to implement a policy for providing the necessary information to the employees, as well as to implement adequate retention periods. Additionally, the DPA ordered the controller to implement, in accordance with Article 32(1) GDPR, access measures to the geolocation data, with a system that allows the data subject to authenticate themselves in order to access it.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
Decision of the National Commission sitting in restricted formation
on the outcome of survey No. [...] conducted with "Company A"
Deliberation n ° 11FR / 2021 of April 8, 2021
The National Commission for Data Protection sitting in a restricted body
composed of Ms Tine A. Larsen, president, and Messrs Thierry Lallemang and Marc
Lemmer, commissioners;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016
relating to the protection of individuals with regard to the processing of personal data
personal character and on the free movement of such data, and repealing the Directive
95/46 / EC;
Having regard to the law of 1 August 2018 on the organization of the National Commission for
data protection and the general data protection regime, in particular
its article 41;
Having regard to the internal regulations of the National Commission for the Protection of
data adopted by decision n ° 3AD / 2020 dated 22 January 2020, in particular its
article 10 point 2;
Having regard to the regulation of the National Commission for Data Protection relating to
investigation procedure adopted by decision n ° 4AD / 2020 dated 22 January 2020,
in particular Article 9;
Considering the following:
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
the survey n ° [...] conducted with "Company A"
1 / 26I. Facts and procedure
During its deliberation session of February 14, 2019, the National Commission for
data protection sitting in plenary session (hereinafter: "Plenary session
") Had decided to open an investigation with the ABC group on the basis of Article 37 of the
Law of 1 August 2018 on the organization of the National Commission for the Protection
data and the general data protection regime (hereinafter "Law of 1 August
2018 ") and to appoint Mr. Christophe Buschmann as head of the investigation.
According to the decision of the Plenary Panel, the investigation carried out by the
National Commission for Data Protection (hereafter: "CNPD") had as
purpose of verifying compliance with the provisions of the regulation on the protection of
natural persons with regard to the processing of personal data and the
free movement of such data, and repealing Directive 95/46 / EC (hereinafter "GDPR")
and the law of August 1, 2018, in particular through the establishment of
video surveillance and geolocation, where applicable, installed by the three companies of the
ABC group.
On February 20, 2019, CNPD agents visited the
ABC group premises. Since the report no. […] Relating to the said mission
on-site investigation only mentions that, among the three ABC group companies, as
2
responsible for the controlled processing company "Company A", the decision of the Commission
national body for data protection sitting in a restricted group on the outcome of
the investigation (hereinafter: "Restricted Training") will be limited to controlled treatments
by CNPD agents and carried out by the company "Company A".
"Company A" is a […] registered in the Trade and Companies Register of
Luxembourg under number […], with registered office at L- […] (hereinafter “the controlled”). The
1 And more specifically with companies: Company A, registered in the Trade and
Luxembourg companies under number […], with registered office at L- […]; Company B, registered at
Luxembourg Trade and Companies Register under number […], with registered office at L-
[…] And Company C, registered in the Luxembourg Trade and Companies Register under number
[…], With registered office at L- […].
2 See in particular report no. […] Relating to the on-site fact-finding mission carried out to date
of February 20, 2019 with the company Company A.
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
the survey n ° [...] conducted with "Company A"
2 / 26contrôlé's activity is to provide consultancy, installation and
3
maintenance in technology […].
During the aforementioned visit of February 20, 2019 by CNPD agents in the
controlled premises, Mr X, Director of Human Resources for the controlled,
confirmed to CNPD officers that a geolocation device is installed in a
part of the vehicles in the controlled fleet, but that the latter does not use
4
a video surveillance system.
According to the explanations provided to the CNPD agents, the persons concerned
by geolocation are employees of the company who use the vehicles for their
travel to customers and on their business trip between their home and head office
social control. Mr. X also confirmed to the CNPD agents that each
vehicle is assigned to a specific employee and that part of the vehicles that can be
used by employees for private purposes is not equipped with a
5
geolocation.
At the end of his investigation, the head of investigation notified the inspectorate on 9
August 2019 a statement of objections detailing the shortcomings he considered
constituted in this case, and more specifically a non-compliance with the prescribed requirements
by Article 13 of the GDPR with regard to employees, a non-compliance with
measures prescribed by Article 32.1 of the GDPR, as well as non-compliance with the requirements
prescribed by Article 5.1.e) of the GDPR.
The request for a meeting by the controlled of August 13, 2019 was accepted by the chief
of inquiry and the meeting was held on August 20, 2019. 6
3
According to the information provided on its own website: […].
4See report no. […] Relating to the on-site fact-finding mission carried out on February 20
2019 from Company A; see also the email from Company A of March 1, 2019 and
the letter of March 29, 2019.
