CNIL (France) - MED-2019-025

From GDPRhub
Revision as of 16:45, 20 January 2020
CNIL - MED-2019-027
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 5(1)(c) GDPR; Article 13 GDPR; Article 30(1) GDPR; Article 32 GDPR

Type: Investigation
Outcome: Violation found
Decided: n/a
Published: 5.12.2019

Fine: None
Parties: BOUTIQUE.AERO
National Case Number: MED-2019-027
European Case Law Identifier: n/a
Appeal: Conseil d'Etat
Original Language: French

Original Source: CNIL (in FR)

The CNIL issued an order against BOUTIQUE.AERO for the excessive video surveillance of its employees.

English Summary

Facts and questions arising

In July 2018, the south-west DIRECCTE (regional office for undertakings, competition and consumers) warned the CNIL that cameras of the company BOUTIQUE.AERO (the data controller) were constantly scanning the workstations of certain employees. Following this warning, the CNIL carried out investigations.

Holding

The CNIL found that the surveillance cameras were recording personal data which were not adequate, relevant and limited to what was necessary. Thus, the data controller violated Article 5(1)(c) GDPR. The French DPA also found that no information had been given to the data subjects regarding the collection of their personal data and the storage limitation periods. Thus, the CNIL determined that the data controller had violated Article 13 GDPR. In addition, the CNIL stated that the IT service provider for camera maintenance could be qualified as a data processor. However, the contract between the data processor and the data controller did not include any measure providing sufficient guarantees regarding the security of the processing. Also, the personal data recorded by the cameras and consulted through the data controller's management software were not encrypted and were easily accessible. Therefore, the data controller violated both Articles 28 and 32 GDPR. Finally, the CNIL decided that the data controller did not comply with the obligation to create a record of processing activities, as required by Article 30(1) GDPR.

As a consequence, the CNIL addressed a formal notice to the data controller and gave it a two-month period to comply with the GDPR.

English Machine Translation of the Decision

The decision below is a machine translation of the original. Please refer to the French original for more details.

The decision's page is under reconstruction and not available yet.