CNIL - MED-2019-025

From GDPRhub
CNIL - MED-2019-025
LogoFR.png
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 5(1)(c) GDPR

Article 13 GDPR

Article 30(1) GDPR

Article 32 GDPR

First Decision type: Investigation
Outcome: Violation found
Decided: 5.11.2019
Published: 10.12.2019
Fine: None
Parties: BOUTIQUE.AERO
National Case Number: MED-2019-025
European Case Law Identifier: n/a
Follow-up with termination decision: Yes
Outcome: Compliance
Decided: 9. 4.2020
Published: 9. 4.2020
Original Language:

French

Original Source: first CNIL's order (in FR)and CNIL's termination decision (in FR)

The Commission Nationale de l'Informatique et des Libertés (CNIL) followed the measures implemented by BOUTIQUE.AERO to prevent the excessive video surveillance of its employees and found that the controller was compliant with the GDPR. The CNIL closed the case.

English Summary[edit | edit source]

Facts and questions arising[edit | edit source]

In July 2018, the southern-west DIRECCTE (regional office for undertakings, competition and consumers) warned the CNIL that cameras of the company BOUTIQUE.AERO – the data controller - were constantly scanning the workstations of certain employees. Following this warning, the CNIL carried out some investigations.

Holding[edit | edit source]

The CNIL found that the surveillance cameras were recording personal data which were not adequate, relevant nor limited to what it was necessary. Thus, the data controller violated Article 5(1)(c) GPDR. The French DPA found as well that no information had been given to the data subjects regarding the collection of their personal data and the storage limitation periods. Thus, the CNIL determined that the data controller had violated Article 13 GDPR. In addition, the CNIL stated that the IT service provider for cameras maintenance could be qualified as a data processor. However, the contract between the data processor and the data controller did not include any measure providing for sufficient guarantees regarding the security of the processing. Also, the personal data recorded by the cameras and consulted through the data controller ‘s management software were not encrypted and were easily accessible. Therefore, the data controller violated both Articles 28 and 32 GDPR. Finally, the CNIL decided that the data controller did not comply with the obligation to create a record of processing activities, as required by Article 30(1) GDPR.

As a consequence, the CNIL addressed a formal notice to the data controller and let a two-months period to comply with the GDPR.

Termination of the case after the two months period[edit | edit source]

The controller had two months to comply with Articles 5(1)(c), 13, 28, 30(1) and 32 GDPR. In its latest order, the CNIL hold that keeping a register of processing activities, informing employees about the video-surveillance system and concluding a contract with your subcontractors was enough to comply with the aforementioned GDPR Articles.

As a consequence, the CNIL issued a termination decision.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the first order[edit | edit source]

The decision below is a machine translation of the original. Please refer to the French original for more details.

Commission Nationale de l'Informatique et des Libertés (National Commission for Information Technology and Civil Liberties)
Decision n°MED-2019-025 of November 5, 2019
Decision n° MED 2019-025 of November 5, 2019 giving formal notice to the company BOUTIQUE.AERO
Status: EFFECTIVE

The President of the National Commission for Information Technology and Liberties,

Having regard to Council of Europe Convention No. 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data ;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of personal data and on the free movement of such data ;

Having regard to the Criminal Code ;

Having regard to the amended law n° 78-17 of 6 January 1978 relating to data processing, files and liberties, in particular articles 20 and following;

Having regard to decree n° 2019-536 of 29 May 2019 taken for the application of the law
No. 78-17 of 6 January 1978 as amended relating to information technology, files and freedoms;

Having regard to deliberation n° 2013-175 of 4 July 2013 adopting the internal regulations of the National Commission for Data Processing and Liberties;

Considering Decision n° 2019-015C of 20 December 2018 of the President of the National Commission for Data Processing and Liberties to instruct the Secretary General to carry out or have carried out a verification mission at the company BOUTIQUE.AERO ;

Considering the audit report n° 2019-015/1 of March 20, 2019;

Considering the other documents of the file ;

The company BOUTIQUE.AERO (hereafter the company), located at 6 allée Henry Potez in Blagnac (31700), is a simplified joint-stock company with a single shareholder specialized in the activity sector of wholesale trade of aeronautical supplies and equipment. It has 7 employees and a turnover of €1,751,700.00 in 2017.

