
CNIL (France) - SAN-2024-021

From GDPRhub
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 5(1)(c) GDPR
Article 6(1) GDPR
Article 12 GDPR
Article 13 GDPR
Article 32 GDPR
Article 35 GDPR
Type: Investigation
Outcome: Violation Found
Started: 17.10.2022
Decided: 19.12.2024
Published: 04.02.2025
Fine: 40,000 EUR
Parties: n/a
National Case Number/Name: SAN-2024-021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: Légifrance (in FR)
Initial Contributor: ao

The DPA fined an employer €40,000 for the excessive surveillance of employees through software that recorded presumed periods of inactivity and took regular screenshots of their computer screens. Additionally, employees were continuously recorded by video and audio.

English Summary

Facts

In 2022, the French DPA (Commission nationale de l’informatique et des libertés – CNIL) received complaints, filed by employees, about the operators of a real-estate company (the controller). The complaints related to monitoring procedures implemented by the company. Because the complaints lacked concrete evidence of violations of the GDPR, the CNIL started an investigation.

Investigation

The CNIL found that the company was continuously recording its employees, capturing both image and sound via two cameras which monitored not only the workspace but also recreational spaces. The live footage could be viewed via a mobile phone app on the supervisor’s phone. The controller had put up a sign with a camera pictogram and the words “video-monitored space” on one of the doors. No other information had been supplied to employees.

The controller also deployed software used when employees worked from home. This software counted working hours and flagged inactivity periods: the system registered inactivity whenever an employee had not pressed a key or used the mouse for more than 3 to 15 minutes. These inactivity periods were logged, and if employees failed to compensate for the “time lost”, they were subject to pay deductions.

Additionally, the software recorded whether employees visited “productive” or “unproductive” websites, which were determined as such by the controller. Every 3 to 15 minutes, the software took screenshots of the employees’ screens.

The controller allowed shared access to the administrator account of the software, meaning that it was impossible to track who had used the admin account. The admin account had extensive viewing rights and could therefore access large amounts of personal data.

Controller arguments

The controller argued that employees could instead track their working time manually without any negative consequences. It explained that it had orally informed the employees of how the software worked. Further, it stated that it had only used the software for two and a half months and then uninstalled it.

Holding

Recordings

The CNIL held that the continuous nature of the recordings and the capture of sound were unjustified. It therefore found a violation of Article 5(1)(c) GDPR.

Lack of information

Beyond that, the CNIL found that the controller had not adequately informed its employees of the video surveillance, for example because the sign contained no further information on the purpose or storage of the recordings. The CNIL here found violations of Articles 12 and 13 GDPR.

A violation of Article 12 GDPR also applied to the insufficient information provided orally to employees about the software and its monitoring functions.

“Inactivity” monitoring and screenshots

The CNIL found that the registration of alleged inactivity periods did not reflect actual working time. Therefore, the CNIL held that the controller could not rely on a legal basis for this data processing. Further, the CNIL found that the practice of regular screenshots constituted particularly intrusive monitoring, as sensitive personal information could be captured. Therefore, the CNIL found a violation of Article 6 GDPR.

Administrator account

The CNIL found that the shared access to the administrator account made it a prime target for ransomware attacks and that the controller should have prevented this. Therefore, the CNIL found a violation of Article 32 GDPR.

Data Protection Impact Assessment

The continuous monitoring of employees presented a high risk to their rights and freedoms, which obliged the controller to carry out a DPIA before using the software. The CNIL therefore found a violation of Article 35 GDPR.

Fine

The CNIL took into account the relatively small size and the annual turnover of the company in setting the fine. The fine was set at €40,000.

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.