CNPD (Luxembourg) - Délibération n° 17FR/2021
From GDPRhub
CNPD (Luxembourg) - Délibération n° 17FR/2021 | |
---|---|
Authority: | CNPD (Luxembourg) |
Jurisdiction: | Luxembourg |
Relevant Law: | Article 5(1)(c) GDPR; Article 5(1)(e) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 12.05.2021 |
Published: | 07.06.2021 |
Fine: | 1900 EUR |
Parties: | n/a |
National Case Number/Name: | Délibération n° 17FR/2021 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | French |
Original Source: | CNPD (in FR) |
Initial Contributor: | n/a |
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
Decision of the National Commission sitting in restricted formation on the outcome of survey No. [...] conducted with "Company A"

Deliberation n° 17FR/2021 of May 12, 2021

The National Commission for Data Protection sitting in a restricted body composed of Ms Tine A. Larsen, president, and Messrs Thierry Lallemang and Marc Lemmer, commissioners;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;

Having regard to the law of 1 August 2018 on the organization of the National Commission for Data Protection and the general data protection regime, in particular its article 41;

Having regard to the internal regulations of the National Commission for Data Protection adopted by decision n° 3AD/2020 dated 22 January 2020, in particular its article 10 point 2;

Having regard to the regulation of the National Commission for Data Protection relating to the investigation procedure adopted by decision n° 4AD/2020 dated 22 January 2020, in particular Article 9;

Considering the following:

I. Facts and procedure

1. During its deliberation session of February 14, 2019, the National Commission for Data Protection sitting in plenary session (hereinafter: "Plenary Formation") had decided to open an investigation with the ABCD group [1] on the basis of article 37 of the law of 1 August 2018 on the organization of the National Commission for Data Protection and the general data protection regime (hereinafter "the law of August 1, 2018") and to appoint Mr. Christophe Buschmann as head of investigation.

2. According to the decision of the Plenary Formation, the investigation carried out by the National Commission for Data Protection (hereafter: "CNPD") had the purpose of verifying compliance with the provisions of the regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter "GDPR") and of the law of August 1, 2018, in particular through the setting up of video surveillance and geolocation systems, where applicable, installed by the four companies of the ABCD group.

3. On September 27, 2019, CNPD agents carried out a visit at the premises of Company A at the administrative headquarters of [S1] and at the site of [S2]. Given that report no. […] relating to the said on-site fact-finding mission [2] mentions, among the four companies of the ABCD group, the company "Company A" as the controller inspected, the decision of the National Commission for Data Protection sitting in restricted formation on the outcome of the investigation (hereafter: "Restricted Formation") will be limited to the processing operations inspected by the CNPD agents and carried out by the company "Company A".

[1] And more specifically with the companies Company B, registered in the Luxembourg Trade and Companies Register under number […], with registered office at L- […]; Company A, registered in the Luxembourg Trade and Companies Register under number […], with registered office at L- […]; Company C, registered in the Luxembourg Trade and Companies Register under number […], with registered office at L- […]; and Company D, registered in the Luxembourg Trade and Companies Register under number […], with registered office at L- […].
[2] Cf. in particular report no. […] relating to the on-site visit carried out on September 27, 2019 with Company A.
4. "Company A" is a […] registered in the Luxembourg Trade and Companies Register under number […], with registered office at L- […] (hereinafter "the controlled"). […] [3]

5. During the aforementioned visit of September 27, 2019 by CNPD agents to the premises of the controlled at the administrative headquarters of [S1] [4] and at the site of [S2] [5], the "data protection officer" of the controlled confirmed to the CNPD agents that the controlled uses two video surveillance systems. A first system is installed in the buildings at the administrative headquarters of [S1] and a second system is operated from the site of [S2]. The video surveillance system installed at the administrative headquarters of [S1] is composed of eight cameras which operate continuously (24 hours a day) [6], and the video surveillance system installed on the [S2] site is made up of one to five cameras per [...] ([…]) [7]; these cameras also operate continuously (24 hours a day). [8]

6. The "data protection officer" of the controlled confirmed that the controlled does not use a geolocation device. [9]

7. As for the administrative headquarters of [S1], it was explained to the CNPD agents that the video surveillance system is managed by Company B as a subcontractor on behalf of the controlled, which is to be considered as data controller. [10] It was confirmed that the purposes of setting up the video surveillance system are the protection of company assets and access security. [11]

8. As for the site of [S2], it was explained to the CNPD agents that the purposes of the implementation of the video surveillance system are the protection of the company's property, securing access and preventing accidents. [12] The Restricted Formation assumes that this video surveillance system is managed by the controlled as data controller.

