CNIL (France) - MED-2019-025

From GDPRhub
Revision as of 17:55, 15 January 2020 by Juliette Leportois
CNIL - MED-2019-027
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 5(1)(c) GDPR; Article 13 GDPR; Article 30(1) GDPR; Article 32 GDPR

Type: Investigation
Outcome: Violation found
Decided: n/a
Published: 5.12.2019

Fine: None
Parties: BOUTIQUE.AERO
National Case Number: MED-2019-027
European Case Law Identifier: n/a
Appeal: Conseil d'Etat
Original Language: French

Original Source: CNIL (in FR)

The CNIL issued an order against BOUTIQUE.AERO for excessive video surveillance of employees.

English Summary

Facts and questions arising

In July 2018, the south-west DIRECCTE (regional office for undertakings, competition and consumers) warned the CNIL that cameras of the undertaking BOUTIQUE.AERO, the data controller, were constantly scanning the workstations of certain employees. Following this warning, the CNIL carried out investigations.

Holding

The CNIL found that the surveillance cameras were recording personal data that were not adequate, relevant and limited to what is necessary. Thus, the data controller violated Article 5(1)(c) GDPR. It also found that no information had been given to the data subjects regarding the collection of their personal data and the storage limitation period. Thus, the data controller violated Article 13 GDPR. In addition, the CNIL stated that the IT service provider responsible for camera maintenance could be qualified as a data processor. However, the contract between the data processor and the data controller did not include any measure providing sufficient guarantees regarding the security of the processing. Also, the personal data recorded by the cameras and consulted through the data controller's management software were unencrypted and easily accessible. Therefore, the data controller violated both Articles 28 and 32 GDPR. Finally, the data controller did not comply with the obligation to create a record of processing activities, as required by Article 30(1) GDPR.

As a consequence, the CNIL addressed a formal notice to the data controller and gave it a two-month period to comply with the GDPR.


English Machine Translation of the Decision

The decision below is a machine translation of the original. Please refer to the French original for more details.

The decision's page is under reconstruction and not available yet.