CNPD (Luxembourg) - Délibération n°24FR/2021

Authority: CNPD (Luxembourg)
Jurisdiction: Luxembourg
Relevant Law: Article 5(1)(c) GDPR
Article 13 GDPR
Type: Investigation
Outcome: Violation Found
Decided: 29.06.2021
Published: 13.07.2021
Fine: 12500 EUR
Parties: n/a
National Case Number/Name: Délibération n°24FR/2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: CNPD (in FR)
Initial Contributor: n/a

The Luxembourg DPA fined a controller €12,500 for violating the data minimisation principle by recording public areas and permanently monitoring employees with its video surveillance system, and for failing to provide the necessary information regarding the processing of data by the system.

English Summary

Facts

The Luxembourg DPA (CNPD) opened an investigation into a controller and carried out an on-premises investigation.

The DPA found that the controller was using a surveillance system around and within its buildings. During the on-site investigation, the DPA noted that the scope of vision of a camera allowed the surveillance of part of the public highway adjoining the building.

According to the controller, the purposes of setting up the video surveillance system were the protection of property, the securing of the access to private places, user safety and accident prevention.

Additionally, the DPA found that there were ten cameras inside the building whose scope of vision allowed for permanent monitoring of the workstations of employees working in the premises.

Regarding the information provided to third parties and employees, the DPA noted that there were posters showing a pictogram of a camera with the mention "for your safety this site is under surveillance" at the exits and entrances to the building.

Holding

With regard to the range of vision of the cameras, the DPA concluded that the principle of data minimization in video surveillance implies that only what is strictly necessary to achieve the purposes of the processing should be filmed and that the processing operations must not be disproportionate.

The CNPD noted that cameras intended to monitor an access point (entrances and exits, thresholds, porches, doors, halls, etc.) must have a field of vision limited to the area strictly necessary to visualize people preparing to access it. Cameras filming exterior accesses must not film the entire width of the sidewalk or the public roads adjacent to it. Additionally, outdoor cameras installed near or around the building must be configured so as not to capture the public thoroughfare, nor the surroundings, entrances, accesses and interiors of other neighbouring buildings.

The DPA considered that, in view of the purposes of the video surveillance system, it was not necessary to encompass parts of the public space or neighbouring grounds in the fields of view of the cameras, and that even if it had been impossible to install the camera without including part of the public space in its field of vision, the controller should have implemented masking or blurring techniques in order to limit the field of vision of the cameras to what is strictly necessary.

With respect to the cameras allowing for a permanent monitoring of the employees, the DPA stated that a permanent monitoring of employees on their workstations is to be considered as disproportionate.

The DPA remarked that such permanent monitoring can create significant psychological pressure for employees who feel and know that they are being observed, especially since the surveillance will last over time. The fact that the employees do not have a way of avoiding this surveillance from time to time is also an aggravating factor to this pressure. Permanent monitoring is considered as disproportionate to the purposes of the processing and constitutes an excessive interference with the private sphere of employees.

In this case, the rights and fundamental freedoms of employees must prevail over the interests pursued by the employer. Even if it may appear necessary for a controller to install a video surveillance system in the workplace, the controller must respect the principle of proportionality and must use the means of surveillance most protective of the employee's private sphere, for example by limiting the cameras' fields of vision to the area necessary to achieve the pursued purpose.

The CNPD therefore concluded that the controller had violated Article 5(1)(c), as it had not respected the minimization principle.

With regard to the obligation of information, the DPA found that the pictograms did not offer the necessary and basic information that shall be offered in the first level of information, such as details of the purpose of the processing, the identity of the controller and the existence of the rights of the data subjects, as well as the information with the greatest impact on the processing or any processing information likely to surprise the data subjects.

Additionally, regarding the second level of information the DPA stated that the controller must take concrete measures to provide the information to the data subject or to actively direct the persons concerned to the location of said information. For example, by means of a direct link, a QR code, etc., directing to the privacy policy of the company, or by sending an email to employees.

The controller had sent such an email to its employees during the course of the investigation but had not complied with the rest of the requirements.

Therefore, the CNPD concluded that the controller had violated Article 13.

For all this, the DPA fined the controller €12,500 and ordered it to put in place adequate measures to comply with the information obligation and to process only data that is relevant, adequate and limited to what is necessary for the purposes of the protection of their property, the securing of access to private places, the security of users and accident prevention and, in particular, to adapt the system so as not to film employees at their workstation, for example by removing or reorienting some of the cameras.

At the end of the proceeding, the controller confirmed that it had changed the setup of the cameras so that all cameras only target corridors, passages, freezers or raw material depots and that no employee is permanently in the field of vision.