[3] According to the information provided on its own website: […]
[4] The address of the administrative headquarters of [S1]: […].
[5] The site address of [S2]: […].
[6] See finding 9 of report no. […] relating to the on-site visit carried out on September 27, 2019 with Company A.
[7] The CNPD agents inspected the images transferred by the cameras installed on the sites of […] (see report no. […]).
[8] See finding 14 of report no. […] relating to the on-site visit carried out on September 27, 2019 with Company A.
[9] Cf. in particular report no. […] relating to the on-site visit carried out on September 27, 2019 with Company A.
[10] Cf. finding 7 of report no. […] relating to the on-site visit carried out on September 27, 2019 with Company A.
[11] See finding 8 of report no. […] relating to the on-site visit carried out on September 27, 2019 with Company A.

9. At the end of his investigation, the head of investigation notified the controlled on 3 February 2020 of a statement of objections detailing the shortcomings he considered established in this case, and more specifically a non-compliance with the requirements of Article 5.1.c) of the GDPR and a non-compliance with the requirements of Article 5.1.e) of the GDPR.

10. On February 28, 2020, the controlled filed written observations on the statement of objections.

11. A letter supplementing the statement of objections was sent to the controlled on August 10, 2020. In this letter, the head of investigation proposed to the Restricted Formation to adopt two different corrective measures, as well as to impose on the controlled an administrative fine in the amount of 1,900 EUR.

12. By letter of August 25, 2020, the controlled produced written observations on the letter supplementing the statement of objections.

13.
The president of the Restricted Formation informed the controlled by letter of 16 October 2020 that its case would be registered for the Restricted Formation session of 27 November 2020. The controlled confirmed its presence at the said session on 13 November 2020.

14. During the Restricted Formation session on November 27, 2020, the head of investigation and the controlled presented their oral observations in support of their written observations and answered questions posed by the Restricted Formation. The controlled spoke last.

[12] Cf. finding 15 of report no. […] relating to the on-site visit carried out on September 27, 2019 with Company A.

II. In law

II.1. As to the grounds for the decision

A. On the breach linked to the principle of data minimization

1. On the principles

In accordance with Article 5.1.c) of the GDPR, personal data must be "adequate, relevant and limited to what is necessary for the purposes for which they are processed (data minimization)".

The principle of data minimization in video surveillance implies that only what appears strictly necessary to achieve the purpose(s) pursued should be filmed and that processing operations must not be disproportionate. [13]

Article 5.1.b) of the GDPR states that personal data must be "collected for specific, explicit and legitimate purposes, and not be further processed in a manner incompatible with these purposes; […] (purpose limitation)". Before installing a video surveillance system, the data controller must define, in a precise manner, the purpose(s) he wishes to achieve by using such a system, and cannot then use the personal data collected for other purposes. [14]

The necessity and proportionality of video surveillance is analyzed on a case-by-case basis and, in particular, with regard to criteria such as the nature of the place to be placed under video surveillance, its situation, configuration or attendance. [15]

[13] See CNPD guidelines (Point 4.), available at: https://cnpd.public.lu/fr/dossiers-thematic/videosurveillance/necessity-proportionality.html.
[14] See CNPD guidelines, available at: https://cnpd.public.lu/fr/dossiers-thematic/videosurveillance/necessity-proportionality.html.
[15] Cf. CNPD guidelines (Point 4.), available at: https://cnpd.public.lu/fr/dossiers-thematic/videosurveillance/necessity-proportionality.html.

2. In this case

15. As for the site of [S2], it was explained to the CNPD agents that the purposes of the implementation of the video surveillance system are the protection of the company's property, securing access and preventing accidents.

16. When investigating the site of [S2] and looking at the monitors to which the images captured by the cameras installed on the […] are transmitted, the CNPD agents noted that
i) on the site of [S3], the fields of vision of several cameras include parts of the public thoroughfare and surrounding land; [16] and
ii) on the site of [S4], the field of view of a camera includes parts of the public road and neighboring land. [17]

17. The head of investigation was of the opinion that "(...) the surveillance of the public highway and of neighboring land is however to be considered as disproportionate. Indeed, in view of the aforementioned purposes for which video surveillance is operated, it is not necessary to include parts of the public road or neighboring land in the fields of view of the cameras listed under points A.1. and A.2. hereof." (statement of objections, Ad. A.1. and Ad. A.2.)

