CNPD (Luxembourg) - Délibération n° 11FR/2021

From GDPRhub
CNPD (Luxembourg) - Délibération n° 11FR/2021
LogoLU.png
Authority: CNPD (Luxembourg)
Jurisdiction: Luxembourg
Relevant Law: Article 5(1)(e) GDPR
Article 13 GDPR
Article 32(1) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 08.04.2021
Published: 07.06.2021
Fine: 2800 EUR
Parties: n/a
National Case Number/Name: Délibération n° 11FR/2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: CNPD (in FR)
Initial Contributor: n/a

The Luxembourg DPA fined a controller €2800 for processing geolocation data from their fleet of company vehicles without an adequate retention period and without providing all the necessary information to their employees.

English Summary

Facts

The Luxembourg DPA (CNPD) launched an investigation on a company that was using a geolocation system in their fleet of vehicles. Such vehicles were used by their employees for home to office transport and to travel with clients.

According to the controller, the geolocation purposes were geographic identification, protection of company assets, tracking of transported goods, optimal fleet management, optimisation of the work process, responding to customer complaints, proof of service customer complaints, the provision of proof of services, invoicing of services, and the monitoring of the working time of employees on the move.

The DPA also found that the geolocation data had been stored for a period of 2 years and 4 months.

Holding

According to the CNPD, the retention period exceeded what was necessary for the purposes of the processing. Because of this, the CNPD considered that the controller had violated Article 5(1)(e) GDPR.

The DPA also noted that the storage period should not only be adequate in sight of the purposes of the processing, but should also be individualised per each purpose.

The authority also found that the controller had not properly informed their employees about the processing of geolocation data. The only information provided to the employees consisted on a sticker on the vehicles and a plastic sheet attached to the vehicle documentation. There was also not enough information about the system on their privacy note.

The CNPD therefore considered that the controller had infringed Article 13.

For these violations, the DPA fined the controller €2800, and ordered them to implement a policy for providing the necessary information to the employees, as well as to implement adequate retention periods. Additionally, the DPA ordered the controller to implement, in accordance with Article 32(1) GDPR, access measures to the geolocation data, with a system that allows the data subject to authenticate themselves in order to access it.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Decision of the National Commission sitting in restricted formation

    on the outcome of survey No. [...] conducted with "Company A"



                       Deliberation n ° 11FR / 2021 of April 8, 2021






The National Commission for Data Protection sitting in a restricted body
composed of Ms Tine A. Larsen, president, and Messrs Thierry Lallemang and Marc

Lemmer, commissioners;



Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016
relating to the protection of individuals with regard to the processing of personal data

personal character and on the free movement of such data, and repealing the Directive

95/46 / EC;


Having regard to the law of 1 August 2018 on the organization of the National Commission for

data protection and the general data protection regime, in particular

its article 41;


Having regard to the internal regulations of the National Commission for the Protection of

data adopted by decision n ° 3AD / 2020 dated 22 January 2020, in particular its

article 10 point 2;


Having regard to the regulation of the National Commission for Data Protection relating to

investigation procedure adopted by decision n ° 4AD / 2020 dated 22 January 2020,

in particular Article 9;



Considering the following:







   _____________________________________________________________

             Decision of the National Commission sitting in restricted formation on the outcome of
                             the survey n ° [...] conducted with "Company A"


                                                                                                  1 / 26I. Facts and procedure



      During its deliberation session of February 14, 2019, the National Commission for

data protection sitting in plenary session (hereinafter: "Plenary session

") Had decided to open an investigation with the ABC group on the basis of Article 37 of the

Law of 1 August 2018 on the organization of the National Commission for the Protection

data and the general data protection regime (hereinafter "Law of 1 August

2018 ") and to appoint Mr. Christophe Buschmann as head of the investigation.



      According to the decision of the Plenary Panel, the investigation carried out by the

National Commission for Data Protection (hereafter: "CNPD") had as

purpose of verifying compliance with the provisions of the regulation on the protection of
natural persons with regard to the processing of personal data and the

free movement of such data, and repealing Directive 95/46 / EC (hereinafter "GDPR")

and the law of August 1, 2018, in particular through the establishment of

video surveillance and geolocation, where applicable, installed by the three companies of the

ABC group.



      On February 20, 2019, CNPD agents visited the

ABC group premises. Since the report no. […] Relating to the said mission

on-site investigation only mentions that, among the three ABC group companies, as
                                                               2
responsible for the controlled processing company "Company A", the decision of the Commission

national body for data protection sitting in a restricted group on the outcome of

the investigation (hereinafter: "Restricted Training") will be limited to controlled treatments
by CNPD agents and carried out by the company "Company A".



       "Company A" is a […] registered in the Trade and Companies Register of

Luxembourg under number […], with registered office at L- […] (hereinafter “the controlled”). The




1 And more specifically with companies: Company A, registered in the Trade and
Luxembourg companies under number […], with registered office at L- […]; Company B, registered at
Luxembourg Trade and Companies Register under number […], with registered office at L-
[…] And Company C, registered in the Luxembourg Trade and Companies Register under number

[…], With registered office at L- […].
2 See in particular report no. […] Relating to the on-site fact-finding mission carried out to date
of February 20, 2019 with the company Company A.
   _____________________________________________________________

              Decision of the National Commission sitting in restricted formation on the outcome of
                               the survey n ° [...] conducted with "Company A"


                                                                                                         2 / 26contrôlé's activity is to provide consultancy, installation and
                                     3
maintenance in technology […].



