CNPD (Luxembourg) - Délibération n° 11FR/2021
CNPD (Luxembourg) - Délibération n° 11FR/2021 | |
---|---|
Authority: | CNPD (Luxembourg) |
Jurisdiction: | Luxembourg |
Relevant Law: | Article 5(1)(e) GDPR Article 13 GDPR Article 32(1) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 08.04.2021 |
Published: | 07.06.2021 |
Fine: | 2800 EUR |
Parties: | n/a |
National Case Number/Name: | Délibération n° 11FR/2021 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | French |
Original Source: | CNPD (in FR) |
Initial Contributor: | n/a |
The Luxembourg DPA fined a controller €2800 for processing geolocation data from their fleet of company vehicles without an adequate retention period and without providing all the necessary information to their employees.
English Summary
Facts
The Luxembourg DPA (CNPD) launched an investigation on a company that was using a geolocation system in their fleet of vehicles. Such vehicles were used by their employees for home to office transport and to travel with clients.
According to the controller, the geolocation purposes were geographic identification, protection of company assets, tracking of transported goods, optimal fleet management, optimisation of the work process, responding to customer complaints, proof of service customer complaints, the provision of proof of services, invoicing of services,and the monitoring of the working time of employees on the move.
The DPA also found that the geolocation data had been stored for a period of 2 years and 4 months.
Holding
According to the CNPD, the retention period exceeded what was necessary for the purposes of the processing. Because of this, the CNPD considered that the controller had violated Article 5(1)(e) GDPR.
The DPA also noted that the storage period should not only be adequate in sight of the purposes of the processing, but should also be individualised per each purpose.
The authority also found that the controller had not properly informed their employees about the processing of geolocation data. The only information provided to the employees consisted on a sticker on the vehicles and a plastic sheet attached to the vehicle documentation. There was also not enough information about the system on their privacy note.
The CNPD therefore considered that the controller had infringed Article 13.
For these violations, the DPA fined the controller €2800, and ordered them to implement a policy for providing the necessary information to the employees, as well as to implement adequate retention periods. Additionally, the DPA ordered the controller to implement, in accordance with Article 32(1) GDPR, access measures to the geolocation data, with a system that allows the data subject to authenticate themselves in order to access it.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
Decision of the National Commission sitting in restricted formation on the outcome of survey No. [...] conducted with "Company A" Deliberation n ° 11FR / 2021 of April 8, 2021 The National Commission for Data Protection sitting in a restricted body composed of Ms Tine A. Larsen, president, and Messrs Thierry Lallemang and Marc Lemmer, commissioners; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the protection of individuals with regard to the processing of personal data personal character and on the free movement of such data, and repealing the Directive 95/46 / EC; Having regard to the law of 1 August 2018 on the organization of the National Commission for data protection and the general data protection regime, in particular its article 41; Having regard to the internal regulations of the National Commission for the Protection of data adopted by decision n ° 3AD / 2020 dated 22 January 2020, in particular its article 10 point 2; Having regard to the regulation of the National Commission for Data Protection relating to investigation procedure adopted by decision n ° 4AD / 2020 dated 22 January 2020, in particular Article 9; Considering the following: _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° [...] conducted with "Company A" 1 / 26I. Facts and procedure During its deliberation session of February 14, 2019, the National Commission for data protection sitting in plenary session (hereinafter: "Plenary session ") Had decided to open an investigation with the ABC group on the basis of Article 37 of the Law of 1 August 2018 on the organization of the National Commission for the Protection data and the general data protection regime (hereinafter "Law of 1 August 2018 ") and to appoint Mr. Christophe Buschmann as head of the investigation. According to the decision of the Plenary Panel, the investigation carried out by the National Commission for Data Protection (hereafter: "CNPD") had as purpose of verifying compliance with the provisions of the regulation on the protection of natural persons with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46 / EC (hereinafter "GDPR") and the law of August 1, 2018, in particular through the establishment of video surveillance and geolocation, where applicable, installed by the three companies of the ABC group. On February 20, 2019, CNPD agents visited the ABC group premises. Since the report no. […] Relating to the said mission on-site investigation only mentions that, among the three ABC group companies, as 2 responsible for the controlled processing company "Company A", the decision of the Commission national body for data protection sitting in a restricted group on the outcome of the investigation (hereinafter: "Restricted Training") will be limited to controlled treatments by CNPD agents and carried out by the company "Company A". "Company A" is a […] registered in the Trade and Companies Register of Luxembourg under number […], with registered office at L- […] (hereinafter “the controlled”). The 1 And more specifically with companies: Company A, registered in the Trade and Luxembourg companies under number […], with registered office at L- […]; Company B, registered at Luxembourg Trade and Companies Register under number […], with registered office at L- […] And Company C, registered in the Luxembourg Trade and Companies Register under number […], With registered office at L- […]. 