CNPD (Luxembourg) - Délibération n° 47FR/2021
CNPD (Luxembourg) - Délibération n° 47FR/2021 | |
---|---|
Authority: | CNPD (Luxembourg) |
Jurisdiction: | Luxembourg |
Relevant Law: | Article 5(1)(c) GDPR Article 13 GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 01.12.2021 |
Published: | 17.01.2022 |
Fine: | 6800 EUR |
Parties: | n/a |
National Case Number/Name: | Délibération n° 47FR/2021 |
European Case Law Identifier: | n/a |
Appeal: | Not appealed |
Original Language(s): | French |
Original Source: | CNPD (in FR) |
Initial Contributor: | Frederick Antonovics |
The Luxembourg DPA fined a transport company €6800 for failing to comply with the principle of data minimisation by not limiting the field of vision of its video surveillance systems as well as inadequately informing both its employees and third parties of their existence.
English Summary
Facts
The processor is a transport company that installed video surveillance systems at its office. In February 2019, the Luxembourg DPA (CNPD) launched an investigation into the company's use of these video surveillance systems to assess its compliance with the GDPR.
Holding
First, the Luxembourg DPA assessed whether the company complied with the principle of data minimisation per Article 5(1)(c) GDPR. It started by affirming that only what is strictly necessary to achieve the pursued aims can be filmed, and that the processing operations cannot be disproportionate when assessed against their purpose. Companies seeking to lawfully install such systems are therefore required to set out the exact purposes of the processing prior to their installation.
During the investigation, the company argued the systems were installed to protect its goods and access to facilities, as well as to safeguard users and prevent accidents.
The DPA nonetheless held that three cameras did not comply with the requirements under Article 5(1)(c) GDPR:
- The camera aimed at the reception, which was unlawful because workers have a right to not be constantly monitored
- The camera aimed at the "smoker's corner", which was unlawful because it monitored a space reserved to employees' leisure time
- The camera aimed at the public road outside the office and neighbouring land, which was unlawful because it was disproportionate when assessed against the purposes of the processing.
Second, the DPA assessed whether the company complied with its information obligations under Article 13 GDPR. It found that although the employees were notified of the existence of the video surveillance systems, visitors of the company's facilities had no access to this information.
Thus, the Luxembourg DPA held that the company (1) failed to comply with the principle of data minimisation by not limiting the field of vision of its video surveillance systems, and (2) failed to adequately inform its employees and third parties of their existence.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
_____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of investigation no. [...] carried out at Company A 1/26 Decision of the National Commission sitting in restricted formation on the outcome of investigation no. [...] carried out on Company A Deliberation n° 47FR/2021 of 1 December 1, 2021 The National Commission for Data Protection sitting in restricted formation composed of Ms Tine A. Larsen, President, and Messrs Thierry Lallemang and Marc Lemmer, Commissioners Lemmer, Commissioners; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data personal data and on the free movement of such data, and repealing Directive 95/46/EC ; Having regard to the Act of 1 August 2018 on the organisation of the National Commission for Having regard to the Act of 1 August 2018 on the organisation of the National Commission for Data Protection and the general data protection regime, in particular Having regard to the Law of 1 August 2018 on the organisation of the National Commission for Data Protection and the general data protection regime, in particular Article 41 thereof Having regard to the internal rules of procedure of the National Commission for Data Protection Having regard to the internal rules of procedure of the National Commission for Data Protection adopted by Decision No 3AD/2020 dated 22 January 2020, in particular Article 10 point 2 thereof Having regard to the Rules of Procedure of the National Commission for Data Protection adopted by decision no. 3AD/2020 dated 22 January 2020, in particular Article 10 point 2 thereof Having regard to the Rules of Procedure of the National Commission for Data Protection relating to the Having regard to the regulation of the National Commission for Data Protection relating to the investigation procedure adopted by decision n°4AD/2020 dated 22 January 2020 in particular Article 9 thereof; Considering the following: _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of investigation no. [...] carried out on Company A 2/26 I. Facts and procedure 1. At its deliberation session on 14 February 2019, the National Commission for for Data Protection sitting in plenary session (hereinafter: "Plenary Session") had decided to open an Plenary Session") had decided to open an investigation at Company A on the basis of Article 37 of the Act of 1 August 2018 on the organisation of the National Commission for Protection and the General Data Protection Regime (hereinafter: "Act"): "Act of 1 August 2018") and to appoint Mr Christophe Buschmann as head of the investigation. 2. According to the decision of the Plenary Session, the investigation conducted by the Commission for Data Protection (hereinafter: "CNPD") was to verify compliance with to verify compliance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the protection of individuals with regard to the processing of personal data and on the free movement of such and repealing Directive 95/46/EC (hereinafter: "RGPD") and the law of 1 August 2018, in particular through the implementation of video surveillance and geolocation systems geolocation systems, if any, installed by Company A. 3. On 20 March 2019, CNPD officers visited the premises of Company A. Company A's premises. 1 The decision of the National Commission for Data Protection 1 The decision of the National Commission for Data Protection sitting in a restricted formation on the outcome of the investigation (hereinafter: "Restricted The decision of the National Commission for Data Protection sitting in restricted formation on the outcome of the investigation (hereinafter: "Restricted Formation") will be limited to the processing operations controlled by the CNPD agents. 4. Company A is a public limited company registered in the Luxembourg Trade and Companies Register under number [... Companies Register of Luxembourg under number [...], with registered office at L- [...], [...] (hereinafter : the "controlled"). The object of the Controlled Party [is the operation of a transport company]. transport]. 2 5. During the above-mentioned visit, it was confirmed to the CNPD officers that the auditee uses a video surveillance system, but that it has not installed a video surveillance system. 1 See Minutes No. [...] of the on-site visit to Company A on 20 March 2019 (hereinafter: "Minutes"). A (hereinafter: "Minutes no. [...]"). 2 See Articles of Association coordinated at [...]. _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of investigation no. [...] carried out at Company A 3/26 geolocation in its vehicles.3 The CNPD officers noted that the video surveillance system The CNPD officers noted that the video surveillance system is composed of fixed cameras, as well as "dome" type cameras. dome" type cameras. 4 6. The audited party reacted to the report drawn up by the CNPD officers in a letter dated 20 March 20 March 2019, delivered by hand after the site visit, and by letter dated 6 May 2019. 6 May 2019. 7. At the end of his investigation, the head of the investigation notified the audited company of a statement of objections dated 30 October 2019. 30 October 2019 a statement of objections detailing the shortcomings that he considered to the case, and more specifically a failure to comply with the requirements of Article 13.1 and Article 13.1 and 2 of the GDPR (right to information) as regards the data subjects, i.e. employees and employees and non-employees, i.e. customers, suppliers, service providers and visitors, suppliers, service providers and visitors (hereinafter: "third parties") and non-compliance with the requirements of Article 5.1.c) of the GDPR (data minimisation principle). principle). 