CNPD (Luxembourg) - Délibération n° 16FR/2022: Difference between revisions
No edit summary |
No edit summary |
||
Line 61: | Line 61: | ||
}} | }} | ||
The Luxembourg DPA fined a bank institution €10,000 for using surveillance cameras without sufficiently informing the data subjects and filming some of them continuously. The | The Luxembourg DPA fined a bank institution €10,000 for using surveillance cameras without sufficiently informing the data subjects and filming some of them continuously. The above in breach of [[Article 5 GDPR#1c|Article 5(1)(c)]] and [[Article 13 GDPR]]. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
On 14 February 2019, the Luxembourg DPA decided to open an investigation into the companies of Group A and particularly into Company A, a bank institution (controller). The purpose of this investigation was to verify the compliance with the GDPR of the video surveillance and | On 14 February 2019, the Luxembourg DPA decided to open an investigation into the companies of Group A and particularly into Company A, a bank institution (controller). The purpose of this investigation was to verify the compliance with the GDPR of the controller's video surveillance and company's cars geolocation systems. | ||
'''Surveillance cameras''' | |||
The investigation showed that surveillance cameras were indeed in place. Cameras’ fields of view included safe rooms, meeting rooms, the reception desk, the cash desk, offices, a computer room and a room where employees take breaks. The head of the investigation considered this to be permanent surveillance of employees at their workplace, which could create psychological pressure. He described the surveillance as “disproportionate to the purpose” and an “excessive intrusion into the employees’ private sphere”. He added that employees had no way of escaping the surveillance. | |||
After receiving the minutes of this visit, the Company wrote a letter in which it explained that distinction should be made between two types of locations filmed, depending on their economic and strategic sensitivity: the counters and the safe room on one hand, and other locations on the other. It also considered that employees were not filmed permanently since they could avoid the cameras' field of vision. The company also argued that the presence of certain cameras was justified in relation to the purpose. | |||
For example, a camera positioned in the safe where one of the employees was stationed and where the company kept precious metals and physical securities. The company stressed that the room is locked for security reasons and that the camera made it possible to see if the employee was "feeling unwell". The company also explained that this is an ''ad hoc'' workstation, subject to patrols, which means that the employee working there was not filmed at all times. | |||
Another example was given by the cameras placed upon the counters. The company explained that employees were only filmed from behind and that their hands, faces, private or professional equipment were not targeted. According to the company, the presence of these cameras was therefore necessary and proportionate to the aims pursued. | |||
Finally, with regard to the surveillance of the public highway, the investigation showed, among other things, that buildings not belonging to the company were filmed. The company argued that this was necessary to effectively protect their building. The head of the investigation however considered this surveillance to be disproportionate. | |||
'''Information on surveillance cameras''' | |||
The investigation showed that data subjects were informed about the use of surveillance cameras by a pictogram and an old CNPD authorisation sticker at the entrance door and at a passageway closed to the public. According to the head of the investigation, this information was incomplete because it did not provide, among other things, the following elements: the retention period, the purposes of the processing, the right to rectification and erasure. The GDPR intranet section did not contain sufficient information either. | |||
The investigation showed that data subjects were informed about the use of surveillance cameras by a pictogram and an old CNPD authorisation sticker at the entrance door and at a passageway closed to the public. According to the head of the investigation, this information was incomplete because it did not provide, among other things, the following elements: the retention period, the purposes of the processing, the right to rectification and erasure | |||
In its letter in response to the minutes of the visit, the company explained that the pictograms were the first step of a various steps information which included the GDPR intranet section and mandatory trainings on data privacy. The company also reported that it had initiated the replacement of the pictograms and would indicate the missing information in the future. | In its letter in response to the minutes of the visit, the company explained that the pictograms were the first step of a various steps information which included the GDPR intranet section and mandatory trainings on data privacy. The company also reported that it had initiated the replacement of the pictograms and would indicate the missing information in the future. | ||
With regard to third parties, the agents noted that a sign was installed containing a camera image and the words "locals under video surveillance".) The company considered that informing third parties was not an absolute obligation under [[Article 13 GDPR|Article 13]] (which states that it is not required when communication is impossible or would require disproportionate effort). | With regard to third parties, the agents noted that a sign was installed containing a camera image and the words "locals under video surveillance".) The company considered that informing third parties was not an absolute obligation under [[Article 13 GDPR|Article 13]] (which states that it is not required when communication is impossible or would require disproportionate effort). | ||
'''Geo-location system on company's cars''' | |||
The investigation did not demonstrate the existence of such geo-location systems. | |||
=== Holding === | === Holding === |
Revision as of 16:11, 14 February 2023
CNPD - 16FR/2022 | |
---|---|
Authority: | CNPD (Luxembourg) |
Jurisdiction: | Luxembourg |
Relevant Law: | Article 5(1)(c) GDPR Article 13 GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | 14.02.2019 |
Decided: | 07.07.2022 |
Published: | 24.01.2023 |
Fine: | 10,000 |
Parties: | n/a |
National Case Number/Name: | 16FR/2022 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | French |
Original Source: | CNPD (in FR) |
Initial Contributor: | ls |
The Luxembourg DPA fined a bank institution €10,000 for using surveillance cameras without sufficiently informing the data subjects and filming some of them continuously. The above in breach of Article 5(1)(c) and Article 13 GDPR.