2 See in particular report no. […] Relating to the on-site fact-finding mission carried out to date of February 20, 2019 with the company Company A. _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° [...] conducted with "Company A" 2 / 26contrôlé's activity is to provide consultancy, installation and 3 maintenance in technology […]. During the aforementioned visit of February 20, 2019 by CNPD agents in the controlled premises, Mr X, Director of Human Resources for the controlled, confirmed to CNPD officers that a geolocation device is installed in a part of the vehicles in the controlled fleet, but that the latter does not use 4 a video surveillance system. According to the explanations provided to the CNPD agents, the persons concerned by geolocation are employees of the company who use the vehicles for their travel to customers and on their business trip between their home and head office social control. Mr. X also confirmed to the CNPD agents that each vehicle is assigned to a specific employee and that part of the vehicles that can be used by employees for private purposes is not equipped with a 5 geolocation. At the end of his investigation, the head of investigation notified the inspectorate on 9 August 2019 a statement of objections detailing the shortcomings he considered constituted in this case, and more specifically a non-compliance with the prescribed requirements by Article 13 of the GDPR with regard to employees, a non-compliance with measures prescribed by Article 32.1 of the GDPR, as well as non-compliance with the requirements prescribed by Article 5.1.e) of the GDPR. The request for a meeting by the controlled of August 13, 2019 was accepted by the chief of inquiry and the meeting was held on August 20, 2019. 6 3 According to the information provided on its own website: […]. 4See report no. […] Relating to the on-site fact-finding mission carried out on February 20 2019 from Company A; see also the email from Company A of March 1, 2019 and the letter of March 29, 2019. 5See finding 1 of report no. […] Relating to the on-site fact-finding mission carried out to date of February 20, 2019 with the company Company A. 6 See the report of the meeting of August 20, 2019 with the company Société A. _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° [...] conducted with "Company A" 3/26 On October 7, 2019, the inspected produced written observations on the statement of objections. A letter additional to the statement of objections was sent to the inspectorate dated August 17, 2020. In this letter, the head of the investigation proposed to the Formation Restricted from taking three different corrective measures, as well as inflicting the controlled an administrative fine in the amount of EUR 4,000. By letter of September 24, 2020, the inspected produced written observations on the additional letter to the statement of objections. The president of the Restricted Training informed the control by letter of 9 October 2020 that his case would be registered for the Restricted Training session of 17 November 2020. The inspected confirmed their presence at the said meeting on October 20 2020. During the Restricted Training session on November 17, 2020, the chef investigation and the inspector reiterated their written observations orally and responded to questions asked by the Restricted Training. The controlled had the floor last. II. Place II. 1. As to the grounds for the decision A. On the breach linked to the principle of limitation of retention 1. On the principles In accordance with Article 5.1.e) of the GDPR, personal data must be kept "in a form permitting the identification of persons concerned for a period not exceeding that necessary for the purposes for which they are processed […] ”. _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° [...] conducted with "Company A" 4/26 According to recital (39) of the GDPR "personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, to ensure that the duration of data retention is limited to the strict minimum. Personal data personnel should only be processed if the purpose of the processing cannot be reasonably achieved by other means. In order to ensure that the data is not not kept longer than necessary, time limits should be set by the controller for their erasure or for periodic review […]. " 2. In this case During the on-site investigation, it was explained to CNPD officials that the purposes of geolocation are as follows: "geographical identification, protection of company assets, monitoring of transported goods, optimal fleet management, optimizing the work process, providing responses to complaints from customers, the provision of proof of services, invoicing of services as well as the monitoring of the working time of employees on the move ”. 7 Regarding the retention period of data from the geolocation, it appears from the findings of CNPD agents that the oldest data dated October 14, 2016, i.e. the retention period of 8 data was 2 years and 4 months. According to the head of the investigation, the said retention period for geolocation of 2 years and 4 months exceeded that which was necessary for the realization of the aforementioned purposes and for which the geolocation system had been implemented square. For this reason, he was of the opinion that a non-compliance with the requirements of Article 5.1.e) of the GDPR is to be retained (see statement of objections, Ad.A.3). 7See finding 5 of report no. […] Relating to the on-site fact-finding mission carried out to date of February 20, 2019 with the company Company A. 8See finding 4 of report no. […] Relating to the on-site fact-finding mission carried out to date of February 20, 2019 with the company Company A. _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° [...] conducted with "Company A" 5/26 By letter of March 29, 2019, the inspected for his part reiterated the comments contained in his email of March 1, 2019, specifying that the retention period data from the “[…]” geolocation system had been adapted to 12 months, limit that was already in place for the "historical" component but not yet for the "General reports". 