CNPD (Luxembourg) - Délibération n°16FR/2021: Difference between revisions

From GDPRhub

Revision as of 14:18, 10 June 2021

CNPD (Luxembourg) - Délibération n°16FR/2021
Authority: CNPD (Luxembourg)
Jurisdiction: Luxembourg
Relevant Law: Article 5(1)(c) GDPR
Article 13 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 12.05.2021
Published: 07.06.2021
Fine: 1000 EUR
Parties: n/a
National Case Number/Name: Délibération n°16FR/2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: CNPD (in FR)
Initial Contributor: n/a

in progress

English Summary

Facts

in progress

Holding

in progress


English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Decision of the National Commission sitting in restricted formation on the outcome of investigation No. […] conducted with "Company A".

Deliberation No. 16FR/2021 of May 12, 2021


The National Commission for Data Protection, sitting in restricted formation and composed of Ms Tine A. Larsen, president, and Messrs Thierry Lallemang and Marc Lemmer, commissioners;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;

Having regard to the law of 1 August 2018 on the organization of the National Commission for Data Protection and the general data protection regime, in particular its article 41;

Having regard to the internal regulations of the National Commission for Data Protection adopted by decision No. 3AD/2020 dated 22 January 2020, in particular its article 10 point 2;

Having regard to the regulation of the National Commission for Data Protection relating to the investigation procedure adopted by decision No. 4AD/2020 dated 22 January 2020, in particular its article 9;



Considering the following:




I. Facts and procedure


1. During its deliberation session of February 14, 2019, the National Commission for Data Protection sitting in plenary session (hereinafter: "Plenary Formation") decided to open an investigation with the company "Company A" on the basis of article 37 of the law of 1 August 2018 on the organization of the National Commission for Data Protection and the general data protection regime (hereinafter "law of August 1, 2018") and to designate Mr. Christophe Buschmann as head of investigation.

2. According to the decision of the Plenary Formation, the investigation carried out by the National Commission for Data Protection (hereafter: "CNPD") had the purpose of verifying compliance with the provisions of the regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter "GDPR") and of the law of August 1, 2018, in particular as regards the video surveillance and, where applicable, geolocation systems installed by "Company A".

3. On March 22, 2019, CNPD agents visited the premises of the company "Company A". The decision of the National Commission for Data Protection sitting in restricted formation on the outcome of the investigation (hereafter: "Restricted Formation") will be limited to the processing operations checked by the CNPD agents and carried out by "Company A".

4. "Company A" is a […] registered in the Trade and Companies Register of Luxembourg under number […] and having its registered office at […] (hereinafter "the controlled party"). The controlled party develops and produces […]. 1

5. During the aforementioned visit of March 22, 2019 by CNPD agents to the premises of the controlled party, it was confirmed to the CNPD agents that the controlled party uses a video surveillance system composed of fourteen cameras, twelve of which were in working order, but that it has not installed a geolocation device in its vehicles. 2

1 According to the information provided on its own website: […].
2 See report no. […] relating to the on-site fact-finding mission carried out on March 22, 2019 at Company A.

6. By letter of April 25, 2019, the controlled party replied to the report drawn up by the CNPD agents. As it was not possible for the CNPD agents to carry out an on-site verification of the oldest recordings due to a problem on the server, the controlled party appended to said letter, among other things, a screenshot of the video surveillance recording configurator confirming the retention of images for a maximum of 7 days. 4


7. At the end of his investigation, the head of investigation notified the controlled party on August 28, 2019 of a statement of objections detailing the shortcomings he considered established in this case, and more specifically a non-compliance with the requirements prescribed by Article 13 of the GDPR with regard to employees and to customers, suppliers, service providers and visitors (hereinafter: "third parties"), as well as a non-compliance with the requirements of article 5.1.c) of the GDPR.