English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Decision of the National Commission sitting in restricted formation

      on the outcome of survey no. [...] conducted with Company A



                       Deliberation n° 24FR/2021 of June 29, 2021


The National Commission for Data Protection sitting in a restricted body

composed of Ms Tine A. Larsen, president, and Messrs Thierry Lallemang and Marc

Lemmer, commissioners;


Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016
relating to the protection of individuals with regard to the processing of personal data
and on the free movement of such data, and repealing Directive
95/46/EC;



Having regard to the law of 1 August 2018 on the organization of the National Commission for

data protection and the general data protection regime, in particular
its article 41;



Having regard to the internal regulations of the National Commission for the Protection of

data adopted by decision n° 3AD/2020 dated 22 January 2020, in particular its
article 10 point 2;



Having regard to the regulation of the National Commission for Data Protection relating to

investigation procedure adopted by decision n° 4AD/2020 dated 22 January 2020,
in particular Article 9;



Considering the following:











I. Facts and procedure



      1. During its deliberation session of February 14, 2019, the National Commission
for data protection sitting in plenary session (hereinafter: "Training
Plenary") had decided to open an investigation with the ABC group on the basis of article
37 of the law of 1 August 2018 on the organization of the National Commission for
data protection and the general data protection regime (hereinafter: "law
of August 1, 2018") and to appoint Mr. Christophe Buschmann as head
of investigation.


      2. According to the decision of the Plenary Panel, the investigation carried out by the

National Commission for Data Protection (hereafter: "CNPD") had as

purpose of verifying compliance with the provisions of Regulation (EU) 2016/679 of the Parliament

European Union and of the Council of 27 April 2016 on the protection of natural persons

with regard to the processing of personal data and the free movement of such

data, and repealing Directive 95/46/EC (hereinafter: "GDPR") and the law of August 1,
2018, in particular by setting up video surveillance systems and

geolocation if necessary installed by the two companies of the ABC group.


      3. On March 18, 2019, CNPD agents visited the

ABC group premises. Given that the minutes relating to the said fact-finding mission

on the spot only mentions, among the two companies of the ABC group, as responsible

of the controlled processing of Company A, the decision of the National Commission for

data protection sitting in restricted formation on the outcome of the investigation (hereafter:

"Restricted training") will be limited to processing operations controlled by CNPD agents

and carried out by Company A.










1 And more specifically with the companies Company A, registered in the Trade and Companies Register
Luxembourg under number […], with registered office at L- […] and Company B, registered in the Trade Register and
Luxembourg Companies under number […], with registered office L- […].
2 See in particular the minutes […] relating to the on-site fact-finding mission carried out on March 18

2019 with the ABC group.

      4. Company A is a […] registered in the Trade and Companies Register of

Luxembourg under number […], with registered office at L- […] (hereinafter “the controlled”). The

controlled [is active in the field of bread and fresh pastry making]. 3


      5. During the aforementioned visit of March 18, 2019 by CNPD agents in the

premises of the inspected, it was confirmed to the CNPD agents that the inspected uses a

video surveillance system around its buildings and within its building,
but that it does not use any geolocation device. 4


      6. To his reply letter of April 18, 2019 to the minutes drawn up by the agents
of the CNPD, the inspected attached photos of information posters present at
each entry and exit, a copy of the register of processing activities and
letters from its suppliers […] and […].


      7. At the end of his investigation, the head of investigation notified the inspected on
28 August 2019 of a statement of objections detailing the shortcomings he considered
constituted in this case, and more specifically a non-compliance with the requirements prescribed
by Article 13 of the GDPR with regard to employees and customers, suppliers,
service providers and visitors (hereinafter: "third parties") and a non-compliance
with the requirements of Article 5.1.c) of the GDPR.


      8. On 21 November 2019, the inspected filed written observations on the

statement of objections.



      9. A letter supplementing the statement of objections was sent to the
inspected on August 3, 2020. In this letter, the head of the investigation proposed to the
Restricted Training to adopt two different corrective measures, as well as to impose
on the inspected an administrative fine in the amount of 17,000 euros.


      10. By letter of August 12, 2020, the inspected produced written observations on

the additional letter to the statement of objections.





3 […].
4 See minutes relating to the on-site fact-finding mission carried out on March 18, 2019 to the
ABC group.
      11. The president of the Restricted Formation informed the inspected by letter of 5
January 2021 that his case would be registered for the Restricted Training session on 11
February 2021. The inspected confirmed their presence at the said meeting on January 11,
2021.