      During the aforementioned visit of February 20, 2019 by CNPD agents in the

controlled premises, Mr X, Director of Human Resources for the controlled,

confirmed to CNPD officers that a geolocation device is installed in a

part of the vehicles in the controlled fleet, but that the latter does not use
                                    4
a video surveillance system.



      According to the explanations provided to the CNPD agents, the persons concerned

by geolocation are employees of the company who use the vehicles for their

travel to customers and on their business trip between their home and head office

social control. Mr. X also confirmed to the CNPD agents that each

vehicle is assigned to a specific employee and that part of the vehicles that can be

used by employees for private purposes is not equipped with a
                 5
geolocation.


      At the end of his investigation, the head of investigation notified the inspectorate on 9

August 2019 a statement of objections detailing the shortcomings he considered

constituted in this case, and more specifically a non-compliance with the prescribed requirements

by Article 13 of the GDPR with regard to employees, a non-compliance with

measures prescribed by Article 32.1 of the GDPR, as well as non-compliance with the requirements

prescribed by Article 5.1.e) of the GDPR.



      The request for a meeting by the controlled of August 13, 2019 was accepted by the chief

of inquiry and the meeting was held on August 20, 2019. 6







3
 According to the information provided on its own website: […].
4See report no. […] Relating to the on-site fact-finding mission carried out on February 20
2019 from Company A; see also the email from Company A of March 1, 2019 and

the letter of March 29, 2019.
5See finding 1 of report no. […] Relating to the on-site fact-finding mission carried out to date
of February 20, 2019 with the company Company A.
6
 See the report of the meeting of August 20, 2019 with the company Société A.
   _____________________________________________________________
               Decision of the National Commission sitting in restricted formation on the outcome of

                                the survey n ° [...] conducted with "Company A"


                                                                                                           3/26 On October 7, 2019, the inspected produced written observations on the
statement of objections.



      A letter additional to the statement of objections was sent to the inspectorate

dated August 17, 2020. In this letter, the head of the investigation proposed to the Formation
Restricted from taking three different corrective measures, as well as inflicting the controlled

an administrative fine in the amount of EUR 4,000.



      By letter of September 24, 2020, the inspected produced written observations
on the additional letter to the statement of objections.



      The president of the Restricted Training informed the control by letter of 9

October 2020 that his case would be registered for the Restricted Training session of 17
November 2020. The inspected confirmed their presence at the said meeting on October 20

2020.


      During the Restricted Training session on November 17, 2020, the chef

investigation and the inspector reiterated their written observations orally and responded to

questions asked by the Restricted Training. The controlled had the floor last.




II. Place



II. 1. As to the grounds for the decision


A. On the breach linked to the principle of limitation of retention



1. On the principles


      In accordance with Article 5.1.e) of the GDPR, personal data

must be kept "in a form permitting the identification of persons
concerned for a period not exceeding that necessary for the purposes

for which they are processed […] ”.


   _____________________________________________________________

              Decision of the National Commission sitting in restricted formation on the outcome of
                             the survey n ° [...] conducted with "Company A"


                                                                                                  4/26 According to recital (39) of the GDPR "personal data should

be adequate, relevant and limited to what is necessary for the purposes for

which they are processed. This requires, in particular, to ensure that the duration of

data retention is limited to the strict minimum. Personal data

personnel should only be processed if the purpose of the processing cannot be

reasonably achieved by other means. In order to ensure that the data is not
not kept longer than necessary, time limits should be set by the

controller for their erasure or for periodic review […]. "



2. In this case



      During the on-site investigation, it was explained to CNPD officials that the purposes

of geolocation are as follows: "geographical identification, protection of

company assets, monitoring of transported goods, optimal fleet management,
optimizing the work process, providing responses to complaints from

customers, the provision of proof of services, invoicing of services as well as the

monitoring of the working time of employees on the move ”. 7



      Regarding the retention period of data from the

geolocation, it appears from the findings of CNPD agents that the oldest

data dated October 14, 2016, i.e. the retention period of
                                   8
data was 2 years and 4 months.


      According to the head of the investigation, the said retention period for

geolocation of 2 years and 4 months exceeded that which was necessary for the realization of

the aforementioned purposes and for which the geolocation system had been implemented

square. For this reason, he was of the opinion that a non-compliance with the requirements of Article 5.1.e)

of the GDPR is to be retained (see statement of objections, Ad.A.3).







7See finding 5 of report no. […] Relating to the on-site fact-finding mission carried out to date
of February 20, 2019 with the company Company A.
8See finding 4 of report no. […] Relating to the on-site fact-finding mission carried out to date

of February 20, 2019 with the company Company A.
   _____________________________________________________________
              Decision of the National Commission sitting in restricted formation on the outcome of
                               the survey n ° [...] conducted with "Company A"


                                                                                                        5/26 By letter of March 29, 2019, the inspected for his part reiterated the comments contained

in his email of March 1, 2019, specifying that the retention period

data from the “[…]” geolocation system had been adapted to 12 months,

limit that was already in place for the "historical" component but not yet for the
"General reports". 9



      During the hearing of the Restricted Training on November 17, 2020, the inspector

clarified that the retention period of 12 months was justified, among other things, by the fact that

location data is used for billing customers for services

carried out by its employees.