18. The controlled for its part explained that the main purposes of the video surveillance were the prevention of accidents (for its staff and for external persons) and protection […]. In addition, the controlled explained that viewing a small area around the fence was necessary to be able to act in a preventive rather than curative manner, and that the detection of movements upstream of the fence allowed, on the one hand, the triggering of systems [...] intended to deter intrusion attempts and, on the other hand, faster on-site intervention. Nevertheless, the controlled claimed to have adapted the fields of vision of the disputed cameras on the site of [S3] and also of the disputed camera on the site of [S4] by blurring the parts of the public road and the surrounding land. [18]

[16] Communication of Grievances, A.1.
[17] Communication of Grievances, A.2.
[18] C… the communication of … 2020.

19. The Restricted Formation notes that the annexes to the letter of February 28, 2020 contain photos of the fields of view of the disputed cameras which show that public roads and/or neighboring land are now blurred.

20. In its letter of 25 August 2020, the controlled reiterated that it had already corrected the fields of view of the disputed cameras after receipt of the statement of objections and that it had ensured, during a review of all cameras installed, that these cameras do not film the public road.

21. The Restricted Formation recalls that cameras intended to monitor a place or the surroundings of a building or a site must have a field of vision limited to the surface strictly necessary to visualize the people about to access it.
Cameras installed in the vicinity of or around a building must be configured so as not to capture the public thoroughfare, nor the surroundings, entrances, accesses and interiors of other neighboring buildings possibly falling within their field of vision. Depending on the configuration of the premises, it is sometimes impossible to install a camera that would not include in its field of vision part of the public road, surroundings, entrances, accesses and interiors of other buildings. In such a case, the CNPD considers that the controller must implement masking or blurring techniques in order to limit the field of vision to its property. [19]

22. In view of the foregoing, the Restricted Formation agrees with the findings of the head of investigation [20] according to which the non-compliance with Article 5.1.c) of the GDPR was established at the time of the site visit by CNPD agents.

B. On the breach linked to the principle of limitation of retention

1. On the principles

23. In accordance with Article 5.1.e) of the GDPR, personal data must be kept "in a form permitting the identification of the persons concerned for a period not exceeding that necessary with regard to the purposes for which they are processed […]".

[19] Cf. CNPD guidelines (Point 4.), available at: https://cnpd.public.lu/fr/dossiers-thematic/videosurveillance/necessity-proportionality.html.
[20] Communication of grievances, Ad. A.1. and Ad. A.2.

24. According to recital (39) of the GDPR "personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the duration of data retention is limited to the strict minimum.
Personal data should only be processed if the purpose of the processing cannot be reasonably achieved by other means. In order to ensure that the data is not kept longer than necessary, time limits should be set by the controller for their erasure or for periodic review […].".

2. In this case

25. As for the administrative headquarters of [S1], it was explained to CNPD agents during the on-site investigation that the video surveillance system is managed by Company B as a subcontractor on behalf of the controlled, which is to be considered as data controller. [21] It was confirmed that the purposes of setting up the video surveillance system are the protection of company assets and securing access. [22]

26. With regard to the retention period of the images recorded by the CCTV cameras, it emerges from the findings of CNPD agents that the oldest data dated from June 28, 2019, i.e. the data retention period was three months. [23]

27. According to the head of investigation, the said three-month retention period for video surveillance images exceeded that necessary to achieve the aforementioned purposes for which the video surveillance system had been put in place. For this reason, the head of investigation was of the opinion that a non-compliance with the requirements of Article 5.1.e) of the GDPR was established on the day of the on-site visit (see statement of objections, Ad. A.3.). Therefore, he proposed to the Restricted Formation to order the controlled to implement a retention period policy for personal data in accordance with Article 5.1.e) of the GDPR, in particular by not keeping the images of the video stream for a duration exceeding one week. [24]

[21] Cf. finding 7 of report no. […] relating to the on-site visit carried out on September 27, 2019 with Company A.
[22] Cf. finding 8 of report no. […] relating to the on-site visit carried out on September 27, 2019 with Company A.
[23] See finding 12 of report no. […] relating to the on-site fact-finding mission carried out on September 27, 2019 with Company A.