8. By letter of 29 November 2019, the auditee submitted its comments on the statement of objections. 9. A supplementary letter to the Statement of Objections was sent to the the statement of objections on 3 August 2020. In this letter, the Head of Investigation proposed to the In this letter, the Head of Investigation proposed to the Panel to adopt three corrective measures and to impose an administrative fine of administrative fine of EUR 6,800. 10. By letter dated 10 September 2020, the audited party submitted written observations on the supplementary letter to the statement of objections. 11. The Chair of the Panel informed the auditee by letter of 29 April 2021 that his case would be 2021 that his case would be included in the Panel's meeting of 30 June 2021. 30 June 2021. The auditee confirmed his attendance at the said meeting by e-mail of 8 June 2021. 12. At this sitting, the Head of the Investigation and the auditee, represented by [...], lawyer the Court, made oral submissions in support of their written submissions and 3 See Minutes No [...], finding 20. 4 See Minutes No [...], Finding 4. _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of investigation no. [...], finding 4. investigation no. [...] conducted at Company A 4/26 answered the questions put by the Restricted Section. The Chairperson granted the monitor the opportunity to send to the Panel additional information on the information on the area covered by the field of view of a specific camera, within two weeks. two weeks. The auditee was given the floor last. 13. 13. By letter dated 14 July 2021, the audited party provided the additional information information requested. II. On the law II.1 As to the grounds for the decision A. On the breach of the principle of data minimisation 1. On the principles 14. According to Article 5(1)(c) of the GDPR, personal data must be be 'adequate, relevant and restricted to what is necessary for the purposes for which purposes for which they are processed (data minimisation)". 15. The data minimisation principle in relation to video-surveillance implies that that only what appears to be strictly necessary to achieve the purpose(s) pursued should be filmed. purpose(s) and that the processing operations should not be disproportionate.5 disproportionate.5 16. Article 5(1)(b) of the GDPR provides that personal data must be be "collected for specified, explicit and legitimate purposes and not further processed in a way incompatible further processed in a way incompatible with those purposes; [...] (purpose limitation)". purposes)'. 17. Before installing a video-surveillance system, the data controller must define, in a precise manner, the purpose(s) that he wishes to achieve by resorting to 5 See CNPD Guidelines (Point 4.), available at: https://cnpd.public.lu/fr/dossiersthematiques/videosurveillance/necessite-proportionnalite.html. _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of investigation no. [...] conducted at Company A 5/26 such a system, and may not subsequently use the personal data collected for any other purpose. for other purposes.6 18. The necessity and proportionality of video surveillance is analysed on a case-by-case case and, in particular, with regard to criteria such as the nature of the place to be placed under surveillance, its location, configuration or frequency of use.7 2. In the present case 19. During the on-site visit, it was explained to the CNPD officers that the purposes of the of the video surveillance system are the protection of the controller's property, the protection of of the controller, the protection of access, as well as the safety of users and the prevention of prevention of accidents. 8 2.1. Regarding the field of view of the camera aimed at reception 20. During the said visit, the CNPD officers noted that the field of vision of the camera of the camera named "[...]" allows for the permanent surveillance of the employee working at the reception desk.9 reception desk.9 21. With regard to the said camera, the head of the investigation was of the opinion that even if the purposes "may find one or more grounds for lawfulness under Article 6, the permanent surveillance of employees at their workstations is to be considered disproportionate. disproportionate. Indeed, such permanent surveillance may create a psychological pressure on employees who feel and know that they are being watched, especially as and know they are being watched, especially as the surveillance measures continue over time. (Statement of Objections, Ad. A.3.). It thus found that the audited company did not comply with the requirements of Article 5.1. c) of the GDPR and the audited company's documentation submitted by the letters of 20 March and 6 May 2019 did not contain any evidence against this against such non-compliance, nor any explanation as to why such monitoring measures might be necessary. of such monitoring measures. 6 See CNPD Guidelines, available at: https://cnpd.public.lu/fr/dossiersthematiques/videosurveillance/necessite-proportionnalite.html. 7 See CNPD Guidelines (Point 4.), available at: https://cnpd.public.lu/fr/dossiersthematiques/videosurveillance/necessite-proportionnalite.html. 8 See Finding 9 of Minute No. [...]. 9 See finding 10 of minute no. [...]. _____________________________________________________________ Decision of the National Commission sitting in a restricted formation on the outcome of investigation no. [...] conducted at Company A 6/26 22. The audited company explained in its reply to the statement of objections of statement of objections of 29 November 2019 that the camera in question was intended to the building and the reception area, but that it had in its field of view part of the the reception area, but that it had part of the reception office and the employee working there in its field of view. He also also explained that following the visit of the CNPD officers, masking was first put in place and that after the and that afterwards, for technical reasons, the camera had been disconnected from the system and was not disconnected from the system and was no longer functional since 3 June 2019. Annex 2 of the letter from the controller dated 10 September 2020 contains photos showing that the camera's field of field of view of the camera had been masked so as to no longer aim at the employee working at working at the reception desk. 23. The Panel wishes to recall that employees have the right not to be surveillance in the workplace. In order to achieve the purposes, it may seem necessary for a controller to install a video surveillance system to install a video-surveillance system in the workplace. On the other hand, by respecting the principle of proportionality, the controller must use the most protective means of the most protective means of surveillance of the employee's private sphere and, for example, limit the fields of vision of the cameras to the area necessary to achieve the purpose(s) purpose(s) pursued. 24. The Panel notes that the controlled party has masked the field of view of the camera camera aimed at the employee working in the reception area. 25. 25. It nevertheless agrees with the finding of the head of the investigation that the non-compliance with Article 5.1(c) of the GDPR was established on the day of the on-site visit of the CNPD agents as regards the the day of the on-site visit of the CNPD's agents with regard to the said camera. 2.2 Regarding the field of vision of the camera aimed at the "smoking area 26. During the said visit, the CNPD officers noted that the field of view of the camera of the camera "[...]" allowed surveillance of a space reserved for employees' free time, in this case a "smoking area". employees, in this case a "smoking area". 10 10 See finding 17 of minute no. [...]. _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of investigation no. [...] conducted at Company A 7/26 27. With regard to the camera having the "smoking area" in its field of vision, the head of the investigation considered that "the surveillance of employees the head of the investigation considered that "the surveillance of employees in a space reserved for their free time is to be considered disproportionate since the people present in the smoking area will, in a way, be smoking area will be permanently subject to video surveillance. He thus the controlled party of non-compliance with the requirements of Article 5.1. c) of the RGPD (Statement of Objections, Ad. A.11.). 