      Restricted Training reminds that it is the responsibility of the data controller

determine, depending on each specific purpose, a retention period

appropriate and necessary in order to achieve said purpose. Thus, as the system of

geolocation set up by the controlled pursues several purposes, the durations of
conservation are to be individualized for each specific purpose.



      The Restricted Training considers that the control should in particular have differentiated

between the retention period of location data for the purpose of

geographical identification, monitoring of goods transported and optimal management of its fleet,

on the one hand, and the data relating to the working time of employees having precisely
the purpose of monitoring the working time of employees on the move, on the other hand.

As mentioned above, during the hearing of the Restricted Panel, the inspector has by

elsewhere specified that the geolocation data is also intended for invoicing

to customers of services provided by its employees. As a result, the Restricted Formation

believes that an appropriate retention period should have been determined in order to achieve

said purpose.


      With regard to the geolocation of employee vehicles, the Training

Restricted considers that the personal data obtained by the

geolocation can in principle only be kept for a period

maximum of two months under the aforementioned principle of Article 5.1.e) of the GDPR.

9
 Regarding the different functionalities of “[…]”, see the explanations of the inspected in
his letter of October 7, 2019.
   _____________________________________________________________
              Decision of the National Commission sitting in restricted formation on the outcome of
                               the survey n ° [...] conducted with "Company A"


                                                                                                      However, it considers that if the said data is used by the person in charge of the

processing for the purposes of proof for invoicing the services provided for its

customers, the data necessary for such invoicing may be kept for a
duration of one year, provided that it is not possible to provide proof of benefits

by other means. 10



      In the event that the geolocation device is installed for the purpose of verifying the

working time (when this is the only possible means), the Restricted Training considers
that the personal data obtained by geolocation which allows to

check the working time can nevertheless be kept for a period of time

maximum of three years in accordance with the limitation period set out in Article 2277 paragraph

1st of the Civil Code in matters of action for the payment of employee compensation.


      In the event of an incident, the Restricted Training is of the opinion that the data may

however, be kept beyond the pre-mentioned deadlines within the framework of the

transmission of data to the competent judicial authorities and authorities

law enforcement agencies competent to ascertain or prosecute criminal offenses.


      It also wishes to point out that the data obtained by geolocation

may also be kept beyond the aforementioned periods, if these have

previously made anonymous, that is to say that it is no longer possible to make a link

- direct or indirect - between these data and a specific employee.


      In its former authorization no. […], On which the inspected, among others, is based

to justify that employees were already informed of the implementation of the

geolocation, the CNPD had already imposed as a condition that the data of

geolocation could not be kept beyond two months, respectively three

years for data relating to working time.


      Based on all of these elements, the Restricted Training concludes that

Article 5.1.e) of the GDPR was not complied with by the inspectorate.



10See in this context the article of the National Commission for Computing and Liberties
(CNIL): “The geolocation of employee vehicles”, available at: https://www.cnil.fr/fr/la-
geolocation-of-employee-vehicles. "
   _____________________________________________________________
              Decision of the National Commission sitting in restricted formation on the outcome of
                              the survey n ° [...] conducted with "Company A"



                                                                                                      7 / 26B. On the breach related to the obligation to inform the persons concerned



1. On the principles


      Pursuant to paragraph 1 of Article 12 of the GDPR, the "controller

take appropriate measures to provide any information referred to in Articles 13 and 14

as well as to make any communication under Articles 15 to 22 and Article
34 with regard to the processing to the data subject in a concise manner,

transparent, understandable and easily accessible, in clear and simple terms […]. "



      Article 13 of the GDPR provides the following:


"1. When personal data relating to a data subject are

collected from this person, the controller provides them, at the time
where the data in question is obtained, all of the following information:



a) the identity and contact details of the controller and, where applicable, of the

representative of the controller;


b) where applicable, the contact details of the data protection officer;



c) the purposes of the processing for which the personal data are intended as well
as the legal basis for the processing;



d) where the processing is based on Article 6 (1) (f), the legitimate interests

pursued by the controller or by a third party;


e) the recipients or the categories of recipients of the personal data,

if they exist; and


f) where applicable, the fact that the controller intends to carry out a

transfer of personal data to a third country or to an organization
   _____________________________________________________________

              Decision of the National Commission sitting in restricted formation on the outcome of
                              the survey n ° [...] conducted with "Company A"


                                                                                                      8/26 international, and the existence or absence of an adequacy decision issued by the
Commission or, in the case of transfers referred to in Article 46 or 47, or in Article 49,

paragraph 1, second subparagraph, the reference to appropriate or adapted guarantees and the

how to obtain a copy or where it was made available;


2. In addition to the information referred to in paragraph 1, the controller shall provide

to the data subject, when the personal data are

obtained, the following additional information which is necessary to guarantee

fair and transparent treatment:


a) the retention period of personal data or, when this is not

possible, the criteria used to determine this duration;


b) the existence of the right to request from the controller access to data at

personal character, rectification or erasure thereof, or a limitation of the

processing relating to the data subject, or the right to object to the processing and
right to data portability;



c) where the processing is based on Article 6 (1) (a) or on Article 9,

paragraph 2 (a), the existence of the right to withdraw consent at any time,
without affecting the lawfulness of the processing based on consent made before the

withdrawal of it;



d) the right to lodge a complaint with a supervisory authority;


e) information on whether the requirement to provide data to

personal character has a regulatory or contractual character or if it conditions the

conclusion of a contract and whether the data subject is obliged to provide the data to
personal character, as well as the possible consequences of the non-provision of

those data;


f) the existence of automated decision-making, including profiling, referred to in Article

22, paragraphs 1 and 4, and, at least in such cases, useful information concerning the


   _____________________________________________________________

              Decision of the National Commission sitting in restricted formation on the outcome of
                              the survey n ° [...] conducted with "Company A"


                                                                                                      Underlying logic, as well as the significance and expected consequences of this processing

for the person concerned.