      12. During the Restricted Training session on February 11, 2021, the leader

investigation team and the inspector presented their oral observations in support of their

written observations and answered questions posed by the Restricted Training. The

president asked the controlled to send information to the Restricted Training
additional information on the distribution of people working on each site, including

the production site, within a week. The controlled had the floor last.


II. Place


II. 1. As to the grounds for the decision


A. On the breach linked to the principle of data minimization



1. On the principles


      13. In accordance with Article 5.1.c) of the GDPR, personal data

must be "adequate, relevant and limited to what is necessary with regard to
purposes for which they are processed (data minimization) ”.


      14. The principle of data minimization in video surveillance

implies that it should only be filmed what appears strictly necessary to achieve

the purpose(s) pursued and that the processing operations must not be
disproportionate. 5


      15. Article 5.1.b) of the GDPR provides that personal data must

be "collected for specific, explicit and legitimate purposes, and not be





5 See CNPD Guidelines (Point 4.), available at: https://cnpd.public.lu/fr/dossiers-
thematic / videosurveillance / necessity-proportionality.html.
subsequently processed in a manner incompatible with these purposes; […] (Limitation of

purposes) ”.


       16. Before installing a video surveillance system, the person in charge of

processing must define, precisely, the purpose (s) it wishes to achieve in

using such a system, and cannot then use the personal data
collected for other purposes. 6


       17. The necessity and proportionality of video surveillance is analyzed on a case-by-case
basis and, in particular, with regard to criteria such as the nature of the place to be placed under
video surveillance, its situation, configuration or attendance. 7


2. In this case


       18. It was explained to CNPD officials that the purposes of setting up the

video surveillance system are the protection of property, securing access to

private places, user safety and accident prevention. 8


    2.1. Regarding the field of view of the camera filming the public road



       19. During the on-site investigation, CNPD officers noted that the scope of

vision of a camera named by the inspected "[...]" and in the report drawn up
by CNPD agents "[…]" allows the surveillance of part of the public highway

adjoining the controlled store.



       20. The head of the investigation considered that "in view of the aforementioned purposes for which is

operated the video surveillance, it is not necessary to encompass parts of the track

public or neighboring grounds in the fields of view of the cameras listed

under point I hereof." (Statement of objections, Ad. A.3.). He was thus of the opinion
that the non-compliance with article 5.1.c) of the GDPR was acquired on the day of the on-site visit






6 See CNPD Guidelines, available at: https://cnpd.public.lu/fr/dossiers-
thematic / videosurveillance / necessity-proportionality.html.
7 See CNPD Guidelines (Point 4.), available at: https://cnpd.public.lu/fr/dossiers-
thematic / videosurveillance / necessity-proportionality.html.
8 See report 5 of the minutes relating to the on-site fact-finding mission carried out on March 18, 2019
with the ABC group.
and that the documentation submitted to the CNPD by the letter of April 18, 2019 did not contain

any evidence against this non-compliance.


      21. In its reply letter to the statement of objections of 21 November

2019, the inspected for his part explained that adjustments to the fields of vision of

active CCTV cameras were made and he appended screenshots

to the said letter.


      22. The Restricted Training would like to remind you that the cameras intended to monitor

an access point (entrance and exit, threshold, porch, door, awning, hall, etc.) must have a

field of vision limited to the area strictly necessary to visualize people

preparing to access it. Those that film exterior accesses must not cover

the entire width of a sidewalk running alongside, where applicable, the building or the adjacent public

roads. Likewise, outdoor cameras installed near or around a
building must be configured so as not to capture the public thoroughfare, nor the surroundings,

entrances, accesses and interiors of other neighboring buildings possibly entering

their field of vision. 9


      23. The Restricted Training nevertheless admits that depending on the configuration of

places, it is sometimes impossible to install a camera that does not include in its

field of vision part of the public thoroughfare, surroundings, entrances, entrances and interiors

other buildings. In such a case, it considers that the controller should

implement masking or blurring techniques in order to limit the field of
vision to his property. 10


      24. The Restricted Training noted that the letter from the inspected of 21 November
2019 contains a photo showing that the field of view of the camera referred to as
"[…]" was masked so as not to target the public highway.


      25. In view of the foregoing, the Restricted Formation nevertheless agrees with the observation
of the head of the investigation 11 according to which the non-compliance with Article 5.1.c) of the GDPR with regard to



9 See CNPD Guidelines (Point 4.1.), available at: https://cnpd.public.lu/fr/dossiers-
thematic / videosurveillance / necessity-proportionality.html.
10 See CNPD Guidelines (Point 4.1.), available at: https://cnpd.public.lu/fr/dossiers-
thematic / videosurveillance / necessity-proportionality.html.
11 Statement of objections, Ad. A.3.
the aforementioned camera was acquired on the day of the on-site visit of the agents

of the CNPD.