28. 28. In its reply to the Statement of Objections of 29 November 2019, the statement of objections of 29 November 2019 that the purpose of the camera was to secure access access between the car park and his building and that the monitored area would never have been an official an official smoking area authorised by the controller. As the employees would have the ashtray themselves in this monitored passage area, the audited party would have decided to would have decided to remove this smoking area, which would never have been authorised, and to and to direct the employees to official break areas. By letter dated 10 September 2020, the audited party reiterated these statements. 29. When it comes to places reserved for employees at the workplace for private use, such as a private use, such as a smoking area, surveillance cameras are in principle considered disproportionate disproportionate to the intended purpose. The same applies to The same applies to places such as, for example, changing rooms, toilets, rest areas kitchenette or any other place reserved for employees for private use. In these cases, the fundamental rights and freedoms of employees must take precedence over the interests pursued by the employer. 30. With regard to the camera having the smoking area in its field of vision, the The Panel notes that the camera shows a large poster of a cigarette, signalling the authorisation to smoke in this area, as well as a sizeable ashtray. negligible size. However, it takes into account the letter from the controller dated 14 July 2021, in which he explains that after the However, it takes into account the audited party's letter of 14 July 2021, in which he explains that after the 30 June 2021 meeting of the Restricted Section, he realised that for security reasons the team in charge of building management management team ('[...]') had moved the smoking area into the field of vision of the camera without informing his internal security team. The auditor also stated that he assumed that after the on-site visit by the CNPD officers, the "[...]" team would have realized its mistake and would have realized their mistake and moved the smoking area by replacing the above-mentioned sign the aforementioned sign indicating that smoking was permitted by a sign indicating that smoking was prohibited _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of investigation no. [...] conducted at Company A 8/26 smoking at this location. In the said letter, the inspector admitted that the smoking area was in the field of vision of a camera and that this configuration was linked to a lack of internal communication. 31. The Panel thus agrees with the finding of the head of the investigation that non-compliance with Article 5(1)(c) of the RGPD was established on the day of the on-site visit by the the day of the on-site visit of the CNPD agents with regard to the said camera. 2.3 With regard to the field of view of the cameras aimed at the public highway / neighbouring properties neighbouring properties 32. 32. During the on-site visit on 20 March 2019, the CNPD officers noted that the fields of view of four cameras include part of a neighbouring property neighbouring land,11 that the fields of view of two cameras include the public highway,12 while one camera monitors part of the public highway and a neighbouring property. surrounding land. 13 33. In its letter of 6 May 2019, the auditee stated that it was "currently limiting the field of view of the cameras and blurring the areas in question, in order to ensure that the cameras [...] do not include parts of neighbouring properties or parts of the public highway. parts of the public highway. 34. In his Statement of Objections, the Head of Investigation was of the opinion that even if the purposes indicated by the monitor may find one or more grounds for lawfulness under Article 6 of the Article 6 of the GDPR, the surveillance of the public highway and surrounding areas is However, the surveillance of the public highway and neighbouring properties is to be considered as disproportionate. He also considered that the "documentation submitted to the CNPD by the letters of 20 March and 6 May 2019 do not contain any evidence against this non-compliance, nor any explanation as to the possible need for need for such monitoring measures. However, in its letter of 6 May 2019, the controller presented mitigating elements on this issue. 11 See findings 12, 13, 15 and 19 of minute no. [...]. These are the cameras named "[...]", "[...]", "and "[...]". 12 See findings 14 and 16 of minute no. [...]. These are the cameras referred to as "[...]". 13 See finding 18 of minute no. [...]. This concerns the camera named "[...]". _____________________________________________________________ Decision of the National Commission sitting in a restricted formation on the outcome of investigation no. [...] conducted at Company A 9/26 35. The head of the investigation thus found that the audited company did not comply with the requirements of Article 5.1.c) of the GDPR. 36. The Panel wishes to recall that cameras intended to monitor a place of access access area (entrance and exit, threshold, staircase, door, canopy, hall, etc.) must have a field of view limited to limited to the area strictly necessary to view the persons about to enter about to enter. Those filming external accesses must not mark out the entire width of a pavement running alongside the building or adjacent public roads, if any. adjacent public roads. Similarly, outdoor cameras installed in or around a building should be configured so as to Similarly, outdoor cameras installed in the vicinity of or around a building should be configured so as not to capture the public highway or its surroundings, entrances, accesses and interiors of other neighbouring buildings that may be within their their field of vision.14 37. However, the Commission recognises that, depending on the configuration of the premises, it may be impossible to install a camera that does not include in its field of view a part of the part of the public highway, approaches, entrances, accesses and interiors of other buildings. In such a case, it considers that the controller should implement masking or blurring masking or blurring techniques to limit the field of view to his property.15 38. The Panel notes that in its letter of 29 November 2019, the position on each camera that contained in its field of view a part of the public highway and/or part of the public highway and/or neighbouring land. With regard to the cameras and "[...]", the auditor stated that since the on-site visit of the CNPD officers, the cameras had been the fields of view have been masked so that they no longer include a neighbouring property,16 while the neighbouring land,16 while the cameras "[...]" and "[...]", even if their fields of view have been partially masked fields of view have been partially masked, still target a small part of the surrounding land. neighbouring land. 17 39. Furthermore, the field of view of the "[...]" camera has been masked so that it no longer the public highway and a neighbouring property, while the field of view of the "[...]" camera has been masked so that it no longer targets the public highway and a neighbouring property. 14 See CNPD Guidelines (Point 4.1.), available at: https://cnpd.public.lu/fr/dossiersthematiques/videosurveillance/necessite-proportionnalite.html. 15 See CNPD Guidelines (Point 4.1.), available at: https://cnpd.public.lu/fr/dossiersthematiques/videosurveillance/necessite-proportionnalite.html. 16 See photos in Annexes 1 and 2 of the letter from the controller of 29 November 2019. 17 See photos in Annexes 3 and 4 of the auditee's letter of 29 November 2019. _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of investigation no. [...] conducted at Company A 10/26 [...]" no longer refers to the public highway. 