CNPD (Luxembourg) - Délibération n° 13FR/2023
From GDPRhub
| CNPD - 13FR/2023 | |
|---|---|
 | |
| Authority: | CNPD (Luxembourg) |
| Jurisdiction: | Luxembourg |
| Relevant Law: | Article 5(1)(b) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | 26.05.2021 |
| Decided: | 21.09.2023 |
| Published: | 07.11.2023 |
| Fine: | 2500 EUR |
| Parties: | Public organisation A Public organisation B |
| National Case Number/Name: | 13FR/2023 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | French |
| Original Source: | CNPD decision (in FR) |
| Initial Contributor: | lszabo |
The Luxembourgish DPA issued a fine of €2,500 to two public bodies due to their usage of geolocation systems to track vehicles used by their employees. The DPA found a violation of Article 5(1)(b) GDPR, Article 5(1)(c) GDPR and Article 13 GDPR.
English Summary
Facts
Following a visit to the premises of two public bodies (the joint controllers), the agents of the Luxembourgish DPA found that the controllers applied a geo-localisation system on the companies' service vehicles and construction machines. Even though the system was not connected to the drivers, through the timesheets, which indicated which driver used which vehicle or machine, it was easy to find out which employee used which vehicle on which day.
On 13 December 2022, at the end of the investigation, a statement of objection was published by the rapporteur detailing breaches of Article 13 GDPR, Article 5(1)(c) GDPR and Article 5(1)(b) GDPR. Following this, the joint controllers submitted observations, and on 13 June 2023, the rapporteur and the joint controllers presented oral observations to the DPA.
Holding
Regarding the obligation to provide information, pursuant to Article 13 GDPR, the DPA considered that for data processing by an employer to be considered lawful, the data subjects must be informed of the monitoring, in accordance with Article 12 GDPR and Article 13 GDPR.
The joint controller had provided the employees information notes and e-mails in French and German in the vehicles and machines and on the Intranet. However, the DPA found that there had been non-compliance with Article 13 GDPR as the joint controllers did not provide all compulsory information. Namely the identity of the controllers and the DPO, the legal basis, the legitimate interests followed, the appropriate safeguards applied, and the rights of the data subjects to receive a copy and to submit a complaint to the supervisory authority. The information notes also contained the Privacy Shield as the legal basis for the transfer of personal data to the US - even though it was invalidated by the Court of Justice. Moreover, the content of the French and German versions was not identical.
Secondly, in relation to Article 5(1)(c) GDPR, the DPA found that the joint controllers did not comply with the principle of data minimisation. The geolocation system was installed to track staff working in dangerous conditions or alone, to prevent the theft of vehicles and machines and to verify employees' working time. However, the system was used both during and outside working hours and did not have a deactivation button.
In addition, it found that the controllers did not comply with the principle of purpose limitations under Article 5(1)(b) GDPR. The joint controllers' reasoning that the materials transported by the machines and vehicles, dirt and rocks, were of a special nature could not justify the use of geolocation.
The DPA issued a fine of €2,500. It took into account the gravity of the violation, its duration (as the tracking system was deactivated during the proceedings) and the number of data subjects concerned (one-third of the employees). It also considered that the violation was not intentional, that interim measures had been taken and that the joint controllers did not financially benefit from the violation.
Comment
Interestingly, there apparently was a transfer of personal data to the US, and this information was taken into account in determining the missing information given to the data subjects. However, no reference was made to the legal basis of transfers before the Transatlantic Data Privacy Framework entered into force.
Moreover, it was established that the purpose of securing and monitoring the materials transported for data processing was not legitimate, breaching the principle of purpose limitation. The authority requested for this purpose to be removed from the information notice to the data subjects. However, it can also be noted how no safeguards were ordered to prevent the geo-localisation data from being used for this illegitimate purpose.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
Decision of the National Commission sitting in restricted formation on the outcome of
survey no. […] carried out with Public Body A and Public Body B
Deliberation No. 13FR/2023 of September 21, 2023
The National Commission for Data Protection sitting in restricted formation,
composed of Mrs. Tine A. Larsen, president, and Messrs. Thierry Lallemang and
Alain Herrmann, commissioners;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016
relating to the protection of individuals with regard to the processing of data
personal character and the free movement of such data, and repealing the Directive
95/46/EC;
Having regard to the law of August 1, 2018 organizing the National Commission for
data protection and the general regime on data protection, in particular
its article 41;
Considering the internal regulations of the National Commission for the Protection of
data adopted by decision no. 3AD/2020 dated January 22, 2020, in particular its
article 10.2;
Having regard to the regulation of the National Commission for Data Protection relating to the
investigation procedure adopted by decision no. 4AD/2020 dated January 22, 2020,
in particular its article 9;
Considering the following:
_________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
survey no. […] carried out with Public Body A and Public Body B 1/38I. Facts and procedure
1. During its deliberation session of March 10, 2021, the National Commission
for data protection sitting in plenary session had decided to open a
investigation of Public Body A and Public Body B based on Article 38
of the law of August 1, 2018 organizing the National Commission for the protection
data and the general regime on data protection (hereinafter: the “law of 1
August 2018") and to appoint Mr. Marc Lemmer as head of investigation.
2. The said decision clarified that the investigation carried out by the National Commission
for data protection (hereinafter: the “CNPD” or the “National Commission”)
was intended to “[c]ontrol the application and compliance with the GDPR[] (and legal texts
providing for specific provisions regarding the protection of personal data
personal) processing implemented by a geolocation system, in
considering in particular the opinion rendered by the CNPD in deliberation no. […] of […]
December 2020 relating to the request for an opinion submitted on the basis of article L.261-1
paragraph (4) of the Labor Code by the staff delegation [of Public Body A
and Public Body B]”.
3. The “[…]” is a […], whose address is: L - […] (hereinafter: “Public body
HAS ").
Public body A [performs missions of general interest].
4. The “[…]” is a […], whose address is: L - […] (hereinafter: “Public body
B” and together with Public Body A hereinafter: “[…]” or the “controlled”).
Public body B [accomplishes missions of general interest].
5. On May 26, 2021, CNPD agents carried out a visit to
place in the administrative building […] located at […].
6. By two emails of June 2, 2021, those inspected provided the CNPD with
additional information requested during said visit.
1
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the
protection of natural persons with regard to the processing of personal data and
to the free movement of this data, and repealing Directive 95/46/EC (hereinafter: the “GDPR”).
_________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
survey no. […] carried out with Public Body A and Public Body B 2/38 7. “Report no. [...] relating to the on-site visit carried out on
May 26, 2021 with Public Body A and Public Body B” (hereinafter: the
“minutes relating to the on-site visit”) drawn up by CNPD agents was
sent to those inspected by mail on June 8, 2021.
It follows from this report that:
- those inspected had set up a geolocation system (hereinafter: the
“geolocation system”) of Company C (system […]) in […] vehicles
service and/or construction equipment; 2
- the geolocation system had “the functionalities and characteristics
following:
- Permanent monitoring of Vehicles [service vehicles and/or equipment
construction site] in real time using boxes integrated into each vehicle;
- Connection of said boxes to a central unit;
- Transmission of information via a GPRS network;
- Transmission of information to a third-party server ([…]);
- Event data recorder;
- Data processing software (“[…]”) and access to the location of
vehicles monitored using a control monitor (Appendices 4 and 5, photo
3
[…])” ; And
- the data collected by the geolocation system were “the following:
- Date and time of start and end of the journey;
- Condition of the vehicle (moving or stationary, including any
pauses);
2Minutes relating to the on-site visit, finding 3.
3Minutes relating to the on-site visit, finding 7.
_________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
survey no. […] carried out with Public Body A and Public Body B 3/38 - Vehicle positioning data (within two meters) and route of the
vehicle ;
- Driving time and mileage traveled; And
- Abnormal movement of the vehicle due to the day (Saturday or
Sunday) or the schedule (“Geo-fencing” function)”; 4
- the geolocation system was associated with service vehicles, respectively
to construction machinery, and not to employees, the overlap between geolocation
of a service vehicle or construction machine and the employee driving it being possible,
by cross-referencing with employee work sheets, the latter
indicating which vehicle was used on which day by each employee. 5
8. Those inspected produced written observations on the report relating to
the on-site visit by email of June 9, 2021.