8. On September 11, 2019, the controlled party filed written observations on the statement of objections.

9. A letter supplementing the statement of objections was sent to the controlled party on August 3, 2020. In this letter, the head of investigation proposed that the Restricted Formation adopt four different corrective measures, as well as impose on the controlled party an administrative fine in the amount of EUR 1,000.

10. By letter of September 7, 2020, the controlled party produced written observations on the supplementary letter to the statement of objections.

11. The president of the Restricted Formation informed the controlled party by letter of October 16, 2020 that its case would be registered for the Restricted Formation session of December 4, 2020. The controlled party confirmed its presence at the said session on October 19, 2020.








3 See finding 8 of report no. […] relating to the on-site fact-finding mission carried out on March 22, 2019 at Company A.
4 See appendix 4 of the letter of April 25, 2019.

12. During the Restricted Formation session of December 4, 2020, the head of investigation and the controlled party presented their oral observations in support of their written observations and answered the questions posed by the Restricted Formation. The controlled party spoke last.



II. In law


II. 1. As to the grounds for the decision


A. On the breach linked to the principle of data minimization



    1. On the principles


13. In accordance with Article 5.1.c) of the GDPR, personal data must be "adequate, relevant and limited to what is necessary with regard to the purposes for which they are processed (data minimization)".

14. The principle of data minimization in video surveillance implies that only what appears strictly necessary to achieve the purpose(s) pursued should be filmed and that the processing operations must not be disproportionate. 5

15. Article 5.1.b) of the GDPR provides that personal data must be "collected for specific, explicit and legitimate purposes, and not be further processed in a manner incompatible with these purposes; […] (purpose limitation)".

16. Before installing a video surveillance system, the controller must define, precisely, the purpose(s) it wishes to achieve by using such a system, and cannot then use the personal data collected for other purposes. 6




5 See CNPD Guidelines (Point 4.), available at: https://cnpd.public.lu/fr/dossiers-thematiques/videosurveillance/necessite-proportionnalite.html.
6 See CNPD Guidelines, available at: https://cnpd.public.lu/fr/dossiers-thematiques/videosurveillance/necessite-proportionnalite.html.

17. The necessity and proportionality of video surveillance is analyzed on a case-by-case basis and, in particular, with regard to criteria such as the nature of the place to be placed under video surveillance, its location, configuration or attendance. 7


    2. In this case


18. During the on-site visit, it was explained to the CNPD agents that the purposes of setting up the video surveillance system are the protection of property, securing access to private and at-risk places, as well as user safety and accident prevention. 8

19. During the said visit, the CNPD agents noted that the field of view of a camera "allows the surveillance of an access road to buildings belonging to the public domain". 9

20. The head of investigation was of the opinion that the aforementioned purposes "may find one or several bases of lawfulness under article 6, the surveillance of the public highway and neighboring land is, however, to be considered disproportionate. Indeed, in view of the aforementioned purposes for which the video surveillance is operated, it is not necessary to include parts of the public road or neighboring land in the fields of view of the cameras listed under point l hereof." (statement of objections, Ad. A.3.).

21. The controlled party for its part explained in its reply letter to the statement of objections of September 10, 2019 that the field of view of the disputed camera had been reoriented to exclude the public highway in the background, and it annexed a photo of the changed field of view. 10 However, as the controlled party did not present mitigating elements on this subject in its response of April 25, 2019 to the report drawn up by CNPD agents, such as a reorientation of the field of view of the disputed camera or blurring of the public road and neighboring land, the head of investigation concluded that the non-compliance with Article 5.1.c) of the GDPR was established on the day of the on-site visit.

7 See CNPD Guidelines (Point 4.), available at: https://cnpd.public.lu/fr/dossiers-thematiques/videosurveillance/necessite-proportionnalite.html.
8 See finding 6 of report no. […] relating to the on-site fact-finding mission carried out on March 22, 2019 at Company A.
9 See finding 7 of report no. […] relating to the on-site fact-finding mission carried out on March 22, 2019 at Company A.
10 See appendix 3 of the response letter to the statement of objections of September 10, 2019.