3. When he intends to carry out further processing of personal data

personal for a purpose other than that for which the personal data

have been collected, the data controller provides the person with
concerned information about this other purpose and any other information

relevant referred to in paragraph 2.



4. Paragraphs 1, 2 and 3 do not apply when and to the extent that the person

concerned already has this information. "



      Communication to data subjects of information relating to the processing

of their data is an essential element in the context of compliance with obligations
general transparency within the meaning of the GDPR. 11 These obligations have been explained

by the Article 29 Working Group in its guidelines on transparency in the sense

of Regulation (EU) 2016/679, the revised version of which was adopted on April 11, 2018 (here-

after: "WP 260 rev.01").



      Note that the European Data Protection Board (hereafter: "EDPS

»), Which replaced the Article 29 Working Group on May 25, 2018, took over and

re-approved the documents adopted by the said Group between May 25, 2016 and May 25
2018, as precisely the aforementioned guidelines on transparency. 12



2. In this case



      According to the head of the investigation, the employees of the inspected were not validly informed

on the precise elements of articles 13.1 and 2 of the GDPR (see statement of objections,

page 2, Ad.A.1.).






11See in particular articles 5,1, a) and 12 of the GDPR, see also recital (39) of the GDPR.
12 See EDPS Endorsement 1/2018 decision of 25 May 2018, available at:

https://edpb.europa.eu/sites/edpb/files/files/news/endorsement_of_wp29_documents_en_0.pdf.
   _____________________________________________________________
              Decision of the National Commission sitting in restricted formation on the outcome of
                              the survey n ° [...] conducted with "Company A"


                                                                                                    10/26 By letter of March 29, 2019, the inspected for his part reiterated the comments contained

in his email of March 1, 2019, specifying that already before the visit on

CNPD site, a plastic sheet was added to the vehicle documents

equipped with a geolocation system specifying that the vehicle is equipped with such
system, on the one hand, and that said vehicles had a label on the rear door

informing the driver of the presence of said system, on the other hand.



      The inspected attached to the aforementioned letter of March 29, 2019 a declaration from the

staff delegation dated March 27, 2019 and certifying that it was informed of

the implementation of a geolocation system in certain vehicles of the ABC group.


      By letter of October 7, 2019, the inspector also sent the head of the investigation

a copy of the information note intended for all staff on the

geolocation and which has been displayed since October 4, 2019 on the controlled site, as well

than a photo of its display.


      Finally, in his letter of September 24, 2020, the inspected added that in [...],

a geolocation authorization had been issued by the CNPD and that already

at that time, the employees had been informed of the implementation of the

geolocation, in particular via staff delegation. The controlled specified having

asked the ABC group staff delegations to certify that
the information to the staff was actually given in 2009.



      The Restricted Training first of all wishes to point out that Article 13 of the GDPR makes

reference to the obligation imposed on the controller to "provide" all

the information mentioned therein. The word "provide" is crucial here and it "means

that the controller must take concrete measures to provide the
information in question to the data subject or to actively direct the person

concerned to the location of said information (for example by means of a link

direct, a QR code, etc.). ”(WP260 rev. 01. paragraph 33).







13See deliberation no. […].
   _____________________________________________________________
              Decision of the National Commission sitting in restricted formation on the outcome of
                               the survey n ° [...] conducted with "Company A"


                                                                                                       11/26 The declaration of the staff delegations of Company A and Company B of the

March 27, 2019 certifies in this context that they were informed of the establishment of a

geolocation system in certain vehicles of the ABC group, while

the joint statement of September 14, 2020 from said delegations indicates that they were

"Duly informed by the controller of the establishment of a
geolocation in company vehicles. It should be noted that the delegations of

staff have been informed of this since it was set up in 2009. […]. "



      Nevertheless, the Restricted Training considers that a simple declaration,

respectively a certificate by the delegation of inspected personnel indicating that they have

been informed of the presence of the geolocation device does not ensure that employees
of the company have been validly informed in accordance with Articles 13.1 and 2 of the GDPR,

Especially since the said documents are dated after the on-site visit by the agents of the

CNPD.



      Moreover, as mentioned above, the inspected indicates in its position paper of 24

September 2020 that, as he had an authorization from the CNPD of [...], the

employees had already been informed at that time of the implementation of the
geolocation, in particular via staff delegation.