9. Subsequently, those inspected and the CNPD investigation service carried out
an exchange of letters. 6
10. At the end of his investigation, the head of investigation notified those inspected on
December 13, 2022 a statement of objections (hereinafter: the “statement of objections
initial") detailing the shortcomings that he considered constituted in this case in relation to the
requirements prescribed by Article 13 of the GDPR (right to information), […] and Article 5.1.c) and
b) GDPR (principles of minimization and limitation of purposes).
The head of investigation proposed to the National Commission sitting in restricted formation
(hereinafter: the “Restricted Training”) to adopt four different corrective measures,
as well as to impose on those inspected an administrative fine in the amount of […] euros.
11. By letter dated February 2, 2023, those inspected expressed their
observations relating to the initial statement of objections.
4Minutes relating to the on-site visit, finding 8.
5Minutes relating to the on-site visit, finding 10.
6
See point 12 of the statement of objections for a detailed list of exchanges throughout
investigation.
_________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
survey no. […] carried out with Public Body A and Public Body B
4/38 12. In response, the head of investigation notified those inspected on February 15, 2023
a new statement of objections amending the initial statement of objections (hereinafter
after: the “statement of objections”).
The head of investigation maintained the failings that he considered to exist in this case, as well as
than the corrective measures he proposed.
However, on the basis of the information transmitted under the terms of the mail of those inspected in
date of February 2, 2023, it considered that the shortcomings identified in the communication
initial grievances had not been committed intentionally, but were part of a
gross negligence. Therefore, it reduced the amount of the administrative fine
offered at […] euros.
The ability to formulate their written observations on the statement of objections was
offered to those inspected. The latter did not communicate observations to the chief
investigation.
13. The president of the Restricted Training informed the controlled by mail
dated April 18, 2023 that their case would be listed at the Training session
Restricted from June 13, 2023 and that they were offered the opportunity to be heard there. By email
of June 6, 2023, those inspected confirmed their presence at the said session.
During this session the head of investigation […], and those inspected, represented by […],
presented their oral observations in support of their written observations and responded to the
questions asked by the Restricted Training. The Restricted Training gave the
controlled the possibility of sending additional information until June 28, 2023
requested during said session. Those controlled had the last word.
14. By emails of June 21 and 29, 2023, those inspected provided the information
additional information requested from Restricted Training. The controls had informed the
Restricted Training in their email of June 21, 2023 that the results of the year 2022 of
Public Body B was being finalized and could only be sent to it at most
early in the next fortnight.
15. The decision of the Restricted Panel on the outcome of the investigation will be based on:
- on the processing of personal data resulting from geolocation
service vehicles and construction equipment made available to employees of the
_________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
survey no. […] carried out with Public Body A and Public Body B
5/38 controlled using the geolocation system and controlled by agents of the
CNPD;
- Deliberation No. […] of […] December 2020 of the National Commission for
data protection relating to the request for an opinion submitted on the basis of
article L.261-1 paragraph (4) of the Labor Code by the staff delegation of
Public Body A and Public Body B; And
- on the legal and regulatory provisions taken into account by the head of investigation
in the statement of objections.
II. Place
II. 1. On the reasons for the decision
A. On the determination of the controller
1. On the principles
16. Under the terms of article 4.7 of the GDPR, the data controller is “the
natural or legal person, public authority, service or other body which,
alone or jointly with others, determines the purposes and means of the processing”.
Under the terms of article 26.1 of the GDPR “[w]hen two or more data controllers
jointly determine the purposes and means of processing, they are the
joint controllers”.
17. The concept of joint controllers was explained by the Committee
European Data Protection Authority (hereinafter: the “EDPS”) in the “Guidelines
guidelines 07/2020 concerning the notions of data controller and subcontractor
in the GDPR”, version 2.0, adopted on July 7, 2021 (hereinafter: the “Guidelines
07/2020").
_________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
survey no. […] carried out with Public Body A and Public Body B
6/38 Under these guidelines “[t]he joint responsibility for processing should
be assessed on the basis of a factual rather than formal analysis of the real influence
exercised on the purposes and means of processing. 7
“Joint participation in determining ends and means implies that
more than one entity has a determining influence on whether and how
treatment takes place.” In practice, joint participation can take several forms.
forms, such as a joint decision taken by two or more entities or decisions
convergent principles adopted by two or more entities regarding ends and means
essential to treatment. Joint participation resulting from a common decision
means that the parties decide together and assumes a common intention. Of the
decisions can be considered convergent as long as they complement each other
and are necessary for carrying out the processing so that they have a concrete effect on
the determination of the purposes and means of the processing (“[…] the processing by each
9
of the parts is inseparable from that of the other, that is to say inextricably linked. ").
2. In the present case
18. The CNPD in “Deliberation No. […] of […] December 2020 of the
National Commission for Data Protection relating to the request for opinion
introduced on the basis of article L.261-1 paragraph (4) of the Labor Code by the delegation
10
of the staff of Public Body A and Public Body B” (hereinafter: the “notice of
the CNPD) had held that “Public Body A and Public Body B must be
considered as joint controllers of the processing, within the meaning of Articles 4 point (7)
and 26 […] [of the GDPR], insofar as they seem to jointly determine the purposes
and means of the treatment in question. 11
19. In the statement of objections, the head of investigation considered that those inspected
were to be considered joint controllers within the meaning of the GDPR for
processing implemented by a geolocation system. 12
20. In fact, those inspected had themselves declared that they considered themselves
joint controllers concerning the processing carried out within the framework of the system of
7
8Guidelines 07/2020, point 52.
Guidelines 07/2020, point 54.
9Guidelines 07/2020, point 55.
10Exhibit 1 of the head of investigation.
11CNPD opinion, second paragraph.
12Statement of objections point 23.
_________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
survey no. […] carried out with Public Body A and Public Body B
7/38geolocation during the on-site visit of CNPD agents on May 26, 2021. They
had specified in particular that […].
[…]
28. In view of these circumstances, the Restricted Panel considers that the controlled
had jointly determined for what purposes and how the geolocation data
were treated.
29. She therefore agrees with the opinion of the head of investigation and concludes that those controlled were
to qualify as joint controllers for the processing covered by the
this decision.
B. On the failure linked to the obligation to inform the persons concerned
1. On the principles
30. Under the terms of article 12.1 of the GDPR, the “data controller takes
appropriate measures to provide any information referred to in Articles 13 and 14 as well as
that to carry out any communication under Articles 15 to 22 and Article 34 in
regarding the processing to the data subject in a concise, transparent manner,
understandable, easily accessible, in clear and simple terms […]. Information
are provided in writing or by other means including, where appropriate, by
electronic. When the data subject requests it, the information may
be provided orally, provided that the identity of the person concerned is demonstrated
by other means. »
31. Article 13 of the GDPR provides as follows:
“1. When personal data relating to a data subject are
collected from this person, the data controller provides them, at the time
where the data in question is obtained, all of the following information:
a) the identity and contact details of the data controller and, where applicable, the
representative of the data controller;
b) where applicable, the contact details of the data protection officer;
_________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
survey no. […] carried out with Public Body A and Public Body B
8/38c) the purposes of the processing for which the personal data are intended as well as
that the legal basis of the processing;
(d) where the processing is based on Article 6(1)(f), the legitimate interests
pursued by the data controller or a third party;
e) the recipients or categories of recipients of the personal data,
if they exist; And
f) where applicable, the fact that the controller intends to carry out a transfer
of personal data to a third country or to an international organization,
and the existence or absence of an adequacy decision issued by the Commission or, in
the case of transfers referred to in Article 46 or 47, or in Article 49(1), second
paragraph, the reference to appropriate or adapted guarantees and the means of obtaining one
copy or the place where they were made available;
2. In addition to the information referred to in paragraph 1, the controller shall provide
the data subject, at the time the personal data is obtained,
the following additional information which is necessary to ensure
fair and transparent treatment:
a) the duration of retention of personal data or, where this is not
possible, the criteria used to determine this duration;
b) the existence of the right to request from the controller access to the data to be
personal nature, the rectification or erasure thereof, or a limitation of the
processing relating to the data subject, or the right to object to the processing and
right to data portability;
(c) where the processing is based on point (a) of Article 6(1) or Article 9,
paragraph 2(a), the existence of the right to withdraw consent at any time,
without affecting the lawfulness of processing based on consent carried out before the
withdrawal thereof;
d) the right to lodge a complaint with a supervisory authority;
(e) information on whether the requirement to provide data to
personal character has a regulatory or contractual character or if it conditions the
conclusion of a contract and whether the data subject is obliged to provide the data to
_________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
survey no. […] carried out with Public Body A and Public Body B
9/38personal character, as well as the possible consequences of non-provision of
those data ;
(f) the existence of automated decision-making, including profiling, referred to in
Article 22, paragraphs 1 and 4, and, at least in such cases, useful information
regarding the underlying logic, as well as the importance and intended consequences
of this processing for the data subject.