22. The Restricted Formation would like to recall that cameras intended to monitor an access point (entrance and exit, threshold, porch, door, awning, hall, etc.) must have a field of view limited to the area strictly necessary to visualize people preparing to access it. Those that film exterior accesses must not cover the entire width of a sidewalk running alongside, where applicable, the building or the adjacent public roads. Likewise, outdoor cameras installed near or around a building must be configured so as not to capture the public thoroughfare, nor the surroundings, entrances, accesses and interiors of other neighboring buildings possibly falling within their field of view. 11

23. The Restricted Formation nevertheless admits that, depending on the configuration of the premises, it is sometimes impossible to install a camera that does not include in its field of view part of the public thoroughfare, surroundings, entrances, accesses and interiors of other buildings. In such a case, it considers that the controller should implement masking or blurring techniques in order to limit the field of view to its property. 12

24. The Restricted Formation notes that the controlled party had a prior authorization n° […] from the CNPD for video surveillance. One of the conditions for the grant of said authorization was already that "the outdoor cameras must be configured so as not to capture the public thoroughfare, nor the surroundings, entrances, accesses and interiors of other buildings, where applicable, within their field of view."

25. The Restricted Formation also notes that Annex 3 of the controlled party's letter of September 10, 2019 contains a photo showing that the field of view of the disputed camera has been reoriented to exclude the public highway in the background. During the hearing of December 4, 2020, the controlled party specified that the said camera was filming a road belonging to the controlled party, but that a small part of the public road was indeed in its field of view. It explained that the disputed camera has since been replaced and the disputed field masked.

11 See CNPD Guidelines (Point 4.1.), available at: https://cnpd.public.lu/fr/dossiers-thematiques/videosurveillance/necessite-proportionnalite.html.
12 See CNPD Guidelines (Point 4.1.), available at: https://cnpd.public.lu/fr/dossiers-thematiques/videosurveillance/necessite-proportionnalite.html.

26. In view of the foregoing, the Restricted Formation agrees with the findings of the head of investigation 13 according to which the non-compliance with Article 5.1.c) of the GDPR was established on the day of the site visit by CNPD agents.


B. On the breach related to the obligation to inform the persons concerned



1. On the principles


27. Pursuant to paragraph 1 of Article 12 of the GDPR, the "controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 as well as to make any communication under Articles 15 to 22 and Article 34 with regard to the processing to the data subject in a concise, transparent, understandable and easily accessible manner, in clear and simple terms […]."


28. Article 13 of the GDPR provides the following:

"1. When personal data relating to a data subject are collected from this person, the controller provides them, at the time when the data in question are obtained, with all of the following information:

a) the identity and contact details of the controller and, where applicable, of the representative of the controller;

b) where applicable, the contact details of the data protection officer;

c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;

d) where the processing is based on Article 6 (1) (f), the legitimate interests pursued by the controller or by a third party;

e) the recipients or the categories of recipients of the personal data, if they exist; and

f) where applicable, the fact that the controller intends to carry out a transfer of personal data to a third country or to an international organization, and the existence or absence of an adequacy decision issued by the Commission or, in the case of transfers referred to in Article 46 or 47, or in Article 49, paragraph 1, second subparagraph, the reference to the appropriate or suitable safeguards and the means of obtaining a copy of them or where they have been made available;