      The only possible derogation from the information obligations referred to in Article 13 of

GDPR of a controller is in effect "when and to the extent that the
                                                           14
data subject already has this information ”. The principle of responsibility

however requires controllers to demonstrate (by documenting)

what information was already in the possession of the data subject, how and
when it has received them and no changes have been made to this information

likely to make them obsolete. 15



      The Restricted Training however notes that no documentation submitted by

the control does not contain proof that the information of employees has in fact taken place





14According to article 13.4 of the GDPR.
15
  See WP260 rev. 01, paragraph 56.
   _____________________________________________________________
              Decision of the National Commission sitting in restricted formation on the outcome of
                              the survey n ° [...] conducted with "Company A"


                                                                                                    12/26 in 2009, at least in relation to the requirements provided for by the legislation in force in

the time .6



      Then, the Restricted Training would like to note that there is in the GDPR a

"Inherent conflict between, on the one hand, the requirement to communicate to the persons concerned
the complete information that is required under the GDPR and, on the other hand, the requirement

to do so in a concise, transparent, understandable and easily accessible manner. "

(WP260 rev. 01, para. 34) Prioritize the information to be provided to individuals

concerned and determine what levels of detail and methods are appropriate for the

communication of information is not always easy.


      It is for this reason that a multi-level approach to communicating

information on transparency to data subjects can be used in a

offline or non-digital context, that is to say in a real environment such as

for example personal data processed by means of a

geolocation. The first level of information should generally include

the most important information, namely details of the purpose of processing, identity

of the controller and the existence of the rights of the data subjects, as well
that the information having the greatest impact on the treatment or any treatment

likely to surprise those concerned. The second level of information,

That is to say the other information required under Article 13 of the GDPR, could

be provided later and by other means, such as a copy
                                                     17
of the privacy policy sent by e-mail.



      Finally, the joint attestation of the delegations of company personnel
Company A and Company B of September 14, 2020 indicates that said delegations have to

were again informed during the publication of the information note on the

geolocation intended for all staff as of October 4, 2019. Exhibit

appended to the audit observations of September 24, 2020 contains the said note

information and a photo of its display.




16 In accordance with article 26 of the repealed law of 2 August 2002 on the protection of
people with regard to the processing of personal data.
17
  See WP260 rev. 01 (point 38).
   _____________________________________________________________
              Decision of the National Commission sitting in restricted formation on the outcome of
                              the survey n ° [...] conducted with "Company A"


                                                                                                    13/26 The Restricted Training nonetheless notes that the plastic sheet added to the

vehicle documents indicating only that the vehicle "is equipped with a

geolocation ", as well as the label affixed to the rear door of the vehicle
mentioning "Monitored by GPS with […]" do not even meet the requirements of the

mandatory content of the first level of information. In addition, the control failed

to its obligation to put in place a confidentiality policy which contains all

information required in accordance with Articles 13.1 and 13.2 of the GDPR.


      In view of the above, the Restricted Training concludes that Article 13 of the GDPR

was not respected by the controlled.



C. The breach linked to the obligation to guarantee appropriate safety


1. On the principles



      Under Article 32.1 of the GDPR and "given the state of knowledge,

implementation costs and the nature, scope, context and purposes of the

treatment as well as risks, which vary in likelihood and severity, for
rights and freedoms of natural persons, the controller and the processor

implement the appropriate technical and organizational measures in order to

guarantee a level of security adapted to the risk including, among other things, according to the needs:



a) pseudonymization and encryption of personal data;


b) the means to guarantee the confidentiality, integrity, availability and

continued resilience of treatment systems and services;



c) the means to restore the availability of personal data
and access to them within an appropriate timeframe in the event of a physical or technical incident;



d) a procedure for regularly testing, analyzing and evaluating the effectiveness of

technical and organizational measures to ensure the security of the processing. "



18Y is also a link to the website of the developer of said software….
   _____________________________________________________________
              Decision of the National Commission sitting in restricted formation on the outcome of
                               the survey n ° [...] conducted with "Company A"



                                                                                                     14/262. In this case


      The head of the investigation examined the security aspect of data access

appearing in the geolocation system. As access to the operating software of the

geolocation device was only secured by means of identification

unique, i.e. a unique username and password, which is used by

all persons authorized to access the software, it held against the controlled
non-compliance with the measures prescribed by Article 32.1 of the GDPR (see

statement of objections, Ad.A.2).



       The inspected defends himself based on his written observations of October 7, 2019

relating to the email he sent in this context on August 21, 2019 to the
person who manages access to user accounts of the geolocation system.

In said letter, the inspected asks the person who manages access to the accounts

users to create custom logins and passwords for
                                    19
people who have access to "[...]" and to delete existing logins, on the one hand, and on

ensure that passwords are regularly updated and not shared with
third parties, on the other hand. In addition, it is specified that the "perimeter to which they have access

remains unchanged (so only the vans of the service for which these people

working) ".



      The Restricted Training noted that on the day of the visit by CNPD agents
in the premises of the controlled, the policies of access to the geolocation software do not

did not meet the minimum necessary security requirements, i.e.

have individual accounts in place by means of a username and password

for people authorized to access it as part of the performance of their

missions.


      In view of the above, the Restricted Training concludes that Article 32.1 of the GDPR

was not respected by the controlled.