9 During the hearing of the Restricted Training on November 17, 2020, the inspector clarified that the retention period of 12 months was justified, among other things, by the fact that location data is used for billing customers for services carried out by its employees. Restricted Training reminds that it is the responsibility of the data controller determine, depending on each specific purpose, a retention period appropriate and necessary in order to achieve said purpose. Thus, as the system of geolocation set up by the controlled pursues several purposes, the durations of conservation are to be individualized for each specific purpose. The Restricted Training considers that the control should in particular have differentiated between the retention period of location data for the purpose of geographical identification, monitoring of goods transported and optimal management of its fleet, on the one hand, and the data relating to the working time of employees having precisely the purpose of monitoring the working time of employees on the move, on the other hand. As mentioned above, during the hearing of the Restricted Panel, the inspector has by elsewhere specified that the geolocation data is also intended for invoicing to customers of services provided by its employees. As a result, the Restricted Formation believes that an appropriate retention period should have been determined in order to achieve said purpose. With regard to the geolocation of employee vehicles, the Training Restricted considers that the personal data obtained by the geolocation can in principle only be kept for a period maximum of two months under the aforementioned principle of Article 5.1.e) of the GDPR. 9 Regarding the different functionalities of “[…]”, see the explanations of the inspected in his letter of October 7, 2019. _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° [...] conducted with "Company A" However, it considers that if the said data is used by the person in charge of the processing for the purposes of proof for invoicing the services provided for its customers, the data necessary for such invoicing may be kept for a duration of one year, provided that it is not possible to provide proof of benefits by other means. 10 In the event that the geolocation device is installed for the purpose of verifying the working time (when this is the only possible means), the Restricted Training considers that the personal data obtained by geolocation which allows to check the working time can nevertheless be kept for a period of time maximum of three years in accordance with the limitation period set out in Article 2277 paragraph 1st of the Civil Code in matters of action for the payment of employee compensation. In the event of an incident, the Restricted Training is of the opinion that the data may however, be kept beyond the pre-mentioned deadlines within the framework of the transmission of data to the competent judicial authorities and authorities law enforcement agencies competent to ascertain or prosecute criminal offenses. It also wishes to point out that the data obtained by geolocation may also be kept beyond the aforementioned periods, if these have previously made anonymous, that is to say that it is no longer possible to make a link - direct or indirect - between these data and a specific employee. In its former authorization no. […], On which the inspected, among others, is based to justify that employees were already informed of the implementation of the geolocation, the CNPD had already imposed as a condition that the data of geolocation could not be kept beyond two months, respectively three years for data relating to working time. Based on all of these elements, the Restricted Training concludes that Article 5.1.e) of the GDPR was not complied with by the inspectorate. 10See in this context the article of the National Commission for Computing and Liberties (CNIL): “The geolocation of employee vehicles”, available at: https://www.cnil.fr/fr/la- geolocation-of-employee-vehicles. " _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° [...] conducted with "Company A" 7 / 26B. On the breach related to the obligation to inform the persons concerned 1. On the principles Pursuant to paragraph 1 of Article 12 of the GDPR, the "controller take appropriate measures to provide any information referred to in Articles 13 and 14 as well as to make any communication under Articles 15 to 22 and Article 34 with regard to the processing to the data subject in a concise manner, transparent, understandable and easily accessible, in clear and simple terms […]. " Article 13 of the GDPR provides the following: "1. When personal data relating to a data subject are collected from this person, the controller provides them, at the time where the data in question is obtained, all of the following information: a) the identity and contact details of the controller and, where applicable, of the representative of the controller; b) where applicable, the contact details of the data protection officer; c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing; d) where the processing is based on Article 6 (1) (f), the legitimate interests pursued by the controller or by a third party; e) the recipients or the categories of recipients of the personal data, if they exist; and f) where applicable, the fact that the controller intends to carry out a transfer of personal data to a third country or to an organization _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° [...] conducted with "Company A" 8/26 international, and the existence or absence of an adequacy decision issued by the Commission or, in the case of transfers referred to in Article 46 or 47, or in Article 49, paragraph 1, second subparagraph, the reference to appropriate or adapted guarantees and the how to obtain a copy or where it was made available; 2. In addition to the information referred to in paragraph 1, the controller shall provide to the data subject, when the personal data are obtained, the following additional information which is necessary to guarantee fair and transparent treatment: a) the retention period of personal data or, when this is not possible, the criteria used to determine this duration; b) the existence of the right to request from the controller access to data at personal character, rectification or erasure thereof, or a limitation of the processing relating to the data subject, or the right to object to the processing and right to data portability; c) where the processing is based on Article 6 (1) (a) or on Article 9, paragraph 2 (a), the existence of the right to withdraw consent at any time, without affecting the lawfulness of the processing based on consent made before the withdrawal of it; d) the right to lodge a complaint with a supervisory authority; e) information on whether the requirement to provide data to personal character has a regulatory or contractual character or if it conditions the conclusion of a contract and whether the data subject is obliged to provide the data to personal character, as well as the possible consequences of the non-provision of those data; f) the existence of automated decision-making, including profiling, referred to in Article 22, paragraphs 1 and 4, and, at least in such cases, useful information concerning the _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° [...] conducted with "Company A" Underlying logic, as well as the significance and expected consequences of this processing for the person concerned. 