    2.2. Regarding the field of vision of cameras filming employees


      26. During the on-site investigation, CNPD officers noted that the scope of
vision of ten cameras allowed permanent monitoring of workstations

employees working in the "[…]", "[…]", "[…]", "[…]" and "[…]". 12


      27. In addition, the head of the investigation considered that a permanent monitoring of

employees on their workstations is “to be considered as disproportionate. Indeed,

such permanent monitoring can create significant psychological pressure
for employees who feel and know that they are being observed, especially since the

surveillance will last over time. The fact that the employees concerned do not have

a way of avoiding this surveillance from time to time is also likely

to aggravate this pressure. Such permanent monitoring is considered

as disproportionate to the intended purpose and constitutes an excessive interference with the
private sphere of employees employed at their workstations. In this case, the rights and

fundamental freedoms of employees must prevail over the interests pursued by

the employer." Thus, he held that the non-compliance with article 5.1.c) of the GDPR was

acquired on the day of the on-site visit and that the documentation submitted to the CNPD by the

letter of April 18, 2019 did not contain any evidence against this non-compliance, nor
any explanation as to the possible need for such monitoring measures

(statement of objections, Ad. A.4.).


      28. Restricted Training would like to remind you that employees have the right not to

be subject to continuous and permanent surveillance in the workplace. To reach

the purposes pursued, it may appear necessary for a controller

to install a video surveillance system in the workplace. On the other hand, respecting
the principle of proportionality, the controller must have recourse to the means of

monitoring the most protective of the employee's private sphere and, for example, limiting




12 See findings 6, 7, 9, 10, 11 and 14 of the minutes relating to the on-site fact-finding mission carried out
on March 18, 2019 with the ABC group. These are the cameras called: "[…]", "[…]", "[…]", "[…]",
"[…]", "[…]", "[…]", "[…]", "[…]", "[…]".
the field of vision of the cameras to the only surface necessary to reach the

purpose(s) pursued.


      29. The Restricted Formation notes that in its letter of November 21, 2019,

the inspected said he had made adjustments to his CCTV cameras
and there are screenshots attached.


      30. In view of the foregoing, the Restricted Formation nevertheless agrees with the observation

of the head of investigation 13 according to which the non-compliance with Article 5.1.c) of the GDPR concerning

the ten cameras which allowed permanent surveillance of the workstations of

employees employed there was acquired on the day of the on-site visit.


B. On the breach related to the obligation to inform the persons concerned


1. On the principles



      31. Pursuant to paragraph 1 of Article 12 of the GDPR, the "controller

take appropriate measures to provide any information referred to in Articles 13 and 14
as well as to make any communication under Articles 15 to 22 and Article

34 with regard to the processing to the data subject in a concise manner,

transparent, understandable and easily accessible, in clear and simple terms […]."



      32. Article 13 of the GDPR provides the following:


      "1. When personal data relating to a person

concerned are collected from this person, the data controller

provides, at the time the data in question is obtained, all the information

following:


a) the identity and contact details of the controller and, where applicable, of the

representative of the controller;






13 Statement of objections, Ad. A.4.
b) where applicable, the contact details of the data protection officer;


c) the purposes of the processing for which the personal data are intended as well

as the legal basis for the processing;


d) where the processing is based on Article 6 (1) (f), the legitimate interests

pursued by the controller or by a third party;



e) the recipients or the categories of recipients of the personal data,
if they exist; and



f) where applicable, the fact that the controller intends to carry out a

transfer of personal data to a third country or to an organization
international, and the existence or absence of an adequacy decision issued by the

Commission or, in the case of transfers referred to in Article 46 or 47, or in Article 49,

paragraph 1, second subparagraph, the reference to appropriate or adapted guarantees and the
how to obtain a copy or where it was made available;



      2. In addition to the information referred to in paragraph 1, the controller

provides the data subject, at the time the personal data is
obtained, the following additional information which is necessary to guarantee

fair and transparent treatment:



a) the retention period of personal data or, when this is not
possible, the criteria used to determine this duration;



b) the existence of the right to request from the controller access to personal
data, rectification or erasure thereof, or a limitation of the
processing relating to the data subject, or the right to object to the processing and
the right to data portability;


c) where the processing is based on Article 6 (1) (a) or on Article 9,

paragraph 2 (a), the existence of the right to withdraw consent at any time,


without affecting the lawfulness of the processing based on the consent made before the

withdrawal of it;


d) the right to lodge a complaint with a supervisory authority;



e) information on whether the requirement to provide personal data
has a regulatory or contractual character or if it conditions the
conclusion of a contract and whether the data subject is obliged to provide the personal
data, as well as the possible consequences of the non-provision of
those data;



f) the existence of automated decision-making, including profiling, referred to in Article

22, paragraphs 1 and 4, and, at least in such cases, useful information concerning the
underlying logic, as well as the significance and expected consequences of this processing

for the person concerned.



