CNIL (France) - MED-2019-025
CNIL - MED-2019-027 | |
---|---|
Authority: | CNIL (France) |
Jurisdiction: | France |
Relevant Law: | Article 5(1)(c) GDPR |
Type: | Investigation |
Outcome: | Violation found |
Decided: | n/a |
Published: | 5.12.2019 |
Fine: | None |
Parties: | BOUTIQUE.AERO |
National Case Number: | MED-2019-027 |
European Case Law Identifier: | n/a |
Appeal: | Conseil d'Etat |
Original Language: | French |
Original Source: | CNIL (in FR) |
The CNIL issued an order against BOUTIQUE.AERO for the excessive video surveillance of its employees
English Summary
Facts and questions arising
In July 2018, the south-west DIRECCTE (regional office for undertakings, competition and consumers) warned the CNIL that cameras of the company BOUTIQUE.AERO, the data controller, were constantly scanning the workstations of certain employees. Following this warning, the CNIL carried out some investigations.
Holding
The CNIL found that the surveillance cameras were recording personal data which were not adequate, relevant and limited to what was necessary. Thus, the data controller violated Article 5(1)(c) GDPR. The French DPA also found that no information had been given to the data subjects regarding the collection of their personal data and the storage limitation periods. Thus, the CNIL determined that the data controller had violated Article 13 GDPR. In addition, the CNIL stated that the IT service provider for camera maintenance could be qualified as a data processor. However, the contract between the data processor and the data controller did not include any measure providing for sufficient guarantees regarding the security of the processing. Also, the personal data recorded by the cameras and consulted through the data controller's management software were not encrypted and were easily accessible. Therefore, the data controller violated both Articles 28 and 32 GDPR. Finally, the CNIL decided that the data controller did not comply with the obligation to create a record of processing activities, as required by Article 30(1) GDPR.
As a consequence, the CNIL addressed a formal notice to the data controller and gave it a two-month period to comply with the GDPR.
English Machine Translation of the Decision
The decision below is a machine translation of the original. Please refer to the French original for more details.
The decision's page is under reconstruction and is not available yet.