2. In addition to the information referred to in paragraph 1, the controller shall provide to the data subject, at the time when the personal data are obtained, the following additional information which is necessary to guarantee fair and transparent processing:

a) the retention period of the personal data or, when this is not possible, the criteria used to determine this duration;

b) the existence of the right to request from the controller access to personal data, rectification or erasure thereof, or a restriction of the processing relating to the data subject, or the right to object to the processing and the right to data portability;

c) where the processing is based on Article 6 (1) (a) or on Article 9, paragraph 2 (a), the existence of the right to withdraw consent at any time, without affecting the lawfulness of the processing based on consent carried out before its withdrawal;

d) the right to lodge a complaint with a supervisory authority;

e) information on whether the requirement to provide personal data has a regulatory or contractual character or whether it conditions the conclusion of a contract, and whether the data subject is obliged to provide the personal data, as well as the possible consequences of the non-provision of those data;

f) the existence of automated decision-making, including profiling, referred to in Article 22, paragraphs 1 and 4, and, at least in such cases, useful information concerning the underlying logic, as well as the significance and expected consequences of this processing for the data subject.

3. When the controller intends to carry out further processing of personal data for a purpose other than that for which the personal data have been collected, the controller provides the data subject beforehand with information about this other purpose and any other relevant information referred to in paragraph 2.

4. Paragraphs 1, 2 and 3 do not apply when and to the extent that the data subject already has this information."

13 Statement of objections, Ad. A.3.



29. Communication to data subjects of information relating to the processing of their data is an essential element in the context of compliance with the general transparency obligations within the meaning of the GDPR. 14 The said obligations were clarified by the Article 29 Working Party in its guidelines on transparency within the meaning of Regulation (EU) 2016/679, the revised version of which was adopted on April 11, 2018 (hereafter: "WP 260 rev.01").

30. Note that the European Data Protection Board (hereafter: "EDPB"), which replaced the Article 29 Working Party on 25 May 2018, took over and re-approved the documents adopted by the said Group between May 25, 2016 and May 25, 2018, including precisely the aforementioned guidelines on transparency. 15

14 See in particular Articles 5.1.a) and 12 of the GDPR, see also recital (39) of the GDPR.



2. In this case


31. With regard to informing third parties about the video surveillance system, the CNPD agents noted during their on-site visit that they are informed only by a sign "Surveillance by cameras", as well as by a pictogram representing a video camera and an old CNPD sticker posted at the main entrance of the company. In addition, the head of investigation considered that even if the controlled party annexed a new information poster to its letter of April 25, 2019, the latter was not such as to fulfill the conditions of Article 13 of the GDPR and that therefore the non-compliance with Article 13 of the GDPR was established on the day of the on-site visit with regard to third parties (statement of objections, Ad.A.1).

32. As regards informing employees about the video surveillance system, the head of investigation found that they were informed, to some extent, by a sign "Surveillance by cameras", as well as by a pictogram showing a video camera and an old CNPD sticker located at the main entrance of the company, as well as by an information notice sent by email and/or mail to all employees. However, he considers that this information was not complete and that therefore the non-compliance with Article 13 of the GDPR was established on the day of the on-site visit with regard to employees (statement of objections, Ad.A.2).

33. By letter of April 25, 2019, the controlled party specified that the installation of the surveillance cameras dates back more than 15 years and that the staff delegation had been informed at the time, but that it had not kept the meeting reports due to the 10-year "legal" archiving period. In addition, it specified that an information notice was sent by email to administrative and technical staff and by postal mail to the operating staff dated [...] 2018 and that an acknowledgment of receipt had been requested from each staff member. 16 Concerning third parties, the controlled party specified that, after the on-site visit of the CNPD agents, it had modified the display located next to the surveillance cameras. 17

34. By letter of September 10, 2019, the controlled party responded to the statement of objections of the head of investigation, stating that the old CNPD stickers were withdrawn and that a new bilingual poster has been affixed to each video surveillance camera and at every possible entrance to the site. It further explained in said letter that the information notice sent to employees had been completed and that it would be redistributed to all staff with a request for an acknowledgment of receipt and reading. 19

15 See EDPB Endorsement 1/2018 decision of 25 May 2018, available at: https://edpb.europa.eu/sites/edpb/files/files/news/endorsement_of_wp29_documents_en_0.pdf.