      3. When he intends to carry out further processing of personal data
for a purpose other than that for which the personal data
have been collected, the data controller provides the person
concerned with information about this other purpose and any other relevant
information referred to in paragraph 2.



      4. Paragraphs 1, 2 and 3 shall not apply when, and to the extent that, the
data subject already has this information."



      33. Communication of information relating to the

processing of their data is an essential element in the context of compliance with
general transparency obligations within the meaning of the GDPR. 14 The said obligations were
clarified by the Article 29 Working Group in its guidelines on

transparency within the meaning of Regulation (EU) 2016/679, the revised version of which has been adopted

April 11, 2018 (hereafter: "WP 260 rev.01").




14 See in particular Articles 5.1.a) and 12 of the GDPR, see also recital (39) of the GDPR.
      34. Note that the European Data Protection Board (hereafter:
"EDPB"), which replaced the Article 29 Working Party since 25 May 2018, took over
and re-approved the documents adopted by said Group between May 25, 2016 and May 25,
2018, as precisely the aforementioned guidelines on transparency. 15


2. In this case



      35. Regarding the information of third parties, as well as of employees,
about the video surveillance system, the head of the investigation noted that the documentation

submitted to the CNPD by letter of April 18, 2019 did not contain sufficient evidence

to counter non-compliance with the requirements of Article 13 of the GDPR. He estimated

that the affixing, after the on-site visit, of posters comprising a pictogram of a

camera with the mention "for your safety this site is under surveillance" is not

such as to fulfill the conditions set by the said article and that therefore the non-compliance with

Article 13 of the GDPR was acquired on the day of the on-site visit (see statement of

objections, Ad. A.1. and A.2.).


      36. In his aforementioned letter of April 18, 2019, the inspected indicated that the
persons concerned (employees and third parties) are informed of the presence of a

video surveillance through posters at each entrance and exit

and he attached photos of said posters.


      37. By letter of November 21, 2019, the inspected sent the head of the investigation a

personal data protection charter that has been posted on its website, a

information notice on data protection for its employees which has been

presented and approved at a meeting of […] and which is circulated for signature to

its employees, as well as a photo of a new signage pictogram on its sites.


      38. The Restricted Training would first like to point out that Article 13 of the GDPR

refers to the obligation imposed on the controller to "provide" all

information mentioned therein. The word "provide" is crucial here and it "means




15 See EDPB Endorsement 1/2018 decision of 25 May 2018, available at:
https://edpb.europa.eu/sites/edpb/files/files/news/endorsement_of_wp29_documents_en_0.pdf.
that the controller must take concrete measures to provide the

information in question to the data subject or to actively direct the person

concerned to the location of said information (for example by means of a link

direct, a QR code, etc.). ”(WP260 rev. 01, paragraph 33).


      39. The Restricted Formation notes that during the on-site visit by the CNPD agents, third parties and employees were not informed of the presence of the video surveillance system. In its letter of April 18, 2019, the inspected party indicated that henceforth the persons concerned would be informed by a pictogram of a camera with the mention "for your safety this site is under surveillance". Furthermore, by letter of November 21, 2019, the inspected party sent a personal data protection charter, an information notice on data protection for its employees, as well as a photo of a new signage pictogram on its site(s).


      40. The Restricted Formation considers in this context that a multi-level approach to communicating transparency information to data subjects can be used in an offline or non-digital context, i.e. in a real-world environment such as personal data collected by means of a video surveillance system. The first level of information should generally include the most essential information, i.e. details of the purpose of processing, the identity of the controller and the existence of the rights of data subjects, as well as the information with the greatest impact on the processing or any processing likely to surprise the data subjects. 16 The second level of information, i.e. all the information required under Article 13 of the GDPR, could be provided or made available by other means, such as a copy of the privacy policy sent by e-mail to employees or a link on the website to an information notice for non-salaried third parties. 17







16 See WP260 rev. 01 and EDPB Guidelines 3/2019 on the processing of personal data through video devices, version 2.0, adopted January 29, 2020.
17 See WP260 rev. 01 (point 38).
      41. The Restricted Formation notes, however, that the pictogram which was put in place after the on-site visit and the pictogram sent by letter of November 21, 2019 did not contain even the required elements of the first level of information, whether for employees or for non-salaried third parties.