18 With regard specifically to the camera "[...] "the auditor stated that, even though the field of view was partially obscured, it still the field of view has been partially obscured, it is still aimed at a part of the public highway and a nearby forest.19 40. The steps taken by the inspector, following the on-site visit of the to comply with the provisions of Article 5.1(c) of the GDPR will be taken into account by the taken into account by the Panel in the section "II.2. corrective measures and fines". 41. In view of the above, the Panel agrees with the finding of the Head of of the investigation20 that the non-compliance with Article 5.1.c) of the RGPD with regard to the the above-mentioned cameras was acquired on the day of the on-site visit of the CNPD OFFICERS. B. On the breach of the obligation to inform data subjects 1. On the principles 42. Under Article 12(1) of the GDPR, the "controller shall take appropriate measures to shall take appropriate measures to provide any information referred to in Articles 13 and 14 as well as to make any communication under Articles 15 to 22 and Article 34 in relation to the processing to the data subject in a concise, transparent, comprehensible and easily accessible manner, transparent, comprehensible and easily accessible, in clear and simple terms [...]. 43. Article 13 of the GDPR provides that: " 1. Where personal data relating to a data subject are collected from that person, the 1. Where personal data relating to a data subject are collected from that person, the controller shall, at the time when the data are obtained, provide him (a) the identity and contact details of the data subject (a) the identity and contact details of the controller and, where applicable, of the (a) the identity and contact details of the controller and, where applicable, of the representative of the controller; 18 See photos in Annexes 5 and 6 of the letter from the controller dated 29 November 2019. 19 See photo in Annex 7 of the auditee's letter of 29 November 2019. 20 Statement of Objections, Ad. A.4. to A.10. _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of investigation n° [...] carried out at Company A 11/26 b) if applicable, the contact details of the data protection officer; c) the purposes of the processing operation for which the personal data are intended and the legal (c) the purposes of the processing operation for which the personal data are intended and the legal basis of the processing operation; (d) where the processing is based on Article 6(1)(f), the legitimate interests (d) where the processing is based on Article 6(1)(f), the legitimate interests pursued by the controller or by a third party (e) the recipients or categories of recipients of the personal data, (e) the recipients or categories of recipients of the personal data, if any; and (f) where applicable, the fact that the controller intends to carry out a transfer of personal data to a third party (f) where applicable, the fact that the controller intends to transfer personal data to a third country or to an international organisation, and the existence or absence of an adequacy decision by the Commission or, in the case of or, in the case of transfers referred to in Article 46 or 47, or in Article 49, (1), second subparagraph, the reference to the appropriate or adequate safeguards and the means of means of obtaining a copy or the place where they have been made available; 2. In addition to the information referred to in paragraph 1, the controller shall provide 2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject, at the time the personal data are the following additional information necessary to ensure fair and transparent processing fair and transparent processing: (a) the length of time for which the personal data will be kept or, where this is not possible, the criteria used to (a) the period of time for which the personal data will be kept or, where this is not possible, the criteria used to determine that period (b) the existence of the right to request from the controller access to, rectification of or erasure of the personal data (b) the existence of the right to request from the controller access to, rectification or erasure of personal data or a restriction of the processing (b) the existence of the right to request from the controller access to, rectification or erasure of personal data, or a restriction of the processing relating to the data subject, or the right to object to the processing and the right to data portability right to data portability; (c) where the processing is based on Article 6(1)(a) or on Article 9, (c) where the processing is based on Article 6(1)(a) or Article 9(2)(a), the existence of the right to withdraw consent at any time, _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of conducted at Company A 12/26 without affecting the lawfulness of the processing based on the consent given before the withdrawal of the consent withdrawal of consent; d) the right to lodge a complaint with a supervisory authority; (e) information on whether the requirement to provide personal data is of a regulatory or contractual nature (e) information on whether the requirement to provide personal data is of a regulatory or contractual nature or is a condition for the conclusion of a contract and whether the (e) information on whether the requirement to provide personal data is of a regulatory or contractual nature or is a condition for the conclusion of a contract and whether the data subject is obliged to provide the personal data, as well as on the consequences for the data subject of providing the data. personal data, as well as on the possible consequences of not providing such data of the data; (f) the existence of automated decision-making, including profiling, as referred to in Article (f) the existence of automated decision-making, including profiling, as referred to in Article 22(1) and (4), and, at least in such cases, relevant information about the underlying logic, as well as the logic and the significance and intended consequences of such processing for the for the data subject. 3. Where the controller intends to further process the personal data for a purpose other than that for which they were collected, the personal data for a purpose other than that for which the personal data were collected, the data were collected, the controller shall provide the data subject with prior information data subject prior to the processing for that other purpose and any other relevant information referred to in paragraph 2. 4. 4. Paragraphs 1, 2 and 3 shall not apply where, and insofar as, the data subject already has such information. concerned already has such information. 44. The provision of information to data subjects about the processing of their data is an essential element in the 44. The provision of information to data subjects on the processing of their data is an essential element of compliance with the obligations of transparency under the GDPR.21 These obligations have been clarified by the by the Article 29 Working Party in its guidelines on transparency under Regulation (EU) 2016/679, the revised version of which was adopted on 11 April 2018 11 April 2018 (hereinafter: "WP 260 rev.01"). 21 See in particular Articles 5.1(a) and 12 of the GDPR, see also Recital (39) of the GDPR. _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of investigation no. [...] conducted at Company A 13/26 45. It should be noted that the European Data Protection Committee (hereinafter: "EDPS"), which replaced the Note that the European Data Protection Committee (hereinafter: "EDPS"), which replaces the Article 29 Working Party since 25 May 2018, has taken over and re-approved the documents adopted by the Article 29 Working Party between 25 May 2016 and 25 May May 2018, such as precisely the above-mentioned guidelines on transparency.22 2. In the present case 46. The CNPD officers noted during their site visit that the presence of the video video surveillance system is not reported to the persons concerned. Upon questioning, it was nevertheless explained to the CNPD agents that the employees had been informed by an explanatory e-mail followed by a physical letter.23 In its letter of 6 May 2019, the controller clarified that the document that the employees received on 25 May 2018 by e-mail and physical mail is the document entitled "Note to all employees on personal data" and that he is working on "the implementation of an information about the video surveillance system in two complementary ways i) the installation of pictograms at the entrance to the monitored areas, and ii) the publication of a (i) the installation of pictograms at the entrance to the monitored areas, and (ii) the publication of a detailed information notice on the website of [...]