3. When he intends to carry out further processing of personal data personal for a purpose other than that for which the personal data have been collected, the data controller provides the person with concerned information about this other purpose and any other information relevant referred to in paragraph 2. 4. Paragraphs 1, 2 and 3 do not apply when and to the extent that the person concerned already has this information. " Communication to data subjects of information relating to the processing of their data is an essential element in the context of compliance with obligations general transparency within the meaning of the GDPR. 11 These obligations have been explained by the Article 29 Working Group in its guidelines on transparency in the sense of Regulation (EU) 2016/679, the revised version of which was adopted on April 11, 2018 (here- after: "WP 260 rev.01"). Note that the European Data Protection Board (hereafter: "EDPS »), Which replaced the Article 29 Working Group on May 25, 2018, took over and re-approved the documents adopted by the said Group between May 25, 2016 and May 25 2018, as precisely the aforementioned guidelines on transparency. 12 2. In this case According to the head of the investigation, the employees of the inspected were not validly informed on the precise elements of articles 13.1 and 2 of the GDPR (see statement of objections, page 2, Ad.A.1.). 11See in particular articles 5,1, a) and 12 of the GDPR, see also recital (39) of the GDPR. 12 See EDPS Endorsement 1/2018 decision of 25 May 2018, available at: https://edpb.europa.eu/sites/edpb/files/files/news/endorsement_of_wp29_documents_en_0.pdf. _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° [...] conducted with "Company A" 10/26 By letter of March 29, 2019, the inspected for his part reiterated the comments contained in his email of March 1, 2019, specifying that already before the visit on CNPD site, a plastic sheet was added to the vehicle documents equipped with a geolocation system specifying that the vehicle is equipped with such system, on the one hand, and that said vehicles had a label on the rear door informing the driver of the presence of said system, on the other hand. The inspected attached to the aforementioned letter of March 29, 2019 a declaration from the staff delegation dated March 27, 2019 and certifying that it was informed of the implementation of a geolocation system in certain vehicles of the ABC group. By letter of October 7, 2019, the inspector also sent the head of the investigation a copy of the information note intended for all staff on the geolocation and which has been displayed since October 4, 2019 on the controlled site, as well than a photo of its display. Finally, in his letter of September 24, 2020, the inspected added that in [...], a geolocation authorization had been issued by the CNPD and that already at that time, the employees had been informed of the implementation of the geolocation, in particular via staff delegation. The controlled specified having asked the ABC group staff delegations to certify that the information to the staff was actually given in 2009. The Restricted Training first of all wishes to point out that Article 13 of the GDPR makes reference to the obligation imposed on the controller to "provide" all the information mentioned therein. The word "provide" is crucial here and it "means that the controller must take concrete measures to provide the information in question to the data subject or to actively direct the person concerned to the location of said information (for example by means of a link direct, a QR code, etc.). ”(WP260 rev. 01. paragraph 33). 13See deliberation no. […]. _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° [...] conducted with "Company A" 11/26 The declaration of the staff delegations of Company A and Company B of the March 27, 2019 certifies in this context that they were informed of the establishment of a geolocation system in certain vehicles of the ABC group, while the joint statement of September 14, 2020 from said delegations indicates that they were "Duly informed by the controller of the establishment of a geolocation in company vehicles. It should be noted that the delegations of staff have been informed of this since it was set up in 2009. […]. " Nevertheless, the Restricted Training considers that a simple declaration, respectively a certificate by the delegation of inspected personnel indicating that they have been informed of the presence of the geolocation device does not ensure that employees of the company have been validly informed in accordance with Articles 13.1 and 2 of the GDPR, Especially since the said documents are dated after the on-site visit by the agents of the CNPD. Moreover, as mentioned above, the inspected indicates in its position paper of 24 September 2020 that, as he had an authorization from the CNPD of [...], the employees had already been informed at that time of the implementation of the geolocation, in particular via staff delegation. The only possible derogation from the information obligations referred to in Article 13 of GDPR of a controller is in effect "when and to the extent that the 14 data subject already has this information ”. The principle of responsibility however requires controllers to demonstrate (by documenting) what information was already in the possession of the data subject, how and when it has received them and no changes have been made to this information likely to make them obsolete. 