      42. Regarding the personal data protection charter available to third parties […] and sent by letter of November 21, 2019, the Restricted Formation considers that it did not contain all of the elements required by Article 13.1 and 2 of the GDPR, especially since, at the time of the on-site visit by the CNPD agents, third parties could not yet access the said charter.


      43. With regard to the information notice on data protection for its employees, the Restricted Formation considers that the said notice did not contain all the elements required by Articles 13.1 and 2 of the GDPR, especially since, at the time of the on-site visit by the CNPD agents, the employees were not yet in possession of said notice.

      44. In view of the above, the Restricted Formation concludes that at the time of the on-site visit by the CNPD agents, Article 13 of the GDPR was not complied with by the inspected party.


II. 2. On corrective measures and fines


1. The principles



      45. In accordance with Article 12 of the law of August 1, 2018, the CNPD has the power to adopt all the corrective measures provided for in Article 58.2 of the GDPR:

"a) notify a controller or processor that envisaged processing operations are likely to violate the provisions of this Regulation;

b) call to order a controller or a processor when processing operations have resulted in a violation of the provisions of this Regulation;



c) order the controller or processor to comply with requests submitted by the data subject in order to exercise their rights under this Regulation;

d) order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where applicable, in a specific manner and within a specific time frame;

e) order the controller to communicate a personal data breach to the data subject;

f) impose a temporary or permanent restriction, including a ban, on processing;

g) order the rectification or erasure of personal data or the restriction of processing pursuant to Articles 16, 17 and 18 and the notification of these measures to the recipients to whom the personal data have been disclosed in accordance with Article 17, paragraph 2, and Article 19;

h) withdraw a certification or order the certification body to withdraw a certification issued pursuant to Articles 42 and 43, or order the certification body not to issue a certification if the requirements for certification are not or are no longer satisfied;

i) impose an administrative fine pursuant to Article 83, in addition to or instead of the measures referred to in this paragraph, depending on the specific characteristics of each case;

j) order the suspension of data flows addressed to a recipient located in a third country or to an international organization."


      46. In accordance with Article 48 of the law of August 1, 2018, the CNPD may impose administrative fines as provided for in Article 83 of the GDPR, except against the State or municipalities.


      47. Article 83 of the GDPR provides that each supervisory authority shall ensure that the administrative fines imposed are, in each case, effective, proportionate and dissuasive, before specifying the elements that must be taken into account in deciding whether to impose an administrative fine and in deciding on the amount of this fine:

"a) the nature, gravity and duration of the breach, taking into account the nature, scope or purpose of the processing concerned, as well as the number of data subjects affected and the level of damage they suffered;

b) whether the violation was committed willfully or negligently;

c) any measures taken by the controller or processor to mitigate the damage suffered by the data subjects;

d) the degree of responsibility of the controller or processor, taking into account the technical and organizational measures they have implemented under Articles 25 and 32;

e) any relevant breach previously committed by the controller or processor;

f) the degree of cooperation established with the supervisory authority in order to remedy the violation and mitigate any negative effects;

g) the categories of personal data affected by the breach;

h) the manner in which the supervisory authority became aware of the breach, in particular whether, and to what extent, the controller or processor notified the breach;

i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned for the same subject matter, compliance with these measures;


j) the application of codes of conduct approved pursuant to Article 40 or certification mechanisms approved pursuant to Article 42; and

k) any other aggravating or mitigating circumstance applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, as a result of the violation".



      48. The Restricted Formation would like to point out that the facts taken into account in the context of this decision are those noted at the start of the investigation. Any subsequent changes relating to the data processing under investigation, even if they make it possible to establish compliance in whole or in part, do not retroactively cancel a breach that has been found.


      49. Nevertheless, the steps taken by the inspected party to comply with the GDPR during the investigation procedure, or to remedy the shortcomings identified by the head of investigation in the statement of objections, are taken into account by the Restricted Formation in the context of any corrective measures to be pronounced.



2. In this case


2.1. As for the imposition of an administrative fine



      50. In his additional letter to the statement of objections of August 3, 2020, the head of investigation proposed that the Restricted Formation impose an administrative fine in the amount of 17,000 euros.



      51. In its response of August 12, 2020 to the additional letter, the inspected party disputed the aforementioned letter from the head of investigation following the corrective changes made to comply with the GDPR rules.


      52. In order to decide whether to impose an administrative fine and to decide, where applicable, on the amount of this fine, the Restricted Formation takes into account the elements provided for in Article 83.2 of the GDPR:
- As to the nature and seriousness of the violation (Article 83.2.a) of the GDPR), the Restricted Formation notes that, with regard to the breach of Article 5.1.c) of the GDPR, it constitutes a breach of the fundamental principles of the GDPR (and of data protection law in general), namely the principle of data minimization enshrined in Chapter II "Principles" of the GDPR.