19This is the name of the geolocation software developed by […].
   _____________________________________________________________
              Decision of the National Commission sitting in restricted formation on the outcome of
                              the survey n ° [...] conducted with "Company A"



                                                                                                    15/26 II. 2. On corrective measures and fines


1. The principles



      In accordance with article 12 of the law of August 1, 2018, the CNPD has the power

to adopt all the corrective measures provided for in Article 58.2 of the GDPR:


"(A) notify a controller or processor that data processing operations

treatment envisaged are likely to violate the provisions of these regulations;



b) call to order a controller or a processor when the
processing operations have resulted in a violation of the provisions of this Regulation

;



c) order the controller or processor to comply with the requests

presented by the data subject in order to exercise their rights under the
this regulation;



d) order the controller or processor to put the data processing operations

processing in accordance with the provisions of this Regulation, where applicable, of
in a specific way and within a specific timeframe;



e) order the controller to communicate to the data subject a

personal data breach;


f) impose a temporary or permanent restriction, including a ban, of processing;



g) order the rectification or erasure of personal data or the

restriction of processing in application of Articles 16, 17 and 18 and the notification of these

measures to the recipients to whom the personal data have been disclosed
in accordance with Article 17, paragraph 2, and Article 19;



h) withdraw a certification or order the certification body to withdraw a

certification issued in application of Articles 42 and 43, or order the
   _____________________________________________________________
              Decision of the National Commission sitting in restricted formation on the outcome of

                               the survey n ° [...] conducted with "Company A"


                                                                                                      16/26 certification not to issue certification if the requirements applicable to the certification

are not or no longer satisfied;


i) impose an administrative fine in application of Article 83, in addition to or

the place of the measures referred to in this paragraph, depending on the characteristics

specific to each case;


j) order the suspension of data flows addressed to a recipient located in a

third country or to an international organization. "


                                                er
      In accordance with article 48 of the law of August 1, 2018, the CNPD may additionally impose
administrative fines as provided for in Article 83 of the GDPR, except against

state or municipalities.



      Article 83 of the GDPR provides that each supervisory authority ensures that

administrative fines imposed are, in each case, effective, proportionate and
dissuasive, before specifying the elements that must be taken into account in deciding

whether to impose an administrative fine and to decide on the amount of this

fine:


"(A) the nature, gravity and duration of the breach, taking into account the nature, extent

or the purpose of the processing concerned, as well as the number of data subjects

affected and the level of damage they suffered;



(b) whether the violation was committed willfully or negligently;


c) any measures taken by the controller or processor to mitigate the

damage suffered by the persons concerned;



d) the degree of responsibility of the controller or processor, account
taking into account the technical and organizational measures that they have implemented by virtue of

Articles 25 and 32;




   _____________________________________________________________
              Decision of the National Commission sitting in restricted formation on the outcome of

                              the survey n ° [...] conducted with "Company A"


                                                                                                    17/26 e) any relevant breach previously committed by the controller or
the subcontractor ;



f) the degree of cooperation established with the supervisory authority in order to remedy the violation

and mitigate any negative effects;


g) the categories of personal data affected by the breach;



h) the manner in which the supervisory authority became aware of the breach, in particular whether,
and to what extent the controller or processor has notified the breach;



(i) where measures referred to in Article 58 (2) have previously been

ordered against the controller or the processor concerned for the
same object, compliance with these measures;



j) the application of codes of conduct approved in accordance with Article 40 or
certification mechanisms approved under Article 42; and



k) any other aggravating or mitigating circumstance applicable to the circumstances of

the species, such as financial benefits obtained or losses avoided, directly or
indirectly, as a result of the violation ”.



      The Restricted Training would like to point out that the facts taken into account in the

of this decision are those noted at the start of the investigation. Any
changes relating to the processing of data subject to the investigation

later, even if they make it possible to fully or partially establish the

compliance, do not retroactively cancel a breach found.


      However, the steps taken by the inspected to comply

with the GDPR during the investigation procedure or to remedy breaches

noted by the head of investigation in the statement of objections, are taken into account by
Restricted Training as part of any corrective measures to be taken

and / or fixing the amount of a possible administrative fine.


   _____________________________________________________________

              Decision of the National Commission sitting in restricted formation on the outcome of
                              the survey n ° [...] conducted with "Company A"


                                                                                                    18/262. In this case


2.1. As for the imposition of an administrative fine



      In its additional letter to the statement of objections of August 17, 2020,
the head of the investigation proposed to the Restricted Formation to impose an administrative fine

to the control relating to the amount of 4,000 euros, taking into account the elements

following:



     "The fact that clear and complete information to the people concerned about the

       processing (s) carried out by the controller constitutes a

       essential condition for these data subjects to know

       the existence of said treatment, but also grasp its scope. Do not provide these
       information or providing it in an incomplete manner will not only prevent

       data subjects to understand what will happen to their data at

       personal character, but will effectively deprive them of exercising all

       remedies granted by the GDPR.


     The fact that partial information of the persons concerned has actually been
       performed.


     The scale of the geolocation system, installed in at least 191 vehicles.


     The good cooperation of the company throughout the investigation as well as its willingness

       to comply with the law as soon as possible. "


      In its response to the additional letter of September 24, 2020, the inspected

maintained in particular that the concrete criteria taken into account by the head of the investigation

resulted in the quantum determination were unclear and he did not understand on which
objective elements the proposal for the fine would have been made.



      In order to decide whether to impose an administrative fine and to decide, the

if applicable, of the amount of this fine, the Restricted Training analyzes the criteria
posed by Article 83.2 of the GDPR:

   _____________________________________________________________

             Decision of the National Commission sitting in restricted formation on the outcome of
                             the survey n ° [...] conducted with "Company A"


                                                                                                19/26  As to the nature and seriousness of the violation (article 83.2.a) of the GDPR), the
     Restricted Training notes that with regard to the breach of Article 5.1.e)

     of the GDPR, it constitutes a breach of one of the fundamental principles of

     GDPR (and data protection law in general), namely in principle

     of the limitation of data retention devoted to Chapter II "Principles
     Of the GDPR.