28. By letter of February 28, 2020, the controlled specified that after verification with its subcontractor, the latter had found a programming error in the video surveillance system as the source of the problem with the erasure of recordings. The controlled confirmed that its subcontractor had, consequently, reprogrammed the retention period to a maximum of 30 days and that recordings 30 days old will henceforth be automatically deleted. [25]

29. By letter of 25 August 2020, the controlled explained that the ABCD group had set the retention period for video recordings for all its entities at 30 days in order to protect people and property from any incident that would cause damage, but also to preserve the evidence necessary for legal action. In addition, the controlled indicated that the reporting of offenses required a certain time and that the timeframe for opening an investigation was well over one week in the majority of cases. In addition, in the context of the legitimate interest of the ABCD group in protecting its property, acts of vandalism were not always detected immediately, but during […] or a periodic building inspection. Thus, a period of one week did not allow the controlled to gather the evidence essential for a claim for compensation. The controlled also considered that, in practice, the access procedures put in place ensured that the recordings would not be used for purposes other than those declared, so that a retention period of 30 days was a period necessary to fulfill the aforementioned purposes.

30.
During the hearing of the Restricted Formation of November 27, 2020, the head of investigation explained once again that the one-week retention period related only to the administrative headquarters of [S1], where the offices of the controlled are located, because he considered that for the offices of the controlled a retention period of 30 days would not be justified, unlike the sites […]. The controlled reiterated the remarks contained in its letter of August 25, 2020, insisting that a one-week retention period for images from CCTV cameras would not be sufficient, but that a retention period of 30 days would be more realistic, especially as regards security issues.

[24] Cf. letter supplementing the statement of objections.
[25] See also the photo of the programming extract sent by mail by the controlled on February 28, 2020.

31. The Restricted Formation recalls that it is for the controller to determine, depending on each specific purpose, a retention period appropriate and necessary in order to achieve said purpose. As mentioned above, the controlled believes that a 30-day retention period is necessary in order to achieve the purposes pursued, that is to say to protect the assets of the controlled and secure access to its premises.

32. With regard to video surveillance, the CNPD considers that the images can be kept in principle for up to 8 days by virtue of the aforementioned principle of Article 5.1.e) of the GDPR. The data controller may exceptionally, for duly justified reasons, keep the images for a period of 30 days. A retention period greater than 30 days is generally considered to be disproportionate. [26]

33.
In the event of an incident or violation, the Restricted Formation is of the opinion that the images may be kept beyond this period and, if necessary, be communicated to the competent judicial authorities and to the law enforcement authorities competent to ascertain or prosecute criminal offenses.

34. While the Restricted Formation can understand the need for the controlled to keep the images from video surveillance for 30 days, it notes however that, during the on-site visit by CNPD agents, the retention period was three months, which largely exceeded the time necessary to achieve the purposes pursued.

35. Based on all of these elements, the Restricted Formation concludes that at the time of the site visit by CNPD agents, Article 5.1.e) of the GDPR was not respected by the controlled.

[26] Cf. CNPD guidelines (Point 4.7.), available at: https://cnpd.public.lu/fr/dossiers-thematic/videosurveillance/necessity-proportionality.html.

II.2. On corrective measures and fines

1. The principles

36.
In accordance with article 12 of the law of August 1, 2018, the CNPD has the power to adopt all the corrective measures provided for in Article 58.2 of the GDPR:

"a) notify a controller or processor that the processing operations envisaged are likely to violate the provisions of this Regulation;
b) call to order a controller or a processor when the processing operations have resulted in a violation of the provisions of this Regulation;
c) order the controller or processor to comply with the requests presented by the data subject in order to exercise their rights under this Regulation;
d) order the controller or processor to bring the processing operations into compliance with the provisions of this Regulation, where applicable, in a specific manner and within a specific timeframe;
e) order the controller to communicate a personal data breach to the data subject;
f) impose a temporary or permanent restriction, including a ban, on processing;
g) order the rectification or erasure of personal data or the restriction of processing in application of Articles 16, 17 and 18 and the notification of these measures to the recipients to whom the personal data have been disclosed in accordance with Article 17, paragraph 2, and Article 19;
h) withdraw a certification or order the certification body to withdraw a certification issued in application of Articles 42 and 43, or order the certification body not to issue certification if the requirements for certification are not or no longer satisfied;
i) impose an administrative fine in application of Article 83, in addition to or in place of the measures referred to in this paragraph, depending on the characteristics specific to each case;
j) order the suspension of data flows addressed to a recipient located in a third country or to an international organization."