  As for the breach of the obligation to inform the data subjects in accordance with Article 13 of the GDPR, the Restricted Formation recalls that information and transparency relating to the processing of personal data are essential obligations incumbent on controllers so that individuals are fully aware of the use that will be made of their personal data once it has been collected. A breach of Article 13 of the GDPR thus constitutes an infringement of the rights of the data subjects. This right to information has moreover been strengthened under the GDPR, which testifies to its particular importance. It should be noted that at the time of the on-site visit by the CNPD agents, no signage pictogram, nor any poster or information leaflet, could be shown to the CNPD agents.

- As for the duration criterion (Article 83.2.a) of the GDPR), the Restricted Formation notes that these shortcomings have lasted over time, at least since May 25, 2018 and until the day of the on-site visit. The Restricted Formation recalls here that two years separated the entry into force of the GDPR from its entry into application, to allow controllers to comply with the obligations incumbent upon them. Moreover, an obligation to respect the principle of minimization, as well as a comparable information obligation, already existed under Articles 4.1.b), 10.2 and 26 of the repealed law of August 2, 2002 on the protection of individuals with regard to the processing of personal data. Guidance on the principles and obligations provided for in the said law was available from the CNPD, in particular through compulsory prior authorizations for video surveillance.



- As for the number of data subjects (Article 83.2.a) of the GDPR), the Restricted Formation notes that these are [...] employees working on the site of the inspected party who were under constant surveillance by ten different cameras without the possibility of opting out, as well as all third parties, that is to say customers, suppliers, service providers and visitors visiting said site.

- As to the question of whether the breaches were committed deliberately or not (by negligence) (Article 83.2.b) of the GDPR), the Restricted Formation recalls that "not deliberately" means that there was no intention to commit the violation, although the controller or processor did not comply with its duty of care under the law.

  In this case, the Restricted Formation is of the opinion that the facts and the breaches observed do not reflect a deliberate intention to violate the GDPR on the part of the inspected party.

- As for the degree of cooperation established with the supervisory authority (Article 83.2.f) of the GDPR), the Restricted Formation takes into account the statement of the head of investigation that the cooperation of the inspected party throughout the investigation was good, as well as its desire to comply with the law as soon as possible.


      53. The Restricted Formation notes that the other criteria of Article 83.2 of the GDPR are neither relevant nor likely to influence its decision on the imposition of an administrative fine and its amount.


      54. The Restricted Formation also notes that although several measures were put in place by the inspected party in order to remedy certain shortcomings in whole or in part, these were only adopted following the inspection by the CNPD agents on March 18, 2019 (see also point 48 of this decision).







18 As indicated by email from the inspected party on February 11, 2021.
      55. Therefore, the Restricted Formation considers that the imposition of an administrative fine is justified with regard to the criteria set out in Article 83.2 of the GDPR for breach of Articles 5.1.c) and 13 of the GDPR.


      56. Regarding the amount of the administrative fine, the Restricted Formation recalls that paragraph 3 of Article 83 of the GDPR provides that in the event of multiple violations, as is the case here, the total amount of the fine may not exceed the amount set for the most serious violation. Insofar as a breach of Articles 5 and 13 of the GDPR is alleged against the inspected party, the maximum amount of the fine that can be imposed is 20 million euros or 4% of worldwide annual turnover, whichever is higher.


      57. In view of the relevant criteria of Article 83.2 of the GDPR mentioned above, the Restricted Formation considers that a fine of 12,500 euros appears to be effective, proportionate and dissuasive, in accordance with the requirements of Article 83.1 of the GDPR.


2.2. Regarding the taking of corrective measures



      58. The adoption of the following corrective measures was proposed by the head of investigation to the Restricted Formation in his additional letter to the statement of objections:

      a) Order the controller to put in place information measures intended for the persons concerned by the video surveillance, in accordance with the provisions of Article 13, paragraphs (1) and (2) of the GDPR, by providing in particular the identity of the controller, the purposes of the processing and its legal basis, the categories of data processed, the legitimate interests pursued by the inspected party, the recipients, the data retention period, as well as an indication of the rights of the person and how to exercise them;

      b) Order the controller to process only data that are relevant, adequate and limited to what is necessary for the purposes of protection of property, securing access to private places, security of users as well as accident prevention and, in particular, to adapt the video system so as not to film employees at their workstations, for example by removing or reorienting the cameras called "[…]", "[…]", "[…]", "[…]", "[…]", "[…]", "[…]", "[…], […], […] and […]".