3. When he intends to carry out further processing of personal data
personal data for a purpose other than that for which the personal data
have been collected, the data controller first provides the person with
concerned information about this other purpose and any other information
relevant referred to in paragraph 2.
4. Paragraphs 1, 2 and 3 do not apply when and to the extent that the person
concerned already has this information. »
32. Communication to the persons concerned of information relating to the
processing of their data is an essential element in respecting the
general transparency obligations within the meaning of the GDPR. Said obligations were
explained by the Article 29 Working Group in its guidelines on the
transparency within the meaning of Regulation (EU) 2016/679, the revised version of which has been adopted
on April 11, 2018 (hereinafter: “WP 260 rev.01”).
33. Note that the EDPS took up and reapproved the documents adopted by the said
Group between May 25, 2016 and May 25, 2018, as specifically the guidelines
mentioned above on transparency.
2. In the present case
34. With regard to the information obligation, the CNPD, in its observations
formulated at the end of its opinion delivered at the request of the staff delegation of
Public Body A and Public Body B, had considered that one of the conditions of
lawfulness of the “processing envisaged by the employer” was that “the persons concerned
13See in particular Articles 5.1.a) and 12 of the GDPR, see also recital (39) of the GDPR.
14 See decision Endorsement 1/2018 of the EDPS of May 25, 2018, available under:
https://edpb.europa.eu/sites/edpb/files/files/news/endorsement_of_wp29_documents_en_0.pdf.
_________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
survey no. […] carried out with Public Body A and Public Body B
10/38must be informed of the surveillance carried out in accordance with the provisions of the
articles 12 and 13 of the GDPR as well as article L.261-1 paragraph (2) of the Code of
15
Work " .
35. During the on-site visit of May 26, 2021, those inspected declared to the
CNPD agents that
- the staff delegations of those inspected had been informed in advance of the
implementation of the geolocation system; and 16
- the employees concerned had been informed of the processing implemented by the
geolocation system using displays in service vehicles and
construction machinery, by an information note (also included in the intranet), as well as
as a memo and during a meeting. 17
Those controlled had given the CNPD agents a copy of the memo dated
18 19
of February 17, 2021, as well as an information notice relating to geolocation.
36. Subsequently, those inspected sent several documents to the CNPD
of information :
37. By email of June 2, 2021, those inspected had transmitted to the CNPD “[…]
report] between the staff delegation and management […], repeating the first mention
of the GPS system, as well as the report […] with a more in-depth discussion regarding the
subject of GPS; […]; an image of the information note in our vehicles [ ]; [and the
information notices displayed in our localities (one copy in AL and FR […])
[ ]”.
38. By email of October 15, 2021, those inspected sent another copy
of the information notice. In addition, they had explained that their employees had been
informed of the geolocation “orally and in writing […] on June 9, 2020. The information
15CNPD opinion, page 15.
16Minutes relating to the on-site visit, finding 4.
17
Minutes relating to the on-site visit, finding 11.
18Exhibit 9 of the head of investigation.
19Exhibit 19 of the head of investigation.
20Exhibit 22 of the head of investigation.
21Exhibits 20 and 21 from the head of investigation.
22
Exhibit 14 of the head of investigation.
_________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
survey no. […] carried out with Public Body A and Public Body B
11/38 were displayed in the […] [premises of the controlled] for several months, in German
and in French and for the two […] [controlled]. ".
39. By email of March 24, 2022, those inspected sent the CNPD a
copy of the renewed memo dated January 11, 2022. They also had
confirmed that with regard to the four copies of the information notice, previously
transmitted to the CNPD, namely a copy given during the on-site visit on May 26, 2021,
two copies attached to their email of June 2, 2021 and one copy attached to their email
of October 15, 2021, it “is the same information note, just in German and French,
signed and unsigned. We used this note to inform staff.”
40. By letter dated February 2, 2023, those inspected sent the CNPD the
copy of an email dated June 9, 2020 titled “GPS” and another copy of the notice
information .4
41. Finally, those inspected inserted a copy of the above-mentioned email from
June 9, 2020 below their email of June 21, 2023 to La Formation Restricte. They have
also attached four copies of the information notice and they clarified that the email
of June 9, 2020 had been “sent to all staff at the start of commissioning
of the geolocation system with the corresponding annexes”.
42. In the statement of objections, the head of investigation after examining the
25
documentation submitted to CNPD agents by those inspected during the investigation,
as well as the three information notices which had been communicated to the CNPD in the
framework of the request for an opinion submitted on the basis of article L.261-1.4 of the Labor Code, 26
noted that on the day of the on-site visit, non-compliance with certain provisions of
Article 13 of the GDPR was acquired. More particularly, he was of the opinion that on the day of the visit
on site those inspected had failed in their obligation:
- to inform the persons concerned of the identity of the data controller,
arising from article 13.1.a) of the GDPR, given that the controlled were not
23
24Exhibits 10 and 25 of the head of investigation.
Exhibit 9 of the controls.
25 In particular, the information notices (Exhibits 14, 19, 20 and 21 from the head of investigation), the
photograph of the information poster in the vehicles (exhibit 22 of the head of investigation) and the notes
of service (exhibits 24 and 25 of the head of investigation).
26Exhibits 11 to 13 of the head of investigation.
_________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
survey no. […] carried out with Public Body A and Public Body B
12/38 indicated as joint controllers in the documents sent to
their employees;7
- to inform the persons concerned of the identity of the data protection delegate
data, arising from article 13.1.b) of the GDPR, because the existence of the delegate
did not appear in the documents sent to their employees; 28
- to inform the data subjects of the legal basis justifying the processing,
arising from article 13.1.c) of the GDPR, as information notices do not
did not mention a relevant legal basis under Article 6 of the GDPR; 29
- to inform the persons concerned as to the legitimate interests pursued, arising
of article 13.1.d) of the GDPR, given that the legitimate interests pursued by the
controlled did not appear in the documents sent to their employees, although
during the on-site visit, those inspected declared that they based the treatments on the interest
legitimate ;0
- to inform the people concerned about the appropriate guarantees put in place,
as well as the means of obtaining a copy or the place where they are made available.
provision, arising from article 13.1.f) of the GDPR, because although the notices
information mentioned “a transfer of data to a third country within the meaning of
GDPR (in this case the United States of America)”, documents transmitted to employees
did not mention the measures taken to guarantee an adequate level of protection
and the information notices mentioned that this transfer was supervised by the “[EU-
U.S.] Privacy Shield [Framework]” while this adequacy decision had been
31 32
invalidated by the Court of Justice of the European Union;
- to inform the persons concerned of their right to lodge a complaint
with the CNPD, arising from article 13.2.d) of the GDPR, such as this mention
33
did not appear in the documents sent to employees.
27Statement of Objections, points 39 to 44.
28Statement of Objections, points 45 to 50.
29Statement of Objections, points 51 to 55.
30
31Statement of Objections, points 56 to 60.
CJEU, Case C-311/18, judgment of July 16, 2020.
32Statement of objections, points 61 to 66.
33Statement of Objections, points 67 to 69.
_________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
survey no. […] carried out with Public Body A and Public Body B
13/38 43. The Restricted Training would first like to point out that article 13 of the GDPR
refers to the obligation imposed on the controller to “provide” all information
information mentioned there. The word “provide” is crucial here and it “means
that the controller must take concrete measures to provide the
information in question to the data subject or to actively direct the person
concerned to the location of said information (for example by means of a link
34
direct, a QR code, etc.) » .