On 29 October 2018, the regional directorate of companies, competition, consumption, labour and employment in Occitania (DIRECCTE) reported to the National Commission for Information Technology and Civil Liberties (hereinafter CNIL or the Commission) the presence, in the store of the company BOUTIQUE.AERO, a video surveillance system, some cameras of which continuously film the workstations of employees.

Pursuant to Decision no. 2019-015C of December 20, 2018 of the President of the French National Commission for Information Technology and Civil Liberties, a delegation from the CNIL carried out an on-site inspection at the Company on March 20, 2019. The purpose of the mission was to verify the compliance of all personal data processing operations carried out by the Company with the amended Act of 6 January 1978 on Data Processing, Data Files and Individual Liberties (hereinafter the "Data Protection Act" or the "amended Act"), Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter the "Regulation"), Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 and the provisions of Articles L. 251-1 et seq. of the French Internal Security Code.

During this check, the delegation was informed that the company BOUTIQUE.AERO has, since 2010, been implementing a video surveillance system comprising fourteen cameras in its shop selling aeronautical products.

The delegation noted that :

    three cameras (X1, E1, R3) were deactivated on the day of the inspection;
    eight cameras (B2, B3, B4, B6, B7, B5, R2, R1) were filming the sales area open to the public;
    two cameras (B1 and E1) continuously filmed a work station corresponding to the cash desk of the store and a location for preparing orders, which was not open to the public;
    one camera (C1) filmed an area not open to the public corresponding to a corridor serving several employee offices.

The company informed the delegation that it had applied for prefectoral authorization to install the device on 10 February 2019.

It specified that the purpose of the processing is to prevent damage to employees and property and to locate employees.

She also informed the delegation that no register of processing was kept.

The delegation noted that the images from the video-surveillance cameras were accessible in real time from a connection to the management software accessible internally and also externally from the URL [...]. The persons authorised to access the images are the manager of the company and all employees. Access can be made from each computer station in the store using passwords pre-recorded from a generic account and an individual account. It can also be accessed from a connection from an external computer station using its identifiers.

The video images from the cameras can be accessed by the company's employees through the connection to the management software, including from outside the company's internal computer network.

The delegation found that the access to the abovementioned software is carried out using an http protocol.

The company also informed the delegation that the service provider in charge of IT maintenance is aware of the connection identifiers for this software and can access the images remotely.

In addition, the company informed the delegation that information relating to the presence of a video protection device is provided to employees by means of an entry in their employment contract.

Failure to collect adequate, relevant and limited data

Article 5(1)(c) of the Regulation provides that personal data must be adequate, relevant and limited to what is necessary for the purposes for which they are processed (data minimization).

On the one hand, the company informed the delegation that it was implementing the video-surveillance system, in particular for the purposes of locating employees.

Indeed, the manager of the company told the delegation that he wanted to be able to locate employees when he was not on site. He specified that he could consult the images remotely from his home. The delegation noted that it was possible to connect to the company's management software from outside the internal network in order to consult the video surveillance images.

In particular, the delegation noted that the camera called Entrepôt Stock (E1) allows the viewing of a working place not open to the public for order picking.

This video-surveillance system means that the employee occupying the post concerned is under permanent surveillance.

While the use of the video device to prevent damage to property and people may be considered legitimate, this is not the case for the location of employees by the manager for surveillance purposes. The Commission consistently considers that employees have a right to privacy in the workplace. Placing employees under permanent surveillance for tracking purposes is an invasion of their privacy. Thus the continuous filming of an employee's workstation is disproportionate, unless there are special circumstances relating, for example, to the nature of the task to be performed. This is the case when an employee handles objects of high value or when the controller is able to justify theft or damage committed in these areas.

In the present case, the controller does not mention any specific circumstances such as theft, damage or assault that would justify keeping employees under constant surveillance for location purposes. Such a measure constitutes an interference in the private life of employees at their place of work and infringes their individual freedom.