      59. In its reply letter of August 12, 2020 to the additional letter to the statement of objections, the inspected party referred to the corrective changes made to comply with the rules of the GDPR. 19


      60. As to the corrective measures proposed by the head of investigation, and by reference to point 49 of this decision, the Restricted Formation takes into account the steps taken by the inspected party, following the visit of the CNPD agents, in order to comply with the provisions of Articles 5.1.c) and 13 of the GDPR, as detailed in its letters of April 18, 2019, November 21, 2019 and August 12, 2020. More specifically, it takes note of the following facts:

- As for the implementation of information measures intended for non-salaried third parties concerned by the video surveillance, in accordance with the provisions of Article 13.1 and 2 of the GDPR, the inspected party posted on its website new pictograms [...] allowing said persons to access a privacy policy. A photo of such a pictogram and the aforementioned charter were appended to the inspected party's letter of November 21, 2019.

  The Restricted Formation considers that the aforementioned pictogram, combined with the aforementioned charter, does not contain all the information required by Article 13 of the GDPR, in particular the precise legal basis for the video surveillance, the recipients or categories of recipients of the images from the video surveillance, the retention period of the images from the video surveillance, as well as the right to lodge a complaint with the CNPD.


  As for the implementation of information measures intended for employees concerned by the video surveillance, in accordance with the provisions of Article 13.1 and 2 of the GDPR, the inspected party indicated in its letter of November 21, 2019 that an information notice on data protection for its employees had been presented and approved at a meeting […] and is circulated for signature to its employees. Annex 2 of said letter concerns the aforementioned notice.

  The Restricted Formation considers that the information notice on data protection intended for the employees of the inspected party does not contain all the information required by Article 13 of the GDPR, in particular the precise legal basis for the video surveillance, the recipients or categories of recipients of the images from the video surveillance system, the existence of the right to restriction of processing, as well as the right not only to refer a matter to, but to lodge a complaint with, the CNPD.

  In consideration of the compliance measures taken by the inspected party in this case and of point 49 of this decision, the Restricted Formation therefore considers that it is necessary to pronounce the corrective measure proposed by the head of investigation under a).

- As for the obligation to process only data that are relevant, adequate and limited to what is necessary with regard to the purposes of protecting property and securing access and, in particular, to adapt the video system so as not to film employees at their workstations or the public road, the inspected party explained in its reply letter to the statement of objections of November 21, 2019 that it had made adjustments to its active video surveillance cameras. As employees were visible on the screenshots annexed to said letter, a related question was asked during the hearing of the Restricted Formation of February 11, 2021. The inspected party specified that all cameras henceforth only target corridors, passages, freezers or raw material depots and that no employee is permanently in the field of vision. In consideration of the compliance measures taken by the inspected party in this case and of point 49 of this decision, the Restricted Formation therefore considers that there is no need to pronounce the corrective measure proposed by the head of investigation under b).


19 As detailed in its reply letter to the statement of objections of November 21, 2019.




In view of the foregoing developments, the National Commission sitting in restricted formation and deliberating unanimously decides:

- to uphold the breaches of Articles 5.1.c) and 13 of the GDPR;

- to impose on Company A an administrative fine in the amount of twelve thousand five hundred euros (12,500 euros), with regard to the breaches of Articles 5.1.c) and 13 of the GDPR;

- to issue an injunction against Company A to bring the processing into compliance with the provisions of Article 13 of the GDPR within two months following notification of the decision of the Restricted Formation, the supporting documents for compliance to be sent to the Restricted Formation, at the latest, within this period;

and in particular:

1. inform non-salaried third parties in a clear and complete manner, in accordance with the provisions of Article 13 of the GDPR, in particular by providing third parties with information on the precise legal basis for the video surveillance, the recipients or categories of recipients of the images from the video surveillance system, the retention period of the images from the video surveillance system, as well as the right to lodge a complaint with the CNPD.

2. inform employees individually in a clear and complete manner, in accordance with the provisions of Article 13 of the GDPR, in particular by providing employees with information on the precise legal basis for the video surveillance, the recipients or categories of recipients of the images from the video surveillance system, the existence of the right to restriction of processing, as well as the right to lodge a complaint with the CNPD.


As decided in Belvaux on June 29, 2021.

For the National Commission for Data Protection sitting in restricted formation

Tine A. Larsen, President
Thierry Lallemang, Commissioner
Marc Lemmer, Commissioner





                           Indication of remedies


This administrative decision may be the subject of an appeal for reformation within three months following its notification. This appeal is to be brought before the administrative court and must be lodged through a lawyer at the Court of one of the Bar Associations.


