44. She further considers that a multi-level approach to communicating
transparency information to data subjects may be used in a
offline or non-digital context, i.e. in a real environment such as
example of personal data collected by means of a system of
geolocation. The first level of information (warning sign, note
information, etc.) should generally include the most
essential, namely the details of the purpose of the processing, the identity of the person responsible for the
processing and the existence of the rights of the data subjects, as well as the information
having the greatest impact on the treatment or any treatment likely to surprise
the people concerned. The second level of information, that is to say all of the
information required under Article 13 of the GDPR, could be provided or made available
provision by other means, such as a copy of the policy
confidentiality sent by e-mail to employees.35
45. Regarding the first level of information, Restricted Training
notes that on the sticker which was affixed to service vehicles and machinery
site of the inspected, a photo of which was annexed to the email of the inspected
June 2, 2021, the words “GPS überwacht mit […]” and “Monitored by GPS with
[…]”, a reference to “[…].com”, as well as the “[…]” and “Made in
Luxembourg”. However, she noted that this sticker did not contain the information
required within the meaning of Article 13 of the GDPR and not even the elements required by the first
level of information. In particular, details of the purpose of the processing were missing,
the identity of the joint controllers and the existence of the rights of the individuals
concerned.
34
35Cf. WP 260 rev.01, point 33.
See WP260 rev.01, point 38.
_________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
investigation no. […] carried out with Public Body A and Public Body B 14/38 46. The Restricted Panel also notes the copy of the “Memorandum
concerning the use of GPS installed in machines and vehicles […] [of those controlled]”
dated February 17, 2021 which had been given to CNPD agents during the visit to
place of May 26, 2021 .36
The said note specified certain practical aspects of the use of the system of
geolocation such as the person responsible for the system, retention periods
geolocation data and access to the system.
The Restricted Panel notes, however, that this note did not contain the
elements required by the first level of information. In particular, details were missing.
of the purpose of the processing, the identity of the joint controllers of the processing and the existence
rights of the persons concerned.
Furthermore, the documentation submitted to the Restricted Training does not contain any evidence
that the information note had actually been transmitted individually to the
employees of those inspected before the on-site visit by CNPD agents.
47. Regarding the second level of information, Restricted Training
take note
- of the three information notices which had been communicated to the CNPD within the framework
of the request for an opinion submitted on the basis of article L.261-1.4 of the Labor Code.7
Two of these documents were in French, dated June 9, 2020 and entitled
“Information notice concerning the implementation of vehicle geolocation
professionals”. Public Body A or Public Body B were identified
as data controllers.
39
The third document was in German, dated June 2, 2020 and titled
« Informationsblatt bezüglich des Einsatzes eines Geolokalisierungssystems in
Dienstfahrzeugen”. Public Body A was identified as responsible for the
treatment ;
36Exhibits 9 and 24 of the head of investigation.
37Exhibit 17 of the head of investigation.
38Exhibits 11 and 13 of the head of investigation.
39Exhibit 12 of the head of investigation.
_________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
survey no. […] carried out with Public Body A and Public Body B
15/38- of the information notice entitled “Informationsblatt bezüglich des Einsatzes eines
Geolokalisierungssystems in Dienstfahrzeugen” which had been handed over to the agents of the
CNPD during the on-site visit on May 26, 2021. It was in German, no
dated and identified Public Body B as the controller;
- the two information notices that those inspected had attached to their email of
June 2, 2021.
A document was in French and entitled “Notice of information concerning the
41
implementation of geolocation of professional vehicles”. The other document
was in German and entitled “Informationsblatt bezüglich des Einsatzes eines
Geolokalisierungssystems in Dienstfahrzeugen » . None of these documents were
date. The French version identified Public Body B as responsible for the
processing and the German version Public Body A. Indeed, it appeared from the page
cover, with which these documents were accompanied, that these were projects of
models that Company C had made available to its customers together with
certain other legal information to prepare an “information note […] to
provide to the employees concerned”;
- the information notice entitled “Informationsblatt bezüglich des Einsatzes eines
43
Geolokalisierungssystems in Dienstfahrzeugen” which the inspected had annexed to
their email of October 15, 2021 and which was in German and dated
June 9, 2020. She informed Public Body B as responsible for the processing;
- a copy of the information notice entitled “Information notice concerning the implementation
in place of geolocation of professional vehicles” which was annexed to the
letter from those inspected dated February 2, 2023 and which was in French and dated
June 9, 2020. It identified Public Body A as the controller;
- the four copies of the information notice which were annexed to the email of the
controlled from June 21, 2023 to Restricted Training and which were dated June 9, 2020.
Two of these documents were in French and entitled “Notice d’information
concerning the implementation of geolocation of professional vehicles”.
40Exhibit 19 of the head of investigation.
41Exhibit 21 of the head of investigation.
42Exhibit 20 of the head of investigation.
43Exhibit 14 of the head of investigation.
44
Exhibit 9 of the controls.
_________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
survey no. […] carried out with Public Body A and Public Body B
16/38 Public Body B or Public Body A were identified as responsible
of treatment.
The other two documents were in German and titled “Informationsblatt
bezüglich des Einsatzes eines Geolokalisierungssystems in Dienstfahrzeugen”.
Public Body B or Public Body A were identified as responsible
of treatment.
The Restricted Panel considers that, with the exception of divergent information on the
controller and the legal basis for the processing in the different versions
linguistic, the content of the aforementioned information notices was almost
identical.
45
48. She also observes that the email of June 9, 2020 that those inspected
inserted below their email of June 21, 2023 and the four information notices there
annexed, had been sent to their employees individually, namely to their addresses
professional emails.
49. However, it notes that the aforementioned information notices do not
did not contain all of the information provided for in Article 13 of the GDPR.
Thus, they did not mention the joint controllers (article 13.1.a)
of the GDPR), the data protection officer of the controlled (article 13.1.b) of the GDPR),
information relating to the relevant legal basis under Article 6 of the GDPR
(article 13.1.c) of the GDPR), the legitimate interests pursued by the joint controllers
processing (article 13.1.d) of the GDPR), details of transfers to third countries and more
precisely relevant information on the existence or absence of a decision
of adequacy, the appropriate or adapted guarantees and the means of obtaining a copy
or the place where they were made available (article 13.1.f) of the GDPR) and the information
regarding the right to lodge a complaint with the supervisory authority (article 13.2.d)
of the GDPR), in this case the CNPD.
50. It also notes that the information notices combined with
display in service vehicles and construction machinery and/or service note
did not contain all the information required by Article 13 of the GDPR either.
45[…].
_________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
investigation no. […] carried out with Public Body A and Public Body B 17/38 51. Those inspected also claimed to have provided oral information to the
employees during a meeting.
The Restricted Panel notes that it does not result from the reports relating to the meetings between
[…] [the staff delegation and management], copies of which were attached to the email
of the inspections of June 2, 2021, that the representatives of the staff delegations had
been informed of all the information required by Article 13 of the GDPR. She considers
moreover that information from the staff delegation could at most be
qualified as collective information, and not as individual information of
employees.
Therefore, the Restricted Panel notes that the documentation submitted by those inspected
does not contain any proof attesting that the employees of those inspected had been validly
informed, before the on-site visit of CNPD agents, orally in accordance with
Article 13 of the GDPR.
52. In view of the above, the Restricted Panel agrees with the opinion of the chief
investigation and concludes that non-compliance with Article 13 of the GDPR was acquired on the day of
the on-site visit of CNPD agents.
VS. […]
[…]
D. On the breach linked to the principle of data minimization
1. On the principles
62. In accordance with article 5.1.c) of the GDPR, personal data
must be “adequate, relevant and limited to what is necessary with regard to the
purposes for which they are processed (data minimization)”.
63. Article 5.1.b) of the GDPR also provides that personal data
personal data must be “collected for specific, explicit and legitimate purposes,
_________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
survey no. […] carried out with Public Body A and Public Body B
18/38and not be subsequently processed in a manner incompatible with these purposes; […]
(limitation of purposes)”.
2. In the present case
64. Regarding the principle of minimization, the CNPD, in its observations
formulated at the end of its opinion, had considered that one of the conditions of lawfulness of “processing
envisaged by the employer” was that “the geolocation of construction equipment cannot
be activated only outside working hours, except for employees working alone and
performing dangerous tasks in remote areas, in which case activation of
geolocation must be done by employees” .6
65. During the on-site visit, those inspected declared to CNPD agents
that
- the geolocation system installed in service vehicles or equipment
sites inspected were not provided with a deactivation button; 47
- service vehicles and construction equipment could not be used for purposes
private ;8
- those inspected feared that in the case of installing a deactivation button,
the geolocation system is not reactivated in the evening, due to forgetting, so that the
machines are not protected against theft; 49
- the geolocation system was used for several purposes, namely security and
health of employees, monitoring and verification of employees' working time, issuing
invoices, optimization of the work process and the safety of service vehicles
and construction machinery;50
46CNPD opinion, page 15.