English Summary
Facts
On 14 February 2019, the Luxembourg DPA decided to open an investigation into the companies of Group A and particularly into Company A, a bank institution (controller). The purpose of this investigation was to verify the compliance with the GDPR of the controller's video surveillance and company's cars geolocation systems.
Surveillance cameras
The investigation showed that surveillance cameras were indeed in place. Cameras’ fields of view included safe rooms, meeting rooms, the reception desk, the cash desk, offices, a computer room and a room where employees take breaks. The head of the investigation considered this to be permanent surveillance of employees at their workplace, which could create psychological pressure. He described the surveillance as “disproportionate to the purpose” and an “excessive intrusion into the employees’ private sphere”. He added that employees had no way of escaping the surveillance.
After receiving the minutes of this visit, the Company wrote a letter in which it explained that distinction should be made between two types of locations filmed, depending on their economic and strategic sensitivity: the counters and the safe room on one hand, and other locations on the other. It also considered that employees were not filmed permanently since they could avoid the cameras' field of vision. The company also argued that the presence of certain cameras was justified in relation to the purpose.
For example, a camera positioned in the safe where one of the employees was stationed and where the company kept precious metals and physical securities. The company stressed that the room is locked for security reasons and that the camera made it possible to see if the employee was "feeling unwell". The company also explained that this is an ad hoc workstation, subject to patrols, which means that the employee working there was not filmed at all times.
Another example was given by the cameras placed upon the counters. The company explained that employees were only filmed from behind and that their hands, faces, private or professional equipment were not targeted. According to the company, the presence of these cameras was therefore necessary and proportionate to the aims pursued.
Finally, with regard to the surveillance of the public highway, the investigation showed, among other things, that buildings not belonging to the company were filmed. The company argued that this was necessary to effectively protect their building. The head of the investigation however considered this surveillance to be disproportionate.
Information on surveillance cameras
The investigation showed that data subjects were informed about the use of surveillance cameras by a pictogram and an old CNPD authorisation sticker at the entrance door and at a passageway closed to the public. According to the head of the investigation, this information was incomplete because it did not provide, among other things, the following elements: the retention period, the purposes of the processing, the right to rectification and erasure. The GDPR intranet section did not contain sufficient information either.
In its letter in response to the minutes of the visit, the company explained that the pictograms were the first step of a various steps information which included the GDPR intranet section and mandatory trainings on data privacy. The company also reported that it had initiated the replacement of the pictograms and would indicate the missing information in the future.
With regard to third parties, the agents noted that a sign was installed containing a camera image and the words "locals under video surveillance".) The company considered that informing third parties was not an absolute obligation under Article 13 (which states that it is not required when communication is impossible or would require disproportionate effort).
Geo-location system on company's cars
The investigation did not demonstrate the existence of such geo-location systems.
Holding
The DPA generally agreed with the opinion of the head of the investigation. It considered that Company A failed to comply with Article 5(1)(c), i.e. the principle of data minimisation, and with Article 13, which imposes an obligation to provide information. In accordance with Article 83(2), it therefore imposed a fine of €10,000.
Taking into account the measures already taken by Company A, the DPA also ordered corrective measures: in particular 1) to stop filming the employees' workplans and, if this cannot be avoided at all, to arrange for their faces to be blurred, and 2) to obscure the public area within the cameras' field of vision. Another measure is the obligation to have a single place where all the information required by Article 13 is available.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.