15 The Restricted Training however notes that no documentation submitted by the control does not contain proof that the information of employees has in fact taken place 14According to article 13.4 of the GDPR. 15 See WP260 rev. 01, paragraph 56. _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° [...] conducted with "Company A" 12/26 in 2009, at least in relation to the requirements provided for by the legislation in force in the time .6 Then, the Restricted Training would like to note that there is in the GDPR a "Inherent conflict between, on the one hand, the requirement to communicate to the persons concerned the complete information that is required under the GDPR and, on the other hand, the requirement to do so in a concise, transparent, understandable and easily accessible manner. " (WP260 rev. 01, para. 34) Prioritize the information to be provided to individuals concerned and determine what levels of detail and methods are appropriate for the communication of information is not always easy. It is for this reason that a multi-level approach to communicating information on transparency to data subjects can be used in a offline or non-digital context, that is to say in a real environment such as for example personal data processed by means of a geolocation. The first level of information should generally include the most important information, namely details of the purpose of processing, identity of the controller and the existence of the rights of the data subjects, as well that the information having the greatest impact on the treatment or any treatment likely to surprise those concerned. The second level of information, That is to say the other information required under Article 13 of the GDPR, could be provided later and by other means, such as a copy 17 of the privacy policy sent by e-mail. Finally, the joint attestation of the delegations of company personnel Company A and Company B of September 14, 2020 indicates that said delegations have to were again informed during the publication of the information note on the geolocation intended for all staff as of October 4, 2019. Exhibit appended to the audit observations of September 24, 2020 contains the said note information and a photo of its display. 16 In accordance with article 26 of the repealed law of 2 August 2002 on the protection of people with regard to the processing of personal data. 17 See WP260 rev. 01 (point 38). _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° [...] conducted with "Company A" 13/26 The Restricted Training nonetheless notes that the plastic sheet added to the vehicle documents indicating only that the vehicle "is equipped with a geolocation ", as well as the label affixed to the rear door of the vehicle mentioning "Monitored by GPS with […]" do not even meet the requirements of the mandatory content of the first level of information. In addition, the control failed to its obligation to put in place a confidentiality policy which contains all information required in accordance with Articles 13.1 and 13.2 of the GDPR. In view of the above, the Restricted Training concludes that Article 13 of the GDPR was not respected by the controlled. C. The breach linked to the obligation to guarantee appropriate safety 1. On the principles Under Article 32.1 of the GDPR and "given the state of knowledge, implementation costs and the nature, scope, context and purposes of the treatment as well as risks, which vary in likelihood and severity, for rights and freedoms of natural persons, the controller and the processor implement the appropriate technical and organizational measures in order to guarantee a level of security adapted to the risk including, among other things, according to the needs: a) pseudonymization and encryption of personal data; b) the means to guarantee the confidentiality, integrity, availability and continued resilience of treatment systems and services; c) the means to restore the availability of personal data and access to them within an appropriate timeframe in the event of a physical or technical incident; d) a procedure for regularly testing, analyzing and evaluating the effectiveness of technical and organizational measures to ensure the security of the processing. " 18Y is also a link to the website of the developer of said software…. _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° [...] conducted with "Company A" 14/262. In this case The head of the investigation examined the security aspect of data access appearing in the geolocation system. As access to the operating software of the geolocation device was only secured by means of identification unique, i.e. a unique username and password, which is used by all persons authorized to access the software, it held against the controlled non-compliance with the measures prescribed by Article 32.1 of the GDPR (see statement of objections, Ad.A.2). The inspected defends himself based on his written observations of October 7, 2019 relating to the email he sent in this context on August 21, 2019 to the person who manages access to user accounts of the geolocation system. In said letter, the inspected asks the person who manages access to the accounts users to create custom logins and passwords for 19 people who have access to "[...]" and to delete existing logins, on the one hand, and on ensure that passwords are regularly updated and not shared with third parties, on the other hand. In addition, it is specified that the "perimeter to which they have access remains unchanged (so only the vans of the service for which these people working) ". The Restricted Training noted that on the day of the visit by CNPD agents in the premises of the controlled, the policies of access to the geolocation software do not did not meet the minimum necessary security requirements, i.e. have individual accounts in place by means of a username and password for people authorized to access it as part of the performance of their missions. In view of the above, the Restricted Training concludes that Article 32.1 of the GDPR was not respected by the controlled. 