  As for the failure to inform people in accordance with

     Article 13 of the GDPR, the Restricted Training recalls that the information and
     transparency relating to the processing of personal data are

     essential obligations incumbent on data controllers so that

     people are fully aware of the use that will be made of their

     personal data, once collected. A breach of
     Article 13 of the GDPR thus constitutes an infringement of the rights of individuals

     concerned. This right to information has also been strengthened under the terms of

     GDPR, which testifies to their particular importance.



  As for the duration criterion (article 83.2.a) of the GDPR), the Restricted Training

     notes that these shortcomings have lasted over time, at least since

     May 25, 2018. The Restricted Formation recalls here that two years have separated the entrance

     of the GDPR when it comes into effect to allow
     data controllers to comply with their obligations and

     this even if a comparable information obligation existed in application of

     Article 26 of the repealed law of August 2, 2002 relating to the protection of persons

     with regard to the processing of personal data.


     Regarding the retention period of data, the Restricted Training

     would like to recall that already in its authorization n ° […], the CNPD had imposed

     as a condition that personal data cannot be
     kept beyond two months, respectively three years for data

     relating to working time.
_____________________________________________________________

           Decision of the National Commission sitting in restricted formation on the outcome of
                          the survey n ° [...] conducted with "Company A"


                                                                                            20/26  As for the number of data subjects (article 83.2.a) of the GDPR), such as the
     controlled specified that each vehicle is allocated to a specific employee, the

     number of persons concerned corresponds to the number of vehicles equipped with a

     geolocation system.


     During the hearing of the Restricted Training of November 17, 2020, the inspected

     confirmed that the "ABC" group has a total of 191 vehicles equipped with

     geolocation system, as the head of the investigation also retained in his

     additional letter to the statement of objections of August 17, 2020.
     Nevertheless, he clarified that the company "Company A" only has 92

     vehicles equipped with a geolocation system.



     As the head of the investigation limited the scope of the investigation to one of the three companies
     of the “ABC” group and more specifically of the “Company A” company, Formation

     Restricted only retains 92 vehicles, unlike 191 vehicles

     mentioned by the head of the survey, corresponding to 92 people who are

     concerned by the processing implemented by the geolocation system.



  As to the question of whether the breaches were deliberately committed

     or not (by negligence) (article 83.2.b) of the GDPR), the Restricted Training recalls

     that "not willfully" means that there was no intention to commit the
     violation, although the controller or processor has not

     complied with its duty of care under the law.



     In this case, the Restricted Training is of the opinion that the facts and the breaches
     observed do not reflect a deliberate intention to violate the GDPR in the chief

     of the controlled.




  As for the degree of cooperation established with the supervisory authority (Article 83.2.f) of
     RGPD), the Restricted Training takes into account the statement of the head of the investigation

     that the cooperation of the controlled throughout the investigation was good, thus

     that of its desire to comply with the law as soon as possible.

_____________________________________________________________

           Decision of the National Commission sitting in restricted formation on the outcome of
                           the survey n ° [...] conducted with "Company A"


                                                                                              21/26  As to the mitigating circumstances applicable to the circumstances in the present case
       (article 83.2.k) of the GDPR), the Restricted Training takes into account the elements

       following:




           o partial information has been provided to the persons concerned,

              in particular by the plastic sheet added to the on-board documents indicating
              that the vehicle "is equipped with a geolocation system", as well as

              the label affixed to the rear door of the vehicle mentioning "

              Monitored by GPS with […] ”;



           o taking measures to comply with Articles 12 and 13 of the

              RGPD, in particular by the development and posting on its site of a note

              information on the geolocation system for the entire

              staff ;



           o reducing the retention periods for data contained in the

              2-year and 4-month to 12-month geolocation system.


      The Restricted Training notes that the other criteria of Article 83.2 of the GDPR

are neither relevant nor likely to influence his decision to impose a

administrative fine and its amount.


      Regarding the breach of the obligation to ensure data security, in

application of Article 32 of the GDPR, the Restricted Training considers that in view of the

measures taken by the company, in particular the efforts made to create logins and
personalized passwords for people who have access to "[…]" and

remove existing logins and ensure that passwords are regularly

updated and not communicated to third parties, it has shown good faith in connection with

of the procedure. Consequently, the Restricted Training considers that with regard to
circumstances of the case, there is no need to base his fine on the basis of this

breach, although it is characterized.


   _____________________________________________________________

             Decision of the National Commission sitting in restricted formation on the outcome of
                            the survey n ° [...] conducted with "Company A"


                                                                                              22/26 The Restricted Training also notes that although several measures have been implemented
placed by the inspected in order to remedy in whole or in part certain shortcomings,

these were only adopted following the control of CNPD agents on

February 20, 2019.


      Therefore, the Restricted Panel considers that the imposition of a fine

administrative procedure is justified with regard to the criteria set out in Article 83.2 of the GDPR for

breach of Articles 5 and 13 of the GDPR.


      Regarding the amount of the administrative fine, the Restricted Training recalls

that paragraph 3 of Article 83 of the GDPR provides that in the event of multiple violations,

as is the case here, the total amount of the fine cannot exceed the amount

set for the most serious violation. Insofar as a breach of Articles 5 and
13 of the GDPR is criticized for the inspectorate, the maximum amount of the fine that may be

retained amounts to 20 million euros or 4% of global annual turnover, the amount

the highest is retained.