5See finding 1 of report no. […] Relating to the on-site fact-finding mission carried out to date
of February 20, 2019 with the company Company A.
6
See the report of the meeting of August 20, 2019 with the company Société A.
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
the survey n ° [...] conducted with "Company A"
3/26 On October 7, 2019, the inspected produced written observations on the
statement of objections.
A letter additional to the statement of objections was sent to the inspectorate
dated August 17, 2020. In this letter, the head of the investigation proposed to the Formation
Restricted from taking three different corrective measures, as well as inflicting the controlled
an administrative fine in the amount of EUR 4,000.
By letter of September 24, 2020, the inspected produced written observations
on the additional letter to the statement of objections.
The president of the Restricted Training informed the control by letter of 9
October 2020 that his case would be registered for the Restricted Training session of 17
November 2020. The inspected confirmed their presence at the said meeting on October 20
2020.
During the Restricted Training session on November 17, 2020, the chef
investigation and the inspector reiterated their written observations orally and responded to
questions asked by the Restricted Training. The controlled had the floor last.
II. Place
II. 1. As to the grounds for the decision
A. On the breach linked to the principle of limitation of retention
1. On the principles
In accordance with Article 5.1.e) of the GDPR, personal data
must be kept "in a form permitting the identification of persons
concerned for a period not exceeding that necessary for the purposes
for which they are processed […] ”.
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
the survey n ° [...] conducted with "Company A"
4/26 According to recital (39) of the GDPR "personal data should
be adequate, relevant and limited to what is necessary for the purposes for
which they are processed. This requires, in particular, to ensure that the duration of
data retention is limited to the strict minimum. Personal data
personnel should only be processed if the purpose of the processing cannot be
reasonably achieved by other means. In order to ensure that the data is not
not kept longer than necessary, time limits should be set by the
controller for their erasure or for periodic review […]. "
2. In this case
During the on-site investigation, it was explained to CNPD officials that the purposes
of geolocation are as follows: "geographical identification, protection of
company assets, monitoring of transported goods, optimal fleet management,
optimizing the work process, providing responses to complaints from
customers, the provision of proof of services, invoicing of services as well as the
monitoring of the working time of employees on the move ”. 7
Regarding the retention period of data from the
geolocation, it appears from the findings of CNPD agents that the oldest
data dated October 14, 2016, i.e. the retention period of
8
data was 2 years and 4 months.
According to the head of the investigation, the said retention period for
geolocation of 2 years and 4 months exceeded that which was necessary for the realization of
the aforementioned purposes and for which the geolocation system had been implemented
square. For this reason, he was of the opinion that a non-compliance with the requirements of Article 5.1.e)
of the GDPR is to be retained (see statement of objections, Ad.A.3).
7See finding 5 of report no. […] Relating to the on-site fact-finding mission carried out to date
of February 20, 2019 with the company Company A.
8See finding 4 of report no. […] Relating to the on-site fact-finding mission carried out to date
of February 20, 2019 with the company Company A.
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
the survey n ° [...] conducted with "Company A"
5/26 By letter of March 29, 2019, the inspected for his part reiterated the comments contained
in his email of March 1, 2019, specifying that the retention period
data from the “[…]” geolocation system had been adapted to 12 months,
limit that was already in place for the "historical" component but not yet for the
"General reports". 9
During the hearing of the Restricted Training on November 17, 2020, the inspector
clarified that the retention period of 12 months was justified, among other things, by the fact that
location data is used for billing customers for services
carried out by its employees.
Restricted Training reminds that it is the responsibility of the data controller
determine, depending on each specific purpose, a retention period
appropriate and necessary in order to achieve said purpose. Thus, as the system of
geolocation set up by the controlled pursues several purposes, the durations of
conservation are to be individualized for each specific purpose.
The Restricted Training considers that the control should in particular have differentiated
between the retention period of location data for the purpose of
geographical identification, monitoring of goods transported and optimal management of its fleet,
on the one hand, and the data relating to the working time of employees having precisely
the purpose of monitoring the working time of employees on the move, on the other hand.
As mentioned above, during the hearing of the Restricted Panel, the inspector has by
elsewhere specified that the geolocation data is also intended for invoicing
to customers of services provided by its employees. As a result, the Restricted Formation
believes that an appropriate retention period should have been determined in order to achieve
said purpose.
With regard to the geolocation of employee vehicles, the Training
Restricted considers that the personal data obtained by the
geolocation can in principle only be kept for a period
maximum of two months under the aforementioned principle of Article 5.1.e) of the GDPR.
9
Regarding the different functionalities of “[…]”, see the explanations of the inspected in
his letter of October 7, 2019.
