CNIL (France) - SAN-2023-021

Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 5(1)(c) GDPR
Article 6(1)(f) GDPR
Article 12 GDPR
Article 13 GDPR
Article 32 GDPR
Type: Investigation
Outcome: Violation Found
Started: 26.09.2019
Decided: 07.12.2023
Published: 23.01.2024
Fine: 32,000,000 EUR
Parties: Amazon France Logistique
National Case Number/Name: SAN-2023-021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: CNIL (in FR)
Initial Contributor: nzm

The French DPA, by conducting on-site inspections in Amazon France Logistique warehouses, found violations of Articles 6, 5(1)(c), 12, 13 and 32 GDPR in the context of extensive workplace surveillance and issued a €32 million fine.

English Summary

Facts

In November 2019, the French DPA ("CNIL") carried out inspections on the premises of Amazon France Logistique ("controller") to understand the processing of employees' personal data via scanners and video surveillance.

The CNIL discovered that when an employee was assigned to a direct task, they were equipped with a scanner, enabling them to identify themselves, receive instructions, scan labels of the items they were processing, etc. This allowed the controller to continuously collect data relating to the activity of employees assigned to direct tasks, making it possible to measure the employee's activity, in particular by counting the number of units they process over a given period.

Inactivity indicators were reported in real time for each employee. One of the indicators named Stow Gun Machine allowed the controller to monitor each gesture performed by the employee in each direct task assigned to them, by associating with it an error indicator each time their speed was less than 1,25 seconds. These indicators were stored for 31 days and could be consulted both via raw data and in the form of statistics. Weekly performance reports were drawn up for each employee on the basis of the indicators collected, and contained weekly, daily and hourly statistics on compliance with quality procedures and productivity.

Following the on-site inspections, numerous exchanges took place between the CNIL and the controller, from November 2019 to January 2021. The CNIL started a sanctioning procedure against the controller on 28 January 2021.

Holding

Preliminarily, the CNIL established that Amazon France Logistique was the controller under Article 4(7) GDPR. The DPA considered that the determination of processing was linked to Amazon’s French human resources management. Although the employee management process is based on a common framework for the entities of Amazon group, they are subject to local adaptations decided autonomously by the local branches of the controller. The CNIL considered that Amazon France Logistique was free to adapt the criteria developed at a group level to assess the performance of employees working and to install video surveillance cameras in its warehouses and was therefore the controller.

The processing was not cross-border, meaning that the French DPA did not have to invoke Article 60 GDPR and was competent to decide the case on its own. The French DPA considered itself competent because (i) the processing of employees' personal data was carried out in the context of the activities of the controller, which has its registered office in France and (ii) the processing in question was carried out in the context of the controller's activities and it affects or is likely to affect only employees working in the company's warehouses located in France.

Firstly, Article 6(1)(f) GDPR establishes that processing is lawful if it is necessary for the legitimate interests pursued by the controller, unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject. The CNIL noted that given the nature of the processing in question the legal bases provided by Article 6(1)(a) to (e) GDPR could not apply. Consent could not apply in this case because of the imbalance in the employer-employee relationship. Therefore, the DPA indicated that the data processing could only be based on legitimate interest, as long as it did not disproportionately affect the rights, freedoms and interests of employees.

The CNIL noted that the Stow Gun Machine indicator processing was likely to have moral repercussions on the employees and the inactivity indicators were linked to the identity of each employee which, in practice, forced employees to be able to justify any time considered to be non-productive. The DPA considered that these measures were highly intrusive and therefore could not be based on Article 6(1)(f) GDPR.

Secondly, Article 5(1)(c) GDPR indicates that personal data should be adequate, relevant and limited to what is necessary regarding the purposes (data minimisation). The CNIL also noted that the processing failed to comply with Article 5(1)(c) GDPR regarding the processing of quality and productivity indicators for the purposes of reassigning and coaching employees in real time, the processing carried out for week planning purposes and the processing for the purpose of employee assessments. The CNIL considered that keeping and accessing all this raw data used for these purposes was not necessary.

Thirdly, the controller had violated the informational requirements contained in Article 12 GDPR and Article 13 GDPR. The CNIL noted that until April 2020, temporary workers were not given the privacy policy applicable in human resources, nor were they invited to familiarize themselves with it on the intranet. The DPA considered that putting the information regarding processing on the intranet for employees working in warehouses who were not intended to work on an office computer did not constitute a satisfactory means of information.

Fourthly, the CNIL considered that the data controller failed to comply with Article 13 GDPR regarding video surveillance since the controller did not provide an indication of how long the data would be kept, the right to lodge a complaint with the CNIL and the contact details of the DPO.

Furthermore, Article 32 GDPR states that the controller must ensure a level of security appropriate to the risk. Regarding video surveillance, the CNIL considered that the lack of access traceability due to the use of a shared account complicated investigation work in the event of a fraudulent access, deterioration or deletion of images. The DPA added that the password for accessing the video surveillance software was insufficiently robust and could lead to attacks by unauthorized parties. The CNIL also noted that the authentication of authorized persons to an individual Windows account prior to their connection to the video surveillance software was not sufficient to compensate for the vulnerabilities resulting from the access to the software from a shared account and using an insufficiently robust password. Consequently, the CNIL considered these facts to constitute a breach of Article 32 GDPR.

In view of all the violations, the CNIL decided to impose an administrative fine of €32 million.


English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Deliberation of restricted training no. SAN-2023-021 of December 27, 2023 concerning the company AMAZON FRANCE LOGISTIQUE

The National Commission for Information Technology and Liberties, gathered in its restricted formation composed of Mr. Alexandre LINDEN, president, Mr. Philippe-Pierre CABOURDIN, vice-president, Ms. Christine MAUGÜÉ and Mr. Alain DRU, members;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the protection of personal data and the free movement of such data (hereinafter "the GDPR" or "the Regulation") ;

Having regard to law no. 78-17 of January 6, 1978 relating to data processing, files and freedoms, in particular its articles 20 et seq.;

Having regard to Decree No. 2019-536 of May 29, 2019 as amended taken for the application of Law No. 78-17 of January 6, 1978 relating to computing, files and freedoms;

Having regard to deliberation no. 2013-175 of July 4, 2013 adopting the internal regulations of the National Commission for Information Technology and Liberties;

Having regard to referral no. […];

Having regard to decision No. 2019-187C of September 26, 2019 of the President of the National Commission for Information Technology and Freedoms to instruct the Secretary General to carry out or have carried out a mission to verify the processing of personal data implemented by the company AMAZON FRANCE LOGISTIQUE (hereinafter “the company” or “AFL”) or on its behalf;

Having regard to the decision of the President of the National Commission for Information Technology and Liberties appointing a rapporteur before the restricted panel, dated January 28, 2021;

Having regard to the report of Mr. François PELLEGRINI, commissioner rapporteur, notified to the company AFL on April 4, 2022;

Considering the written observations submitted by the company AFL on June 20, 2022;

Considering the hearing of the AFL company dated November 9, 2022;

Considering the rapporteur's response to the company's observations, notified on December 6, 2022 to the AFL company;

Considering the written observations submitted by the company AFL on May 23, 2023;

Having regard to the letter of September 22, 2023, addressed by the AFL company to the president of the restricted formation;

Considering the other documents in the file;

Were present during the restricted training session on September 14, 2023:

- Mr. François PELLEGRINI, commissioner, heard in his report;

As representatives of the AFL company:

- […];

- […];

- […];

- […];

- […];

- […];

- […];

- […];

- […];

The AFL company having had the last word;

The restricted formation adopted the following decision:

I. Facts and procedure

1. The company AFL, a simplified joint stock company registered in the trade and companies register on January 3, 2000, is located at 67 boulevard du général Leclerc in Clichy (92110). Its turnover amounted to 1.135 billion euros in 2021, for a net profit of 58.9 million euros.

2. The company AFL is directly owned by the company Amazon EU SARL located in Luxembourg, itself 100% owned by the company Amazon.com Inc., located in the United States.

3. The company provides logistics support services as part of its parcel distribution activity in France. It thus manages large distribution centers in France, within which it receives, stores items and prepares packages for delivery. As of November 2019, the company had approximately 6,200 employees on permanent contracts. For the year 2019, it used 21,582 temporary workers.

4. In November 2019, pursuant to decision no. 2019-187C of the President of the Commission of September 26, 2019, several on-site inspection missions were carried out in the administrative premises occupied by several French entities of Amazon and within the company. The first two control missions, carried out on November 5 and 6, 2019, allowed the CNIL services to understand the processing of personal data implemented by the entities of the Amazon group in France with regard to its employees. The last three control missions on November 13, 14 and 19, 2019, carried out in the Lauwin-Planque and Montélimar warehouses, focused on the processing implemented by the company AFL, namely, processing relating to monitoring of employee activity as well as the video surveillance systems implemented by the company. These missions gave rise to the establishment of minutes no. 2019-187.1, 2019-187.2, 2019-187.4, 2019-187.5 and 2019-187.6.

5. Following the on-site inspections, a written investigation continued and numerous exchanges took place between the CNIL services and the company from November 2019 to January 2021.

6. For the purposes of examining these elements, the President of the Commission, on January 28, 2021, appointed Mr. François PELLEGRINI as rapporteur on the basis of Article 22 of Law No. 78-17 of January 6, 1978 relating to computing, files and freedoms (hereinafter "the law of January 6, 1978 as amended" or "the Data Protection Act").

7. At the end of his investigation, the rapporteur, on April 4, 2022, notified the company of a report detailing the breaches of articles 5-1-a), 5-1-c), 6, 12, 13 and 32 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 (hereinafter "the Regulation" or the "GDPR") which he considered constituted in this case. This report proposed that the restricted panel impose an administrative fine on the company. He also proposed that this decision be made public but that it would no longer be possible to identify the company by name after a period of two years from its publication.

8. On June 20, 2022, the company produced its observations in response to the sanction report.

9. On November 9, 2022, the company was heard at its request in order to provide clarification on the data processing implemented with regard to its employees. This hearing resulted in the drawing up of minutes on which the company made comments sent to the Commission and the rapporteur on November 14, 2022. The company also sent the rapporteur, by email of November 16, 2022, answers to the questions listed in the hearing minutes.

10. The rapporteur responded to the company's observations on December 6, 2022.

11. On May 23, 2023, the company produced new observations in response to those of the rapporteur.

12. By letter dated July 20, 2023, the rapporteur informed the company and the president of the restricted panel of the closure of the investigation.

13. On July 24, 2023, the president of the restricted panel sent the company a notice to attend the session of the restricted panel on September 14, 2023.

14. The rapporteur and the company presented oral observations during this session.

II. Reasons for decision

A. On the complaint based on the irregularity of the holding of the session

15. During the hearing before the restricted panel, the president of the restricted panel, in accordance with article 13 of the CNIL's internal regulations, requested the hearing of an agent who participated in the controls. All the agents who participated in the controls having left the Commission's services, the floor was given to […], an agent who participated in part of the controls carried out within Amazon distribution centers in France.

16. The company claims that a procedural irregularity would result from the hearing of a CNIL agent, questioned about facts that he could have observed as part of the series of controls carried out in November 2019 within Amazon entities in France, to the extent that this agent did not participate in the controls carried out within the AFL company. It notes that this agent only participated in controls within the administrative premises occupied by several French entities of Amazon and in the warehouse of another company in the group, […].

17. The restricted training notes that the agent heard, auditor of information systems, indicated that he considered that the tools and methods for monitoring the activity of employees within other French entities of Amazon are the same as within the AFL company. Furthermore, the intervention of the agent did not provide any new information on the processing implemented in warehouses and this decision is not based on an element indicated by this agent.

18. Consequently, the complaint based on the irregularity of the holding of the session must, in any event, be dismissed.

B. On the presentation of the treatments implemented using scanners and their purposes

1. On the processing of individual indicators relating to the quality of work, productivity and periods of inactivity

19. Employees working in the company's warehouses are responsible, on the one hand, for receiving and storing items from suppliers (inventory) and, on the other hand, for picking and packaging these items, with a view to sending them to customers as part of the execution of their orders. To do this, they are assigned to positions corresponding to the activity concerned (“reception”, “storage”, “picking” and “packing”). These positions largely correspond, according to Amazon terminology, to "direct processes" or "direct tasks", that is to say tasks on which the production volume can be measured using scanners which are provided to employees. The scanners are small boxes equipped with a screen allowing the employee to identify themselves and receive instructions, as well as a barcode reader allowing them to scan the labels of the articles they are processing, or even the locations from which he stores or removes the articles. Employees may also be assigned to "indirect tasks", which are not or not entirely carried out using the scanners (for example, transporting bins to picking areas, checking for process errors, or training new employees in basic processes). Employees may be required to occupy separate positions during the same working day.

20. By means of scanners, the company continuously collects data relating to the activity of employees assigned to direct tasks: the scans carried out by each employee thus make it possible not only to follow the good progress of each item throughout the various stages of preparation and distribution, but also to measure the employee's activity, by counting the number of units he processes over a given period, by counting the periods of time during which he does not process any units and by analyzing the level of quality with which these units are processed, with regard to detailed criteria. The use of scanners also makes it possible to identify errors, or error probabilities.

21. All of this activity data collected continuously using scanners is associated with the identity of the employee in the form of productivity and quality indicators relating to periods of inactivity. A very large part of this data therefore constitutes personal data. These indicators are accessible within computer activity monitoring tools. It follows from the documents in the file that the term indicator refers, in Amazon terminology, to different forms in which the data appears in the tools: it thus covers the raw data collected and the statistics which are continuously drawn from it (according to cases, hourly, daily or semi-daily, weekly, for example: Furthermore, the company also uses the term indicator to refer to specific types of indicators, divided into the three categories described below.

22. The company thus uses 43 "quality indicators" which correspond to "actions of employees likely to cause quality errors", such as putting an item in stock in a location other than that recommended or scanning too quickly articles. These indicators make it possible to report probable or proven errors by the employee in the item delivery process.

23. The company also produces indicators relating to the productivity of each employee, which it distinguishes from "quality indicators" and which include in particular the number of articles processed per hour, the last scans carried out and their exact time, the type of item, size and quantity.

24. The company finally deals with indicators intended to monitor employee interruptions during their working time on direct tasks. Thus, the fact that no data is received by the scanner for a certain time is indicated by different "indicators" in the tools. In particular, the "Inferred time" indicator (inferred time of scanner inactivity), collected by default after ten consecutive minutes of scanner inactivity, can correspond to several situations, including "idle time", which is a period of inactivity with no apparent justification. Another indicator records any “latency time of less than ten minutes at critical times of the day”, i.e. at the start and end of a work session as well as before and after breaks.

25. Note that if the company designates all the data under the term "indicator", the restricted training will sometimes distinguish, in this decision, the raw data and the other statistical indicators, which are calculated from this raw data.

26. It is specified that indirect tasks are not monitored as closely as direct tasks.

27. This decision concerns the treatments thus described in all of the company's warehouses where they are carried out in France, since it appears from the documents in the file that these are treatments defined for all of France. On the other hand, the video protection processing also in question only relates to the Lauwin-Planque and Montélimar warehouses.

2. On the periodicity of the processing of indicators and their accessibility in the tools

28. The restricted training notes that, firstly, the three categories of indicators processed by the company (quality, productivity, periods of inactivity) are reported in real time, for each employee, within the activity monitoring tools at the disposal of hierarchical superiors. Thus, the latter have access, in particular and for each employee they supervise, to the latest errors made, to the time of each scan carried out, to the number of articles processed during the last hour, to details of working time of the employee on a given process and at any time of interruption of his scanner.

29. Secondly, all of these indicators relating to the activity of each employee are kept in the tools for 31 days and can thus be consulted, both via raw data and in the form of statistics, for example over an hour or half a day.

30. Third and finally, weekly performance reports are established for each employee based on indicators collected continuously. They contain weekly, daily and hourly statistics relating to compliance with quality procedures and productivity as well as raw data relating to quality errors. Finally, idle times, which do not appear in these performance reports, are nevertheless counted every week and are sometimes the reason for sending awareness letters.

31. The activity monitoring tools identified as part of the procedure are the following:

- […] provides access to nominal employee productivity indicators, including details of their working time on the same process. […] also makes it possible to monitor aggregated indicators (overall productivity of a site by type of activity). This data is accessible in real time and over the last 31 days.

- […] is used to monitor the nominal quality indicators associated with the performance of direct tasks by employees. It also provides access to aggregated quality indicators (by error category or by position, for example). This data is accessible in real time and over the last 31 days.

- […] allows you to view the details of the tasks carried out by the employee (including their inactivity time). This detail is accessible in real time and over the last 31 days.

- […] is a work supervision tool which includes […], […] and […].

- […] provides quality and productivity statistics for each employee (per week, per day or per hour) and raw data concerning quality errors.

3. On the purposes of processing nominal indicators

32. The company indicates that the processing of indicators pursues the purposes of quality and safety assurance, management of warehouses and their workload (including for the purposes of reassigning employees in real time), work planning, employee evaluation, coaching (or support) and individual training as well as management of employee obligations regarding respecting working time. It specifies that the three categories of indicators are not all processed together for all purposes.

33. The rapporteur considers that several of the purposes put forward by the company cover very similar realities and, consequently, groups them into two sets, namely, on the one hand, the management of orders in real time and, on the other hand, work planning and performance evaluation in the broad sense.

34. In this regard, the restricted panel notes that the first set of purposes defined by the rapporteur, relating to the management of orders in real time in the warehouse, brings together the issues of inventory management (reception and storage) and orders (picking, packaging, shipping) in compliance with quality and safety requirements. The company emphasizes that these processes involve identifying any anomalies as quickly as possible, giving advice and providing real-time support to employees (coaching) and sometimes reassigning them in real time. She considers that this grouping of issues linked to the real-time management of inventory, orders and, by extension, the employees who process them, is relevant. Finally, it underlines that if this purpose relates to real-time management during work in warehouses, it is based both on real-time data, corresponding to the current working day, and on historical data from the past 31 days.

35. The restricted training observes that the second set of purposes brings together all uses of data which are not carried out in real time during the inventory and order management processes. This concerns everything relating, on the one hand, to ex ante work planning, which consists in particular of deciding on the assignments of employees for a working day based on their past performance, and, on the other hand, to the evaluation of performance in the broad sense, ex post, which includes the control of working time, weekly evaluation and individual training of employees. She considers that the grouping of this second set of purposes, which use all the employee's performance evaluation data to make decisions that do not concern the management of operational processes in real time, is relevant for the examination of the file. It further notes that this second set of purposes, as opposed to the first, is based mainly on past data, except for the purpose relating to the control of working time, which is done both for the past and through access in real time to the processed indicators.

36. Therefore, the restricted panel considers that it is appropriate to follow the grouping of purposes made by the rapporteur within the two sets identified.

C. On the quality of the company with regard to the processing in question

37. Under Article 4 (7) of the GDPR, the data controller is defined as "the natural or legal person, public authority, service or other body which, alone or jointly with others, determines the purposes and means of the processing".

38. The rapporteur considers that the company AFL acts as controller of the processing in question, in that it determines the purposes and means of processing the performance data of its employees using scanners, as well as the processing of video surveillance.

39. The company shares the rapporteur’s analysis on this point.

40. The restricted training emphasizes that the processing implemented by the company for the purposes of monitoring the activity and evaluating the performance of its employees are linked to human resources management and are therefore, essentially, carried out on behalf of the said company as a beneficiary of the work provided by its employees. The restricted training further notes that if the employee management processes (recruitment, dismissal) are based on a framework common to the entities of the Amazon group, these are declined and operated at the national level and in compliance with each national legislation; in addition, these “are subject to local adaptations, decided autonomously by society”. The restricted training therefore considers that the company is autonomous in the individual management of its employees, just as it is free to locally adapt the criteria developed at group level to evaluate the performance of employees working in its warehouses.

41. With regard to the video surveillance processing implemented by the company in its Lauwin-Planque and Montélimar warehouses, the restricted training notes that the guide relating to the legal framework for the installation of video surveillance cameras in the Amazon group's premises, established for the Europe zone and containing specifications by country, provides that each company in the group decides, taking into account the legal framework, the installation of these surveillance cameras for the legitimate purposes that it determines.

42. It follows from the above that the company AFL acts as responsible for processing data for monitoring the activity and evaluating the performance of its employees using scanners, as well as video surveillance processing.

43. It is therefore up to the restricted panel to examine, with regard to this quality, the complaints formulated by the rapporteur against the company.

D. On the competence of the CNIL

44. Under the terms of Article 55.1 of the GDPR, “[e]ach supervisory authority is competent to exercise the missions and powers with which it is vested in accordance with this Regulation in the territory of the Member State to which it belongs”.

45. Article 4 (23) defines cross-border processing as:

"a) processing of personal data which takes place in the Union in the context of the activities of establishments in several Member States of a controller or a subcontractor where the controller or subcontractor is established in several Member States; or

(b) processing of personal data which takes place in the Union in the context of the activities of a single establishment of a controller or processor, but which materially affects or is likely to significantly affect data subjects in several Member States".

46. Therefore, the restricted panel considers that the CNIL is competent to control the processing operations in question, which do not have a cross-border nature within the meaning of Article 4 (23) of the aforementioned GDPR.

47. In application of article 55.1 of the GDPR, the restricted committee considers that the CNIL is competent to initiate a sanction procedure concerning the processing of personal data implemented by the company falling within the scope of the GDPR, provided that these treatments are linked to its territorial jurisdiction.

48. In this regard, the restricted training firstly notes that the processing of employees' personal data is carried out within the framework of the activities of an establishment of a data controller on the territory of the EU within the meaning of article 3 of the GDPR. Indeed, the processing of employees' personal data is implemented within the framework of the activities of the company AFL, which has its head office in France.

49. Next, the restricted panel notes that the processing in question is carried out within the framework of the activities of the company AFL and that it affects or is likely to affect exclusively employees working in the company's warehouses located in France. Consequently, they do not have a cross-border nature within the meaning of Article 4 (23) of the GDPR and the cooperation procedure between supervisory authorities provided for in Chapter VII of the GDPR is therefore not intended to apply in this case.

50. This analysis is not contested by the company.

51. Therefore, the restricted panel considers that the CNIL is competent to control the processing operations in question.

E. On the shortcomings relating to the processing of data for monitoring activity and evaluating employee performance

1. On the applicable legal framework

52. Firstly, Article 5.1.c) of the GDPR provides that personal data must be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (minimization of data )". It follows from these provisions that it is illegal to process employees' personal data for certain purposes if these can be achieved without recourse to it.

53. Secondly, on the one hand, under the terms of Article 6.1.f) of the GDPR, "the processing is only lawful if, and to the extent that, at least one of the following conditions is met: (…) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, unless overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data […]".

54. Recital 47 of the GDPR specifies that “[t]he legitimate interests of a controller […] may constitute a legal basis for processing, unless the interests or fundamental rights and freedoms of the data subject prevail, taking into account the reasonable expectations of data subjects based on their relationship with the controller. […] In any event, the existence of a legitimate interest should be carefully assessed, in particular in order to determine whether a data subject can reasonably expect, at the time and in the context of the collection of personal data, that they will be processed for a given purpose. […]”

55. In its opinion 06/2014 on the notion of legitimate interest pursued by the data controller within the meaning of Article 7 of Directive 95/46/EC, adopted on April 9, 2014, the Article 29 Working Party (known as "G29", now the European Data Protection Board - EDPB) emphasized that a broad interpretation should be given to the notions of "interests" and "rights", in the sense that “all relevant interests of the data subject should be taken into account.” The G29 also clarified that when assessing the impact of the processing, "in addition to the negative consequences which may be specifically anticipated, one must also take into account the moral repercussions, such as irritation, fear and distress which may result from the loss of control exercised by the data subject over his or her personal information, or from the discovery of misuse […] of this information […]. […] The term “impact”, as used in this opinion, covers all possible consequences (potential or actual) of the data processing".

56. Finally, recital 75 of the GDPR provides details on the risks to the rights and freedoms of natural persons that may be induced by certain processing operations, the degree of seriousness and probability of which varies, and which may result in physical, material or moral damage. Among these risks, the recital mentions in particular those resulting from processing which targets vulnerable individuals and/or concerns a large volume of data.

57. The restricted panel notes that given the nature of the processing in question, the legal bases provided for by the provisions of Article 6.1 b), c), d) and e) of the GDPR and linked to the execution of a contract, compliance with a legal obligation, the protection of the vital interests of the data subject or another natural person and the execution of a mission in the public interest do not apply. It is therefore up to the restricted panel to examine whether the company can rely on its legitimate interest to carry out the processing in question, this legal basis being the only one likely to be used.

58. Under the terms of Article L. 1121-1 of the Labor Code: “No one may place restrictions on the rights of individuals and on individual and collective freedoms that are not justified by the nature of the task to be accomplished nor proportionate to the desired goal.” The rights and freedoms protected are, in particular, the right to private and personal life, the protection of personal data and the right to the protection of one's physical and mental integrity. It results from consistent case law of the Court of Cassation that although the employer has the right to monitor its employees, it must do so by means proportionate to the objectives pursued (see for example Cass. Soc., June 23, 2021, n° 19-13.856).

59. It follows from all of the aforementioned provisions that the processing of personal data such as that implemented with regard to the company's employees or temporary workers in the context of the management of its distribution centers can be based, for the application of Article 6 of the GDPR, only on the legal basis of legitimate interest, provided that it does not disproportionately infringe the rights, freedoms and interests of employees.

2. On shortcomings related to the purpose of managing stocks and orders in real time in the warehouse: reception of items, storage of inventory, preparation of orders, shipping of packages, including coaching to employees and their reassignment

60. As a preliminary point, the restricted panel notes that the company claims that it manages processes of extreme complexity since, to offer each of its customers an optimal purchasing experience, it receives, quality-checks, stores, picks, packs, sorts, prepares and ships approximately […] and employing a large number of employees (4,372 employees employed on the Lauwin-Planque site in 2019). The daily preparation and shipping of these millions of items of various kinds must be carried out within the deadlines corresponding to the expectations of the company's customers and, in the case of Amazon Prime customers, to the service they have specifically paid for, for example delivery within the day. The company argues that its employees are at the heart of these operations and that automated processing in its distribution centers is therefore essential to support their work, in order to control stocks and processed packages and to guarantee safety, quality, availability and efficiency of operations at both the individual and collective level. According to the company, this processing is also designed to ensure that operational flow is maintained at an appropriate pace.

61. In Amazon's warehouses, objects are not classified but placed on the shelves as they arrive, wherever space is available, which makes it crucial that each handling of each object is traced in the warehouse information system using scanners. The company stressed that the slightest error could have significant consequences on the tracking of orders, the quality of service provided and, potentially, the safety of employees. It is therefore necessary to identify and be able to react in real time to the slightest error or deviation from objectives.

62. The restricted panel does not call into question the fact that the service provided by Amazon to its customers entails exceptional constraints, due to the volumes processed and the objectives of short delivery times, which makes it necessary to monitor very precisely, in real time, all handling of objects in the warehouse and the situation of each workstation, and therefore of each employee. This tracking involves the processing of a very large amount of data, including a lot of personal data, in real time, each time a package is handled by an employee as part of direct tasks.

63. Following the position of the rapporteur, the restricted panel therefore does not generally call into question the real-time processing by the company of the raw data and indicators described above for the proper management of stocks and orders. However, it considers, as will be explained below, that some of the indicators used infringe the GDPR, as does keeping all the data reported by the scanners for 31 days and using this set of data and all the indicators extracted from it.

64. The analyses developed in this decision relate to both employees and temporary workers, even if, for convenience, reference will often be made only to employees.

2.1. On the illegality of the processing of three indicators for the management of stocks and orders

65. The rapporteur criticizes the company for processing the Stow Machine Gun indicator, idle times and latency times of less than ten minutes, thereby disregarding Article 6 of the GDPR, since this processing disproportionately infringes the rights of employees to privacy, to the protection of their personal data and to working conditions that respect their safety, health and dignity, and in particular the right not to be subject to excessive surveillance in application of Article L. 1121-1 of the Labor Code.

2.1.1. On the processing of raw quality data linked to the speed of execution of a task (Stow Machine Gun indicator)

66. The indicator whose processing is examined in this sub-part is the raw quality data corresponding to the Stow Machine Gun indicator, attached to each employee assigned to a direct task and accessible in real time in the quality error monitoring tool […].

67. The rapporteur observes that, among the 43 quality indicators processed by the company, there is the Stow Machine Gun indicator, which signals "the storage of an article within (sic) 1.25 seconds of the storage of the previous article". The rapporteur notes that this indicator linked to the speed of execution of a task is collected in real time for each employee in the quality error monitoring tool. However, he considers that the processing of this data is disproportionate since it leads to excessive computer surveillance of the employee with regard to the objectives pursued.

68. In defense, the company argues that the processing of this indicator is based on its legitimate interest in ensuring safety and quality in its warehouses. It indicates that the process of putting away items requires the employee to carry out several actions (scan of the item, scan of the location, etc.) and that if an interval as short as 1.25 seconds is reached during successive putting away of several articles, this would almost systematically indicate a quality error, likely to create a safety risk or inventory errors.

69. In this regard, the restricted panel notes that the interest of the company, as an employer, in ensuring the quality and safety of its processes in its logistics centers, both for the customer and the employee, constitutes a legitimate interest within the meaning of Article 6.1.f) GDPR.

70. In this case, the restricted panel does not dispute that the Stow Machine Gun indicator makes it possible to ensure that too rapid successions of scans do not cause an error.

71. However, the company's interest in ensuring safety and quality in its logistics centers must be weighed against the interests or fundamental freedoms and rights of the persons concerned, taking into account their reasonable expectations, based on their relationship with the data controller, in accordance with Article 6.1.f) of the GDPR, read in the light of recital 47 and the aforementioned opinion on the notion of legitimate interest.

72. In this case, the restricted panel notes that collecting the Stow Machine Gun indicator amounts in practice to monitoring the speed at which the employee's actions follow one another, in each of the gestures he performs on a direct task, by associating an error indicator each time this speed is less than 1.25 seconds. The restricted panel notes that this information reveals the behavior of the employee in the way in which he carries out his direct tasks and is likely to subject him to continuous monitoring of the time associated with each of his actions on direct tasks, measured to the order of a second. It therefore considers that this indicator is significantly intrusive and that its processing is likely to have negative moral repercussions on the employee, which may result from the continuous monitoring of his activity on direct tasks that it allows. The restricted panel also notes that the processing of this indicator concerns a large number of people, since it targets all employees working in the company's warehouses.

73. Furthermore, the restricted panel considers that surveillance of such precision exceeds the reasonable expectations of employees who, although they can expect, as employees of the company, that their work is subject to a certain amount of surveillance, cannot reasonably expect that their actions carried out with the scanners will be followed to the nearest second.

74. Therefore, the restricted panel considers that the processing of this indicator exceeds what is necessary for the purposes of the legitimate interests of the company in ensuring quality and safety in its logistics centers, since it excessively undermines the rights and interests of employees working in warehouses - in particular those to the protection of their private and personal lives, as well as their right to working conditions that respect their health and safety.

75. Consequently, the restricted panel considers that the processing of the Stow Machine Gun indicator attached to the identity of the employee has no legal basis, in breach of Article 6 of the GDPR.

76. The restricted panel notes that in its latest written observations, the company announced the upcoming cessation of processing of the Stow Machine Gun indicator. It notes, however, that this measure is not effective on the day of the meeting and that it cannot in any case exonerate the company from its responsibility for the past.

2.1.2. On the processing of idle times and latency times less than ten minutes

77. The indicators whose processing is examined in this sub-part are two indicators relating to periods of inactivity collected via the scanners, namely idle times, referred to as inferred times, which record any latency time of a scanner greater than ten minutes, and latency times of less than ten minutes, for employees assigned to a direct task, whether they are accessible in real time or over the last 31 days. Idle time records times of more than ten minutes of inactivity on a direct task without any apparent justification, and latency time of less than ten minutes measures, as its name indicates, times of less than ten minutes "at critical moments of the day", i.e. at the start and end of the work session as well as before and after breaks.

78. The rapporteur notes, on the one hand, that it appears from the investigations that the company processes idle times, which appear in the tools in the form of a blue bar after a period of ten minutes of inactivity of a scanner. He notes that, according to the company, an idle time can reflect three situations: (1) the employee encounters a technical problem preventing the proper execution of his direct task, (2) the employee does not sufficiently master a direct process and needs specific support, (3) the employee does not perform his or her direct duties due to excessive unauthorized breaks outside of break times. The rapporteur also notes that it emerges from the investigations and the company's latest observations that the latter processes an indicator relating to scanner inactivity periods of less than ten minutes (latency times of less than ten minutes), also appearing in the tools in the form of a blue bar. He notes that according to the company, this indicator would reflect "latency times at critical times of the day", that is to say when all employees take up or leave their workstation on a direct task, i.e. at the start or end of the work session or just before or after the break.

79. The rapporteur considers that the nominative processing of idle times and latency times of less than ten minutes is disproportionate for the purposes of managing inventories and orders in real time, including in order to provide advice or support to an employee who encounters a problem on a task. Furthermore, given the size of the teams managed by supervisors, which can include up to 250 people, the rapporteur questions the ability of a supervisor to detect such low latency times for an employee in his team and to intervene immediately to verify that there are no problems.

80. In defense, the company argues that the processing of idle times is necessary for the management of warehouses and their workflows, in that it would make it possible to quickly reveal and resolve a problem in a direct process. Regarding the indicator relating to latency times of less than ten minutes, the company maintains that it would aim to identify and resolve practical problems encountered by an employee likely to disrupt transitions between teams or job resumptions, in a context where visual control by supervisors is impossible.

81. The restricted panel observes that the company's objective of managing warehouses and their workload corresponds more concretely to the management of inventories and orders in real time while respecting quality and safety requirements, and that it constitutes a legitimate interest within the meaning of Article 6.1.f) GDPR. It notes that the objective of coaching an employee who encounters difficulties in carrying out a task also constitutes a legitimate interest within the meaning of this provision.

82. However, on the one hand, the restricted panel first notes that supervisors have access to numerous aggregated (non-nominative) indicators of quality (by error category, by cause, by position, etc.) and productivity (by type of activity, by team) to manage warehouses and their workflows. It emphasizes that these aggregated indicators allow them to identify in real time variations in productivity that need to be remedied immediately or error rates likely to significantly impact the smooth running of the warehouse. In addition, the restricted panel emphasizes that the rapporteur does not dispute the need to access the quality indicators of each employee to detect and resolve problems that hinder the proper circulation of items in the warehouse and the execution of orders in compliance with quality and safety requirements (errors, delays, flows, etc.). Thus, the restricted panel notes that supervisors can in particular, as is already the case, establish a link between the employee and a quality error committed in real time in order to resolve it and avoid slowdowns or blockages in the processing chain.

83. Next, the restricted panel notes that the processing of idle times linked to the identity of each employee is significantly intrusive, since in practice it forces the employee to be able to justify any time considered non-productive. Thus, the restricted panel considers that although employees can expect to see their quality indicators used to ensure the secure and qualitative management of articles and packages in real time in the warehouse, they cannot reasonably expect potentially having to justify, at any time, very short interruptions considered non-productive when they occur. It considers that the processing of idle times for employee coaching purposes is also disproportionate, for these same reasons. The restricted panel considers that the processing of this indicator is likely to have negative repercussions on the employee, possibly resulting from the continuous monitoring that it allows of very short times on direct tasks considered non-productive.

84. Consequently, the restricted panel considers that, given the excessively tight control of the employee that it allows, and given that difficulties can already be monitored through access to the individual quality indicators of each employee and to the aggregated quality and productivity indicators, the processing of nominative idle times is disproportionate with regard to the legitimate interests of the company aiming, on the one hand, to ensure qualitative and secure management of articles and packages in real time in the warehouse and, on the other hand, to provide immediate advice or support to the employee. It specifies that the use of this indicator for monitoring compliance with obligations relating to working time, as well as for the evaluation and training of employees, will be examined later.

85. On the other hand, for identical reasons, the restricted panel considers that the processing of the indicator relating to latency times of less than ten minutes entails, a fortiori, an excessive infringement of the rights of employees with regard to the legitimate interests of qualitative and secure management of packages and items in real time. The restricted panel notes that this indicator makes it possible in particular to know how many minutes (between one and ten) have passed "between the moment when an employee badged at the entrance to the site and the moment when he carried out his first scan of the day". However, on the one hand, supervisors can already rely on numerous aggregated productivity and quality indicators, as well as certain individual indicators, to detect and immediately resolve problems hindering the proper execution of orders. On the other hand, the processing of this indicator leads the employee to potentially have to justify, each time they arrive on site, transition or return to work, any latency time of their scanner of less than ten minutes. Like idle times, it is therefore highly intrusive and likely to have the same negative repercussions on the employee.

86. The restricted panel notes that in its latest observations, the company announces that it will increase to 30 minutes the threshold beyond which information relating to inferred time will be recorded in the tools and that this information will be accessible to supervisors no longer in real time, but after a two-hour delay. During the restricted panel session, the company affirmed that the increase in the duration triggering the recording of inferred times would apply to all the scenarios they cover.

87. In view of the above, the restricted panel considers that the processing of idle times in order to manage inventory and orders in the warehouse in real time and for the purposes of providing advice or support to employees (coaching) is disproportionate with regard to the interests and fundamental rights of employees, in particular their right to the protection of their private and personal lives as well as their right to working conditions which respect their health and safety. The same applies to the processing of latency times of less than ten minutes implemented for the secure and qualitative management of inventory and orders in the warehouse in real time.

88. Therefore, the processing of these two indicators has no legal basis, in breach of Article 6 of the GDPR.

2.2. On the processing of quality and productivity indicators for the purposes of reassignment and advice/support (coaching) of employees in real time

89. The indicators whose processing is examined in this sub-part are the raw and statistical data of quality and productivity of each employee collected and accessible both in real time and over the last 31 days.

90. The rapporteur notes that in order to reassign employees in real time in the warehouse, the company accesses the quality and productivity indicators of each employee in real time and over a period of 31 days. He believes that in order to reassign employees with the aim of adjusting at any time to flows, to demand or to ensure a fair distribution of work, weekly individual statistics, which are added to the numerous other data available on warehouse activity in real time, are sufficient and even more suitable for this purpose. He also notes that the company does not need to access these same indicators for the purposes of coaching employees in real time, to the extent that a need for coaching can be identified on the basis of weekly data aggregated per employee.

91. In defense, the company considers that in order to identify the best performers among its employees and reassign them or distribute them differently if necessary, it must be able to access in real time, for each employee, the quality and productivity indicators, which include the latest quality errors reported or committed, details of the last items processed (time, size, type, quantity etc.) and the total number of items processed in the last hour. The company also highlights the need to rely on detailed nominative indicators from the last 31 days, since they would offer line managers "a reliable and complete view of the performance of a particular employee on a specific process when they need to quickly assign someone with experience to this process." According to the company, these indicators would allow supervisors to examine employees' previous quality and productivity levels after leave, to explain the causes of individual variations in productivity and to detect whether certain processes need to be improved.

92. Regarding coaching, the company asserts, firstly, that supervisors must access both the quality and productivity indicators of each employee in real time and those of the last 31 days to be able to provide immediate support to the employee, for example if he encounters difficulties with a process, in order to know if he has already encountered this type of problem and to decide on the appropriateness and nature of the support. However, it admits that coaching can be provided later regarding less urgent difficulties, as part of the weekly assessment. The company contends that aggregated weekly data would only provide general trends and would not be precise enough to identify specific employee issues and their context.

93. The restricted panel examines, at this stage of its decision, the use of personal data collected via the scanners for the purposes of reassignment and advice or support (coaching) of employees, in real time, during working hours. It appears from the documents in the file that, beyond the good management of objects (reception, storage, recovery for an order, packaging, shipping) enabled by the data collected by the scanners, the operational conduct of Amazon's activity requires identifying in real time employees having difficulty carrying out the tasks and objectives assigned to them by the company, or peaks of activity in certain locations requiring the assignment of new high-performance employees. While it is up to the company to ensure that these objectives and the pace are compatible with the requirements of labor law, the restricted panel recalls that it is not for the panel to examine this point. It considers that the purposes of optimizing work processes, through the reassignment of employees or through advice and support (coaching) provided in real time, are legitimate.

94. For these purposes of reassignment and advice/support (coaching) of employees working on direct processes in the warehouse, the company uses all the raw and statistical data on quality and productivity of each employee. The data accessible is both real-time data and data from the last 31 days.

95. The restricted panel notes that the company illustrates the implementation of processing for the purposes of reassigning employees in real time by relying on a few examples relating to the need for assignment or reassignment of particularly efficient employees to a task to ensure on-time delivery or to improve overall center productivity. It observes that according to the company's declarations, reassignments only actually take place "two to three times a day" and emphasizes that the company already carries out planning allowing for anticipation of needs.

96. The restricted panel does not call into question the operational need to be able to identify in real time any need for advice/support or reassignment, and then to be able to determine the best advice or support, or the best reassignment, by having data available on the relative skills and performance of its employees. However, it considers, for the following reasons, that these needs do not require retaining and using all the raw data from scanners and indicators relating to direct tasks over a depth of 31 days.

97. On the one hand, the restricted panel recalls that, with the exception of the three indicators considered disproportionate and mentioned above, it does not call into question the ability, for the company, to view all the raw data and indicators on real-time activity relating to direct tasks, in order to best manage inventory storage and order management. Data feedback makes it possible in particular to identify in real time any anomaly, any unexpected peak in activity or the fact that operational objectives are not achieved, in order to be able to immediately adopt appropriate corrective measures. Among these measures is the provision of advice or support to an employee, or their reassignment.

98. On the other hand, it is also legitimate, in order to be able to carry out this advice/support (coaching) or this reassignment, to have elements of evaluation of the employees, in particular to be able to choose the employee(s) to be reassigned. This may lead to viewing personal data on their respective performances.

99. However, the restricted panel considers that retention of and access to all data used for these purposes for 31 days is not necessary. Regarding the examples given by the company relating to the need to provide advice/support (coaching) to employees in difficulty on certain tasks, or the need to assign or reassign particularly efficient employees to a task to guarantee delivery on time or to improve the overall productivity of the center, the restricted panel notes that the company has individual weekly statistics relating to productivity and quality to rely on in the event of the need to quickly reassign an experienced person. For example, these statistics make it possible to know that an employee has made no or very few quality errors on a job or to know the number of items he has packed during the week. There is therefore no need to access the slightest detail of the raw data or its indicators over the last 31 days, from the most general to the finest (up to statistics over one hour), to identify a particularly efficient employee or to know his particular qualities. Correlatively, the restricted panel notes that the company uses individual weekly statistics making it possible to note a drop in performance for a given employee. To the extent that these weekly statistics exist - which does not exclude the possibility that the company could design other forms of statistics that are clearly more limited than all the data and indicators currently used - the restricted panel considers that the company has a representative view of an employee's performance in order to provide them with the best advice/support (coaching) during their working hours or to decide on their possible reassignment. The restricted panel therefore considers that the retention of and access to raw data and details of quality and productivity indicators over a depth of 31 days is not necessary.

100. Regarding the examples cited by the company, relating to the case of an employee assigned for too long to the processing of bulky items or the incorrect storage of dangerous items, which the current processing of indicators would make it possible to detect in order to decide on, respectively, a reassignment or immediate support, the restricted panel considers that the identification of these situations does not require keeping and accessing such a precise history of the direct tasks of each employee over 31 days: consulting only the data and indicators of the working day, in real time, appears sufficient. Once this situation has been identified, it is possible to remedy it by using certain data to assess the relative capabilities of employees, without needing to keep and use all of the data in question over a period of 31 days. Access for one month to such a wealth of personal data relating to each action of each employee by means of a scanner or to statistics established over very short periods relating to these actions is not necessary to determine the right advice to give or to decide on the right reassignment. A selection of aggregated data, in particular weekly or in another form, in addition to data describing the situation in real time during the working day, is sufficient.

101. Therefore, the restricted panel considers that by processing individual quality and productivity indicators over a period of 31 days for the purposes of reassignment and advice/support (coaching) of employees, the company breached the principle of minimization provided for in Article 5.1.c) of the GDPR, to the extent that these indicators are not necessary in this case. Thus, although supervisors can rely on individual data to reassign employees or to provide them with advice/support (coaching), the granularity and methods of consulting the indicators collected are inappropriate.

2.3. On the effects of the changes announced by the company regarding the purposes of employee reassignment and real-time coaching

102. The restricted panel notes that in its latest observations, the company announces that it will soon implement a measure to reduce from 31 to 7 days the past period during which individual productivity and quality data are accessible to supervisors in the tools and that, beyond this period, it will carry out data aggregation. During the session before the restricted panel, the company specified that this aggregation would take the form of an aggregation of data over the week. In addition, as has already been indicated, the company announces the increase to 30 minutes of the threshold beyond which information relating to inferred time will be recorded in the tools and specifies that supervisors will access this information in the tools only after a delay of two hours.

103. The restricted panel notes that these positive changes, announced at the end of more than three years of procedure, are not yet effective on the day of the meeting and that they do not exempt the company from its responsibility for the past.

3. On shortcomings related to work planning and employee evaluation

104. The following facts are examined in light of Article 5.1.c) and Article 6.1.f) of the GDPR.

3.1. On processing implemented for work planning purposes

105. The indicators whose processing is examined in this sub-part are the raw data and productivity statistics of each employee accessible over the last 31 days.

106. The rapporteur notes that for the purposes of planning work in the warehouse, the company accesses the details of the productivity indicators of each employee over the last 31 days. According to the rapporteur, access to such granularity of data is not necessary, to the extent that indicators aggregated per employee over the week are sufficient to have a representative view of their individual productivity and to plan work in the warehouse.

107. In defense, the company asserts that access to productivity indicators for the last 31 days for each employee is necessary in order to constitute teams in a relevant manner taking into account the abilities and experience of employees on a given task, who have not necessarily received training on certain specific processes. It argues in particular that access to the types of articles processed by employees would make it possible to verify their level of mastery of a task and to designate those most capable of carrying it out (for example, for the processing of dangerous articles). Data aggregated by week would not provide differentiated information taking into account the articles processed.

108. The restricted panel considers, like the rapporteur, that work planning in the warehouse can be carried out on the basis of productivity statistics aggregated over the week per employee, which offer an objective view of the direct tasks carried out by the employee (number of times he has processed a certain type of article, overall time he spent on a given position during the previous week), thus making it possible to assess his level of mastery of the different tasks and to compose relevant teams. The restricted panel considers that weekly statistics are not the only ones legally usable, other systems being possible, but it notes that planning can be carried out by processing significantly less data. Therefore, it considers that the detailed productivity data for the last 31 days of each employee is not limited to what is necessary to establish the warehouse's work planning.

109. Regarding the company's argument that not all employees are trained in specific tasks or processes, which would make it necessary to have access to detailed indicators displaying the type of items processed in the past, the restricted panel emphasizes that the information according to which an employee has been trained on a specific task is distinct from the question of processing productivity indicators from the last 31 days, which are not intended to specifically provide such information.

110. Consequently, the restricted panel considers that access to detailed productivity indicators of employees over the last 31 days for work planning purposes constitutes a breach of Article 5.1.c) of the GDPR.

3.2. On the processing implemented for employee evaluation purposes

111. The restricted panel recalls that the purposes covered by the evaluation of employees in the broad sense include the control of working time, weekly evaluation and individual training of employees.

3.2.1. On the specific question of processing idle times in order to control actual work during working time

112. The rapporteur notes that the company processes idle times in order to ensure that employees respect their working time obligations. According to him, these indicators are not necessary for the purposes of monitoring employees' working time. Indeed, he considers that the monitoring of the time spent at work enabled by the clocking system on arrival and departure each day for the control of working hours (system […]) is sufficient for this purpose. In any event, he considers that the processing of this indicator for this purpose is disproportionate.

113. In defense, the company asserts that idle time is necessary for this purpose. In particular, it would make it possible to detect that an employee does not carry out their direct tasks during significant periods and outside of authorized breaks. According to the company, idle time would not be analyzed in real time but over longer periods and would not have the same purpose as the system […]. In its latest written observations, the company distinguishes two objectives, namely, on the one hand, "management of the employee's obligations in terms of respecting working time" (which would be pursued by the processing of idle times) and, on the other hand, that aimed at “monitoring the employee’s working time” (which would be pursued by the system […]).

114. The restricted panel considers that the processing of personal data strictly necessary for the purposes of monitoring the employee's working time and their actual work during these periods constitutes a legitimate interest of the company within the meaning of Article 6.1.f) of the GDPR. Idle time processing effectively contributes to this control to the extent that it makes it possible to identify any interruption of a certain duration in the processing of direct tasks. However, the restricted panel considers that the use of this indicator in this context is disproportionate, since it forces the employee to be able to justify any time considered non-productive and thus amounts to computer monitoring of his interruptions throughout his working day when working on direct tasks. The processing of idle times to monitor compliance with the employee's working time is therefore likely to have negative repercussions on the latter, induced by the pressure that may result from having to constantly justify interruption times for their scanner, even when they are brief.

115. Therefore, the restricted panel considers that the processing of the idle times of each employee for the purposes of monitoring actual work during this working time does not rest on any legal basis, in breach of Article 6 of the GDPR.

3.2.2. On the processing of indicators implemented for weekly performance evaluation purposes and for individual training purposes

116. The indicators whose processing is examined in this subpart are, for each employee:

- raw data and statistical quality and productivity data from the last 31 days;

- data counted in individual weekly performance reports, namely statistical quality and productivity data per week, per day and/or per hour, as well as raw data concerning quality errors;

- idle times recorded each week.

117. The rapporteur notes, on the one hand, that in order to evaluate the employee, the company establishes individual weekly performance reports intended for the employees' hierarchical superiors and containing statistical data on quality and productivity per week, but also per day or per hour, as well as raw data regarding quality errors. In addition, for the purposes of individual training and employee evaluation, the employees' hierarchical superiors can also access and use all of the raw and statistical quality and productivity data of each employee, which are kept for 31 days. However, the rapporteur considers that not all of these data are necessary and that the establishment of quality and productivity statistics per employee, aggregated for example over the week, is sufficient to evaluate the employee, both generally and to determine a possible training need. On the other hand, the rapporteur considers that the processing of idle times, counted each week, is disproportionate both for the purposes of evaluation and individual training of the employee.

118. In defense, the company asserts that the rapporteur's proposal to rely on weekly individual quality and productivity statistics would make reliable evaluations of employees impossible. It maintains that access to the raw details of quality errors and their cause would be necessary, as well as access to productivity data by day and by hour, in order to allow the employee and his hierarchical superior to identify fine variations and to hold discussions on a basis allowing a reliable evaluation. In its latest observations, the company specifies that it also accesses detailed indicators from the last 31 days for employee evaluation purposes, but reaffirms that it does not process idle time for this purpose and that the rapporteur's conclusions on this point must be set aside. Regarding training needs more specifically, the company argues that detailed indicators from the last 31 days are necessary, in particular as they make it possible to follow the learning curve of employees being trained from the start and to decide whether or not the training should continue. After making contradictory statements regarding the processing of idle times for training purposes, the company finally indicated, during the session before the restricted panel, that these indicators were in principle not processed within this framework but could be in particular cases.

119. The restricted panel does not call into question the ability to carry out regular individual assessments, in particular in order to identify possible areas for improvement or training needs, relying on individual data to do so. However, like the rapporteur, it considers unnecessary and, at the very least, disproportionate the retention and use of data as detailed and rich as the raw data reported by scanners and statistical data, including over short periods (one hour) and over a depth of 31 days. In this regard, the restricted panel notes that the company already has individual weekly quality and productivity statistics making it possible to assess, on the one hand, the productivity of an employee, by means of accounting for the total number of articles processed over the week on the different processes (with sub-distinctions, by type of article processed for example) with regard to the time worked and, on the other hand, the quality of their work, via indicators having a high incidence for an employee in a given week. As for the interest alleged by the company in recording the raw details of each quality error to identify its causes, the restricted panel notes that during the session, the company confirmed that it was already establishing individual weekly statistics on the causes of errors reported by the scanners. The restricted panel therefore considers that such statistics are sufficient to identify a possible recurrence in the causes of errors committed by an employee over a week. Therefore, these statistical data are sufficient to make a reliable and objective assessment of the employee's performance over the week.
Likewise, it considers, like the rapporteur, that the identification of training needs can be based on data aggregated over periods of time making it possible to provide a representative overview of the employee's work, for example over a week, and that access to all of the raw and statistical data, quality and productivity, from the last 31 days of each employee is therefore not necessary. Regarding the need invoked by the company to follow the progression curve of an employee, the restricted panel notes that several quality errors of the same type or having the same cause, committed during the previous week on a process by an employee currently training or recently trained on this process, are sufficient to determine whether the training must be continued or completed. It observes that the company has not specified the average duration of the training but considers that, whatever this duration (a few hours, days or weeks), the weekly evaluation is an opportunity to examine whether the practical training has been sufficient. In any case, the restricted panel considers that such a quantity of raw data and indicators is not necessary to monitor the progress of an employee throughout their training period.

120. Finally, the restricted panel notes that idle times are, in fact, processed for employee evaluation purposes since they are counted every week and are sometimes the origin of the sending of awareness letters. Likewise, it considers that given the equivocal explanations provided by the company during the session before the restricted panel regarding the processing of idle times for individual training purposes – the company indicated that it did not process them in principle for this purpose but that they could be for particular cases – there is reason to consider that these indicators are indeed processed in this context. However, first of all, the restricted panel considers that the processing of personal data strictly necessary for the purposes of evaluation and individual training of employees constitutes a legitimate interest of the company. However, the restricted panel notes, on the one hand, that the processing of idle times is not necessary for these purposes, since both carrying out a reliable evaluation of the employee's performance and identifying a possible need for employee training on a poorly controlled process are already made possible by the processing of relevant productivity and quality indicators aggregated over the week, as noted above. On the other hand and in any case, the restricted panel observes that the processing of idle times in this context leads to a computerized inventory of all interruption times of an employee greater than ten minutes on direct tasks and to their accumulation over the week, which thus causes an excessive infringement, in particular, of the employee's right to private and personal life as well as his right to working conditions which respect his health and safety.

121. Therefore, the restricted panel considers that by evaluating its employees on the basis of all the raw data and statistical productivity and quality data from the last 31 days accessed by the supervisors as well as, with regard to the purpose of evaluation, on the basis of the very detailed data contained in the weekly performance reports, the company failed to fulfill its obligations under the principle of minimization of Article 5.1.c) of the GDPR and, in any event, disproportionately infringed on the employee's rights contrary to Article 6 of the GDPR. Furthermore, the processing of idle times for these purposes disproportionately affects the rights and interests of employees and therefore has no legal basis, in breach of Article 6 of the GDPR.

3.3. On the effects of the changes announced by the company regarding the purposes of work planning and employee evaluation

122. The restricted panel recalls that in its latest observations, the company announced the reduction from 31 to 7 days of the past period during which employee productivity and quality data will be accessible to supervisors in the tools. Beyond that, the data will be aggregated over the week, as the company clarified during the session. In addition, the company announced the increase to 30 minutes of the recording threshold of inferred time and the postponement of its appearance in the tools by two hours.

123. The restricted committee recalls that these changes, positive but announced late, are not yet effective on the day of the session and that they do not in any case remedy the shortcomings made in the past.
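A sketch of the change the company announced in paragraphs 102 and 122 (raw data visible for 7 days instead of 31, weekly aggregation beyond that), as an added example that is not part of the decision and is not Amazon's code. The event fields, the aggregation key and the function names are assumptions, and the sample events are constructed.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

RAW_WINDOW = timedelta(days=7)  # announced window (paras. 102 and 122); previously 31 days


@dataclass(frozen=True)
class ScanEvent:
    """One scanner record. Field names are hypothetical, not the real schema."""
    employee_id: str
    ts: datetime
    process: str         # e.g. "stow", "pick", "pack"
    item_type: str       # e.g. "standard", "bulky", "dangerous"
    quality_error: bool


def week_key(ev):
    """Aggregation key: employee, ISO year, ISO week, process, item type."""
    iso = ev.ts.isocalendar()
    return (ev.employee_id, iso[0], iso[1], ev.process, ev.item_type)


def roll_up(raw, weekly, now):
    """Fold events older than RAW_WINDOW into weekly counters and drop them.

    `weekly` maps week_key -> Counter with "units" and "quality_errors".
    It is updated incrementally because an ISO week can straddle the cutoff:
    part of a week may already be folded while the rest is still raw.
    Each event counts as one processed unit (assumption).
    Returns (remaining_raw, weekly).
    """
    cutoff = now - RAW_WINDOW
    remaining = []
    for ev in raw:
        if ev.ts >= cutoff:
            remaining.append(ev)
            continue
        bucket = weekly.setdefault(week_key(ev), Counter())
        bucket["units"] += 1
        bucket["quality_errors"] += int(ev.quality_error)
    return remaining, weekly


def supervisor_view(raw, weekly, employee_id, now):
    """What a supervisor tool may display for one employee.

    The cutoff is applied again at read time, so raw rows older than the
    window stay hidden even when the roll-up job is late or has failed.
    """
    cutoff = now - RAW_WINDOW
    recent = [ev for ev in raw
              if ev.employee_id == employee_id and ev.ts >= cutoff]
    weeks = {k[1:]: dict(v) for k, v in weekly.items() if k[0] == employee_id}
    return {"raw": recent, "weekly": weeks}


def utc(*args):
    return datetime(*args, tzinfo=timezone.utc)


# Constructed sample events (not taken from the decision).
SAMPLE = [
    ScanEvent("E1", utc(2024, 1, 10, 9, 0, 0), "stow", "standard", False),
    ScanEvent("E1", utc(2024, 1, 10, 9, 0, 5), "stow", "standard", True),
    ScanEvent("E1", utc(2024, 1, 16, 10, 0), "stow", "dangerous", False),
    ScanEvent("E1", utc(2024, 1, 18, 10, 0), "stow", "dangerous", False),
    ScanEvent("E2", utc(2024, 1, 23, 14, 0), "pick", "standard", False),
]

if __name__ == "__main__":
    now = utc(2024, 1, 24, 12, 0)
    raw, weekly = roll_up(SAMPLE, {}, now)
    print(len(raw), "raw events kept")
    for key, counts in sorted(weekly.items()):
        print(key, dict(counts))
    print(supervisor_view(raw, weekly, "E1", now))
```

The weekly counters keep the kind of information paragraph 108 describes (how often an employee processed a given type of article) without the per-scan timestamps.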

4. On the disproportionate nature of the retention of all personal data relating to "direct tasks" carried out by employees over 31 days, with regard to all the purposes pursued

124. The indicators whose processing is examined in this subpart are, for each employee:

- raw data and statistical quality and productivity data from the last 31 days;

- idle times recorded each week.

125. After examining the different uses that are made of employees' personal data, the restricted panel considers it appropriate, as invited by the rapporteur, to consider globally the fact that the company permanently retains a considerable mass of personal data on its employees, for the various purposes mentioned.

126. The restricted panel recalls that the company keeps, for each employee, all the raw data and indicators corresponding to the direct tasks detected by the scanners, over a period of 31 days. Furthermore, all the purposes put forward by the company correspond, abstractly, to its legitimate interests. However, it follows from what has been explained above that the restricted panel considers that such a mass of data, as precise and detailing each action (and inaction) of employees for direct tasks carried out during 31 days, is not necessary to achieve the various purposes, whether planning work in warehouses or evaluating employee performance. Likewise, for the real-time management of object storage, inventory management and order shipping processes, it does not appear necessary to keep such a mass of data over the previous 31 days to take the decisions allowing the operational management of the warehouse and the resolution of possible difficulties.

127. Furthermore, the retention of such a mass of data on warehouse employees is particularly intrusive. As the rapporteur notes, the company's IT tools allow hierarchical superiors to consult all of the detailed activity and performance data collected and kept for each employee, including details of working time within the same process, with a depth of 31 days.

128. Next, the restricted panel notes that according to the company, the data processing in question only concerns the execution of direct tasks and indirect tasks represent 43% of the tasks carried out in the warehouses. Assuming this figure is correct - it does not emerge from the documents in the file - it is clear that the company stores data relating to a considerable number of actions carried out by warehouse employees during their working hours. In addition, the restricted panel emphasizes that, without being of the same nature as that of direct tasks, monitoring of indirect tasks is also possible using data reported from the scanners. In particular, like the time spent on a direct task, the time spent on an indirect task is counted in the working time tracking tool and is included there. This allows the supervisor who consults the activity monitoring tools to know the exact moment and for what duration an employee worked on indirect tasks.

129. Finally, the restricted panel notes that this processing exceeds the reasonable expectations of employees, since while they can expect a certain monitoring of their daily tasks in order to ensure smooth management of the warehouse, they cannot, on the other hand, expect to see all of their actions recorded in IT tools and consultable in their smallest details over a depth of the last 31 days, whether to follow inventory and orders, their working time, decide on coaching or reassignment, train or evaluate them.

130. In view of all of these elements, the restricted panel considers that the retention of and access to such a quantity of data per employee over the last 31 days constitutes a form of disproportionate computer surveillance of employees, which appears excessive with regard to the economic and commercial interests pursued by the company through this processing. Indeed, the restricted panel considers that such processing constitutes a disproportionate attack on the protection of the private and personal lives of employees as well as their right to working conditions which respect their health and safety.

131. In conclusion, while the restricted panel does not call into question, except for three of the indicators, the collection and use of real-time data for the daily and operational management of Amazon's inventories and deliveries, it generally considers unnecessary and disproportionate the fact of retaining all of this data for 31 days, since, according to its previously developed analysis, this retention did not prove necessary with regard to any of the purposes put forward by the company. These processing operations are carried out in disregard of Articles 5.1.c) and 6 of the GDPR, since they ignore the principle of minimization and exceed what is authorized by the pursuit of the legitimate interests of the company. The restricted panel specifies that it does not find a separate breach here, but draws general conclusions from its purpose-by-purpose analysis of the processing.

5. On the failure to comply with the obligation to inform temporary workers

132. Under Article 12 of the GDPR, “the data controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 […] regarding the processing to the data subject in a concise, transparent, understandable and easily accessible manner”.

133. Article 13 of the GDPR also provides that the data controller provides the person concerned by the processing, at the time when personal data is obtained from them, several pieces of information listed in the same article. The Regulation does not prescribe the form in which this information must be provided. In practice, this information is generally grouped together in a confidentiality policy.

134. The rapporteur notes that, in the context of discussions following the on-site inspections, the company indicated to the delegation that its confidentiality policy applicable to human resources was available to temporary workers on the intranet. The rapporteur considers that temporary workers were not correctly informed of the processing carried out on them using the scanners since they were not directly given said policy and were not invited to read it in any way either. However, he notes that, since April 2020, the company has ensured that temporary workers are informed, by requiring temporary agencies to provide an additional confidentiality policy relating to performance indicators against acknowledgment of receipt.

135. In defense, the company contests the breach. It argues in particular that the provision of information to temporary workers via the intranet was sufficient and that the CNIL itself recommends the use of the intranet as a valid means of communication. In any case, the company emphasizes that it now documents the communication of information to temporary workers and considers that, assuming the breach has been established, the restricted panel should distinguish the amount of the fine attributed to this breach from the total amount and reduce it to take into account the improvements adopted.

136. The restricted panel recalls that the provision to the persons concerned by the data controller of the information provided for in Article 13 of the GDPR must be made at the latest at the time when their personal data are collected, in a form which is accessible. However, as noted by the rapporteur, until April 2020, in a context where temporary workers were not provided with the confidentiality policy applicable to human resources and were not invited to read it on the intranet, the mere provision of this document on the company's intranet did not make it possible to satisfy these obligations by ensuring, in particular, that each temporary worker had been given the opportunity to read this document prior to the collection of personal data.

137. The restricted panel observes that temporary workers are in an identical situation to that of employees with regard to the processing carried out on them using scanners and must be informed thereof. Regarding the argument according to which the CNIL itself recommends the intranet as a valid means of communication, the restricted panel notes that the CNIL recommends that the information be provided "according to the most appropriate methods depending on the organization and operation of the company". In this case, it considers that information on the intranet intended for employees working daily in warehouses and not intended to work in an office on a computer, without any incentive to go there, does not constitute a satisfactory method of information.

138. Therefore, the restricted panel considers that a breach of Articles 12 and 13 of the GDPR has occurred for the period prior to April 2020.

F. On the breaches relating to video surveillance processing

1. On the failure to comply with the obligation to inform individuals

139. Under Article 13 of the GDPR, the data controller must provide the data subject with certain information at the latest when the data is obtained directly from them. Among this information, Article 13.1 of the GDPR provides that “the contact details of the data protection officer” must be provided. Furthermore, under Article 13.2 of the GDPR, where necessary to ensure fair and transparent processing, "the duration of data retention" and "the right to lodge a complaint with a supervisory authority" must also be provided.

140. The rapporteur notes that at the date of the inspections (in November 2019), the information panels relating to the implementation of video surveillance devices, displayed in the Lauwin-Planque and Montélimar warehouses to inform employees and potential visitors, did not indicate the contact details of the data protection officer, nor the duration of data retention, nor the right to lodge a complaint with the CNIL. It further notes that the missing information was not provided in any other medium or document.

141. In defense, the company denies having been in violation on the date of the inspections. It argues that several documents contained information relating to video surveillance processing and that the signs displayed in its warehouses complied with the recommendations of the CNIL at the time. It relies in particular on a press release from the CNIL dated 2015 (and available on June 12, 2018 on its website) and the fact that the EDPS guidelines on video surveillance were only adopted in January 2020, i.e. after the inspections. It specifies that since the adoption of the EDPS Guidelines, the information panels and the information notice have been updated in accordance with the aforementioned guidelines. In any case, it indicates that it brought its information panels into compliance during the procedure.

142. The restricted panel notes that at the date of the inspections, i.e. November 2019, the GDPR had been applicable for a year and a half and that its Article 13 set out the information that must be provided to the persons concerned at the time of collection of their personal data. It notes that the guidelines on transparency within the meaning of Regulation (EU) 2016/679, adopted on 29 November 2017 by the G29, which provided for the possibility of a multi-level approach for the provision of the mandatory information of Article 13 of the GDPR, already underlined the equal importance of these items of information and the fact that they must be provided to the data subject. The CNIL communicated about these guidelines on July 16, 2019, emphasizing that “Prioritizing does not mean transmitting incomplete information to the people concerned: it is about highlighting essential information and offering simple and immediate access to other information" (https://www.cnil.fr/fr/conformite-rgpd-information-des-personnel-et-transparence). In terms of video surveillance, it is in fact usual that the information panels, to remain concise and understandable, only include the main information on the processing, but this is on condition that they refer to the documents containing the additional mandatory information.

143. The restricted panel notes that the CNIL press release dated 2015 had not yet been updated less than three weeks after the entry into force of the GDPR. Regarding the EDPS guidelines on video surveillance, these have certainly formalized the possibility of providing the mandatory information of Article 13 of the GDPR in two stages. However, their aim was not to set new obligations in this area but to enlighten stakeholders on how to apply the GDPR in the context of video surveillance processing. Consequently, the company cannot be exonerated from its liability.

144. In this case, the restricted panel notes, as the rapporteur has pointed out, that several pieces of information required by Article 13 of the GDPR, such as the indication of the duration of data retention, the right to make a complaint to the CNIL and the contact details of the data protection officer, were not provided by the company either on the panels themselves, or on any other medium or document. First of all, it notes that the confidentiality policy applicable to human resources was limited to mentioning the existence of video surveillance processing involving the processing of security data and images. The internal regulations, posted within the warehouse concerned, indicated, in a section devoted to "entries and exits" from the site, that "employees must submit to entry and exit control measures" from the site, including video surveillance. Finally, the welcome booklet was limited to informing the employee of the existence of a video surveillance system for their own security and that of property, and of the fact that each exit is subject to control. Furthermore, the restricted panel noted that it did not appear from any of the elements in the file that information additional to the information panels was provided, or made available, to external visitors. As for the video surveillance installation guide, mentioned by the company in its observations, the restricted panel observes that the content of this document, written in English, relates to the internal procedure for installing and using video surveillance and that it is clearly not intended for employees.

145. Therefore, the restricted panel considers that the company failed in its obligation to provide the contact details of the data protection officer, in breach of Article 13.1 of the GDPR. In addition, the company also breached Article 13.2 of the same regulation by not informing the persons concerned of the duration of data retention and their right to lodge a complaint with the CNIL, information which was however necessary to guarantee fair and transparent processing, with regard to processing leading to the permanent filming of employees in their workplace.

146. The restricted panel notes that in the context of this procedure, the company has justified having taken measures to comply with Article 13 of the GDPR, which does not call into question the fact that the breach is constituted for the past.

2. On breaches of the obligation to ensure the security of personal data

147. Under the terms of Article 32 of the GDPR, “1. Taking into account the state of knowledge, the costs of implementation and the nature, scope, context and purposes of the processing as well as the risks, the degree of probability and severity of which varies, for the rights and freedoms of natural persons, the controller and the processor implement appropriate technical and organizational measures in order to guarantee a level of security appropriate to the risk, including, among other things, as needed:

(a) pseudonymization and encryption of personal data;

(b) means to ensure the continued confidentiality, integrity, availability and resilience of processing systems and services; […]".

148. The rapporteur notes, on the one hand, that the access account to the video surveillance software which manages two thirds of the cameras installed on the Montélimar site was common to all people authorized to access video surveillance images and, on the other hand, that the password associated with this account consisted of twelve characters, comprising only lowercase letters and numbers and that it was therefore insufficiently robust.

149. In defense, the company does not contest the breach. However, it argues that it is the result of isolated bad practices, which it attributes to the software supplier. Concerning in particular the sharing of accounts, the company maintains in its latest observations that it would fall under one of the exceptional situations in which sharing would be authorized by the CNIL and the National Information Systems Security Agency (“ANSSI”), namely one in which its supplier misconfigured the software and made sharing inevitable. Regarding the software access password, it adds that its insufficient robustness would have been compensated for by other measures, such as prior Windows authentication to access the video surveillance software.

150. The restricted panel recalls that it follows from the provisions of Article 32 of the GDPR that the data controller is required to ensure that the automated data processing that it implements is sufficiently secure. The sufficiency of security measures is assessed, on the one hand, with regard to the characteristics of the processing and the risks it induces, and on the other hand, taking into account the state of knowledge and the cost of the measures.

151. Firstly, with regard to the sharing of accounts, the restricted panel recalls that the prohibition of shared accounts is among the essential precautions in order to guarantee effective traceability of access and actions carried out in an information system. The restricted panel also recalls, for clarification, that the CNIL was already specifying good practices in this area at the time of the controls. Thus, in the 2018 edition of its guide relating to the security of personal data, the CNIL noted, under the basic precautions to be taken for user authentication purposes, the fact of "Defining a unique identifier per user and prohibiting accounts shared between several users" (https://www.cnil.fr/sites/cnil/files/atoms/files/cnil_guide_securite_personnelle.pdf). This requirement was recalled at several stages of the guide, in particular in the sections relating to how to guarantee proper management of authorizations and securing servers.

152. In this case, such a lack of traceability of access makes it much more difficult to account for an action on the computer system and complicates the investigation work in the event of fraudulent access, deterioration or deletion of images. Regarding the company's argument relating to the inevitability of sharing, the restricted panel notes that this sharing is not a technical impossibility but a software configuration problem and that it was up to the company to have this modified by the supplier.

153. It follows that these facts constitute a breach of Article 32 of the GDPR.

154. Secondly, with regard to the password for access to video surveillance software, the restricted panel considers that overly permissive password complexity rules, which authorize the use of insufficiently robust passwords, can lead to attacks by unauthorized third parties, such as "brute force" or "dictionary" attacks, which consist of successively and systematically testing numerous passwords and thus lead to a compromise of associated accounts and the personal data they contain.

155. The restricted panel notes, in this regard, that the need for a strong password is recommended both by ANSSI and by the Commission in its deliberation No. 2017-012 of January 19, 2017, a requirement confirmed in its deliberation No. 2022-100 of July 21, 2022. In particular, it recalls that in deliberation No. 2017-012, the CNIL recommended, in the absence of blocking measures, that the password be composed of at least twelve characters and contain four sets of characters (lowercase, uppercase, numbers and special characters). When a measure to restrict access to the account was planned, the CNIL recommended that the password be composed of at least eight characters and include three of the four series of characters mentioned above.

156. The restricted panel emphasizes that it has, for several years, adopted financial sanctions where the characterization of a breach of Article 32 of the GDPR is the result of insufficient measures to guarantee the security of the data processed. Deliberations No. SAN-2019-006 of June 13, 2019, No. SAN-2019-007 of July 18, 2019 and No. SAN-2022-018 of September 8, 2022 target in particular the insufficient robustness of passwords.

157. In the present case, the restricted panel considers that, to the extent that the password for access to the video surveillance software only contains two series of characters and no additional security measure, such as a time delay for access to the account after several failures, is implemented, it does not ensure a sufficient level of security and confidentiality of video surveillance images.
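The thresholds recalled in paragraphs 155 and 157, written as a checker. This is an added example, not part of the decision; the sample passwords are constructed, and the size assumed for the special-character set (32 printable ASCII punctuation marks) is an assumption used only for the search-space estimate.

```python
import math
from dataclasses import dataclass, field

# Rules as recalled in paragraph 155 (CNIL deliberation No. 2017-012):
# (minimum length, minimum number of character classes)
RULE_NO_RESTRICTION = (12, 4)    # no blocking measure on the account
RULE_WITH_RESTRICTION = (8, 3)   # an access-restriction measure is in place

# Alphabet size per class, used only for the search-space estimate.
# ASSUMPTION: "special" is taken as the 32 printable ASCII punctuation marks.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": 32}


def char_classes(password: str) -> set:
    """Return which of the four character classes occur in the password."""
    found = set()
    for ch in password:
        if ch.islower():
            found.add("lower")
        elif ch.isupper():
            found.add("upper")
        elif ch.isdigit():
            found.add("digit")
        else:
            found.add("special")  # anything else, whitespace included
    return found


@dataclass
class Verdict:
    compliant: bool
    reasons: list = field(default_factory=list)


def check_password(password: str, access_restriction: bool) -> Verdict:
    """Apply the paragraph 155 thresholds for the given account setup."""
    min_len, min_classes = (RULE_WITH_RESTRICTION if access_restriction
                            else RULE_NO_RESTRICTION)
    reasons = []
    if len(password) < min_len:
        reasons.append(f"length {len(password)} < {min_len}")
    n = len(char_classes(password))
    if n < min_classes:
        reasons.append(f"{n} character classes < {min_classes}")
    return Verdict(not reasons, reasons)


def search_space_bits(password: str) -> float:
    """log2 of the candidates an exhaustive search over the used classes covers."""
    alphabet = sum(CLASS_SIZES[c] for c in char_classes(password))
    return len(password) * math.log2(alphabet) if password else 0.0


# Constructed samples (not real credentials).
AS_FOUND = "camera2019ab"       # 12 chars, lowercase + digits, as in paragraph 148
FOUR_CLASSES = "Camera-2019ab"  # 13 chars, all four classes

if __name__ == "__main__":
    for pw in (AS_FOUND, FOUR_CLASSES):
        for restricted in (False, True):
            v = check_password(pw, restricted)
            print(pw, "restriction" if restricted else "no restriction",
                  "OK" if v.compliant else v.reasons,
                  f"{search_space_bits(pw):.1f} bits")
```

A password of the shape described in paragraph 148 fails under both rules, because two character classes fall short of the three required even when an access restriction exists.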

158. Finally, the restricted panel notes that, contrary to what the company argues, the authentication of authorized people on an individual Windows account prior to their connection to the video surveillance software was not sufficient to compensate for the vulnerabilities resulting from access to this software from a shared account and using an insufficiently strong password. In this regard, the restricted panel notes that the video surveillance software is accessible from seven computers and that twenty-two people are authorized to access it. It therefore considers that the sharing of the password for access to the software, which was still insufficiently robust, between all these people, increased the risk of its compromise and altered the traceability of access to the images of the video device. Indeed, the fact that all users of the device are identified by means of the same identifier makes the accountability of actions in the software of little or no use. Therefore, prior authentication using a Windows account was not likely to mitigate the risks resulting from the combination of security deficiencies linked to the sharing of the access account to the video surveillance software and the use of a password that is too weak to connect to this shared account, accessible to many people and from several computers.

159. Consequently, the restricted panel considers that these facts also constitute a breach of the obligations arising from Article 32 of the GDPR.

160. It notes that in the context of this procedure, the company has justified having taken measures to comply with the obligations of Article 32 of the GDPR, which cannot, however, exempt it from its responsibility for the past.

III. On the corrective measure and its publicity

161. Under the terms of III of article 20 of the law of January 6, 1978 as amended:

"When the data controller or its subcontractor does not comply with the obligations resulting from Regulation (EU) 2016/679 of April 27, 2016 or from this law, the president of the National Commission for Informatics and Liberties may also, if necessary after having sent him the warning provided for in I of this article or, where applicable in addition to a formal notice provided for in II, refer the matter to the restricted formation of the commission with a view to the pronouncement, after adversarial proceedings, of one or more of the following measures: […] 7° With the exception of cases where the processing is implemented by the State, an administrative fine not exceeding 10 million euros or, in the case of a company, 2% of the total global annual turnover of the previous financial year, whichever is higher. In the hypotheses mentioned in 5 and 6 of Article 83 of Regulation (EU) 2016/679 of April 27, 2016, these ceilings are increased, respectively, to 20 million euros and 4% of said turnover. The restricted panel takes into account, in determining the amount of the fine, the criteria specified in the same article 83."

162. Article 83 of the GDPR provides that “Each supervisory authority shall ensure that administrative fines imposed under this article for violations of this Regulation referred to in paragraphs 4, 5 and 6 are, in each case, effective, proportionate and dissuasive", before specifying the elements to be taken into account when deciding whether to impose an administrative fine and when deciding the amount of this fine.

A. On the imposition of an administrative fine and its amount

163. The rapporteur proposes imposing a public fine against the company. He considers that it is appropriate to determine the maximum amount of fine by reference to the turnover of the company in the sense of economic unit formed by the company and Amazon.com Inc.

164. In defense, the company maintains that the proposed fine is illegal. Arguing that it is the only data controller identified in this case, it considers that the amount of the fine must be determined on the basis of its turnover and not on that of Amazon.com Inc., to the extent that the breaches were not previously attributed to the economic unit it forms with Amazon.com Inc. In any event, the company argues that the proposed fine is disproportionate in relation to the alleged breaches as well as its conduct, since it considers that it has fully cooperated with the services of the CNIL and adopted compliance measures.

165. The restricted panel firstly recalls that it must take into account, in deciding whether to impose an administrative fine, the criteria specified in Article 83 of the GDPR.

166. Firstly, the restricted panel emphasizes that it is appropriate, in this case, to apply the criterion provided for in subparagraph a) of Article 83(2) of the GDPR relating to the seriousness of the breaches noted in connection with data processing implemented for the purposes of monitoring activity and evaluating employee performance, taking into account the scope of the processing and the number of people affected by it.

167. The restricted panel considers that the processing of employee data for the purposes of activity monitoring and performance evaluation is so precise that it causes a change of scale compared to conventional activity monitoring methods. It considers that this processing, which allows extremely precise control of employees, for each action carried out on direct tasks, keeps employees under constant surveillance for all tasks carried out with scanners and thus creates permanent pressure.

168. Breaches of the principles of minimization and the obligation to have a legal basis therefore result in almost continuous and massive processing of indicators relating to all direct tasks and the performance of employees, which results in a disproportionate computer surveillance of their activity. The restricted panel recalls that this processing makes it possible to evaluate the employee working on direct tasks by means of detailed consultation of the data in the tools, in order to maintain a certain pace and quality of their activity. It emphasizes that awareness letters can be sent following only one or two quality errors, observed over a week, or a drop in productivity in certain cases of less than 10% and notes that on certain positions, an “underperformance” observed over a single day may give rise to the implementation of coaching. Therefore, it considers that this processing of personal data induces disproportionate pressure on workers, disproportionately affecting their rights and freedoms with regard to the economic and commercial objectives of the company.

169. Concerning the failure to comply with the obligation to inform temporary workers (until April 2020), the restricted panel notes that it is also particularly serious, insofar as the company did not ensure that temporary workers, who often find themselves in precarious professional situations, were able to read information relating to the data processing carried out on them by means of scanners.

170. Secondly, the restricted panel considers that the company demonstrated serious negligence with regard to fundamental principles of the GDPR since the breaches relate to the principle of data minimization, the obligation to have a legal basis, the obligation to inform data subjects of the processing of their personal data. With regard specifically to video surveillance processing, the restricted panel considers that the breach of security resulting from the sharing of the access account to the video surveillance software and the insufficient robustness of the password for access to this account testifies to a certain negligence in the implementation of elementary principles of the GDPR intended to ensure the security of the personal data processed.

171. Thirdly, the restricted panel notes the large number of employees affected by the breaches: at the date of the inspections, the Lauwin-Planque and Montélimar sites had a total of 2,714 employees on permanent contracts and around 3,000 temporary workers at that date. While the breaches relating to video surveillance only concern these controlled sites, the restricted panel considers that it appears from the documents in the file, and is not contested by the company, that the systems for the excessive processing of its employees' data were implemented on all of the company's six sites in France, which had 6,200 employees on permanent contracts at the time of the inspections, it being noted that the company used a total of 21,000 temporary workers in 2019.

172. Fourthly, the restricted panel emphasizes that the company has adopted partial compliance measures. Regarding the failure to inform temporary workers, it notes that since April 2020, temporary workers have been informed of the processing of their data implemented using scanners. With regard to video surveillance processing, the restricted panel takes note of the company's compliance during the procedure, resulting from information panels that are now complete and the camera migration plan for the Montélimar warehouse, which has made it possible to remedy the problems of sharing access accounts to the old software and the insufficient robustness of the access password.

173. The restricted panel also observes that in its latest observations, the company announced significant changes relating to the processing of its employees' data using scanners. The company stressed that it believes that it is not legally bound by these changes and that it is implementing them to take into account the rapporteur's recommendations. The restricted panel notes that the changes made in fact respond to several of the rapporteur's grievances. It also notes that these measures will only be finalized during the first quarter of 2024.

174. Consequently, the restricted panel considers that it is appropriate to impose an administrative fine with regard to the breaches constituted in articles 5-1-c), 6, 12, 13 and 32 of the GDPR.

175. In this regard, the restricted panel notes that the breaches relating to articles 5-1-c), 6, 12 and 13 of the GDPR are breaches of fundamental principles of the GDPR, likely to be subject to, by virtue of Article 83 of the GDPR, an administrative fine of up to 20,000,000 euros and up to 4% of the total annual worldwide turnover achieved by the company during the previous financial year, the highest amount being retained. The company is defined as the economic unit, pursuing a specific economic goal, to which the data controller belongs, regardless of the legal status of this unit.

176. First of all, the restricted panel considers that the economic unit to be taken into account with regard to the activity linked to the processing in question is in this case the company AFL.

177. The restricted panel then recalls that administrative fines must be effective, proportionate and dissuasive. It notes that the company AFL achieved, in 2021, a turnover of 1.135 billion euros, for a net profit of 58.9 million euros.

178. The restricted panel considers that the pressure exerted on warehouse employees via this processing directly contributes to the economic gains generated for the benefit of the company and allows it to benefit from a competitive advantage over other companies in the online sales sector. Therefore, and in view of all the above considerations, the restricted panel considers that a fine of 32,000,000 euros (thirty-two million euros), equivalent to almost 3% of the turnover achieved in 2021 by the company, appears justified.

B. On publicity

179. In defense, the company contests the rapporteur's proposal to make this decision public. It argues that the decision would contain business secrets, in particular detailed information concerning the tools it uses and their operation as well as the way in which it manages its relations with its employees. To justify this request for publicity, the rapporteur cites in particular the importance of informing the people concerned of the nature of the failings committed by the company.

180. The restricted panel considers that the publicity of this deliberation is justified in view of the seriousness of the breaches in question, the number and the vulnerability of the people concerned. The restricted panel also considers that the publicity of the sanction will make it possible to inform all the people concerned of the consequences of the breaches, but also to inform more broadly any person likely to work in one of the warehouses of the company's practices, as well as of the rights they have with regard to their personal data in this context. Finally, with regard to the argument linked to the disclosure of business secrets, the restricted panel notes that numerous press articles have already been published on the data processing implemented by the company with regard to its employees and recalls in any case that information relating to business secrets is redacted from the decisions published by the restricted panel.

181. Finally, the measure is proportionate since the decision will no longer identify the company by name at the end of a period of two years from its publication.

FOR THESE REASONS

The restricted formation of the CNIL, after having deliberated, decides to:

• impose against the company AMAZON FRANCE LOGISTIQUE an administrative fine in the amount of thirty-two million euros (32,000,000 euros) for breaches of articles 5-1-c), 6, 12, 13 and 32 of Regulation (EU) No. 2016/679 of April 27, 2016 relating to data protection;

• make public, on the CNIL website and on the Légifrance website, its deliberation, which will no longer identify the company by name at the end of a period of two years from its publication.

President

Alexandre LINDEN

This decision may be the subject of an appeal before the Council of State within two months of its notification.