. These operations shall be completed by 1 July 2019. 47. As regards third parties, the Head of the Investigation noted in his Statement of Objections that statement of objections "that no means were implemented to inform customers, visitors or customers, visitors or suppliers of the presence of the video surveillance cameras, particularly by means of signs or pictograms affixed at strategic points within the buildings. the presence of video surveillance cameras, in particular by means of signs or pictograms affixed at strategic points within the controller's buildings" and that it is therefore therefore, the audited entity should be held to be in non-compliance with the requirements of Article 13 of the GDPR with regard to third parties (Statement of Objections, Ad.A.1.). 48. With regard to employees, the head of the investigation found that non-compliance with Article 13 of the 13 of the RGPD was also established on the day of the on-site visit, as "the document 'Note to all to all employees on Personal Data" communicated to employees does not contain certain 22 See EDPS Endorsement Decision 1/2018 of 25 May 2018, available at: https://edpb.europa.eu/sites/edpb/files/files/news/endorsement_of_wp29_documents_en_0.pdf. 23 See Findings 1 and 2 of Minute No [...]. _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of investigation no. [...] conducted at Company A 14/26 of the compulsory information prescribed by Article 13 of the GDPR. (Statement of statement of objections, Ad.A.2.). 49. In a letter dated 29 November 2019, the controller stated that after the departure of the the departure of the CNPD agents, first-level information was provided by means of pictograms and a short text in French, German and English to alert the public as soon as they the public as soon as they enter the monitored area. 24 The pictograms would refer to a second-level The pictograms would refer to a second-level information notice containing all the information required under The pictograms would refer to a second level information notice containing all the information required under Article 13 of the RGPD available to the public and to employees on their website. With regard to employees specifically for employees, the controller stated that the "Note to all employees on Personal Data" provided to on Personal Data" communicated to employees on 25 May 2018 had been updated and employees would also be informed by the pictograms and the information note available on the on the website of the controller. At the same time, the section on the GDPR on the intranet of the intranet would have been updated and the staff delegation would have been informed and consulted at all stages of the implementation of the video-surveillance system. 50. The Panel would first like to point out that Article 13 of the RGPD refers to the the obligation imposed on the controller to "provide" all the information information mentioned therein. The word "provide" is crucial in this case and it "means that the controller must take concrete steps to provide the data subject with the information in question to the data subject or to actively direct the data subject to the data subject to the location of the information (e.g. by means of a direct link, a QR code link, QR code, etc.). (WP260 rev. 01. paragraph 33). 51. 51. The Commission also considers that a multi-level approach to communicating transparency information to data subjects can be used in an offline or non-digital offline or non-digital context, i.e. in a real environment such as personal data collected personal data collected by means of a video surveillance system. video surveillance system. The first level of information (warning sign, information note, etc.) should be The first level of information (warning sign, information note, etc.) should generally include the most details of the purpose of the processing, the identity of the controller and the existence of identity of the controller and the existence of the data subjects' rights, as well as the information impact on the processing operation or any processing operation likely to cause surprise 24 See Annex 8 of the letter from the controller dated 29 November 2019. _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of investigation no. [...] conducted at Company A 15/26 the persons concerned, as well as a reference to the more detailed information of the second level (for example, via a second level (e.g. via a QR code or a website address). 25 The second level of information, i.e. the set of information required under Article 13 of the Article 13 of the GDPR, could be provided or made available by other means, such as a copy of the privacy policy sent by e-mail to employees or a link on the employees or a link on the website to an information notice in respect of non-employees non-employees. 26 2.1. Information to third parties 52. The Panel notes that during the site visit by the CNPD officers, third parties were not informed of the presence of the CNPD officers, third parties were not informed of the presence of the video surveillance system. video surveillance system. 53. However, it notes that in its letter of 29 November 2019, the audited party approach to communicating information on transparency to third parties by means of transparency to third parties through pictograms and an information note available on its website. available on its website. The Panel considers that the pictograms contain the information of the first level of information and that the second level of information, i.e. the information note available on the website, contains all the information required under Article 13 of the GDPR. The Panel notes, however, that all the documentation of the first and second level of information has been provided to the Commission. and second level of information was only put in place after the on-site visit of the CNPD officials. 54. 54. In view of the above, it therefore agrees with the Head of Investigation and concludes that that at the time of the on-site visit of the CNPD officers, Article 13 of the GDPR was not the controlled party with regard to video surveillance as far as third parties are concerned. third parties. 25 See EDPS Guidelines 3/2019 on the processing of personal data by video devices, version 2.0 devices, version 2.0, adopted on 29 January 2020 (points 114. and 117.). 26 See WP260 rev. 01 (point 38.) _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of investigation n° [...] conducted at Company A 16/26 2.2. Information for employees 55. With regard to informing employees about the video surveillance system, the system, the Restricted Section notes that during the on-site visit by CNPD agents, the employees were employees were informed of the presence of the video-surveillance system by the document "Note to all employees by the document "Note to all employees on Personal Data". 27 While this document contains some of the information required by Article 13 of the GDPR, it nevertheless concerns all the data processed by the controller, all the legal bases applicable to the various processing carried out by the controller and all the purposes invoked for such processing, without processing operations, without differentiating between the processing operations concerned. These information does not therefore comply with the principle of transparency to which every controller is principle of transparency to which every controller is bound. According to this principle, the information must be to the data subject "in a concise, transparent, comprehensible and easily accessible manner easily accessible, in clear and simple terms". 