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
the survey n ° [...] conducted with "Company A"
However, it considers that if the said data is used by the person in charge of the
processing for the purposes of proof for invoicing the services provided for its
customers, the data necessary for such invoicing may be kept for a
duration of one year, provided that it is not possible to provide proof of benefits
by other means. 10
In the event that the geolocation device is installed for the purpose of verifying the
working time (when this is the only possible means), the Restricted Training considers
that the personal data obtained by geolocation which allows to
check the working time can nevertheless be kept for a period of time
maximum of three years in accordance with the limitation period set out in Article 2277 paragraph
1st of the Civil Code in matters of action for the payment of employee compensation.
In the event of an incident, the Restricted Training is of the opinion that the data may
however, be kept beyond the pre-mentioned deadlines within the framework of the
transmission of data to the competent judicial authorities and authorities
law enforcement agencies competent to ascertain or prosecute criminal offenses.
It also wishes to point out that the data obtained by geolocation
may also be kept beyond the aforementioned periods, if these have
previously made anonymous, that is to say that it is no longer possible to make a link
- direct or indirect - between these data and a specific employee.
In its former authorization no. […], On which the inspected, among others, is based
to justify that employees were already informed of the implementation of the
geolocation, the CNPD had already imposed as a condition that the data of
geolocation could not be kept beyond two months, respectively three
years for data relating to working time.
Based on all of these elements, the Restricted Training concludes that
Article 5.1.e) of the GDPR was not complied with by the inspectorate.
10See in this context the article of the National Commission for Computing and Liberties
(CNIL): “The geolocation of employee vehicles”, available at: https://www.cnil.fr/fr/la-
geolocation-of-employee-vehicles. "
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
the survey n ° [...] conducted with "Company A"
7 / 26B. On the breach related to the obligation to inform the persons concerned
1. On the principles
Pursuant to paragraph 1 of Article 12 of the GDPR, the "controller
take appropriate measures to provide any information referred to in Articles 13 and 14
as well as to make any communication under Articles 15 to 22 and Article
34 with regard to the processing to the data subject in a concise manner,
transparent, understandable and easily accessible, in clear and simple terms […]. "
Article 13 of the GDPR provides the following:
"1. When personal data relating to a data subject are
collected from this person, the controller provides them, at the time
where the data in question is obtained, all of the following information:
a) the identity and contact details of the controller and, where applicable, of the
representative of the controller;
b) where applicable, the contact details of the data protection officer;
c) the purposes of the processing for which the personal data are intended as well
as the legal basis for the processing;
d) where the processing is based on Article 6 (1) (f), the legitimate interests
pursued by the controller or by a third party;
e) the recipients or the categories of recipients of the personal data,
if they exist; and
f) where applicable, the fact that the controller intends to carry out a
transfer of personal data to a third country or to an organization
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
the survey n ° [...] conducted with "Company A"
8/26 international, and the existence or absence of an adequacy decision issued by the
Commission or, in the case of transfers referred to in Article 46 or 47, or in Article 49,
paragraph 1, second subparagraph, the reference to appropriate or adapted guarantees and the
how to obtain a copy or where it was made available;
2. In addition to the information referred to in paragraph 1, the controller shall provide
to the data subject, when the personal data are
obtained, the following additional information which is necessary to guarantee
fair and transparent treatment:
a) the retention period of personal data or, when this is not
possible, the criteria used to determine this duration;
b) the existence of the right to request from the controller access to data at
personal character, rectification or erasure thereof, or a limitation of the
processing relating to the data subject, or the right to object to the processing and
right to data portability;
c) where the processing is based on Article 6 (1) (a) or on Article 9,
paragraph 2 (a), the existence of the right to withdraw consent at any time,
without affecting the lawfulness of the processing based on consent made before the
withdrawal of it;
d) the right to lodge a complaint with a supervisory authority;
e) information on whether the requirement to provide data to
personal character has a regulatory or contractual character or if it conditions the
conclusion of a contract and whether the data subject is obliged to provide the data to
personal character, as well as the possible consequences of the non-provision of
those data;
f) the existence of automated decision-making, including profiling, referred to in Article
22, paragraphs 1 and 4, and, at least in such cases, useful information concerning the
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
the survey n ° [...] conducted with "Company A"
Underlying logic, as well as the significance and expected consequences of this processing
for the person concerned.
3. When he intends to carry out further processing of personal data
personal for a purpose other than that for which the personal data
have been collected, the data controller provides the person with
concerned information about this other purpose and any other information
relevant referred to in paragraph 2.
4. Paragraphs 1, 2 and 3 do not apply when and to the extent that the person
concerned already has this information. "
Communication to data subjects of information relating to the processing
of their data is an essential element in the context of compliance with obligations
general transparency within the meaning of the GDPR. 11 These obligations have been explained
by the Article 29 Working Group in its guidelines on transparency in the sense
of Regulation (EU) 2016/679, the revised version of which was adopted on April 11, 2018 (here-
after: "WP 260 rev.01").