35. The Restricted Formation would first like to point out that Article 13 of the GDPR refers to the obligation imposed on the controller to "provide" all the information mentioned therein. The word "provide" is crucial here and it "means that the controller must take concrete measures to provide the information in question to the data subject or to actively direct the data subject to the location of said information (for example by means of a direct link, a QR code, etc.)." (WP260 rev. 01, paragraph 33).

36. The Restricted Formation notes that during the on-site visit by the CNPD agents, third parties were informed of the presence of the video surveillance by a sign "Surveillance by cameras", as well as by a pictogram representing a video camera and an old CNPD sticker located at the main entrance of the company.

37. The Restricted Formation notes, however, that the sign, the pictogram and the old CNPD sticker did not contain the required information within the meaning of Article 13 of the GDPR and that no other information notice was available (for example on the website), during the on-site visit, to third parties.

16 See appendix 1 of the controlled party's letter of April 25, 2019.
17 See appendix 2 of the controlled party's letter of April 25, 2019.
18 See appendix 1 of the controlled party's letter of September 10, 2019.
19 See appendix 2 of the controlled party's letter of September 10, 2019.


38. With regard to the employees, the Restricted Formation notes that during the on-site visit by CNPD agents, they were informed of the presence of the video surveillance by the sign, the pictogram and the old CNPD sticker mentioned above, as well as by an information notice sent by email or post dated […] 2018.

39. The Restricted Formation believes that a multi-level approach to communicating transparency information to data subjects can be used in an offline or non-digital context, that is to say in a real environment, such as personal data collected by means of a video surveillance system. The first level of information should in general include the most essential information, i.e. details of the purpose of the processing, the identity of the controller and the existence of the rights of data subjects, as well as the information having the greatest impact on the processing or any processing likely to surprise the data subjects. 20 The second level of information, i.e. all the information required under Article 13 of the GDPR, could be provided or made available by other means, such as for example a copy of the privacy policy sent by e-mail to employees or a link on the website to an information notice with regard to non-salaried third parties. 21

The Restricted Formation, however, notes that the sign, the pictogram and the old CNPD sticker in place during the on-site visit did not contain the required elements of the first level of information, whether for employees or non-salaried third parties, and that the information notice sent to employees 22 did not contain all of the elements required by Articles 13.1 and 2 of the GDPR.

20 See WP 260 rev.01 and EDPB Guidelines 3/2019 on the processing of personal data through video devices, Version 2.0, adopted January 29, 2020.
21 See WP260 rev. 01 (point 38).
22 See appendix 2 of the controlled party's letter of April 25, 2019.

40. In view of the above, the Restricted Formation concludes that at the time of the on-site visit by CNPD agents, Article 13 of the GDPR was not respected by the controlled party.


II. 2. On corrective measures and fines



1. The principles


41. In accordance with article 12 of the law of August 1, 2018, the CNPD has the power to adopt all the corrective measures provided for in Article 58.2 of the GDPR:

"a) notify a controller or processor that envisaged processing operations are likely to violate the provisions of this Regulation;

b) call to order a controller or a processor when the processing operations have resulted in a violation of the provisions of this Regulation;

c) order the controller or processor to comply with the requests presented by the data subject in order to exercise their rights under this Regulation;

d) order the controller or processor to bring the processing operations into compliance with the provisions of this Regulation, where applicable, in a specific manner and within a specific timeframe;

e) order the controller to communicate a personal data breach to the data subject;

f) impose a temporary or permanent restriction, including a ban, of processing;

g) order the rectification or erasure of personal data or the restriction of processing in application of Articles 16, 17 and 18 and the notification of these measures to the recipients to whom the personal data have been disclosed in accordance with Article 17, paragraph 2, and Article 19;

h) withdraw a certification or order the certification body to withdraw a certification issued in application of Articles 42 and 43, or order the certification body not to issue certification if the requirements for certification are not or no longer satisfied;

i) impose an administrative fine in application of Article 83, in addition to or in place of the measures referred to in this paragraph, depending on the characteristics specific to each case;

j) order the suspension of data flows addressed to a recipient located in a third country or to an international organization."