28 Furthermore, the document does not document does not contain all the information within the meaning of Article 13 of the GDPR. 56. However, the Commission notes that in its letter of 29 November 2019, the controller has specified its approach at several levels to communicate information on transparency to transparency to employees, in particular through pictograms and an information note available on its website. In addition, it mentioned that the document "Note to all [...] employees on Personal Data" has been updated to include the information available on the said website. The Panel considers that the pictograms pictograms contain the first level of information and that the second level of information information, i.e. the information note available on the website, contains all the information required under Article 13 of the GDPR. The Panel notes, however, that all the documentation of the first and second level of information has been provided to the Commission. and second level of information was only put in place after the on-site visit of the CNPD officials. 27 The said document can be found in the annex to the inspection letter of 6 May 2019 and mentions the following: [...]. 28 See Article 12.1. of the GDPR. _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of investigation no. [...] conducted at Company A 17/26 57. In view of the above, it agrees with the opinion of the head of the investigation and concludes that, at the time of the on-site visit by the the time of the on-site visit of the CNPD agents, Article 13 of the GDPR was not Article 13 of the RGPD was not complied with by the audited company with regard to video surveillance of employees. II. 2. Corrective measures and fines 1. On the principles 58. In accordance with Article 12 of the Act of 1 August 2018, the CNPD has the power to power to adopt all the corrective measures provided for in Article 58(2) of the RGPD: "(a) to warn a controller or processor that the proposed processing operations are likely to infringe (a) warn a controller or processor that the proposed processing operations are likely to infringe the provisions of this Regulation ; (b) call a controller or processor to order where the processing operations have led to a breach of the (b) call a controller or processor to order where the processing operations have led to a breach of the provisions of this Regulation (c) order the controller or processor to comply with requests made by the data (c) order the controller or processor to comply with requests made by the data subject to exercise his or her rights under this Regulation (c) order the controller or the processor to comply with requests made by the data subject to exercise his rights under this Regulation ; (d) order the controller or the processor to bring the processing operations into conformity with the (d) order the controller or the processor to bring the processing operations into conformity with the provisions of this Regulation, where appropriate, in a specific manner and within a specified period (d) order the controller or the processor to bring the processing operations into conformity with the provisions of this Regulation, where appropriate, in a specific manner and within a specified period ; (e) order the controller to notify the data subject of a personal data (e) order the controller to notify the data subject of a personal data breach (f) impose a temporary or definitive restriction, including a ban, on processing (g) order the rectification or erasure of personal data or the restriction of processing pursuant to (g) order the rectification or erasure of personal data or the restriction of processing pursuant to Articles 16, 17 and 18 and the notification of such (g) order the rectification or erasure of personal data or the restriction of processing pursuant to Articles 16, 17 and 18 and the notification of such measures to the recipients to whom the personal data have been disclosed pursuant to Articles 17(2) and 19 ; (h) withdraw a certification or order the certification body to withdraw a certification (h) withdraw a certification or order the certification body to withdraw a certification issued pursuant to Articles 42 and 43, or order the certification body to withdraw a certification issued pursuant to Articles 42 and 43 _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of investigation n° [...] carried out at Company A 18/26 certification body not to issue a certification if the requirements applicable to the certification are not or no longer met; (i) impose an administrative fine pursuant to Article 83, in addition to or instead of the measures referred to in this paragraph (i) impose an administrative fine pursuant to Article 83, in addition to or instead of the measures referred to in this paragraph, depending on the specific characteristics of each case (i) impose an administrative fine pursuant to Article 83, in addition to or instead of the measures referred to in this paragraph, depending on the specific characteristics of each case (j) order the suspension of data flows to a recipient in a third country or to an (j) order the suspension of data flows to a recipient in a third country or to an international organisation. 59. In accordance with Article 48 of the Act of 1 August 2018, the CNPD may impose administrative administrative fines as provided for in Article 83 of the GDPR, except against the State or State or municipalities. 60. Article 83 of the RGPD provides that each supervisory authority shall ensure that the administrative fines imposed are, in each case, effective, proportionate and dissuasive and dissuasive, before specifying the elements that should be taken into account when deciding whether an administrative fine should be imposed and the amount of the fine (a) the nature, gravity and gravity of the infringement "(a) the nature, gravity and duration of the breach, taking into account the nature, scope or purpose of the processing concerned (a) the nature, gravity and duration of the infringement, having regard to the nature, scope or purpose of the processing operation concerned, as well as to the number of data subjects affected and the level of damage that the infringement causes affected and the level of damage suffered by them ; (b) whether the breach was committed intentionally or negligently; (c) any measures taken by the controller or processor to mitigate the damage suffered by (c) any measures taken by the controller or processor to mitigate the damage suffered by the data subjects (d) the degree of responsibility of the controller or processor, taking into account the (d) the degree of responsibility of the controller or processor, taking into account the technical and organisational measures they have implemented pursuant to Articles 25 and 32 ; (e) any previous relevant breach by the controller or processor (e) any previous relevant breach by the controller or the processor; (f) the degree of cooperation established with the supervisory authority in order to remedy the breach and (f) the degree of cooperation established with the supervisory authority in order to remedy the breach and to mitigate any negative effects thereof; _____________________________________________________________ Decision of the National Commission sitting in a restricted formation on the outcome of investigation no. [...] carried out at Company A 19/26 g) the categories of personal data affected by the breach; (h) the manner in which the supervisory authority became aware of the breach, in particular whether and to what extent the data controller had been informed of the breach; and (h) the manner in which the supervisory authority has become aware of the breach, including whether and to what extent the controller or processor has notified the breach; (i) where measures referred to in Article 58(2) have previously been (i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned in relation to the same subject-matter, compliance with those measures shall be verified (i) where measures referred to in Article 58(2) have previously been ordered against the controller or the processor concerned in relation to the same matter, compliance with those measures ; (j) the application of codes of conduct approved pursuant to Article 40 or of (j) the application of codes of conduct approved pursuant to Article 40 or certification schemes approved pursuant to Article 42; and (k) any other aggravating or mitigating circumstances applicable to the circumstances of the (k) any other aggravating or mitigating circumstances applicable to the circumstances of the case, such as the financial benefits obtained or losses avoided, directly or indirectly, as a result of the (k) any other aggravating or mitigating circumstances applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, as a result of the violation. 