47
48Minutes relating to the on-site visit, finding 9.
Same.
49Idem.
50Minutes relating to the on-site visit, finding 12.
_________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
survey no. […] carried out with Public Body A and Public Body B
19/38- in the past, emergency situations in which immediate identification of
vehicles had been necessary (for example […]) were managed on the basis of
51
information available to those controlled in specific situations;
- service vehicles and construction equipment had been the subject of attempted theft
52
(travel).
66. The head of investigation noted in the statement of objections that the system
geolocation system was “in particular installed on construction equipment” and that it was not
not equipped with a deactivation button. 53
67. He also recalled that “concerning construction equipment, the Opinion of the
CNPD establishes that “with regard to the monitoring of construction machinery […] [of
controlled], the National Commission is of the opinion that geolocating these during the hours
of work would amount to monitoring the employees of data controllers in a manner
quasi-permanent. Indeed, as indicated by […] [the controlled] in […] [their] mail
of October 2, 2020, the personnel […] [of those controlled] often work alone or in very
small teams. It is therefore easy to link a particular machine to its user. [...] There
National Commission nevertheless understands the need for […] [those controlled] to be able
protect your construction equipment against theft and also be able to track the time of
work of employees. In this regard, the National Commission is of the opinion that geolocation
construction machinery activated only outside working hours, and deactivated
by employees when they start using a particular machine, would make it possible to achieve
these two purposes, while being less detrimental to the private lives of employees […] [of
controlled]. In addition, the National Commission recognizes that geolocation of machines
construction site during working hours could be useful, or even necessary, to ensure
the safety of employees who carry out dangerous tasks alone (for example, […])
in remote places. [...] Consequently, with regard to the sometimes dangerous activities
carried out by employees […] [of the controlled], in spaces […] which can be very
remote areas, the National Commission is of the opinion that the geolocation of construction equipment
could nevertheless be activated during working hours, when these are used
by employees working alone in very remote […] spaces (for example, […]) and
51Minutes relating to the on-site visit, finding 12 (i).
52Minutes relating to the on-site visit, finding 12 (v).
53
Statement of Objections, points 81 and 82.
_________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
survey no. […] carried out with Public Body A and Public Body B
20/38performing tasks of a dangerous nature. Activation should then be carried out by the
employee himself. » » .4
68. He considered “that none of the elements obtained during the on-site visit […]
[was] likely to influence the argument developed in the CNPD Opinion” and
that no element of the documentation submitted to the CNPD contained evidence
55
opposites. It therefore found that non-compliance with article 5.1.c) of the GDPR was
acquired on the day of the on-site visit.
69. Those controlled by email of June 2, 2021 had specified that in the past
vehicles had been moved to a construction site, but had not been stolen and that this
incident had not been reported to the police.
70. Subsequently, those inspected explained in their letter of February 2, 2023
that the geolocation system had been installed to comply with a request from the
staff who had justified the request “in the interests of personal security. »
They had explained in particular that “the workers […] working partly alone
outside and potentially far from homes, […] with equipment more or less
heavy. Faced with the ever-present risk of accident, employees wanted insurance
that their exact position is known in order to avoid unnecessary waste of time in case
a rescue intervention should prove necessary” and that “[t]herefore, a
system allowing the worker to turn it off or on according to his needs, such as
proposed by the CDG, would always carry the risk of forgetting to put it into service at
when he needed it. Such a module would clearly defeat the purpose
sought by employees and would reduce the interest of such a system. »
In addition, they explained that although an opinion had been requested from the CNPD by the
staff delegation, the employees concerned would at no time have felt
personally bothered by geolocation and any invasion of their privacy would be
remained “purely theoretical”.
54Statement of Objections, paragraphs 83.
55Statement of Objections, paragraphs 84.
56Statement of Objections, paragraph 85.
_________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
survey no. […] carried out with Public Body A and Public Body B
21/38They also stressed that permanent surveillance of employees was not necessary.
at no time the purpose sought by the geolocation system.
In order to confirm the above, those inspected had annexed to their aforementioned letter
57
two testimonial certificates from employees of those inspected, as well as […] [that several
reports of the meetings of their governing bodies]. The Restricted Panel notes that these
documents mentioned employee safety as one of the purposes of implementing
location of the geolocation system.
71. During the Restricted Training session, the controls reiterated these
remarks and they also confirmed that contrary to what was indicated in the
58
information notices, service vehicles and construction equipment were reserved for
strictly professional use. They also explained that tracking time
work was currently carried out by clocking in the technical room […] for the workers
and that the use of the geolocation system was an alternative means that could be
employed in order to allow workers to go directly (by their private means)
on construction sites and to those inspected to verify at the same time the declarations of working times
written work (via the geolocation system for construction equipment).
72. Considering the explanations on the purposes of the processing provided by those inspected
in their letter of February 2, 2023 and during the Restricted Training session, as well as
that the confirmation that the construction machinery was reserved for use strictly
professional, Restricted Training considers that the geolocation system can
be used to ensure the safety of workers working alone in isolated locations
during working hours, without requiring that a separate activation button not be
is installed, and to verify the workers' written working time declarations
authorized to go directly to the construction sites.
73. In view of these circumstances, the Restricted Panel considers that there is no need
to identify a breach of article 5.1.c) of the GDPR.
57Exhibit 1 of the controls.
58
The information notices stated the following: “The geolocation system can be
disabled on vehicles that may be used outside of working hours for reasons
private” or “Das Geolokalisierungssystem cann bei den Fahrzeugen deaktiviert werden, die
außerhalb der Arbeitszeiten für private Zwecke genutzt werden dürfen”.
_________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
survey no. […] carried out with Public Body A and Public Body B
22/38E. On the breach linked to the obligation to limit purposes
1. On the principles
74. Article 5.1.b) of the GDPR provides that personal data
must be “collected for specific, explicit and legitimate purposes, and not
be subsequently processed in a manner incompatible with these purposes; […] (limitation
purposes)”.
75. Article 6.1 of the GDPR provides that processing is only lawful if, and in the context of
provided that at least one of the six legal bases listed in this article applies.
76. Furthermore, article L. 261-1.1 of the Labor Code provides that “treatment
of personal data for the purposes of monitoring employees in the context of
labor relations can only be implemented by the employer in the cases referred to
er
in Article 6, paragraph 1, letters a) to f) » of the GDPR, and in accordance with the provisions
of this article.
77. Regarding the requirement that the purpose be “legitimate”, the Working Group
Work Article 29 in its opinion 03/2013 on limitation of purpose, adopted on April 2, 2013
(hereinafter: “WP 203”), clarified that in order for a purpose to be legitimate, the processing must,
at any stage and at any time, be based on at least one of the legal bases provided for by
Article 7 of Directive 95/46/EC and Article 6.1(b) of that Directive further requires
that the purposes must comply with all the provisions of protection law
applicable data, as well as any other applicable legislation, such as the law of
61
labor, general contract law, consumer law, etc. .
78. Regarding this opinion, the EDPS clarified in his “Guidelines 4/2019
relating to Article 25 Data protection by design and data protection
by default”, version 2.0 of which was adopted on October 20, 2020, that the “working group
59“Opinion 03/2013 on purpose limitation”. This notice is only available in English.
60 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 relating to
protection of natural persons with regard to the processing of personal data and
to the free circulation of this data and which was repealed by the GDPR.
61
WP 203, pages 19 to 20; original text in English: “In order for the purposes to be legitimate, the
processing must - at all different stages and at all times - be based on at least one of the legal
grounds provided for in Article 7 […]. However, the requirement that the purposes must be legitimate
is broader than the scope of Article 7. In addition, Article 6(1)(b) also requires that the purposes
must be in accordance with all provisions of applicable data protection law, as well as other
applicable laws such as employment law, contract law, consumer protection law, and so on”.