Note that the European Data Protection Board (hereafter: "EDPS
»), Which replaced the Article 29 Working Group on May 25, 2018, took over and
re-approved the documents adopted by the said Group between May 25, 2016 and May 25
2018, as precisely the aforementioned guidelines on transparency. 12
2. In this case
According to the head of the investigation, the employees of the inspected were not validly informed
on the precise elements of articles 13.1 and 2 of the GDPR (see statement of objections,
page 2, Ad.A.1.).
11See in particular articles 5,1, a) and 12 of the GDPR, see also recital (39) of the GDPR.
12 See EDPS Endorsement 1/2018 decision of 25 May 2018, available at:
https://edpb.europa.eu/sites/edpb/files/files/news/endorsement_of_wp29_documents_en_0.pdf.
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
the survey n ° [...] conducted with "Company A"
10/26 By letter of March 29, 2019, the inspected for his part reiterated the comments contained
in his email of March 1, 2019, specifying that already before the visit on
CNPD site, a plastic sheet was added to the vehicle documents
equipped with a geolocation system specifying that the vehicle is equipped with such
system, on the one hand, and that said vehicles had a label on the rear door
informing the driver of the presence of said system, on the other hand.
The inspected attached to the aforementioned letter of March 29, 2019 a declaration from the
staff delegation dated March 27, 2019 and certifying that it was informed of
the implementation of a geolocation system in certain vehicles of the ABC group.
By letter of October 7, 2019, the inspector also sent the head of the investigation
a copy of the information note intended for all staff on the
geolocation and which has been displayed since October 4, 2019 on the controlled site, as well
than a photo of its display.
Finally, in his letter of September 24, 2020, the inspected added that in [...],
a geolocation authorization had been issued by the CNPD and that already
at that time, the employees had been informed of the implementation of the
geolocation, in particular via staff delegation. The controlled specified having
asked the ABC group staff delegations to certify that
the information to the staff was actually given in 2009.
The Restricted Training first of all wishes to point out that Article 13 of the GDPR makes
reference to the obligation imposed on the controller to "provide" all
the information mentioned therein. The word "provide" is crucial here and it "means
that the controller must take concrete measures to provide the
information in question to the data subject or to actively direct the person
concerned to the location of said information (for example by means of a link
direct, a QR code, etc.). ”(WP260 rev. 01. paragraph 33).
13See deliberation no. […].
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
the survey n ° [...] conducted with "Company A"
11/26 The declaration of the staff delegations of Company A and Company B of the
March 27, 2019 certifies in this context that they were informed of the establishment of a
geolocation system in certain vehicles of the ABC group, while
the joint statement of September 14, 2020 from said delegations indicates that they were
"Duly informed by the controller of the establishment of a
geolocation in company vehicles. It should be noted that the delegations of
staff have been informed of this since it was set up in 2009. […]. "
Nevertheless, the Restricted Training considers that a simple declaration,
respectively a certificate by the delegation of inspected personnel indicating that they have
been informed of the presence of the geolocation device does not ensure that employees
of the company have been validly informed in accordance with Articles 13.1 and 2 of the GDPR,
Especially since the said documents are dated after the on-site visit by the agents of the
CNPD.
Moreover, as mentioned above, the inspected indicates in its position paper of 24
September 2020 that, as he had an authorization from the CNPD of [...], the
employees had already been informed at that time of the implementation of the
geolocation, in particular via staff delegation.
The only possible derogation from the information obligations referred to in Article 13 of
GDPR of a controller is in effect "when and to the extent that the
14
data subject already has this information ”. The principle of responsibility
however requires controllers to demonstrate (by documenting)
what information was already in the possession of the data subject, how and
when it has received them and no changes have been made to this information
likely to make them obsolete. 15
The Restricted Training however notes that no documentation submitted by
the control does not contain proof that the information of employees has in fact taken place
14According to article 13.4 of the GDPR.
15
See WP260 rev. 01, paragraph 56.
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
the survey n ° [...] conducted with "Company A"
12/26 in 2009, at least in relation to the requirements provided for by the legislation in force in
the time .6
Then, the Restricted Training would like to note that there is in the GDPR a
"Inherent conflict between, on the one hand, the requirement to communicate to the persons concerned
the complete information that is required under the GDPR and, on the other hand, the requirement
to do so in a concise, transparent, understandable and easily accessible manner. "
(WP260 rev. 01, para. 34) Prioritize the information to be provided to individuals
concerned and determine what levels of detail and methods are appropriate for the
communication of information is not always easy.