37. In accordance with article 48 of the law of August 1, 2018, the CNPD may impose administrative fines as provided for in Article 83 of the GDPR, except against the State or municipalities.

38. Article 83 of the GDPR provides that each supervisory authority ensures that the administrative fines imposed are, in each case, effective, proportionate and dissuasive, before specifying the elements that must be taken into account in deciding whether to impose an administrative fine and in deciding on the amount of this fine:

"a) the nature, gravity and duration of the breach, taking into account the nature, scope or purpose of the processing concerned, as well as the number of data subjects affected and the level of damage they suffered;
b) whether the violation was committed willfully or negligently;
c) any measures taken by the controller or processor to mitigate the damage suffered by the persons concerned;
d) the degree of responsibility of the controller or processor, taking into account the technical and organizational measures they have implemented under Articles 25 and 32;
e) any relevant breach previously committed by the controller or the processor;
f) the degree of cooperation established with the supervisory authority in order to remedy the violation and mitigate any negative effects;
g) the categories of personal data affected by the breach;
h) the manner in which the supervisory authority became aware of the breach, in particular whether, and to what extent, the controller or processor has notified the breach;
i) where measures referred to in Article 58 (2) have previously been ordered against the controller or the processor concerned for the same object, compliance with these measures;
j) the application of codes of conduct approved in accordance with Article 40 or certification mechanisms approved under Article 42; and
k) any other aggravating or mitigating circumstance applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, as a result of the violation".

39. The Restricted Formation would like to point out that the facts taken into account in the framework of this decision are those noted at the start of the investigation. Any subsequent changes relating to the data processing under investigation, even if they make it possible to fully or partially establish compliance, do not retroactively cancel a breach found.

40. Nevertheless, the steps taken by the controlled to come into compliance with the GDPR during the investigation process or to remedy the shortcomings identified by the head of investigation in the statement of objections are taken into account by the Restricted Formation in the context of any corrective measures to be pronounced.

2. In this case

2.1. As for the imposition of an administrative fine

41. In his additional letter to the statement of objections of 10 August 2020, the head of investigation proposed to the Restricted Formation to impose on the controlled an administrative fine in the amount of 1,900 euros.

42.
In its response to the additional letter of August 10, 2020, the controlled claimed in particular that it had promptly taken all the corrective measures recommended, subject to the 30-day retention period, and that it did not understand why it would be liable to an administrative fine.

43. In order to decide whether to impose an administrative fine and to decide, if applicable, the amount of this fine, the Restricted Formation takes into account the elements provided for in Article 83.2 of the GDPR:

- As to the nature and seriousness of the violation (Article 83.2.a) of the GDPR), the Restricted Formation notes that the breaches of Articles 5.1.c) and e) of the GDPR constitute breaches of the fundamental principles of the GDPR (and of data protection law in general), namely the principles of data minimization and of limitation of retention enshrined in Chapter II "Principles" of the GDPR.

- As for the duration criterion (Article 83.2.a) of the GDPR), the Restricted Formation notes that these shortcomings have lasted over time, at least since May 25, 2018 and until the day of the on-site visit. The Restricted Formation recalls here that two years separated the entry into force of the GDPR from its entry into application to allow data controllers to comply with the obligations incumbent on them, even if the obligations to respect the principles of minimization and limitation of retention already existed in application of Articles 4.1. b) and d) of the repealed law of 2 August 2002 on the protection of individuals with regard to the processing of personal data.
- As for the number of data subjects (Article 83.2.a) of the GDPR), the Restricted Formation notes that
  o with regard to the breach of Article 5.1.c) of the GDPR in relation to the sites of [S3] and [S4], those concerned are, on the one hand, passers-by using public roads and, on the other hand, the owners of neighboring land;
  o with regard to the breach of Article 5.1.e) of the GDPR in relation to the administrative headquarters of [S1], those concerned are all employees working at the administrative headquarters, as well as all third parties, that is to say customers, suppliers, service providers and visitors visiting said site.

- As to the question of whether the breaches were committed deliberately or not (by negligence) (Article 83.2.b) of the GDPR), the Restricted Formation recalls that "not deliberately" means that there was no intention to commit the violation, although the controller or processor has not complied with its duty of care under the law. In this case, the Restricted Formation is of the opinion that the facts and the breaches observed do not reflect a deliberate intention to violate the GDPR on the part of the controlled.