      42. In accordance with article 48 of the law of August 1, 2018, the CNPD may impose

administrative fines as provided for in Article 83 of the GDPR, except against

state or municipalities.


      43. Article 83 of the GDPR provides that each supervisory authority ensures that

administrative fines imposed are, in each case, effective, proportionate and

dissuasive, before specifying the elements that must be taken into account in deciding
whether to impose an administrative fine and to decide on the amount of this

fine:



"(A) the nature, gravity and duration of the breach, taking into account the nature, extent

or the purpose of the processing concerned, as well as the number of data subjects
affected and the level of damage they suffered;



b) whether the violation was committed willfully or negligently;



c) any measures taken by the controller or processor to mitigate the
damage suffered by the persons concerned;






d) the degree of responsibility of the controller or processor, taking into account the technical and organizational measures they have implemented in accordance with Articles 25 and 32;



e) any relevant breach previously committed by the controller or the processor;



f) the degree of cooperation established with the supervisory authority in order to remedy the violation

and mitigate any negative effects;


g) the categories of personal data affected by the breach;



h) the manner in which the supervisory authority became aware of the breach, in particular whether,
and to what extent the controller or processor has notified the breach;



i) where measures referred to in Article 58 (2) have previously been ordered against the controller or the processor concerned for the same subject matter, compliance with these measures;



j) the application of codes of conduct approved in accordance with Article 40 or
certification mechanisms approved under Article 42; and



k) any other aggravating or mitigating circumstance applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, as a result of the violation".



      44. The Restricted Panel would like to point out that the facts taken into account in the framework of this decision are those noted at the start of the investigation. Any subsequent changes relating to the data processing under investigation, even if they make it possible to establish compliance in whole or in part, do not retroactively cancel a breach found.


      45. Nevertheless, the steps taken by the controlled party to comply with the GDPR during the investigation process, or to remedy the breaches noted by the head of investigation in the statement of objections, are taken into account by the Restricted Panel in the context of any corrective measures to be pronounced.



2. In this case


2.1. As for the imposition of an administrative fine



      46. In his additional letter to the statement of objections of 3 August 2020, the head of investigation proposed to the Restricted Panel to impose on the controlled party an administrative fine in the amount of 1,000 euros.



      47. In its response to that additional letter of September 7, 2020, the controlled party argued in particular that it believed it had fulfilled all the conditions to avoid a fine and that it had done everything to ensure that the GDPR violation ceased as quickly as possible. The controlled party thus asked in the said letter whether the proposal of the head of investigation regarding the imposition of a fine could be reconsidered.



      48. In order to decide whether to impose an administrative fine and to decide, if applicable, the amount of this fine, the Restricted Panel takes into account the elements provided for in Article 83.2 of the GDPR:



     As to the nature and seriousness of the violation (article 83.2.a) of the GDPR), the Restricted Panel notes that, with regard to the breach of Article 5.1.c) of the GDPR, it constitutes a breach of the fundamental principles of the GDPR (and of data protection law in general), namely the principle of data minimization enshrined in Chapter II “Principles” of the GDPR.


       As for the breach of the obligation to inform the persons concerned in accordance with Article 13 of the GDPR, the Restricted Panel recalls that information and transparency relating to the processing of personal data are essential obligations incumbent on controllers so that people are fully aware of the use that will be made of their personal data, once it has been collected. A breach of Article 13 of the GDPR thus constitutes an infringement of the rights of the persons concerned. This right to information has moreover been strengthened under the GDPR, which testifies to its particular importance.