It is for this reason that a multi-level approach to communicating
information on transparency to data subjects can be used in a
offline or non-digital context, that is to say in a real environment such as
for example personal data processed by means of a
geolocation. The first level of information should generally include
the most important information, namely details of the purpose of processing, identity
of the controller and the existence of the rights of the data subjects, as well
that the information having the greatest impact on the treatment or any treatment
likely to surprise those concerned. The second level of information,
That is to say the other information required under Article 13 of the GDPR, could
be provided later and by other means, such as a copy
17
of the privacy policy sent by e-mail.
Finally, the joint attestation of the delegations of company personnel
Company A and Company B of September 14, 2020 indicates that said delegations have to
were again informed during the publication of the information note on the
geolocation intended for all staff as of October 4, 2019. Exhibit
appended to the audit observations of September 24, 2020 contains the said note
information and a photo of its display.
16 In accordance with article 26 of the repealed law of 2 August 2002 on the protection of
people with regard to the processing of personal data.
17
See WP260 rev. 01 (point 38).
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
the survey n ° [...] conducted with "Company A"
13/26 The Restricted Training nonetheless notes that the plastic sheet added to the
vehicle documents indicating only that the vehicle "is equipped with a
geolocation ", as well as the label affixed to the rear door of the vehicle
mentioning "Monitored by GPS with […]" do not even meet the requirements of the
mandatory content of the first level of information. In addition, the control failed
to its obligation to put in place a confidentiality policy which contains all
information required in accordance with Articles 13.1 and 13.2 of the GDPR.
In view of the above, the Restricted Training concludes that Article 13 of the GDPR
was not respected by the controlled.
C. The breach linked to the obligation to guarantee appropriate safety
1. On the principles
Under Article 32.1 of the GDPR and "given the state of knowledge,
implementation costs and the nature, scope, context and purposes of the
treatment as well as risks, which vary in likelihood and severity, for
rights and freedoms of natural persons, the controller and the processor
implement the appropriate technical and organizational measures in order to
guarantee a level of security adapted to the risk including, among other things, according to the needs:
a) pseudonymization and encryption of personal data;
b) the means to guarantee the confidentiality, integrity, availability and
continued resilience of treatment systems and services;
c) the means to restore the availability of personal data
and access to them within an appropriate timeframe in the event of a physical or technical incident;
d) a procedure for regularly testing, analyzing and evaluating the effectiveness of
technical and organizational measures to ensure the security of the processing. "
18Y is also a link to the website of the developer of said software….
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
the survey n ° [...] conducted with "Company A"
14/262. In this case
The head of the investigation examined the security aspect of data access
appearing in the geolocation system. As access to the operating software of the
geolocation device was only secured by means of identification
unique, i.e. a unique username and password, which is used by
all persons authorized to access the software, it held against the controlled
non-compliance with the measures prescribed by Article 32.1 of the GDPR (see
statement of objections, Ad.A.2).
The inspected defends himself based on his written observations of October 7, 2019
relating to the email he sent in this context on August 21, 2019 to the
person who manages access to user accounts of the geolocation system.
In said letter, the inspected asks the person who manages access to the accounts
users to create custom logins and passwords for
19
people who have access to "[...]" and to delete existing logins, on the one hand, and on
ensure that passwords are regularly updated and not shared with
third parties, on the other hand. In addition, it is specified that the "perimeter to which they have access
remains unchanged (so only the vans of the service for which these people
working) ".
The Restricted Training noted that on the day of the visit by CNPD agents
in the premises of the controlled, the policies of access to the geolocation software do not
did not meet the minimum necessary security requirements, i.e.
have individual accounts in place by means of a username and password
for people authorized to access it as part of the performance of their
missions.
In view of the above, the Restricted Training concludes that Article 32.1 of the GDPR
was not respected by the controlled.
19This is the name of the geolocation software developed by […].
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
the survey n ° [...] conducted with "Company A"
15/26 II. 2. On corrective measures and fines
1. The principles
In accordance with article 12 of the law of August 1, 2018, the CNPD has the power
to adopt all the corrective measures provided for in Article 58.2 of the GDPR:
"(A) notify a controller or processor that data processing operations
treatment envisaged are likely to violate the provisions of these regulations;
b) call to order a controller or a processor when the
processing operations have resulted in a violation of the provisions of this Regulation
;
c) order the controller or processor to comply with the requests
presented by the data subject in order to exercise their rights under the
this regulation;
d) order the controller or processor to put the data processing operations
processing in accordance with the provisions of this Regulation, where applicable, of
in a specific way and within a specific timeframe;
e) order the controller to communicate to the data subject a
personal data breach;
f) impose a temporary or permanent restriction, including a ban, of processing;
g) order the rectification or erasure of personal data or the
restriction of processing in application of Articles 16, 17 and 18 and the notification of these
measures to the recipients to whom the personal data have been disclosed
in accordance with Article 17, paragraph 2, and Article 19;
h) withdraw a certification or order the certification body to withdraw a
certification issued in application of Articles 42 and 43, or order the
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
the survey n ° [...] conducted with "Company A"
16/26 certification not to issue certification if the requirements applicable to the certification
are not or no longer satisfied;
i) impose an administrative fine in application of Article 83, in addition to or
the place of the measures referred to in this paragraph, depending on the characteristics
specific to each case;
j) order the suspension of data flows addressed to a recipient located in a
third country or to an international organization. "
er
In accordance with article 48 of the law of August 1, 2018, the CNPD may additionally impose
administrative fines as provided for in Article 83 of the GDPR, except against
state or municipalities.