19This is the name of the geolocation software developed by […]. _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° [...] conducted with "Company A" 15/26 II. 2. On corrective measures and fines 1. The principles In accordance with article 12 of the law of August 1, 2018, the CNPD has the power to adopt all the corrective measures provided for in Article 58.2 of the GDPR: "(A) notify a controller or processor that data processing operations treatment envisaged are likely to violate the provisions of these regulations; b) call to order a controller or a processor when the processing operations have resulted in a violation of the provisions of this Regulation ; c) order the controller or processor to comply with the requests presented by the data subject in order to exercise their rights under the this regulation; d) order the controller or processor to put the data processing operations processing in accordance with the provisions of this Regulation, where applicable, of in a specific way and within a specific timeframe; e) order the controller to communicate to the data subject a personal data breach; f) impose a temporary or permanent restriction, including a ban, of processing; g) order the rectification or erasure of personal data or the restriction of processing in application of Articles 16, 17 and 18 and the notification of these measures to the recipients to whom the personal data have been disclosed in accordance with Article 17, paragraph 2, and Article 19; h) withdraw a certification or order the certification body to withdraw a certification issued in application of Articles 42 and 43, or order the _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° [...] conducted with "Company A" 16/26 certification not to issue certification if the requirements applicable to the certification are not or no longer satisfied; i) impose an administrative fine in application of Article 83, in addition to or the place of the measures referred to in this paragraph, depending on the characteristics specific to each case; j) order the suspension of data flows addressed to a recipient located in a third country or to an international organization. " er In accordance with article 48 of the law of August 1, 2018, the CNPD may additionally impose administrative fines as provided for in Article 83 of the GDPR, except against state or municipalities. Article 83 of the GDPR provides that each supervisory authority ensures that administrative fines imposed are, in each case, effective, proportionate and dissuasive, before specifying the elements that must be taken into account in deciding whether to impose an administrative fine and to decide on the amount of this fine: "(A) the nature, gravity and duration of the breach, taking into account the nature, extent or the purpose of the processing concerned, as well as the number of data subjects affected and the level of damage they suffered; (b) whether the violation was committed willfully or negligently; c) any measures taken by the controller or processor to mitigate the damage suffered by the persons concerned; d) the degree of responsibility of the controller or processor, account taking into account the technical and organizational measures that they have implemented by virtue of Articles 25 and 32; _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° [...] conducted with "Company A" 17/26 e) any relevant breach previously committed by the controller or the subcontractor ; f) the degree of cooperation established with the supervisory authority in order to remedy the violation and mitigate any negative effects; g) the categories of personal data affected by the breach; h) the manner in which the supervisory authority became aware of the breach, in particular whether, and to what extent the controller or processor has notified the breach; (i) where measures referred to in Article 58 (2) have previously been ordered against the controller or the processor concerned for the same object, compliance with these measures; j) the application of codes of conduct approved in accordance with Article 40 or certification mechanisms approved under Article 42; and k) any other aggravating or mitigating circumstance applicable to the circumstances of the species, such as financial benefits obtained or losses avoided, directly or indirectly, as a result of the violation ”. The Restricted Training would like to point out that the facts taken into account in the of this decision are those noted at the start of the investigation. Any changes relating to the processing of data subject to the investigation later, even if they make it possible to fully or partially establish the compliance, do not retroactively cancel a breach found. However, the steps taken by the inspected to comply with the GDPR during the investigation procedure or to remedy breaches noted by the head of investigation in the statement of objections, are taken into account by Restricted Training as part of any corrective measures to be taken and / or fixing the amount of a possible administrative fine. _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° [...] conducted with "Company A" 18/262. In this case 2.1. As for the imposition of an administrative fine In its additional letter to the statement of objections of August 17, 2020, the head of the investigation proposed to the Restricted Formation to impose an administrative fine to the control relating to the amount of 4,000 euros, taking into account the elements following: "The fact that clear and complete information to the people concerned about the processing (s) carried out by the controller constitutes a essential condition for these data subjects to know the existence of said treatment, but also grasp its scope. Do not provide these information or providing it in an incomplete manner will not only prevent data subjects to understand what will happen to their data at personal character, but will effectively deprive them of exercising all remedies granted by the GDPR. The fact that partial information of the persons concerned has actually been performed. The scale of the geolocation system, installed in at least 191 vehicles. The good cooperation of the company throughout the investigation as well as its willingness to comply with the law as soon as possible. " In its response to the additional letter of September 24, 2020, the inspected maintained in particular that the concrete criteria taken into account by the head of the investigation resulted in the quantum determination were unclear and he did not understand on which objective elements the proposal for the fine would have been made. In order to decide whether to impose an administrative fine and to decide, the if applicable, of the amount of this fine, the Restricted Training analyzes the criteria posed by Article 83.2 of the GDPR: _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° [...] conducted with "Company A" 19/26 As to the nature and seriousness of the violation (article 83.2.a) of the GDPR), the