_________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
survey no. […] carried out with Public Body A and Public Body B
23/38 “Article 29” provided guidance on the interpretation of the principle of limitation of
purposes within the framework of Directive 95/46/EC” and that “[a]lthough this opinion has not been
adopted by the committee, it can nevertheless retain its relevance, given that the
principle is worded in the same way in the GDPR. 62
2. In the present case
79. The CNPD at the end of its opinion observed that it was its understanding that
those inspected wished to implement the envisaged processing, among other things, to
“ensure the tracking of goods due to their particular nature (materials
dangerous, foodstuffs) » . 63
80. The head of investigation noted in the statement of objections that “it appears from the
Information notes (EXHIBITS 11, 12, 13 and 14) that one of the purposes of the Processing is the
“Guarantee of tracking of goods due to their particular nature (materials
dangerous, foodstuffs, etc.)", respectively in the German versions
“The terms of the Warehouse Verfolgung aufgrund der besonderen Art der
transportierten Waren (gefährliche Stoffe, Lebensmittel,…) » » 64 and that “the transport of
goods does not appear [however] in any of the corporate objects appearing in the statutes
65
controls " .
81. He considered that “[i]f the transport of goods can constitute in itself and in
certain cases a legitimate purpose, this cannot be the case if this purpose does not cover
66
an operational reality. Thus, after having noted that “it in no way emerges from
the investigation that the Controlled would actually engage in a transport activity of
goods”, he held that the purpose relating to the transport of goods was
devoid of legitimacy 67 so that non-compliance with article 5.1.b) of the GDPR was
acquired on the day of the on-site visit.8
82. During the Restricted Training session, the controls clarified in this respect
which concerns the transport of goods that in order to carry out their projects, they were
62Cf. footnote 34.
63
64CNPD opinion, page 15.
Statement of Objections, paragraph 89.
65Statement of Objections, paragraph 90.
66Statement of Objections, paragraph 91.
67Idem.
68Statement of Objections, paragraph 93.
_________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
survey no. […] carried out with Public Body A and Public Body B
24/38 required to transport earth and stones, as well as other similar materials
which they consider to be commodities.
83. The Restricted Formation recalls that for a purpose to be legitimate, the
processing must in particular be based on a relevant legal basis under the
Article 6 of the GDPR.
84. She notes that the tracking of goods due to their particular nature
was mentioned as one of the purposes of the processing in the information notices
that the inspected had sent to their employees and that during the on-site visit the
monitored invoked their legitimate interests as the legal basis for the processing
(article 6.1.f) of the GDPR).9
85. The Restricted Panel has already noted that those controlled did not have
mentioned in the information notices the legitimate interests pursued by the
joint controllers (article 13.1.d) of the GDPR) (see point 49 of this
70
decision) […] .
86. She nevertheless expresses her doubts concerning the qualification of the lands and
stones transported by controlled elements that merit monitoring due to
of their particular nature as the CNPD understands it, that is to say that they are
dangerous materials or perishable or particularly valuable goods.
Thus, the activities in which those controlled actually engaged did not correspond
not to the activities that the CNPD had considered in its opinion. In fact, it is only then
of the investigation that it turned out that the purpose of tracking the goods did not reflect a
operational reality.
87. It considers that the tracking of goods due to their nature
particular purpose did not constitute a real and therefore legitimate purpose, and therefore could not
justify the use of geolocation on the basis of article 6.1.f) of the GDPR for this
purpose.
88. In view of the above, the Restricted Formation agrees with the opinion of the chief
investigation and concludes that non-compliance with article 5.1.b) of the GDPR was acquired on the day
of the on-site visit by CNPD agents.
69Minutes relating to the on-site visit, finding 13.
70[…].
_________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
survey no. […] carried out with Public Body A and Public Body B 25/38II. 2. On the fine and corrective measures
1. On the principles
89. In accordance with article 12 of the law of August 1, 2018, the National Commission
has the powers provided for in article 58.2 of the GDPR:
“a) notify a controller or a processor of the fact that the processing operations
envisaged processing are likely to violate the provisions of this regulation;
b) call to order a controller or a processor when the
processing operations have resulted in a violation of the provisions of this regulation;
(c) order the controller or processor to comply with requests
presented by the data subject in order to exercise their rights pursuant to the
this regulation;
(d) order the controller or processor to put the processing operations
processing in accordance with the provisions of this Regulation, where applicable, of
specific manner and within a specific time frame;
(e) order the controller to communicate to the data subject a
personal data breach;
f) impose a temporary or permanent restriction, including a ban, on processing;
g) order the rectification or erasure of personal data or the
limitation of processing pursuant to Articles 16, 17 and 18 and the notification of these
measures to recipients to whom personal data have been disclosed
pursuant to Article 17, paragraph 2, and Article 19;
(h) withdraw a certification or order the certification body to withdraw a
certification issued pursuant to articles 42 and 43, or order the body to
certification not to issue certification if the requirements applicable to the certification
are not or no longer satisfied;
_________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
investigation no […] carried out with Public Body A and Public Body B 26/38i) impose an administrative fine pursuant to Article 83, in addition to or in addition to
the place of the measures referred to in this paragraph, depending on the characteristics
specific to each case;
j) order the suspension of data flows addressed to a recipient located in a
third country or to an international organization. »
er
90. In accordance with article 48 of the law of August 1, 2018, the CNPD may impose
administrative fines as provided for in article 83 of the GDPR, except against
of the state or municipalities.
91. Article 83.1 of the GDPR provides that each supervisory authority ensures that
the administrative fines imposed are, in each case, effective, proportionate
and dissuasive.
92. Article 83.2 of the GDPR specifies the elements which must be taken into account
to decide whether to impose an administrative fine and to decide the amount
of this fine:
“a) the nature, seriousness and duration of the violation, taking into account the nature, scope
or the purpose of the processing concerned, as well as the number of data subjects
affected and the level of damage they have suffered;
(b) the fact that the violation was committed deliberately or negligently;
(c) any measures taken by the controller or processor to mitigate the
damage suffered by the persons concerned;
d) the degree of responsibility of the controller or processor, taking into account
taken into account the technical and organizational measures that they have implemented under the
articles 25 and 32;
e) any relevant breach previously committed by the controller or
the subcontractor ;
(f) the degree of cooperation established with the supervisory authority with a view to remedying the violation
and to mitigate possible negative effects;
g) the categories of personal data affected by the violation;
_________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
investigation no […] carried out with Public Body A and Public Body B 27/38h) the manner in which the supervisory authority became aware of the violation, in particular if,
and to what extent the controller or processor has notified the breach;
(i) where measures referred to in Article 58(2) have previously been
ordered against the controller or processor concerned for the
same object, compliance with these measures;
(j) the application of codes of conduct approved pursuant to Article 40 or
certification mechanisms approved pursuant to Article 42; And
k) any other aggravating or mitigating circumstance applicable to the circumstances of
the species, such as financial benefits obtained or losses avoided, directly or
indirectly, as a result of the violation.”
93. The imposition of administrative fines was explained by the Group of
Labor Article 29 in its “Guidelines on the application and setting of fines
administrative measures for the purposes of Regulation (EU) 2016/679” adopted on October 3, 2017. These
The guidelines have been taken up and re-approved by the EDPS. Restricted Training
underlines that these guidelines have been supplemented by the “Guidelines 04/2022 on the
calculation of administrative fines under the GDPR” of the EDPS, version 2.1 of which has been
adopted on May 24, 2023.72
94. The Restricted Panel would like to point out that the facts taken into account in the
framework of this decision are those noted at the start of the investigation. The possible
modifications relating to the data processing subject to the investigation that have taken place
subsequently, even if they make it possible to fully or partially establish the
compliance, do not allow retroactive cancellation of a noted breach.
95. Nevertheless, the steps taken by those inspected to put themselves in
compliance with the GDPR during the investigation procedure or to remedy the
shortcomings noted by the head of investigation in the statement of objections, are taken
taken into account by the Restricted Training as part of any corrective measures
to be pronounced and/or the setting of the amount of a possible administrative fine to be
pronounce.
71
See decision Endorsement 1/2018 of the EDPS of May 25, 2018, available under:
https://edpb.europa.eu/sites/edpb/files/files/news/endorsement_of_wp29_documents_en_0.pdf.
72The guidelines on calculating fines are currently only available in English.