  As for the duration criterion (article 83.2.a) of the GDPR), the Restricted Panel notes that these shortcomings have lasted over time, at least since May 25, 2018 and until the day of the on-site visit. The Restricted Panel recalls here that two years separated the entry into force of the GDPR from its entry into application, to allow data controllers to comply with the obligations incumbent on them, even if an obligation to respect the principle of data minimization, as well as a comparable information obligation, already existed under Articles 4.1. b), 10.2 and 26 of the repealed law of 2 August 2002 on the protection of individuals with regard to the processing of personal data.



  As for the number of data subjects (article 83.2.a) of the GDPR), the Restricted Panel notes that these are all employees working on the site of the controlled party, as well as all third parties, i.e. customers, suppliers, service providers and visitors to said site.



  As to the question of whether the breaches were committed deliberately or not (by negligence) (article 83.2.b) of the GDPR), the Restricted Panel recalls that "not willfully" means that there was no intention to commit the violation, although the controller or processor has not complied with its duty of care under the law.

     In this case, the Restricted Panel is of the opinion that the facts and the breaches observed do not reflect a deliberate intention to violate the GDPR on the part of the controlled party.



  As for the degree of cooperation established with the supervisory authority (Article 83.2.f) of the GDPR), the Restricted Panel takes into account the statement of the head of investigation that the cooperation of the controlled party throughout the investigation was good, as well as its desire to comply with the law as soon as possible.

      49. The Restricted Panel notes that the other criteria of Article 83.2 of the GDPR are neither relevant nor likely to influence its decision on the imposition of an administrative fine and its amount.


      50. The Restricted Panel also notes that although several measures have been put in place by the controlled party in order to remedy certain shortcomings in whole or in part, these were only adopted following the inspection by CNPD agents on 22 March 2019 (see also point 44 of this decision).


      51. Therefore, the Restricted Panel considers that the imposition of an administrative fine is justified with regard to the criteria set out in Article 83.2 of the GDPR for breach of Articles 5.1.c) and 13 of the GDPR.


      52. Regarding the amount of the administrative fine, the Restricted Panel recalls that paragraph 3 of Article 83 of the GDPR provides that in the event of multiple violations, as is the case here, the total amount of the fine may not exceed the amount set for the most serious violation. Insofar as the controlled party is accused of a breach of Articles 5 and 13 of the GDPR, the maximum amount of the fine that can be imposed amounts to 20 million euros or 4% of annual worldwide turnover, whichever is higher.


      53. In view of the relevant criteria of Article 83.2 of the GDPR mentioned above, the Restricted Panel considers that the pronouncement of a fine of 1,000 euros appears effective, proportionate and dissuasive, in accordance with the requirements of Article 83.1 of the GDPR.




2.2. Regarding the taking of corrective measures



      54. The adoption of the following corrective measures was proposed by the head of investigation to the Restricted Panel in his additional letter to the statement of objections:




      "a) Order the controller to complete the information measures intended for third parties concerned by video surveillance, in accordance with the provisions of Article 13, paragraphs (1) and (2) of the GDPR, by providing in particular the contact details of the controller, the recipients and the retention period of the video surveillance images;


      b) Order the controller to complete the information measures intended for employees concerned by video surveillance, in accordance with the provisions of Article 13, paragraphs (1) and (2) of the GDPR, by providing in particular the contact details of the controller, the recipients and the retention period of the video surveillance images;



      c) Order the controller to process only data that is relevant, adequate and limited to what is necessary with regard to the purposes of protecting property and securing access and, in particular, to adapt the video system so as not to film the public road, for example by removing or reorienting the camera called "[…]";



      d) Order the controller to remove, or have removed, the cameras that are inoperative."