Restricted Training notes that with regard to the breach of Article 5.1.e) of the GDPR, it constitutes a breach of one of the fundamental principles of GDPR (and data protection law in general), namely in principle of the limitation of data retention devoted to Chapter II "Principles Of the GDPR. As for the failure to inform people in accordance with Article 13 of the GDPR, the Restricted Training recalls that the information and transparency relating to the processing of personal data are essential obligations incumbent on data controllers so that people are fully aware of the use that will be made of their personal data, once collected. A breach of Article 13 of the GDPR thus constitutes an infringement of the rights of individuals concerned. This right to information has also been strengthened under the terms of GDPR, which testifies to their particular importance. As for the duration criterion (article 83.2.a) of the GDPR), the Restricted Training notes that these shortcomings have lasted over time, at least since May 25, 2018. The Restricted Formation recalls here that two years have separated the entrance of the GDPR when it comes into effect to allow data controllers to comply with their obligations and this even if a comparable information obligation existed in application of Article 26 of the repealed law of August 2, 2002 relating to the protection of persons with regard to the processing of personal data. Regarding the retention period of data, the Restricted Training would like to recall that already in its authorization n ° […], the CNPD had imposed as a condition that personal data cannot be kept beyond two months, respectively three years for data relating to working time. _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° [...] conducted with "Company A" 20/26 As for the number of data subjects (article 83.2.a) of the GDPR), such as the controlled specified that each vehicle is allocated to a specific employee, the number of persons concerned corresponds to the number of vehicles equipped with a geolocation system. During the hearing of the Restricted Training of November 17, 2020, the inspected confirmed that the "ABC" group has a total of 191 vehicles equipped with geolocation system, as the head of the investigation also retained in his additional letter to the statement of objections of August 17, 2020. Nevertheless, he clarified that the company "Company A" only has 92 vehicles equipped with a geolocation system. As the head of the investigation limited the scope of the investigation to one of the three companies of the “ABC” group and more specifically of the “Company A” company, Formation Restricted only retains 92 vehicles, unlike 191 vehicles mentioned by the head of the survey, corresponding to 92 people who are concerned by the processing implemented by the geolocation system. As to the question of whether the breaches were deliberately committed or not (by negligence) (article 83.2.b) of the GDPR), the Restricted Training recalls that "not willfully" means that there was no intention to commit the violation, although the controller or processor has not complied with its duty of care under the law. In this case, the Restricted Training is of the opinion that the facts and the breaches observed do not reflect a deliberate intention to violate the GDPR in the chief of the controlled. As for the degree of cooperation established with the supervisory authority (Article 83.2.f) of RGPD), the Restricted Training takes into account the statement of the head of the investigation that the cooperation of the controlled throughout the investigation was good, thus that of its desire to comply with the law as soon as possible. _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° [...] conducted with "Company A" 21/26 As to the mitigating circumstances applicable to the circumstances in the present case (article 83.2.k) of the GDPR), the Restricted Training takes into account the elements following: o partial information has been provided to the persons concerned, in particular by the plastic sheet added to the on-board documents indicating that the vehicle "is equipped with a geolocation system", as well as the label affixed to the rear door of the vehicle mentioning " Monitored by GPS with […] ”; o taking measures to comply with Articles 12 and 13 of the RGPD, in particular by the development and posting on its site of a note information on the geolocation system for the entire staff ; o reducing the retention periods for data contained in the 2-year and 4-month to 12-month geolocation system. The Restricted Training notes that the other criteria of Article 83.2 of the GDPR are neither relevant nor likely to influence his decision to impose a administrative fine and its amount. Regarding the breach of the obligation to ensure data security, in application of Article 32 of the GDPR, the Restricted Training considers that in view of the measures taken by the company, in particular the efforts made to create logins and personalized passwords for people who have access to "[…]" and remove existing logins and ensure that passwords are regularly updated and not communicated to third parties, it has shown good faith in connection with of the procedure. Consequently, the Restricted Training considers that with regard to circumstances of the case, there is no need to base his fine on the basis of this breach, although it is characterized. _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° [...] conducted with "Company A" 22/26 The Restricted Training also notes that although several measures have been implemented placed by the inspected in order to remedy in whole or in part certain shortcomings, these were only adopted following the control of CNPD agents on February 20, 2019. Therefore, the Restricted Panel considers that the imposition of a fine administrative procedure is justified with regard to the criteria set out in Article 83.2 of the GDPR for breach of Articles 5 and 13 of the GDPR. Regarding the amount of the administrative fine, the Restricted Training recalls that paragraph 3 of Article 83 of the GDPR provides that in the event of multiple violations, as is the case here, the total amount of the fine cannot exceed the amount set for the most serious violation. Insofar as a breach of Articles 5 and 13 of the GDPR is criticized for the inspectorate, the maximum amount of the fine that may be