61. The Panel wishes to make it clear that the facts taken into account in the context of this decision are those found at the beginning of the investigation. Any changes to the data processing modifications relating to the data processing operations under investigation, even if they even if they make it possible to establish full or partial compliance, do not compliance, do not allow for the retroactive annulment of a failure found. 62. Nevertheless, the steps taken by the supervised party to comply with the with the GDPR during the investigation procedure or to remedy the shortcomings by the head of the investigation in the statement of objections, are taken into account by the the Panel in the context of possible remedial action and/or the setting of a possible fine. the amount of any administrative fine to be imposed. 2. In the present case 2.1 On the imposition of an administrative fine 63. In the letter supplementing the statement of objections of 3 August 2020, the head of the proposes to the Restricted Section to impose an administrative fine on the amount of six thousand eight hundred (6,800) euros. 64. In his letter of 10 September 2020, the audited party considered that the amount of the fine is disproportionate to the disproportionate due to the absence of any intention to cause the _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of investigation no. [...] carried out at Company A 20/26 alleged violations and its efforts to comply, while in its letter of 14 July 2021 it indicated July 14, 2021 he indicated that he accepts the fact that he had monitored a smoking area with a camera in violation of the requirements of the GDPR and that he accepts the fine of EUR 6,800.29 65. In order to decide whether an administrative fine should be imposed and to decide the amount of the fine, the Panel shall take into account the elements the elements provided for in Article 83(2) of the RGPD : - As regards the nature and gravity of the breach (Article 83.2.a) of the RGPD), it notes As regards the breaches of Article 5(1)(c) of the RGPD, they are constitute breaches of a fundamental principle of the RGPD (and of data protection law in general) protection law in general), namely the principle of data minimisation enshrined in principle enshrined in Chapter II "Principles" of the RGPD. It should be noted that at the time of the time of the on-site visit by the CNPD agents, a camera allowed the permanent surveillance of the employee working in the reception area, one camera surveillance of an area reserved for employees' free time, in this case a "smoking smoking area, while seven cameras were aimed at the surrounding grounds and/or the and seven cameras were aimed at neighbouring properties and/or the public highway. - As for the failure to inform the persons concerned in accordance with Article 13 of the RGPD, the Panel recalls that information and transparency regarding the processing of personal data are essential transparency regarding the processing of personal data is an essential obligation for data controllers data controllers so that individuals are fully aware of the use that will be made of their their personal data, once collected. A failure to comply with Article 13 of the RGPD thus constitutes a breach of the rights of the of the data subjects. This right to information has also been strengthened under the under the RGPD, which shows their particular importance. It should be noted that that at the time of the site visit by the CNPD agents, no pictograms, posters or notices pictograms, posters or information leaflets could be shown to the CNPD officials. to the CNPD officers. Thus, third parties were not at all informed of the presence of the video surveillance system in accordance with Article 13 of the GDPR, while the document given to the employees, i.e. the 29 Original text of the controller's letter of 14 July 2021: "Accordingly we accept the fact that we monitored a smoking area by CCTV in contravention of CNPD requirements and accept the penalty of Euro 6,800." _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of investigation n° [...] carried out at Company A 21/26 "Note to all employees on Personal Data", did not contain all the information information required by Article 13 of the GDPR. - As regards the criterion of duration (Article 83(2)(a) of the GDPR), the Panel notes that these shortcomings lasted over time, at least since 25 May 2018 and until 25 May 2018 and until the day of the on-site visit. It recalls here that two years have the entry into force of the RGPD from its entry into application to allow to comply with their obligations. obligations. In particular, an obligation to respect the principle of minimisation, as well as a comparable obligation to provide information already existed under 4.1.b), 10.2 and 26 of the repealed Act of 2 August 2002 on the protection of persons with regard to the processing of personal data. personal data. Guidance on the principles and obligations laid down in the said Act was available from the law was available from the CNPD, in particular through mandatory prior authorisations prior authorisations for video surveillance. - As for the number of data subjects (Article 83.2.a) of the GDPR), the As for the number of data subjects (Article 83.2.a) of the GDPR), the Panel notes that these are [...] employees30 working on the premises of the premises of the controller, as well as all third parties visiting the said premises. - As to the question of whether the breaches were committed deliberately (Article 83.2.b) of the GDPR), the Panel recalls that "not deliberately" means that the that "not deliberately" means that there was no intention to commit the breach, although the breach, although the controller has not complied with its duty of care under duty of care under the legislation, which is the case here. - As for the measures taken by the controller to mitigate the damage suffered by the persons concerned (Article 83.2.c), the Panel takes into account the measures measures taken by the auditee and refers to Chapter II.2. section 2.2. of this decision for decision for the explanations related thereto. - As to the degree of cooperation established with the supervisory authority (Article 83.2.f) of the RGPD), the Panel takes into account the statement of the head of the investigation 30 [...]. _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of investigation no. [...] carried out at Company A 22/26 that the cooperation of the audited company throughout the investigation was good, as well as its willingness to comply with the and its willingness to comply with the requirements of the GDPR as soon as possible.31 as soon as possible.31 66. The Panel notes that the other criteria of Article 83.2 of the GDPR are neither relevant nor are neither relevant nor likely to influence its decision on the imposition of an administrative fine and its administrative fine and its amount. 67. It also notes that while several measures have been put in place by the supervised to remedy certain shortcomings in whole or in part, these were only adopted following the adopted following the inspection by CNPD officials on 20 March 2019 (see also point 61 of this see also paragraph 61 of this decision). 68. The Panel therefore considers that the imposition of an administrative fine is justified in the light of the criteria laid down in Article 83(2) of the RGPD for breach of Articles 5(1)(c) and 13 of the RGPD. 69. With regard to the amount of the administrative fine, it recalls that Article 83(3) of the 3 of Article 83 of the RGPD provides that in the event of multiple breaches, as in the case of case, the total amount of the fine may not exceed the amount set for the most serious violation. Insofar as a breach of Articles 5 and 13 of the GDPR is alleged, the maximum fine the maximum fine that can be imposed is EUR 20 million or 20 million or 4% of annual worldwide turnover, whichever is higher. 