_________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
survey no. […] carried out with Public Body A and Public Body B 28/382. In this case
2.1 As for the imposition of an administrative fine
96. In the statement of objections, the head of investigation proposed to the Panel
Restricted from imposing an administrative fine of one
amount of […] euros “for the payment of which the Controlled will be jointly and severally
held » .3
97. The controlled in their letter of February 2, 2023, by which they had taken
position in relation to the initial statement of objections, had first raised
the incompetence of the CNPD to pronounce an “administrative sanction” […].
In the alternative, those inspected had contested the amount of the administrative fine
proposed by the head of investigation in the initial statement of objections, in particular in
given previous decisions taken by the Restricted Formation. They also have
contested any intention on their part to commit the breaches identified in the
initial statement of objections.
98. The head of investigation in his letter dated February 15, 2023 by which he
notified to the auditees the statement of objections set out “[w]hen the arguments relating to
to the incompetence of the National Commission for Data Protection to pronounce
an administrative sanction […]” that “the latter are rejected and, therefore, not
likely to modify the CDG”.
99. During the Restricted Training session of June 13, 2023, those controlled were
reiterated the above-mentioned remarks.
2.1.1 On the competence of the CNPD to impose an administrative fine
er
100. […] given that the exemption from article 48.1 of the law of August 1, 2018
only targets “the State and municipalities” and not legal entities under public law
in general, the Restricted Panel considers that it is competent to impose
administrative fines […] [to Public Bodies A and B].
101. […]
73Statement of Objections, paragraph 125.
_________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
investigation no. […] carried out with Public Body A and Public Body B 29/382.1.2 On the advisability of imposing an administrative fine
102. In order to decide whether it is appropriate to impose an administrative fine, the
Restricted Training analyzes the criteria set by article 83.2 of the GDPR.
103. As for the nature and seriousness of the violation (article 83.2.a) of the GDPR), it
notes that with regard to the breach of article 5.1.b) of the GDPR, it is constitutive
of a breach of a fundamental principle of the GDPR (and of the law of protection of
data in general), namely the principle of limitation of purposes devoted to the
Chapter II “Principles” of the GDPR.
As for the failure to comply with the obligation to inform the persons concerned in accordance
in article 13 of the GDPR, it recalls that information and transparency relating to the
processing of personal data are essential obligations weighing on
data controllers, so that people are fully aware of
the use that will be made of their personal data, once these
collected. A breach of Article 13 of the GDPR therefore constitutes an infringement of
rights of the persons concerned. This right to information has also been strengthened in
terms of the GDPR, which demonstrates its particular importance.
104. As for the duration criterion (article 83.2.a) of the GDPR), the Training
Restricted notes that these failures have lasted over time, at least since
[…] March 2021 and until the day of the on-site visit. In fact, those inspected explained
during the Restricted Training session that the geolocation system had been
deactivated pending a return from the CNPD. However, the mail […] that the controlled
attached to their email to the Restricted Training of June 21, 2023 specifies that the system
geolocation […] [was] reactivated after those controlled had become aware of
the opinion of the CNPD and before the on-site visit of CNPD agents dated May 26
2021.
105. As for the number of affected persons and the level of
damage they have suffered (article 83.2.a) of the GDPR), the Restricted Formation notes
that this concerns all employees of those inspected who have used service vehicles and machinery
of construction sites equipped with the geolocation system. In this regard, it takes into account the
explanations provided by those inspected during the Restricted Training session according to
which the people concerned by geolocation were the […] employees-workers
who left daily with the service vehicles and used the equipment of
site, as well as their […] other employees who occasionally used one of the vehicles
_________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
survey no. […] carried out with Public Body A and Public Body B
30/38 service. La Formation Restricte notes that only a third of the employees were not
capable of being constantly monitored.
106. As to the question of whether the breaches were committed
deliberately or negligently (article 83.2.b) of the GDPR), Restricted Training reminds
that “intent”, that is to say an offense committed deliberately, includes both the
knowledge and will in relation to the characteristics of an offense, while
“not deliberately” (negligently) means that there was no intention to commit
the violation, although the controller or processor has not complied
the duty of care incumbent upon it under the legislation.
The controlled in their aforementioned letter of February 2, 2023 had explained that they
were initially suspicious of the geolocation system, but that the said system had
nevertheless been installed at the request of employees for reasons mainly of
security. They also stressed that at no time was permanent surveillance
of employees would not have been the purpose sought by the geolocation system (cf.
point 70 of this decision).
The Restricted Panel also takes into account the assertions of the head of investigation according to
which “the Controlled have had a certain number of internal discussions regarding the
way of concretely adapting the CNPD Opinion to their needs (PIECES 28 and
29)” which “at no time […] indicate any desire to ignore the
74
recommendations of the CNPD Opinion”.
While the Restricted Panel is of the opinion that the facts and the shortcomings observed
do not reflect a deliberate intention to violate the GDPR on the part of those inspected,
it nevertheless considers that the breaches were committed through negligence.
107. As for the measures taken by those inspected or their subcontractor to
mitigate the damage suffered by the persons concerned (article 83.2.c) of the GDPR), the
Restricted Training takes into account the measure taken by those controlled and refers to the
Chapter II.2, Section 2.2 of this decision for the related explanations.
Those inspected had also explained in their letter of February 2, 2023, as well as
during the Restricted Formation session that they had appointed a delegate to the
external data protection, namely Company D, already before the request for an opinion
74Statement of Objections, paragraph 115.
_________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
survey no. […] carried out with Public Body A and Public Body B 31/38 addressed to the CNPD and that the latter “had the particular mission of ensuring the implementation
in compliance of […] [of the inspected] with the rules of the GDPR”. However, like this
appointment 75 had not resulted in a mitigation of the damage, the Formation
Restricted cannot take it into account as a mitigating factor.
This also applies to the aforementioned deactivation of the geolocation system,
given that those controlled had reactivated the system after receiving the notice from the
CNPD and before the on-site visit of CNPD agents (see point 104 of this
decision).
108. As for the degree of cooperation established with the supervisory authority
(article 83.2.f) of the GDPR), the Restricted Training takes into account the assertion of the head
investigation according to which “the Controlled showed good cooperation”. 76
109. As for the categories of personal data concerned by the
violation (article 83.2.g) of the GDPR), this is the date and time of the start and end of the
journey, the state of the vehicle (moving or stationary, including any possible
breaks), vehicle positioning data (within two meters) and route of the
vehicle, driving time and mileage traveled and start-up
abnormality of the vehicle due to the day (Saturday or Sunday) or the schedule (function
77
“Geo-fencing”). The controlled persons declared during the on-site visit of the agents of the
CNPD that the geolocation system was associated with service vehicles and machines
site and not to employees. However, the overlap between the geolocation of the vehicle and
the employee driving it was possible, by cross-referencing the work sheets
employees, to the extent that they documented which vehicle was used
which day by which employee.
110. As for any other aggravating or mitigating circumstance applicable to
circumstances of the case (article 83.2.k) of the GDPR), the Restricted Training takes into account
assertions by the head of investigation according to which “the violations identified are not
75
Exhibits 26 and 27 of the head of investigation according to which the declaration forms of delegate to the
data protection were transmitted to the CNPD by email of November 9, 2020 (Organization
public B) and email of November 16, 2020 (Public body A).
76Statement of Objections, paragraph 118.
77Minutes relating to the on-site visit, finding 8.
78Minutes relating to the on-site visit, finding 10.
_________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
survey no. […] carried out with Public Body A and Public Body B
32/38 a priori not likely to bring an economic benefit to the Controlled. The head of investigation
79
furthermore, did not find any elements allowing us to conclude that losses were avoided.
111. The Restricted Panel notes that the other criteria of article 83.2 of the
GDPR are neither relevant nor likely to influence its decision regarding taxation
an administrative fine and its amount.
112. Therefore, the Restricted Panel considers that the imposition of a fine
administrative is justified with regard to the criteria set by article 83.2 of the GDPR for
breach of articles 5.1.b) and 13 of the GDPR.
2.1.3 On the amount of the fine
113. Those controlled transmitted to the Restricted Training by emails from 21 and
June 29, 2023 their respective accounts for the year 2022.