retained amounts to 20 million euros or 4% of global annual turnover, the amount the highest is retained. In view of the relevant criteria of Article 83.2 of the GDPR mentioned above, the Restricted Training considers that the pronouncement of a fine of 2,800 euros appears both effective, proportionate and dissuasive, in accordance with the requirements of Article 83.1 of the GDPR. 2.2. Regarding the taking of corrective measures The adoption of the following corrective measures was proposed by the head of the investigation to the Restricted Training in its additional letter to the communication of grievances: "A) Order the controller to put in place information measures intended for people affected by geolocation, in accordance with provisions of Article 13, paragraphs (1) and (2) of the GDPR, in particular by providing the identity and contact details of the controller, where applicable, contact details of the data protection officer, the purposes of the processing and its basis _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° [...] conducted with "Company A" Legal, the categories of data processed, the legitimate interests pursued by the controlled, the recipients, the retention period of the data as well as the the data subject and how to exercise them, and the right to introduce a complaint to a supervisory authority; b) Order the controller to take all security measures in the framework of the use of the operating software of the geolocation device, in particular (i) define authorizations to access the geolocation operating software at only persons for whom it is strictly necessary for the accomplishment of their missions and (ii) to create individual accounts using a username and a password for the persons authorized above; c) Order the data controller to implement a duration policy retention of personal data in accordance with the provisions of e) of Article 5 of the GDPR, not exceeding the time necessary for the purposes for which they are collected, and in particular by not keeping location data for more than two months and data relating to working time for a maximum of three years. " As for the establishment of a data retention period policy personal character in accordance with the provisions of article 5.2.e) of the GDPR, the inspector has adapted after the on-site visit of CNPD agents the retention period of data from the geolocation system from 2 years and 4 months to 12 months. The Restricted Training considers, however, that the retention periods for data from the geolocation system must be adapted according to the different purposes pursued. As for information intended for people concerned by geolocation, in accordance with the provisions of article 13.1 and 13.2 of the GDPR, the inspected maintains that they have developed and posted since October 4, 2019 on its website an information note on the geolocation system for all staff. _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° [...] conducted with "Company A" 24/26 The Restricted Training considers, however, that the information note does not include not all of the rights enjoyed by data subjects under the GDPR. Thus, the right of objection (Article 21 of the GDPR) is not mentioned. Otherwise, Information on the retention period of data must be updated. As for the obligation to put in place policies for access to geolocation under article 32.1 of the GDPR, the Restricted Training considers that despite the efforts made by the inspectorate, the latter must, by virtue of the principle of accountability implement mechanisms and internal procedures to demonstrate compliance with Article 32.1 of the GDPR. In view of the foregoing developments, the National Commission sitting in restricted formation and deliberating unanimously decides: - to pronounce against Company A an administrative fine of one amount of two thousand and eight hundred euros (2,800 euros), in view of the breaches constituted in Articles 5.1.e) and 13 of the GDPR; - to issue an injunction against Company A to bring into compliance processing with the provisions of Articles 5.1.e), 13 and 32.1 of the GDPR, within a two months following the notification of the decision of the Restricted Panel, the supporting documents the compliance must be sent to the Restricted Training, at the latest, within this period; and especially : 1.with regard to the breach of the obligation to implement a term policy retention of personal data in accordance with the provisions of article 5.1.e) of the GDPR: adapt the retention periods for personal data obtained by geolocation according to the different purposes pursued, and in particular by not keeping the personal data obtained by the geolocation beyond two months, the personal data obtained by the geolocation used for proof purposes for invoicing the services provided _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° [...] conducted with "Company A" 25/26 for customers beyond one year and personal data obtained by the geolocation which makes it possible to check working time beyond three years; 2. with regard to the failure to inform the persons concerned of the processing of their personal data in accordance with Article 13 of the GDPR: inform the persons concerned in a clear and complete manner, in accordance with the provisions of Article 13 of the GDPR, in particular by providing information relating to the duration of data retention according to the purposes pursued and to all rights people ; 3.with regard to the failure to take any appropriate security measures in the framework of the use of the operating software of the geolocation device under Article 32 of the GDPR, create individual accounts using a username and a word password only for people for whom access to the geolocation is strictly necessary for the accomplishment of their missions. So decided in Belvaux on April 8, 2021. For the National Commission for Data Protection sitting in formation restraint Tine A. Larsen Thierry Lallemang Marc Lemmer President Commissioner Commissioner Indication of remedies This administrative decision may be the subject of an appeal for reformation in the three months following its notification. This appeal is to be brought before the administrative court. and must be introduced through a lawyer at the Court of one of the Orders of lawyers. _____________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° [...] conducted with "Company A" 26/26