      In view of the relevant criteria of Article 83.2 of the GDPR mentioned above, the

Restricted Training considers that the pronouncement of a fine of 2,800 euros appears

both effective, proportionate and dissuasive, in accordance with the requirements of Article 83.1
of the GDPR.





2.2. Regarding the taking of corrective measures


      The adoption of the following corrective measures was proposed by the head of the investigation

to the Restricted Training in its additional letter to the communication of

grievances:


"A) Order the controller to put in place information measures

intended for people affected by geolocation, in accordance with
provisions of Article 13, paragraphs (1) and (2) of the GDPR, in particular by providing

the identity and contact details of the controller, where applicable,

contact details of the data protection officer, the purposes of the processing and its basis
   _____________________________________________________________

             Decision of the National Commission sitting in restricted formation on the outcome of
                             the survey n ° [...] conducted with "Company A"


                                                                                                 Legal, the categories of data processed, the legitimate interests pursued by the
controlled, the recipients, the retention period of the data as well as the

the data subject and how to exercise them, and the right to introduce a

complaint to a supervisory authority;


b) Order the controller to take all security measures in the

framework of the use of the operating software of the geolocation device, in particular

(i) define authorizations to access the geolocation operating software at

only persons for whom it is strictly necessary for the accomplishment of
their missions and (ii) to create individual accounts using a username and a

password for the persons authorized above;



c) Order the data controller to implement a duration policy
retention of personal data in accordance with the provisions of e) of

Article 5 of the GDPR, not exceeding the time necessary for the purposes for which they

are collected, and in particular by not keeping location data for more than
two months and data relating to working time for a maximum of

three years. "



      As for the establishment of a data retention period policy
personal character in accordance with the provisions of article 5.2.e) of the GDPR, the inspector has

adapted after the on-site visit of CNPD agents the retention period of

data from the geolocation system from 2 years and 4 months to 12 months.


      The Restricted Training considers, however, that the retention periods for

data from the geolocation system must be adapted according to the

different purposes pursued.


      As for information intended for people concerned by geolocation,

in accordance with the provisions of article 13.1 and 13.2 of the GDPR, the inspected maintains that they have

developed and posted since October 4, 2019 on its website an information note on the
geolocation system for all staff.




   _____________________________________________________________

              Decision of the National Commission sitting in restricted formation on the outcome of
                              the survey n ° [...] conducted with "Company A"


                                                                                                   24/26 The Restricted Training considers, however, that the information note does not include
not all of the rights enjoyed by data subjects under the

GDPR. Thus, the right of objection (Article 21 of the GDPR) is not mentioned. Otherwise,

Information on the retention period of data must be updated.


      As for the obligation to put in place policies for access to

geolocation under article 32.1 of the GDPR, the Restricted Training considers that

despite the efforts made by the inspectorate, the latter must, by virtue of the principle of

accountability implement mechanisms and
internal procedures to demonstrate compliance with Article 32.1 of the GDPR.




In view of the foregoing developments, the National Commission sitting

in restricted formation and deliberating unanimously decides:



- to pronounce against Company A an administrative fine of one
amount of two thousand and eight hundred euros (2,800 euros), in view of the breaches

constituted in Articles 5.1.e) and 13 of the GDPR;



- to issue an injunction against Company A to bring into compliance
processing with the provisions of Articles 5.1.e), 13 and 32.1 of the GDPR, within a

two months following the notification of the decision of the Restricted Panel, the supporting documents

the compliance must be sent to the Restricted Training, at the latest,

within this period;


and especially :



1.with regard to the breach of the obligation to implement a term policy
retention of personal data in accordance with the provisions of article

5.1.e) of the GDPR: adapt the retention periods for personal data

obtained by geolocation according to the different purposes pursued, and
in particular by not keeping the personal data obtained by the

geolocation beyond two months, the personal data obtained by the

geolocation used for proof purposes for invoicing the services provided
   _____________________________________________________________

              Decision of the National Commission sitting in restricted formation on the outcome of
                              the survey n ° [...] conducted with "Company A"


                                                                                                  25/26 for customers beyond one year and personal data obtained by the
geolocation which makes it possible to check working time beyond three years;



2. with regard to the failure to inform the persons concerned of the

processing of their personal data in accordance with Article 13 of the GDPR: inform
the persons concerned in a clear and complete manner, in accordance with the provisions

of Article 13 of the GDPR, in particular by providing information relating to the duration of

data retention according to the purposes pursued and to all rights

people ;


3.with regard to the failure to take any appropriate security measures in the

framework of the use of the operating software of the geolocation device under

Article 32 of the GDPR, create individual accounts using a username and a word
password only for people for whom access to the

geolocation is strictly necessary for the accomplishment of their missions.


So decided in Belvaux on April 8, 2021.



For the National Commission for Data Protection sitting in formation

restraint






Tine A. Larsen Thierry Lallemang Marc Lemmer
  President Commissioner Commissioner





                            Indication of remedies


This administrative decision may be the subject of an appeal for reformation in the

three months following its notification. This appeal is to be brought before the administrative court.
and must be introduced through a lawyer at the Court of one of the Orders of

lawyers.


   _____________________________________________________________

             Decision of the National Commission sitting in restricted formation on the outcome of
                             the survey n ° [...] conducted with "Company A"


                                                                                                 26/26