Article 83 of the GDPR provides that each supervisory authority ensures that
administrative fines imposed are, in each case, effective, proportionate and
dissuasive, before specifying the elements that must be taken into account in deciding
whether to impose an administrative fine and to decide on the amount of this
fine:
"(A) the nature, gravity and duration of the breach, taking into account the nature, extent
or the purpose of the processing concerned, as well as the number of data subjects
affected and the level of damage they suffered;
(b) whether the violation was committed willfully or negligently;
c) any measures taken by the controller or processor to mitigate the
damage suffered by the persons concerned;
d) the degree of responsibility of the controller or processor, account
taking into account the technical and organizational measures that they have implemented by virtue of
Articles 25 and 32;
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
the survey n ° [...] conducted with "Company A"
17/26 e) any relevant breach previously committed by the controller or
the subcontractor ;
f) the degree of cooperation established with the supervisory authority in order to remedy the violation
and mitigate any negative effects;
g) the categories of personal data affected by the breach;
h) the manner in which the supervisory authority became aware of the breach, in particular whether,
and to what extent the controller or processor has notified the breach;
(i) where measures referred to in Article 58 (2) have previously been
ordered against the controller or the processor concerned for the
same object, compliance with these measures;
j) the application of codes of conduct approved in accordance with Article 40 or
certification mechanisms approved under Article 42; and
k) any other aggravating or mitigating circumstance applicable to the circumstances of
the species, such as financial benefits obtained or losses avoided, directly or
indirectly, as a result of the violation ”.
The Restricted Training would like to point out that the facts taken into account in the
of this decision are those noted at the start of the investigation. Any
changes relating to the processing of data subject to the investigation
later, even if they make it possible to fully or partially establish the
compliance, do not retroactively cancel a breach found.
However, the steps taken by the inspected to comply
with the GDPR during the investigation procedure or to remedy breaches
noted by the head of investigation in the statement of objections, are taken into account by
Restricted Training as part of any corrective measures to be taken
and / or fixing the amount of a possible administrative fine.
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
the survey n ° [...] conducted with "Company A"
18/262. In this case
2.1. As for the imposition of an administrative fine
In its additional letter to the statement of objections of August 17, 2020,
the head of the investigation proposed to the Restricted Formation to impose an administrative fine
to the control relating to the amount of 4,000 euros, taking into account the elements
following:
"The fact that clear and complete information to the people concerned about the
processing (s) carried out by the controller constitutes a
essential condition for these data subjects to know
the existence of said treatment, but also grasp its scope. Do not provide these
information or providing it in an incomplete manner will not only prevent
data subjects to understand what will happen to their data at
personal character, but will effectively deprive them of exercising all
remedies granted by the GDPR.
The fact that partial information of the persons concerned has actually been
performed.
The scale of the geolocation system, installed in at least 191 vehicles.
The good cooperation of the company throughout the investigation as well as its willingness
to comply with the law as soon as possible. "
In its response to the additional letter of September 24, 2020, the inspected
maintained in particular that the concrete criteria taken into account by the head of the investigation
resulted in the quantum determination were unclear and he did not understand on which
objective elements the proposal for the fine would have been made.
In order to decide whether to impose an administrative fine and to decide, the
if applicable, of the amount of this fine, the Restricted Training analyzes the criteria
posed by Article 83.2 of the GDPR:
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
the survey n ° [...] conducted with "Company A"
19/26 As to the nature and seriousness of the violation (article 83.2.a) of the GDPR), the
Restricted Training notes that with regard to the breach of Article 5.1.e)
of the GDPR, it constitutes a breach of one of the fundamental principles of
GDPR (and data protection law in general), namely in principle
of the limitation of data retention devoted to Chapter II "Principles
Of the GDPR.
As for the failure to inform people in accordance with
Article 13 of the GDPR, the Restricted Training recalls that the information and
transparency relating to the processing of personal data are
essential obligations incumbent on data controllers so that
people are fully aware of the use that will be made of their
personal data, once collected. A breach of
Article 13 of the GDPR thus constitutes an infringement of the rights of individuals
concerned. This right to information has also been strengthened under the terms of
GDPR, which testifies to their particular importance.