114. Regarding the amount of the administrative fine, the Restricted Panel
recalls that article 83.3 of the GDPR provides that in the event of multiple violations, as is
in the present case, the total amount of the fine cannot exceed the maximum amount set
for the most serious violation. To the extent that a breach of Articles 5 and 13 of the
RGPD is blamed on those inspected, the maximum amount of the fine that can be withheld
amounts to 20 million euros or 4% of global annual turnover, the highest amount
high being retained, in accordance with article 83.5 of the GDPR.
115. With regard to the responsibility of those controlled, their financial capacities
and the relevant criteria of article 83.2 of the GDPR mentioned above in chapter “2.1.2
On the advisability of imposing an administrative fine”, the Restricted Training
considers that the imposition of a fine of two thousand five hundred (2,500) euros appears
both effective, proportionate and dissuasive, in accordance with the requirements of article 83.1 of the
GDPR.
2.2 Regarding taking corrective measures
116. In the statement of objections the head of investigation proposed to the
Training Restricted to adopt the following corrective measures: “within 1
79Statement of Objections, paragraph 121.
_________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
investigation no. […] carried out with Public Body A and Public Body B 33/38 months from notification to the Auditors of the decision taken by the Panel
Restraint :
Pronounce against the Controlled under article 58.2 d) of the GDPR a
injunction to bring the Processing into compliance with provisions 13.1 a, b, c, d, f
and 13.2 d) of the GDPR and more precisely to complete, respectively rectify the
information measures intended for Employees, by:
- completing the identity of the Data Controller;
- providing the identity of the data protection officer;
- correcting the legal basis of the Processing;
- providing information on the legitimate interests pursued by the Controlled;
- providing information as to the existence or not of an adequacy decision and, where appropriate
where applicable, indicating the existence of appropriate guarantees and the means[s] of
obtain a copy;
- indicating the right to lodge a complaint with the supervisory authority;
- harmonizing the corrected German and French information notes in order to
that they have identical content;
and to communicate any supporting evidence capable of demonstrating compliance with this
injunction.
[…]
Pronounce against the Controlled under article 58.2 d) of the GDPR a
injunction to bring the Processing into compliance with the provisions of article 5.1 c)
of the GDPR and more precisely to provide the geolocation system installed in the
construction machinery with a deactivation button and to communicate any supporting documents to
even to report compliance with this injunction.
Pronounce against the Controlled under article 58.2 d) of the GDPR a
injunction to bring the Processing into compliance with the provisions of article 5.1 b)
of the GDPR and more precisely to remove from the Information Notes the purpose
“Guarantee of tracking of goods due to their particular nature (materials
_________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
survey no. […] carried out with Public Body A and Public Body B
34/38 dangerous, foodstuffs, etc.)", respectively in the versions
German “Sicherstellung der Warennachverfolgung aufgrund der besonderen Art
der transportierten Waren (gefährliche Stoffe, Lebensmittel,…)” and to communicate
any supporting evidence capable of demonstrating compliance with this injunction. ".
117. As for the corrective measures proposed by the head of investigation and by
reference to point 95 of this decision, the Restricted Training takes into account
the steps taken by those inspected in order to comply with the provisions of the
articles 5.1.b) and 13 of the GDPR, as detailed in their letter of February 2, 2023.
More particularly, it takes note of the following facts:
118. In their letter of February 2, 2023, the controlled […]. They had […]
contested that they would have taken no measures to comply with their legal obligations
“after receipt of the CNPD’s opinion”.
Thus, they explained that they initially planned to wait for reception
in the opinion of the CNPD before initiating internal compliance measures and that they
did not expect to be “subject shortly after [receipt of this notice] to a
detailed control”. Otherwise, the necessary measures would have been taken more quickly.
[…]
Then, they emphasized that a memo had been put in place after the
receipt of the “first opinion” from the CNPD and remained in place pending guidance from
the CNPD in the form of its “final opinion”.
In support of their argument they had annexed […] [several reports from
meetings of their governing bodies].
119. During the Restricted Training session of June 13, 2023, the controlled
reiterated their words.
120. As for the first corrective measure proposed by the head of investigation
repeated under point 116 of this decision to put the information measures
intended for employees of those controlled in accordance with the provisions of
articles 13.1.a), b), c), d), f) and 13.2.d) of the GDPR and more precisely to complete,
respectively rectify, said information measures, the Restricted Training holds
80Statement of Objections, paragraph 124.
_________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
investigation no. […] carried out with Public Body A and Public Body B 35/38 includes the copy of the renewed version of the memo dated
81
January 11, 2022 which was annexed to the controlled email of March 24, 2022, and
mentioned in their aforementioned letter of February 2, 2023.
The Restricted Panel notes, however, that the content of the said note was
substantially identical to that of the memo dated February 17, 2021. Being
given that it has already noted that the latter document did not contain the elements
required by the first level of information (see point 46 of this decision), it
therefore considers that the same observation is necessary for the memo dated
January 11, 2022.
Furthermore, the documentation submitted to the Restricted Training does not contain any evidence
that the renewed information note had indeed been transmitted in a manner
individual to the employees of the controlled.
In consideration of insufficient compliance measures taken by those inspected
in the present case and point 95 of this decision, the Restricted Panel therefore considers
that it is appropriate to pronounce the corrective measure proposed by the head of investigation in this regard.
121. […]
122. As for the third corrective measure proposed by the head of investigation
repeated under point 116 of this decision to bring processing into compliance
with the provisions of article 5.1.c) of the GDPR and more precisely to provide the system
geolocation installed in construction equipment with a deactivation button, the
Restricted Training, given that it did not retain the breach linked to the principle of
minimization retained by the head of investigation (see point 73 of this decision), it considers
that there is also no reason to pronounce the corrective measure proposed by the head
investigation in this regard.
123. As for the fourth corrective measure proposed by the head of investigation
repeated under point 116 of this decision to bring processing into compliance
with the provisions of article 5.1.b) of the GDPR and more precisely to delete
information notes the purpose relating to the tracking of goods, Restricted Training
recalls that it noted that the tracking of goods due to their nature
81Exhibits 10 and 25 of the head of investigation.
82Exhibits 9 and 24 of the head of investigation.
_________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
investigation no. […] carried out with Public Body A and Public Body B 36/38 did not constitute a legitimate purpose of the processing (see point 87 of this
decision).
In consideration of insufficient compliance measures taken by those inspected
in the present case and point 95 of this decision, the Restricted Panel therefore considers
that it is appropriate to pronounce the corrective measure proposed by the head of investigation in this regard.
Taking into account the foregoing developments, the National Commission sitting
in restricted training, after having deliberated, decides:
- to identify breaches of articles 5.1.b) and 13 of the GDPR;
- to pronounce against Public Body A and Public Body B a
administrative fine in the amount of two thousand five hundred (2,500) euros in respect of
breaches of articles 5.1.b) and 13 of the GDPR;
- to pronounce against Public Body A and Public Body B a
injunction to bring processing into compliance with the obligations resulting from
Article 13.1 and 2 of the GDPR and in particular to individually inform employees of
clearly and precisely on the geolocation system, within two months
following notification of the decision of the Restricted Panel, or by proceeding by
a first and second level, either by providing them in a single location or
in the same document (in paper or electronic format) information on
all the elements required under Article 13 of the GDPR, and more specifically
to complete, respectively rectify, the information measures intended for
employees, in
o completing the identity of the data controllers;
o providing the identity of the data protection officer;
o deleting the purpose of the processing indicated as “tracking of goods in
due to their particular nature (dangerous materials, foodstuffs,
…)” ;
_________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
survey no. […] carried out with Public Body A and Public Body B
37/38 o providing information on the legal basis of the processing in relation to other purposes;
o providing information on the legitimate interests pursued;
o providing information as to the existence or not of an adequacy decision and, where appropriate
where applicable, indicating the existence of appropriate guarantees and the means of
obtain a copy;
o indicating the right to lodge a complaint with the Commission
national for data protection;
o harmonizing the corrected German and French information notes in order to
that they have identical content.
Belvaux, September 21, 2023.
The National Commission for Data Protection sitting in restricted formation
Tine A. Larsen Thierry Lallemang Alain Herrmann
President Commissioner Commissioner
Indication of avenues of appeal
This administrative decision may be the subject of an appeal for reform in the
three months following its notification. This appeal must be brought before the administrative court
and must be introduced through a lawyer to the Court of one of the Orders of
lawyers.
_________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
survey no. […] carried out with Public Body A and Public Body B
38/38