Moreover, article L. 1121-1 of the Labour Code provides in this regard that no one may place restrictions on the rights of individuals and individual and collective freedoms that are not justified by the nature of the task to be performed or proportionate to the aim sought.

These facts constitute a breach of the obligations under article 5 (1) (c) of the Regulation.

Failure to inform individuals of the following

Article 13 of the Regulation requires the controller to provide, at the time of collection of the data, information relating to his or her identity and contact details, those of the Data Protection Officer, the purposes of the processing operation and its legal basis, the recipients of the personal data, where applicable transfers of personal data, the period for which personal data are kept, the rights of individuals and the right to complain to a supervisory authority.

The delegation noted that no specific information is given to employees concerning the implementation of the video system which leads to the collection and processing of their personal data.

Indeed, the information given to them in their employment contract relates only to the presence of the video protection device for the purposes of protection against theft. In particular, the employee's employment contract, which is filmed continuously in an area not open to the public, contains the following statement: Mr. X acknowledges having been informed that the company's establishments and premises are under video protection and that it is the duty of everyone to use this device to combat theft and report any abnormal facts.

The employment contract or any document annexed thereto does not contain all the information required by Article 13 of the Regulation.

This constitutes a failure to comply with the obligations under Article 13 of the Regulation.

Failure to comply with the obligation to ensure the security of personal data processed by a processor

Article 28 of the Regulation provides that processing carried out by a processor for a controller shall be governed by a contract stipulating, inter alia, that the processor shall process personal data only on the basis of documented instructions from the controller and shall ensure that the persons authorised to process personal data undertake to keep them confidential or are subject to an appropriate legal obligation of confidentiality .

The company informed the delegation that the IT service provider is aware, for the purposes of its missions, of the identifiers for connection to the company's management software and can access video images remotely.

The delegation noted that the company has not entered into a contract with the service provider in charge of computer maintenance that includes the obligations contained in Article 28 of the Regulation.

The relationship between the company and the IT service provider is therefore not governed by any contractual clause guaranteeing the security and confidentiality of data by the service provider, nor by a clause relating to the obligation for the service provider to act only on the company's instructions.

These facts constitute a breach of the obligations under Article 28 of the Regulation.

Failure to establish a register of processing activities

Article 30(1) of the Regulation stipulates that the controller must keep a register of the processing activities carried out under its responsibility which must include information on the :

    the name and contact details of the controller,
    to the purposes of the treatment,
    a description of the categories of data subjects and categories of personal data,
    the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations,
    the time limits for the deletion of categories of data,
    a general description of the technical and organisational security measures referred to in Article 32 (1).

Article 30 specifies that these obligations do not apply to an undertaking with fewer than 250 employees, unless the processing is not occasional.

The company informed the delegation that it does not keep records of the processing activities carried out under its responsibility.

However, the delegation noted that on the day of the audit the company has been using a video device in its shop since 2010 to locate employees and prevent damage to employees and property. In this respect, it processes personal data that is not occasional.

These facts therefore constitute a breach of the obligations under Article 30 of the Regulations.

Failure to ensure the security and confidentiality of data

Article 32 of the Regulation provides in particular that the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

Firstly, the delegation noted that all employees can access the live camera footage from the connection to the company's management software.

All employees can thus access the video images even though access to this data is not strictly necessary for the performance of their duties.

However, the company needs to define authorization profiles to limit user access to only the data they need, since all employees do not have to access the video images in real time.

Secondly, the delegation also noted that the connection to the management software can be made from each computer workstation in the store, after logging on to a generic account and then an individual account.

However, the passwords and identifiers of the generic and individual accounts are pre-registered and automatically completed.

Any user can therefore access the computer stations and the connection to the company's management software without prior authentication, as the pre-registration of passwords and identifiers is equivalent to a lack of passwords and identifiers.

As a result, user authentication is not assured, which can lead to unauthorized third parties gaining access to personal data, such as video images.

Thirdly, the delegation noted that the connection to the company's management software is made without encryption via the http protocol.

Access to the video images of the cameras through the connection to the company's management software is based on an unencrypted connection, which allows the unencrypted reading of the streams containing personal data transmitted between the user and the server hosting the site. The implementation of an encryption protocol is therefore intended to ensure the security of personal data during flows transmitted between the user and the server hosting the site.

