CNPD (Luxembourg) - Délibération n° 16FR/2022
CNPD - 16FR/2022 | |
---|---|
Authority: | CNPD (Luxembourg) |
Jurisdiction: | Luxembourg |
Relevant Law: | Article 5(1)(c) GDPR Article 13 GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | 14.02.2019 |
Decided: | 07.07.2022 |
Published: | 24.01.2023 |
Fine: | 10,000 |
Parties: | n/a |
National Case Number/Name: | 16FR/2022 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | French |
Original Source: | CNPD (in FR) |
Initial Contributor: | ls |
The Luxembourg DPA fined a bank institution €10,000 for using surveillance cameras without sufficiently informing the data subjects and filming some of them continuously. The above was in breach of Article 5(1)(c) and Article 13 GDPR.
English Summary
Facts
On 14 February 2019, the Luxembourg DPA decided to open an investigation into the companies of Group A and particularly into Company A, a bank institution (controller). The purpose of this investigation was to verify the compliance with the GDPR of the controller's video surveillance and company's cars geolocation systems.
Surveillance cameras
The investigation showed that surveillance cameras were indeed in place. Cameras’ fields of view included safe rooms, meeting rooms, the reception desk, the cash desk, offices, a computer room and a room where employees take breaks. The head of the investigation considered this to be permanent surveillance of employees at their workplace, which could create psychological pressure. He described the surveillance as “disproportionate to the purpose” and an “excessive intrusion into the employees’ private sphere”. He added that employees had no way of escaping the surveillance.
After receiving the minutes of this visit, the Company wrote a letter in which it explained that distinction should be made between two types of locations filmed, depending on their economic and strategic sensitivity: the counters and the safe room on one hand, and other locations on the other. It also considered that employees were not filmed permanently since they could avoid the cameras' field of vision. The company also argued that the presence of certain cameras was justified in relation to the purpose.
For example, a camera positioned in the safe where one of the employees was stationed and where the company kept precious metals and physical securities. The company stressed that the room is locked for security reasons and that the camera made it possible to see if the employee was "feeling unwell". The company also explained that this is an ad hoc workstation, subject to patrols, which means that the employee working there was not filmed at all times.
Another example was given by the cameras placed upon the counters. The company explained that employees were only filmed from behind and that their hands, faces, private or professional equipment were not targeted. According to the company, the presence of these cameras was therefore necessary and proportionate to the aims pursued.
Finally, with regard to the surveillance of the public highway, the investigation showed, among other things, that buildings not belonging to the company were filmed. The company argued that this was necessary to effectively protect their building. The head of the investigation however considered this surveillance to be disproportionate.
Information on surveillance cameras
The investigation showed that data subjects were informed about the use of surveillance cameras by a pictogram and an old CNPD authorisation sticker at the entrance door and at a passageway closed to the public. According to the head of the investigation, this information was incomplete because it did not provide, among other things, the following elements: the retention period, the purposes of the processing, the right to rectification and erasure. The GDPR intranet section did not contain sufficient information either.
In its letter in response to the minutes of the visit, the company explained that the pictograms were the first step of a various steps information which included the GDPR intranet section and mandatory trainings on data privacy. The company also reported that it had initiated the replacement of the pictograms and would indicate the missing information in the future.
With regard to third parties, the agents noted that a sign was installed containing a camera image and the words "locals under video surveillance".) The company considered that informing third parties was not an absolute obligation under Article 13 (which states that it is not required when communication is impossible or would require disproportionate effort).
Geo-location system on company's cars
The investigation did not demonstrate the existence of such geo-location systems.
Holding
The DPA generally agreed with the opinion of the head of the investigation. It considered firstly that for some cameras, the field of view was not limited to what was necessary to achieve the purpose of the processing, which was violating Article 5(1)(c), i.e. the principle of data minimisation. This was the case for example for cameras filming public area.
Secondly, the DPA found a failure to comply with Article 13, which imposes an obligation to provide information. It considered that multi-level information is not excluded. As regards employees, it held that the first level of information (warning sign) should include the most essential information such as identity of the controller, the purposes of processing and a reference to more detailed information (e.g. via a QR code). As for the third parties (customers, service providers, etc.), the DPA considered the same : first level of information (warning sign) should also include the most essential elements of the processing operation and a reference to the second level of information. In this case, the sign didn't include essential information nor a reference to a second level of information. The DPA underlined the fact that Article 13 requires information to be given at the time the data is obtained, which does not imply that a document must be hand-delivered to all third parties but that a reference to detailed information must be indicated on the signs.
Considering the violations of Article 5(1)(c) and Article 13, the Luxembourg DPA therefore imposed a fine of €10,000 in accordance with Article 83(2).
Taking into account the measures already taken by Company A, the DPA also ordered corrective measures: in particular 1) to stop filming the employees' workplans and, if this cannot be avoided at all, to arrange for their faces to be blurred, and 2) to obscure the public area within the cameras' field of vision. Another measure is the obligation to have a single place where all the information required by Article 13 is available.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.