CNPD (Luxembourg) - Délibération n° 16FR/2022: Difference between revisions

From GDPRhub
Revision as of 14:16, 14 February 2023

CNPD - 16FR/2022
Authority: CNPD (Luxembourg)
Jurisdiction: Luxembourg
Relevant Law: Article 5(1)(c) GDPR
Article 13 GDPR
Type: Investigation
Outcome: Violation Found
Started: 14.02.2019
Decided: 07.07.2022
Published: 24.01.2023
Fine: 10,000
Parties: n/a
National Case Number/Name: 16FR/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: CNPD (in FR)
Initial Contributor: ls

The Luxembourg DPA fined a bank institution €10,000 for using surveillance cameras without sufficiently informing the data subjects and filming some of them continuously. The DPA held that it was a violation of Article 5(1)(c) and Article 13 GDPR.

English Summary

Facts

On 14 February 2019, the Luxembourg DPA decided to open an investigation into the companies of Group A and particularly into Company A, a bank institution (controller). The purpose of this investigation was to verify whether the video surveillance systems, and any geolocation systems for company cars, installed by the company complied with the GDPR.

The investigation showed that surveillance cameras were indeed in place, filming the interior of Company A’s building as well as the public highway. This could be problematic from the point of view of the principle of data minimisation (Article 5(1)(c)) and from the point of view of the information obligation (Article 13). It also showed that no geolocation system was in place.

The data minimisation principle (Article 5(1)(c))

During the investigators’ visit at Company A, it was explained that the purposes of the video surveillance were the protection of property, securing access to private places and places at risk, the safety of users and the prevention of accidents. The investigators found that the cameras’ fields of view included safe rooms, meeting rooms, the reception desk, the cash desk, offices, a computer room and a room where employees take breaks.

The head of the investigation considered this to be permanent surveillance of employees at their workplace, which could create psychological pressure. He described the surveillance as “disproportionate to the purpose” and an “excessive intrusion into the employees’ private sphere”. He added that employees had no way of escaping the surveillance.

Following the visit of the investigators, Company A explained that it had taken masking measures for cameras filming sensitive areas (e.g. work surfaces).

After receiving the minutes of this visit, the Company wrote a letter in which it explained that a distinction should be made between two types of locations filmed, depending on their economic and strategic sensitivity: the counters and the safe room on one hand, and other locations on the other. It also considered that employees were not filmed permanently since they could avoid the cameras' field of vision. Company A also argued that the presence of certain cameras was justified in relation to the purpose:

  • This is the case, for example, of a camera positioned in the safe where one of the employees was stationed and where the company kept precious metals and physical securities. The company stressed that the room is locked for security reasons and that the camera made it possible to see if the employee was "feeling unwell". The company also explained that this is an ad hoc workstation, subject to patrols, which means that the employee working there was not filmed at all times.
  • Another case is the counters. The company explains that employees are only filmed from behind and that their hands, faces, private or professional equipment were not targeted. According to the company, the presence of these cameras was therefore necessary and proportionate to the aims pursued.

With regard to the surveillance of the public highway, the investigation showed, among other things, that buildings not belonging to the company were filmed. The company argued that this was necessary to effectively protect their building. The head of the investigation however considered this surveillance to be disproportionate.

The obligation to inform data subjects (Article 13)

The investigation showed that data subjects were informed about the use of surveillance cameras by a pictogram and an old CNPD authorisation sticker at the entrance door and at a passageway closed to the public. According to the head of the investigation, this information was incomplete because it did not provide, among other things, the following elements: the retention period, the purposes of the processing, the right to rectification and erasure... The GDPR intranet section did not contain sufficient information either.

In its letter in response to the minutes of the visit, the company explained that the pictograms were the first step of a multi-step information process, which included the GDPR intranet section and mandatory trainings on data privacy. The company also reported that it had initiated the replacement of the pictograms and would indicate the missing information in the future.

With regard to third parties, the agents noted that a sign was installed containing a camera image and the words "locals under video surveillance". The company considered that informing third parties was not an absolute obligation under Article 13 (which states that it is not required when communication is impossible or would require disproportionate effort).

Holding

The DPA generally agreed with the opinion of the head of the investigation. It considered that Company A failed to comply with Article 5(1)(c), i.e. the principle of data minimisation, and with Article 13, which imposes an obligation to provide information. In accordance with Article 83(2), it therefore imposed a fine of €10,000.

Taking into account the measures already taken by Company A, the DPA also ordered corrective measures: in particular 1) to stop filming the employees' workplans and, if this cannot be avoided at all, to arrange for their faces to be blurred, and 2) to obscure the public area within the cameras' field of vision. Another measure is the obligation to have a single place where all the information required by Article 13 is available.


English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.