All of these facts constitute a breach of the obligations of Article 32 of the Regulation.

    Within ten (10) days from the notification of this decision, and subject to any measures it may have already adopted, :

    cease processing images from the video device for the purpose of locating employees and process only relevant, adequate and limited data as necessary for the purposes of protecting property and persons under the conditions provided for in Article 5-1 of Regulation (EU) 2016/679 ; in particular, adapt the deployed video device so as not to continuously film employees at their workstations, for example by removing or reorienting the cameras ;

    take all security measures for all processing of personal data carried out under the conditions provided for in Article 32 of Regulation (EU) 2016/679 , in particular for access to the video streams of the cameras, so as to safeguard the security of those data and prevent unauthorised third parties from gaining access to them, in particular :
        as regards internal access via the company's management software, by restricting the connection to the company's management software to individual accounts by means of a login and password that are not pre-registered;
        by defining authorizations to access video streams only for those persons for whom this is strictly necessary for the accomplishment of their missions;
        by securing the connection to the company's management software via the use of an encryption protocol (e.g. HTTPS).

    Within two (2) months of notification of this Decision, and subject to any measures it may have already adopted, :

    establish a register of processing activities including all the information provided for in Article 30 of Regulation (EU) 2016/679 ;

    inform data subjects in accordance with the provisions of Articles 12 and 13 of Regulation (EU) No 2016/679, in particular by informing employees of the information relating to the video device, for example in a document annexed to the employment contract or by means of a memorandum which will be given to them against payment or in the updated rules of procedure;

    draw up a contract or other legal act under Union law or the Civil Code with the IT service provider, which governs the processing of personal data by the latter and includes all the information referred to in Article 28(3) of Regulation (EU) 2016/679 ;

    justify to the CNIL that all of the above-mentioned requests have been complied with within the time limits set.

At the end of these deadlines, if the company BOUTIQUE.AERO has complied with this formal notice, it will be considered that this procedure is closed and a letter will be sent to it to this effect.

Conversely, if BOUTIQUE.AERO has not complied with the present formal notice at the end of the respective deadlines, a rapporteur will be appointed who may ask the restricted formation to take one of the corrective measures provided for in Article 20 of the Law of 6 January 1978 as amended.

The President

Marie-Laure DENIS
Date of publication on legifrance: 10 December 2019

English Machine Translation of the termination decision[edit | edit source]

The decision below is a machine translation of the original. Please refer to the French original for more details.

Commission Nationale de l'Informatique et des Libertés (National Commission for Information Technology and Civil Liberties)
Decision n°MED-2019-025 of 6 April 2020
Closure of the decision n° MED-2019-025 taken on November 5, 2019 giving formal notice to the company BOUTIQUE.AERO
Status: EFFECTIVE

The President

COMPANY SHOP AERO

MR. PRESIDENT

6 ALLEE HENRY POTEZ

31700 BLAGNAC

Paris, April 6, 2020

By mail: […]

References to be remembered in all correspondence :

N/Ref: XX

Mr. Speaker,

I am following up on decision no. 2019-025 taken on November 5, 2019 giving formal notice to the company BOUTIQUE.AERO, as well as on the exchanges that followed.

With regard to the responses provided to satisfy the second stage of the formal notice and the measures taken with regard to keeping a register of processing activities, informing employees about the video surveillance system and concluding a contract with your subcontractors, I would like to inform you that I have decided to close your file.

As announced in the letter notifying you of the formal notice, this closure will be the subject of the same publicity measure as the formal notice. This letter will therefore be published on the www.legifrance.fr website and on the CNIL website.

Furthermore, I inform you that if the persistence or repetition of the breaches referred to in the formal notice is observed during subsequent verifications, I may refer the matter to the restricted formation of the CNIL, without a new formal notice being sent to you beforehand, so that one or more of the sanctions provided for in Articles 20 and following of the Law of 6 January 1978 may be pronounced, as the case may be.

The services of the Commission (Mrs. X) are at your disposal for any further information.

Yours sincerely

Marie-Laure DENIS

Date of publication on legifrance: 9 April 2020