70. In the light of the relevant criteria of Article 83(2) of the GDPR mentioned above, the Panel considers that the imposition of a fine of six thousand eight hundred (6,800) appears to be effective, proportionate and dissuasive, in accordance with the requirements of Article 83.1 of the GDPR. 2.2 As regards the taking of corrective measures 71. In his supplementary letter to the Statement of Objections of 3 August 2020 the Head of Investigation proposes that the Restricted Panel adopt the following corrective measures corrective measures: 31 See supplementary letter to the Statement of Objections. _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of investigation n° [...] carried out at Company A 23/26 "a) Order the data controller to complete the information measures to third parties ([...]) affected by the video surveillance, in accordance with the provisions of Article 13, paragraphs (1) and (2) of the GDPR by the identity of the data controller, the contact details of the data protection Data Protection Officer, the purposes of the processing and its legal basis, the categories of data processed, the legitimate interests pursued by the controller, the recipients of the data, the duration of the data storage as well as the indication of the the rights of the person and how to exercise them. b) Order the controller to complete the information measures (b) Order the controller to complete the information measures for the employees concerned by the video surveillance, in accordance with the provisions of Article 13(1) and (2) of the GDPR by informing in particular the purposes of the processing and its legal basis, the categories of data processed, the legitimate interests pursued by the controller, the recipients of the recipients of the data as well as the period for which the data are kept. c) Order the controller to process only relevant data, (c) Order the controller to process only relevant, adequate and limited to what is necessary for the purposes of protecting (c) Order the controller to process only data which are relevant, adequate and limited to what is necessary for the purposes of protecting property, securing access, ensuring user safety and preventing accidents, and in particular and, in particular, to adapt the video system so that employees are not filmed at their workstations or in at their workstations or in areas reserved for their free time, nor to film parts of the public highway or neighbouring properties, for example by removing or or reorienting the cameras. 72. As for the remedial measures proposed by the head of the investigation and with reference to to point 62 of this decision, the Panel takes into account the steps taken by the the steps taken by the auditee, following the on-site visit of the CNPD officers, to comply with the provisions of Articles 5 and 6 of the to comply with the provisions of Articles 5.1.c) and 13 of the GDPR, as detailed in its letters of 6 May 2019 in its letters of 6 May 2019, 29 November 2019, 10 September 2020 and 14 July 2021. July 2021. In particular, it notes the following facts: With regard to the implementation of information measures for data subjects (third parties and employees), the concerned (third parties and employees) by the video surveillance, in accordance with the the provisions of Article 13.1 and 2 of the RGPD, the controller specified in its letter of 29 November 2019 its approach to letter of 29 November 2019, the audited body specified its multi-level approach to _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of investigation no. [...] conducted at Company A 24/26 communicate information on transparency to the persons concerned by pictograms containing a brief text in French, German and English, as well as an and by an information note available on its website. In addition, the Note to all [...] employees on Personal Data" has been updated to include the information to include the information available on the website. The Panel considers that the pictograms contain the first level of information and are information of the first level of information and that the second level of information, i.e. the information note available on the website, contains all the information required under Article 13 of the GDPR. As to the obligation to process only relevant, adequate and limited to what is necessary for the purposes of protection of property, protection of access, as well as the safety of users and the prevention of of accidents, the Select Committee takes into account that : o Annex 2 of the letter from the controller dated 10 September 2020 contains o Annex 2 of the letter from the audited party of 10 September 2020 contains photos showing that the field of view of the camera "[...]" has now been masked so as not to interfere with the access to the premises. "has been masked so as to no longer permanently aim at the employee working at the reception working at the reception desk; o the audited party attached to its letter of 29 November 2019 photos o the auditor attached to his letter of 29 November 2019 photos showing that the fields of view of the cameras "[...] " " [...] ", " [...] "and "[...]" have been masked so that they no longer include a neighbouring property and/or public road and/or the public highway; o the inspector attached to his letter of 29 November 2019 photos o the auditor attached to his letter of 29 November 2019 photos showing that the fields of view of the cameras "[...]", "[...]" and "[...]" had been [...]" have been masked, but he specified that they are still aimed at a small part of a neighbouring plot of land (a field) and / or the public highway. In view of the sensitivity of the land under surveillance ([...]), the considers that the masking in place has reduced the field of view of the cameras in question to the field of vision of the cameras in question necessary to pursue the purposes of securing the surroundings and the entrances to the building. _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of investigation no. [...] carried out at Company A 25/26 o in its letter of 14 July 2021, following the meeting of the session of 30 June 2021, that the "[...]" camera allowed the surveillance of an area reserved for employees' free time, in this case a "smoking area", and that this constellation was linked to a This constellation was linked to a lack of internal communication. In fact, it would have realised that for safety reasons, the team in charge of managing the buildings management team ('[...]') had moved the smoking area into the field of vision of the of the camera in question, without knowing that a smoking area was now in the without knowing that a smoking area was now in the field of view of a camera and without informing his and without informing his internal security team, and that he assumed that after the on-site visit by the the team "[...]" would have moved the smoking area by replacing the aforementioned sign the aforementioned sign indicating that smoking was permitted by a sign indicating that smoking is prohibited in this area. 73. In view of the compliance measures taken by the controlled party in this case and and point 62 of this decision, the Panel considers that there is no evidence of a breach of the the three remedial measures proposed by the head of the investigation in this respect as the three remedies proposed by the head of the investigation in this respect as set out in paragraph 71 of this Decision. In view of the above developments, the National Commission, sitting in a restricted in a restricted formation and deliberating unanimously decides : - to retain the breaches of Articles 5.1.c) and 13 of the GDPR ; - to impose an administrative fine on Company A in the amount of six thousand eight hundred (6,800) euros, in view of the breaches of Articles 5.1.c) and 13 of the GDPR Articles 5.1.c) and 13 of the GDPR; _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of investigation no. [...] carried out at Company A 26/26 Thus decided in Belvaux on 1 December 1, 2021. For the National Commission for Data Protection sitting in restricted formation sitting in restricted formation Tine A. Larsen Thierry Lallemang Marc Lemmer President Commissioner Commissioner Indication of the means of appeal An appeal against this administrative decision may be lodged within three months of its notification. three months after its notification. This appeal must be brought before the administrative court and must be lodged through a lawyer at the Court of one of the Bar Associations. of lawyers.