- As for the degree of cooperation established with the supervisory authority (Article 83.2.f) of the GDPR), the Restricted Formation takes into account the statement of the head of investigation that the cooperation of the controlled throughout the investigation was good, as was its desire to comply with the law as soon as possible.

44. The Restricted Formation notes that the other criteria of Article 83.2 of the GDPR are neither relevant nor likely to influence its decision on the imposition of an administrative fine and its amount.

45.
The Restricted Panel also notes that while several measures have been put in place by the controlled party in order to remedy certain breaches in whole or in part, these were only adopted following the inspection by CNPD agents on September 27, 2019.

46. Therefore, the Restricted Panel considers that the imposition of an administrative fine is justified with regard to the criteria set out in Article 83.2 of the GDPR for breaches of Articles 5.1.c) and e) of the GDPR.

47. Regarding the amount of the administrative fine, the Restricted Panel recalls that paragraph 3 of Article 83 of the GDPR provides that in the event of multiple violations, as is the case here, the total amount of the fine may not exceed the amount set for the most serious violation. Insofar as a breach of Article 5 of the GDPR is attributed to the controlled party, the maximum amount of the fine that may be imposed is 20 million euros or 4% of global annual turnover, the higher amount being retained.

48. In view of the relevant criteria of Article 83.2 of the GDPR mentioned above, the Restricted Panel considers that the imposition of a fine of 1,900 euros appears effective, proportionate and dissuasive, in accordance with the requirements of Article 83.1 of the GDPR.

2.2. Regarding the taking of corrective measures

49.
The adoption of the following corrective measures was proposed by the head of investigation to the Restricted Panel in his additional letter to the statement of objections:

"a) Order the controller to process only data that are relevant, adequate and limited to what is necessary for the purposes of protecting property and securing access and, in particular, to adapt the video device so as not to film the public road, for example by partially "blackening" the cameras named "[…]", "[…]", "[…]" and "[…]" installed on the site of [S3] and the camera named "[…]" installed on the site of [S4].

b) Order the controller to implement a retention period policy for personal data in accordance with the provisions of e) of Article 5 of the GDPR, not exceeding the time necessary for the purposes for which they are collected, and in particular by not keeping the images of the video stream for a period exceeding one week."

50. The Restricted Panel takes into account the steps taken by the controlled party, following the visit of CNPD agents, in order to comply with Articles 5.1.c) and e) of the GDPR, as detailed in its letters of February 28, 2020 and of August 25, 2020. More particularly, it takes note of the following facts, which were confirmed by the controlled party during the Restricted Panel session on November 27, 2020:

- As for the obligation to process only data that are relevant, adequate and limited to what is necessary for the purposes indicated, in accordance with the provisions of Article 5.1.c) of the GDPR, the controlled party has adapted the video surveillance system so that the public road and neighboring land are no longer filmed, in particular by blurring the parts showing the public road and the neighboring land.
The appendices to the controlled party's letter of February 28, 2020 contain photos showing the blurring of the areas in question.

- As for the implementation of a retention period policy for personal data in accordance with the provisions of Article 5.1.e) of the GDPR, the controlled party adapted, after the on-site visit by CNPD agents, the retention period for data from the video surveillance system from 3 months to 30 days. The annexes to the controlled party's letter of February 28, 2020 contain a photo showing that the parameters of the video surveillance system have been amended so that the retention period is limited to 30 days.

51. In consideration of the compliance measures taken by the controlled party in this case, the Restricted Panel considers that there is no need to order corrective measures against it.

In view of the foregoing developments, the National Commission sitting in restricted formation and deliberating unanimously decides:

- to impose on the company "Company A" an administrative fine in the amount of one thousand nine hundred euros (1,900 euros), with regard to the violation of Articles 5.1.c) and e) of the GDPR.

So decided in Belvaux on May 12, 2021.

For the National Commission for Data Protection sitting in restricted formation:

Tine A. Larsen, President
Thierry Lallemang, Commissioner
Marc Lemmer, Commissioner

Indication of remedies

This administrative decision may be the subject of an appeal for reformation within three months of its notification. This appeal is to be brought before the administrative court and must be lodged through a lawyer at the Court of one of the Bar Associations.