As for the duration criterion (article 83.2.a) of the GDPR), the Restricted Training
notes that these shortcomings have lasted over time, at least since
May 25, 2018. The Restricted Formation recalls here that two years have separated the entrance
of the GDPR when it comes into effect to allow
data controllers to comply with their obligations and
this even if a comparable information obligation existed in application of
Article 26 of the repealed law of August 2, 2002 relating to the protection of persons
with regard to the processing of personal data.
Regarding the retention period of data, the Restricted Training
would like to recall that already in its authorization n ° […], the CNPD had imposed
as a condition that personal data cannot be
kept beyond two months, respectively three years for data
relating to working time.
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
the survey n ° [...] conducted with "Company A"
20/26 As for the number of data subjects (article 83.2.a) of the GDPR), such as the
controlled specified that each vehicle is allocated to a specific employee, the
number of persons concerned corresponds to the number of vehicles equipped with a
geolocation system.
During the hearing of the Restricted Training of November 17, 2020, the inspected
confirmed that the "ABC" group has a total of 191 vehicles equipped with
geolocation system, as the head of the investigation also retained in his
additional letter to the statement of objections of August 17, 2020.
Nevertheless, he clarified that the company "Company A" only has 92
vehicles equipped with a geolocation system.
As the head of the investigation limited the scope of the investigation to one of the three companies
of the “ABC” group and more specifically of the “Company A” company, Formation
Restricted only retains 92 vehicles, unlike 191 vehicles
mentioned by the head of the survey, corresponding to 92 people who are
concerned by the processing implemented by the geolocation system.
As to the question of whether the breaches were deliberately committed
or not (by negligence) (article 83.2.b) of the GDPR), the Restricted Training recalls
that "not willfully" means that there was no intention to commit the
violation, although the controller or processor has not
complied with its duty of care under the law.
In this case, the Restricted Training is of the opinion that the facts and the breaches
observed do not reflect a deliberate intention to violate the GDPR in the chief
of the controlled.
As for the degree of cooperation established with the supervisory authority (Article 83.2.f) of
RGPD), the Restricted Training takes into account the statement of the head of the investigation
that the cooperation of the controlled throughout the investigation was good, thus
that of its desire to comply with the law as soon as possible.
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
the survey n ° [...] conducted with "Company A"
21/26 As to the mitigating circumstances applicable to the circumstances in the present case
(article 83.2.k) of the GDPR), the Restricted Training takes into account the elements
following:
o partial information has been provided to the persons concerned,
in particular by the plastic sheet added to the on-board documents indicating
that the vehicle "is equipped with a geolocation system", as well as
the label affixed to the rear door of the vehicle mentioning "
Monitored by GPS with […] ”;
o taking measures to comply with Articles 12 and 13 of the
RGPD, in particular by the development and posting on its site of a note
information on the geolocation system for the entire
staff ;
o reducing the retention periods for data contained in the
2-year and 4-month to 12-month geolocation system.
The Restricted Training notes that the other criteria of Article 83.2 of the GDPR
are neither relevant nor likely to influence his decision to impose a
administrative fine and its amount.
Regarding the breach of the obligation to ensure data security, in
application of Article 32 of the GDPR, the Restricted Training considers that in view of the
measures taken by the company, in particular the efforts made to create logins and
personalized passwords for people who have access to "[…]" and
remove existing logins and ensure that passwords are regularly
updated and not communicated to third parties, it has shown good faith in connection with
of the procedure. Consequently, the Restricted Training considers that with regard to
circumstances of the case, there is no need to base his fine on the basis of this
breach, although it is characterized.
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
the survey n ° [...] conducted with "Company A"
22/26 The Restricted Training also notes that although several measures have been implemented
placed by the inspected in order to remedy in whole or in part certain shortcomings,
these were only adopted following the control of CNPD agents on
February 20, 2019.
Therefore, the Restricted Panel considers that the imposition of a fine
administrative procedure is justified with regard to the criteria set out in Article 83.2 of the GDPR for
breach of Articles 5 and 13 of the GDPR.
Regarding the amount of the administrative fine, the Restricted Training recalls
that paragraph 3 of Article 83 of the GDPR provides that in the event of multiple violations,
as is the case here, the total amount of the fine cannot exceed the amount
set for the most serious violation. Insofar as a breach of Articles 5 and
13 of the GDPR is criticized for the inspectorate, the maximum amount of the fine that may be
retained amounts to 20 million euros or 4% of global annual turnover, the amount
the highest is retained.