      55. As to the corrective measures proposed by the head of investigation, and by reference to point 45 of this decision, the Restricted Panel takes into account the steps taken by the controlled party, following the visit of CNPD agents, in order to comply with the provisions of Articles 5.1.c) and 13 of the GDPR, as detailed in its letters of April 25, 2019, September 10, 2019 and September 7, 2020. More specifically, it takes note of the following facts:


     As for the implementation of information measures intended for persons concerned by video surveillance, in accordance with the provisions of article 13.1 and 2 of the GDPR, the controlled party submits in its response letter to the statement of objections of September 10, 2019 that it has prepared and posted at each CCTV camera and at each possible entrance to its site a new bilingual poster, which refers, for more information on the rights of the persons concerned, to the site […] under “[…]”. Moreover, it explained in said letter that the information notice has been completed and that it will be redistributed to all staff with a request to return an acknowledgment of receipt and reading.


     Regarding the information of third parties, the Restricted Panel considers that the aforementioned bilingual poster, combined with the section "[...]" on the site [...], does not contain all the information required by Article 13 of the GDPR. Thus, the contact details of the controller, which must be considered as first level information (see point 39 of this decision), are not shown on the poster. In addition, any recipients or categories of recipients of personal data collected through the video surveillance system must be mentioned. In consideration of the compliance measures taken by the controlled party in this case and point 45 of this decision, the Restricted Panel therefore considers that it is necessary to pronounce the corrective measure proposed by the head of investigation under a).


     With regard to employee information, the Restricted Panel considers that the aforementioned bilingual poster, combined with the information leaflet at Annex 2 to the controlled party's letter of September 10, 2019, contains all the information required in accordance with Article 13 of the GDPR. The controlled party had indicated in the said letter that this notice will be redistributed to the entire staff, with a request to return an acknowledgment of receipt and reading. In consideration of the compliance measures taken by the controlled party in this case and point 45 of this decision, the Restricted Panel therefore considers that there is no need to pronounce the corrective measure proposed by the head of investigation under b).

  As for the obligation to process only data that is relevant, adequate and limited to what is necessary with regard to the purposes of protecting property and securing access and, in particular, to adapt the video surveillance so as not to film the public highway, the controlled party annexed to its letter of September 10, 2019 a photo showing that the field of vision of the disputed camera has been reoriented to exclude the road in the background. During the hearing on December 4, 2020, the controlled party presented the same photo to the Restricted Panel, confirming that the disputed field of vision has been masked. In consideration of the compliance measures taken by the controlled party in this case and point 45 of this decision, the Restricted Panel therefore considers that there is no need to pronounce the corrective measure proposed by the head of investigation under c).


     As for the removal of cameras that are inoperative, the controlled party confirmed during the said hearing of December 4, 2020 that the two out-of-service cameras have been removed and replaced and are currently targeting only the interior perimeter of the plant. In consideration of the compliance measures taken by the controlled party in this case and point 45 of this decision, the Restricted Panel therefore considers that there is no need to pronounce the corrective measure proposed by the head of investigation under d).




In view of the foregoing developments, the National Commission sitting

in restricted formation and deliberating unanimously decides:


- to pronounce against Company A an administrative fine in the amount of

one thousand euros (1,000 euros), with regard to the violation of articles 5.1.c) and 13 of the GDPR;



- to issue an injunction against Company A to bring the processing into compliance with the provisions of Article 13 of the GDPR, within two months following notification of the decision of the Restricted Panel, the supporting documents for compliance to be sent to the Restricted Panel, at the latest, within this period, and in particular:

inform non-salaried third parties in a clear and complete manner, in accordance with

the provisions of Article 13 of the GDPR, in particular by providing third parties

information relating to the contact details of the controller and, where applicable,
to the recipients or categories of recipients of personal data.





So decided in Belvaux on May 12, 2021.


For the National Commission for Data Protection sitting in restricted formation






Tine A. Larsen, President
Thierry Lallemang, Commissioner
Marc Lemmer, Commissioner






                           Indication of remedies



This administrative decision may be the subject of an appeal for reformation within three months following its notification. This appeal is to be brought before the administrative court and must be lodged through a lawyer at the Court of one of the Bar Associations.





