In view of the relevant criteria of Article 83.2 of the GDPR mentioned above, the
Restricted Training considers that the pronouncement of a fine of 2,800 euros appears
both effective, proportionate and dissuasive, in accordance with the requirements of Article 83.1
of the GDPR.
2.2. Regarding the taking of corrective measures
The adoption of the following corrective measures was proposed by the head of the investigation
to the Restricted Training in its additional letter to the communication of
grievances:
"A) Order the controller to put in place information measures
intended for people affected by geolocation, in accordance with
provisions of Article 13, paragraphs (1) and (2) of the GDPR, in particular by providing
the identity and contact details of the controller, where applicable,
contact details of the data protection officer, the purposes of the processing and its basis
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
the survey n ° [...] conducted with "Company A"
Legal, the categories of data processed, the legitimate interests pursued by the
controlled, the recipients, the retention period of the data as well as the
the data subject and how to exercise them, and the right to introduce a
complaint to a supervisory authority;
b) Order the controller to take all security measures in the
framework of the use of the operating software of the geolocation device, in particular
(i) define authorizations to access the geolocation operating software at
only persons for whom it is strictly necessary for the accomplishment of
their missions and (ii) to create individual accounts using a username and a
password for the persons authorized above;
c) Order the data controller to implement a duration policy
retention of personal data in accordance with the provisions of e) of
Article 5 of the GDPR, not exceeding the time necessary for the purposes for which they
are collected, and in particular by not keeping location data for more than
two months and data relating to working time for a maximum of
three years. "
As for the establishment of a data retention period policy
personal character in accordance with the provisions of article 5.2.e) of the GDPR, the inspector has
adapted after the on-site visit of CNPD agents the retention period of
data from the geolocation system from 2 years and 4 months to 12 months.
The Restricted Training considers, however, that the retention periods for
data from the geolocation system must be adapted according to the
different purposes pursued.
As for information intended for people concerned by geolocation,
in accordance with the provisions of article 13.1 and 13.2 of the GDPR, the inspected maintains that they have
developed and posted since October 4, 2019 on its website an information note on the
geolocation system for all staff.
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
the survey n ° [...] conducted with "Company A"
24/26 The Restricted Training considers, however, that the information note does not include
not all of the rights enjoyed by data subjects under the
GDPR. Thus, the right of objection (Article 21 of the GDPR) is not mentioned. Otherwise,
Information on the retention period of data must be updated.
As for the obligation to put in place policies for access to
geolocation under article 32.1 of the GDPR, the Restricted Training considers that
despite the efforts made by the inspectorate, the latter must, by virtue of the principle of
accountability implement mechanisms and
internal procedures to demonstrate compliance with Article 32.1 of the GDPR.
In view of the foregoing developments, the National Commission sitting
in restricted formation and deliberating unanimously decides:
- to pronounce against Company A an administrative fine of one
amount of two thousand and eight hundred euros (2,800 euros), in view of the breaches
constituted in Articles 5.1.e) and 13 of the GDPR;
- to issue an injunction against Company A to bring into compliance
processing with the provisions of Articles 5.1.e), 13 and 32.1 of the GDPR, within a
two months following the notification of the decision of the Restricted Panel, the supporting documents
the compliance must be sent to the Restricted Training, at the latest,
within this period;
and especially :
1.with regard to the breach of the obligation to implement a term policy
retention of personal data in accordance with the provisions of article
5.1.e) of the GDPR: adapt the retention periods for personal data
obtained by geolocation according to the different purposes pursued, and
in particular by not keeping the personal data obtained by the
geolocation beyond two months, the personal data obtained by the
geolocation used for proof purposes for invoicing the services provided
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
the survey n ° [...] conducted with "Company A"
25/26 for customers beyond one year and personal data obtained by the
geolocation which makes it possible to check working time beyond three years;
2. with regard to the failure to inform the persons concerned of the
processing of their personal data in accordance with Article 13 of the GDPR: inform
the persons concerned in a clear and complete manner, in accordance with the provisions
of Article 13 of the GDPR, in particular by providing information relating to the duration of
data retention according to the purposes pursued and to all rights
people ;
3.with regard to the failure to take any appropriate security measures in the
framework of the use of the operating software of the geolocation device under
Article 32 of the GDPR, create individual accounts using a username and a word
password only for people for whom access to the
geolocation is strictly necessary for the accomplishment of their missions.
So decided in Belvaux on April 8, 2021.
For the National Commission for Data Protection sitting in formation
restraint
Tine A. Larsen Thierry Lallemang Marc Lemmer
President Commissioner Commissioner
Indication of remedies
This administrative decision may be the subject of an appeal for reformation in the
three months following its notification. This appeal is to be brought before the administrative court.
and must be introduced through a lawyer at the Court of one of the Orders of
lawyers.
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
the survey n ° [...] conducted with "Company A"
26/26
