CNPD (Luxembourg) - Délibération n° 21FR/2021: Difference between revisions

From GDPRhub
 
(6 intermediate revisions by 3 users not shown)
Line 10: Line 10:
|ECLI=
|ECLI=


|Original_Source_Name_1=Décision de la Commission nationale siégeant en formation restreinte sur l’issue de l’enquête n° [...]menée auprès de la Société A
|Original_Source_Name_1=CNPD
|Original_Source_Link_1=https://cnpd.public.lu/content/dam/cnpd/fr/decisions-fr/2021/Decision-21FR-2021-sous-forme-anonymisee.pdf
|Original_Source_Link_1=https://cnpd.public.lu/content/dam/cnpd/fr/decisions-fr/2021/Decision-21FR-2021-sous-forme-anonymisee.pdf
|Original_Source_Language_1=French
|Original_Source_Language_1=French
Line 48: Line 48:
|Initial_Contributor=rem
|Initial_Contributor=rem
|}}
|}}
 
The Luxembourg DPA fined a controller €7600 for failing to comply with the principle of data minimisation and for failing to provide data subjects with required information about their video surveillance system.
The Luxembourg DPA fined a controller €7,600 for violating [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]] and Article 13 GDPR by failing to comply with data minimisation and information of data subjects requirements regarding video surveillance.  


== English Summary ==
== English Summary ==
Line 64: Line 63:
The CNPD received a document entitled "Information to workers - Privacy protection" as an appendix of a letter from the company indicating that it will be placed on the internal network so that it can be updated regularly.
The CNPD received a document entitled "Information to workers - Privacy protection" as an appendix of a letter from the company indicating that it will be placed on the internal network so that it can be updated regularly.
=== Holding ===
=== Holding ===
Regarding the videocameras, the NCPD held that non-compliance with Article 5(1)(c) GDPR in respect of the two above-mentioned cameras was established on the day of the on-site visit, even if the controller changed the range of vision to make it compliant afterwards.
Regarding the video cameras, the NCPD held that non-compliance with Article 5(1)(c) GDPR in respect of the two above-mentioned cameras was established on the day of the on-site visit, even if the controller changed the range of vision to make it compliant afterwards.


In the same way, the CNPD considered that non-compliance with Article 5(1)(c) GDPR in respect of the six other cameras was established too.  
In the same way, the CNPD considered that non-compliance with Article 5(1)(c) GDPR in respect of the six other cameras was established too.  


Regarding the information of the cameras, the CNPD held that the pictogram did not contain the required elements of the first level of information (essential informations) for either employees or third-parties. Furthermore, the CNPD held that the document entitled "Information to workers - Privacy protection" did not contain all the information required by Article 13 GDPR.
Regarding the information of the cameras, the CNPD held that the pictogram did not contain the required elements of the first level of information (essential information) for either employees or third-parties, since it only informed about the recording but did not provide any more of the information required by Article 13 GDPR. Furthermore, the CNPD held that the document entitled "Information to workers - Privacy protection" did not contain all the information required by Article 13 GDPR.


Therefore, the CNPD concludes that at the time of the on-site visit of the CNPD officers, the company was not compliant with Article 13 GDPR.  
Therefore, the CNPD concludes that at the time of the on-site visit of the CNPD officers, the company was not compliant with Article 13 GDPR.  
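Review bot: In the first Holding paragraph the revised line still reads "the NCPD held", while every other reference in this hunk abbreviates the authority as CNPD; correct the acronym in the same edit. In the revised pictogram sentence, "Regarding the information of the cameras" would read more clearly as "Regarding information about the cameras", and "third-parties" is normally written without the hyphen.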
Line 74: Line 73:
The CNPD held that the controller infringed Article 5(1)(c) GDPR and [[Article 13 GDPR]] and decided to:
The CNPD held that the controller infringed Article 5(1)(c) GDPR and [[Article 13 GDPR]] and decided to:


- impose an administrative fine of 7,600 euros on the controller,  
- impose an administrative fine of €7,600 on the controller,  


- issue an injunction to the controller to bring the processing into compliance with the provisions of Article 13 of the RGPD, within a period of two months following notification of the decision, with proof of compliance to be sent to the CNPD at the latest, within this period.
- issue an injunction to the controller to bring the processing into compliance with the provisions of Article 13 of the RGPD, within a period of two months following notification of the decision, with proof of compliance to be sent to the CNPD at the latest, within this period.
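Review bot: The injunction bullet still uses the French abbreviation "RGPD" although the surrounding lines use "GDPR", and "at the latest, within this period" is redundant. Suggest "Article 13 GDPR" and "within this period at the latest" alongside the "€7,600" normalisation made in the bullet above.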

Latest revision as of 13:13, 20 July 2021

CNPD (Luxembourg) - 21FR/2021
Authority: CNPD (Luxembourg)
Jurisdiction: Luxembourg
Relevant Law: Article 5(1)(c) GDPR
Article 13 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 11.06.2021
Published: 01.07.2021
Fine: 7600 EUR
Parties: n/a
National Case Number/Name: 21FR/2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: CNPD (in FR)
Initial Contributor: rem

The Luxembourg DPA fined a controller €7600 for failing to comply with the principle of data minimisation and for failing to provide data subjects with required information about their video surveillance system.

English Summary

Facts

On 22 November 2018, the Luxembourg DPA (National Commission for Data Protection, "CNPD") decided to open an investigation on a group of companies and their GDPR compliance, especially regarding video surveillance and geolocation systems implemented by the affiliates.

During the on-site investigation of one of the companies, CNPD officers found that the range of vision of two cameras included parts of the public highway, while six cameras allowed for continuous monitoring of the workstations of the employees working there.

Afterwards, the CNPD received proof that the range of vision of the two cameras had been modified so that they no longer target the public highway.

Regarding Article 13 GDPR, the CNPD notes that during the on-site visit by the CNPD officers, third-parties and employees were informed of the presence of the video surveillance system by a pictogram consisting of a video-camera symbol and bearing the words "Local under video surveillance".

The CNPD received a document entitled "Information to workers - Privacy protection" as an appendix of a letter from the company indicating that it will be placed on the internal network so that it can be updated regularly.

Holding

Regarding the video cameras, the CNPD held that non-compliance with Article 5(1)(c) GDPR in respect of the two above-mentioned cameras was established on the day of the on-site visit, even if the controller changed the range of vision to make it compliant afterwards.

In the same way, the CNPD considered that non-compliance with Article 5(1)(c) GDPR in respect of the six other cameras was established too.

Regarding information about the cameras, the CNPD held that the pictogram did not contain the required elements of the first level of information (essential information) for either employees or third parties, since it only informed about the recording but did not provide any more of the information required by Article 13 GDPR. Furthermore, the CNPD held that the document entitled "Information to workers - Privacy protection" did not contain all the information required by Article 13 GDPR.

Therefore, the CNPD concludes that at the time of the on-site visit of the CNPD officers, the company was not compliant with Article 13 GDPR.

The CNPD held that the controller infringed Article 5(1)(c) GDPR and Article 13 GDPR and decided to:

- impose an administrative fine of €7,600 on the controller,

- issue an injunction to the controller to bring the processing into compliance with the provisions of Article 13 of the GDPR, within a period of two months following notification of the decision, with proof of compliance to be sent to the CNPD within this period at the latest.

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Decision of the National Commission sitting in restricted formation on the outcome of investigation no. [...] conducted with Company A

Deliberation n° 21FR/2021 of June 11, 2021

The National Commission for Data Protection sitting in restricted formation, composed of Ms Tine A. Larsen, president, and Messrs Thierry Lallemang and Marc Lemmer, commissioners;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;

Having regard to the law of 1 August 2018 on the organization of the National Commission for data protection and the general data protection regime, in particular its article 41;

Having regard to the internal regulations of the National Commission for Data Protection adopted by decision n° 3AD/2020 dated 22 January 2020, in particular its article 10 point 2;

Having regard to the regulation of the National Commission for Data Protection relating to the investigation procedure adopted by decision n° 4AD/2020 dated 22 January 2020, in particular Article 9;

Considering the following:

I. Facts and procedure



1. During its deliberation session of November 22, 2018, the National Commission for data protection sitting in plenary session (hereinafter: "Plenary Panel") had decided to open an investigation with the ABC group on the basis of article 37 of the law of 1 August 2018 on the organization of the National Commission for data protection and the general data protection regime (hereinafter "the law of August 1, 2018") and to appoint Mr. Christophe Buschmann as head of investigation.

2. According to the decision of the Plenary Panel, the investigation carried out by the National Commission for Data Protection (hereafter: "CNPD") had as its purpose verifying compliance with the provisions of the regulation on the protection of natural persons with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC (hereinafter "GDPR") and the law of August 1, 2018, in particular through the setting up of video surveillance and geolocation systems, where applicable, installed by the four companies of the group.

3. On December 12, 2018, CNPD agents carried out a visit to the premises of the ABC group. Given that the minutes relating to the said on-site investigation mission only mention, among the four companies in the ABC group, Company A as responsible for the controlled processing, the decision of the National Commission for data protection sitting in restricted formation on the outcome of the investigation (hereinafter: "Restricted Training") will be limited to the processing operations controlled by the agents of the CNPD and carried out by Company A.

1 And more specifically with Company A, registered in the Luxembourg Trade and Companies Register under number […], with registered office at L- […]; Company B, registered in the Luxembourg Trade and Companies Register under number […], with registered office at L- […]; Company C, registered in the Luxembourg Trade and Companies Register under number […], with registered office at L- […]; Company D, entered in the Luxembourg Trade and Companies Register under number […], with registered office at L- […].

2 See in particular the minutes relating to the on-site inspection mission carried out on 12 December 2018 with Company A.

4. Company A is a […] registered in the Trade and Companies register of Luxembourg under number […], with registered office at L- […] (hereinafter "the controlled"). The controlled is a car dealership in Luxembourg […]. 3


5. During the aforementioned visit of 12 December 2018 by CNPD agents to the premises of the inspected, it was confirmed to the CNPD agents that the inspected used a video surveillance system composed of thirty cameras, but that it had not installed any geolocation device in its vehicles. CNPD agents noted that many cameras were no longer operational and that this was due to the fact that the system had become obsolete and should be modernized soon. 5

6. To its reply letter of January 31, 2019 to the minutes drawn up by the CNPD agents, the inspected annexed a note entitled "Information to workers - Protection of privacy", indicating that it will be placed on the internal network in order to be able to update it regularly.

7. At the end of his investigation, the head of investigation notified the inspected on 16 September 2019 of a statement of objections detailing the shortcomings he considered constituted in this case, and more specifically a non-compliance with the requirements prescribed by Article 13 of the GDPR with regard to employees and customers, suppliers, service providers and visitors (hereinafter: "third parties") and a non-compliance with the requirements of Article 5.1.c) of the GDPR.

8. On 7 October 2019, the inspected filed written observations on the statement of objections.

9. A letter supplementing the statement of objections was sent to the inspected on August 3, 2020. In this letter, the head of the investigation proposed to the Restricted Training to adopt three different corrective measures, as well as to impose on the inspected an administrative fine in the amount of 7,600 euros.

3 According to the information provided on its own website: […].

4 See minutes relating to the on-site control mission carried out on December 12, 2018 with Company A.

5 Observation 19 of the minutes relating to the on-site inspection mission carried out on December 12, 2018 with Company A.

10. By letter of 27 August 2020, the inspected produced written observations on the additional letter to the statement of objections.


11. The president of the Restricted Training informed the inspected by letter of 16 October 2020 that its case would be registered for the Restricted Training session of 27 November 2020. The inspected confirmed its presence at the said meeting on 12 November 2020.

12. During the Restricted Training session on November 27, 2020, the head of investigation and the inspected presented their oral observations in support of their written observations and answered questions posed by the Restricted Training. The controlled spoke last.



II. In law

II. 1. As to the grounds for the decision

A. On the breach linked to the principle of data minimization

1. On the principles

13. In accordance with Article 5.1.c) of the GDPR, personal data must be "adequate, relevant and limited to what is necessary with regard to the purposes for which they are processed (data minimization)".

14. The principle of data minimization in video surveillance implies that only what appears strictly necessary to achieve the purpose(s) pursued should be filmed and that the processing operations must not be disproportionate. 6


15. Article 5.1.b) of the GDPR provides that personal data must be "collected for specific, explicit and legitimate purposes, and not be subsequently processed in a manner incompatible with these purposes; […] (limitation of purposes)".

6 See CNPD Guidelines (Point 4.), available at: https://cnpd.public.lu/fr/dossiers-thematic / videosurveillance / necessity-proportionality.html.

16. Before installing a video surveillance system, the controller must define, precisely, the purpose(s) it wishes to achieve in using such a system, and cannot then use the personal data collected for other purposes. 7



17. The necessity and proportionality of video surveillance is analyzed on a case-by-case basis and, in particular, with regard to criteria such as the nature of the place to be placed under video surveillance, its situation, configuration or attendance. 8

2. In this case

18. It was explained to CNPD officials that the purposes of setting up the CCTV system are the protection of company property, securing access, as well as user safety and accident prevention. As for the purpose of monitoring the various receptions, the inspected specified that it would consist of securing payment checkouts located in these areas. 9

19. During the on-site investigation, CNPD officers noted that the field of vision of two cameras included parts of the public road, while six cameras allowed the permanent monitoring of the workstations of the employees who were working there.


20. The head of the investigation considered that "in view of the aforementioned purposes for which the video surveillance is operated, it is not necessary to encompass parts of the public road or neighboring grounds in the fields of view of the cameras listed under point A.3. of this." (Statement of objections, Ad. A.3.). He was thus of the opinion that the non-compliance with article 5.1.c) of the GDPR was established on the day of the on-site visit and that the documentation submitted to the CNPD by the letter of January 31, 2019 did not contain any evidence against this non-compliance.

7 See CNPD Guidelines, available at: https://cnpd.public.lu/fr/dossiers-thematic / videosurveillance / necessity-proportionality.html.

8 See CNPD Guidelines (Point 4.), available at: https://cnpd.public.lu/fr/dossiers-thematic / videosurveillance / necessity-proportionality.html.

9 See findings 8 and 18 of the minutes relating to the on-site control mission carried out on 12 December 2018 with Company A.


21. Furthermore, he considered that "permanent monitoring is considered disproportionate to the purpose sought and constitutes an excessive interference with the private sphere of employees occupied at their workstations. In this case, the fundamental rights and freedoms of employees must prevail over the interests pursued by the employer." With regard to monitoring a checkout area, it was considered that the "cameras must therefore be configured so that the employees behind the checkout counters are not targeted. The documentation submitted to the CNPD by letter of January 31, 2019 does not contain any evidence against this non-compliance, nor any explanation as to the possible need for such surveillance measures." Thus, the head of the investigation held that the non-compliance with Article 5.1.c) of the GDPR was established on the day of the on-site visit (statement of objections, Ad. A.4.).

22. In its response letter to the statement of objections of 7 October 2019, the inspected explained that the orientations of the two cameras have been changed so that parts of the public road are no longer filmed and that no workstation would any longer be subject to permanent surveillance, because all the contentious cameras have been redirected or disabled.


23. The Restricted Training would like to recall that cameras intended to monitor an access point (entrance and exit, threshold, porch, door, awning, hall, etc.) must have a field of vision limited to the area strictly necessary to visualize people preparing to access it. Those which film exterior accesses must not cover the entire width of a sidewalk running alongside, where applicable, the building or the adjacent public roads. Likewise, outdoor cameras installed near or around a building must be configured so as not to capture the public thoroughfare, nor the surroundings, entrances, accesses and interiors of other neighboring buildings possibly entering their field of vision. 10

10 See CNPD Guidelines (Point 4.1.), available at: https://cnpd.public.lu/fr/dossiers-thematic / videosurveillance / necessity-proportionality.html.

24. The Restricted Training nevertheless admits that, depending on the configuration of the premises, it is sometimes impossible to install a camera that does not include in its field of vision part of the public thoroughfare, surroundings, entrances, accesses and interiors of other buildings. In such a case, it considers that the controller should implement masking or blurring techniques in order to limit the field of vision to its property. 11


25. The Restricted Training noted that the letter of the controlled of October 7, 2019 contains photos showing that the fields of view of the two disputed cameras have been modified to no longer target the public highway.

26. In view of the foregoing, the Restricted Training agrees with the finding of the head of investigation 12 according to which the non-compliance with Article 5.1.c) of the GDPR with regard to the two aforementioned cameras was established on the day of the on-site visit by the agents of the CNPD.

27. In addition, the Restricted Training would like to recall that employees have the right not to be subjected to continuous and permanent surveillance in the workplace. To achieve the objectives pursued, it may appear necessary for a controller to install a video surveillance system in the workplace. On the other hand, in respecting the principle of proportionality, the controller must have recourse to the means of surveillance most protective of the employee's private sphere and, for example, limit the fields of view of the cameras to the only area necessary to achieve the purpose(s) pursued.

28. In its letter of response to the statement of objections of 7 October 2019, the inspected explained that no workstation would any longer be subject to permanent surveillance, because all six disputed cameras have been reoriented or disabled.

29. In view of the foregoing, the Restricted Training agrees with the finding of the head of investigation 13 according to which the non-compliance with Article 5.1.c) of the GDPR concerning the six aforementioned cameras was established on the day of the on-site visit by CNPD agents.

11 See CNPD Guidelines (Point 4.1.), available at: https://cnpd.public.lu/fr/dossiers-thematic / videosurveillance / necessity-proportionality.html.

12 Statement of objections, Ad. A.3.


13 Statement of objections, Ad. A.4.

B. On the breach related to the obligation to inform data subjects

1. On the principles

30. Pursuant to paragraph 1 of Article 12 of the GDPR, the "controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 as well as to make any communication under Articles 15 to 22 and Article 34 relating to the processing to the data subject in a concise, transparent, understandable and easily accessible manner, in clear and simple terms […]."

31. Article 13 of the GDPR provides the following:

"1. When personal data relating to a data subject are collected from this person, the controller provides, at the time the data in question is obtained, all of the following information:

a) the identity and contact details of the controller and, where applicable, of the representative of the controller;

b) where applicable, the contact details of the data protection officer;

c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;

d) where the processing is based on Article 6 (1) (f), the legitimate interests pursued by the controller or by a third party;

e) the recipients or the categories of recipients of the personal data, if they exist; and



f) where applicable, the fact that the controller intends to carry out a transfer of personal data to a third country or to an international organization, and the existence or absence of an adequacy decision issued by the Commission or, in the case of transfers referred to in Article 46 or 47, or in Article 49, paragraph 1, second subparagraph, the reference to the appropriate or suitable safeguards and the means of obtaining a copy of them or where they have been made available;

2. In addition to the information referred to in paragraph 1, the controller provides the data subject, at the time the personal data is obtained, with the following additional information which is necessary to guarantee fair and transparent processing:

a) the retention period of personal data or, when this is not possible, the criteria used to determine this duration;

b) the existence of the right to request from the controller access to personal data, rectification or erasure thereof, or a restriction of the processing relating to the data subject, or the right to object to the processing and the right to data portability;

c) where the processing is based on Article 6 (1) (a) or on Article 9, paragraph 2 (a), the existence of the right to withdraw consent at any time, without affecting the lawfulness of the processing based on consent carried out before its withdrawal;

d) the right to lodge a complaint with a supervisory authority;

e) information on whether the requirement to provide personal data has a regulatory or contractual character or if it conditions the conclusion of a contract and whether the data subject is obliged to provide the personal data, as well as the possible consequences of the non-provision of those data;

f) the existence of automated decision-making, including profiling, referred to in Article 22, paragraphs 1 and 4, and, at least in such cases, useful information concerning the underlying logic, as well as the significance and expected consequences of this processing for the data subject.

3. When he intends to carry out further processing of personal data for a purpose other than that for which the personal data have been collected, the controller provides the data subject with information about this other purpose and any other relevant information referred to in paragraph 2.

4. Paragraphs 1, 2 and 3 shall not apply when, and to the extent that, the data subject already has this information."



32. Communication to data subjects of information relating to the processing of their data is an essential element in the context of compliance with the general transparency obligations within the meaning of the GDPR. 14 The said obligations were clarified by the Article 29 Working Group in its guidelines on transparency within the meaning of Regulation (EU) 2016/679, the revised version of which was adopted on April 11, 2018 (hereafter: "WP 260 rev.01").

33. Note that the European Data Protection Board (hereafter: "EDPS"), which has replaced the Article 29 Working Party since 25 May 2018, took over and re-approved the documents adopted by said Group between May 25, 2016 and May 25, 2018, such as precisely the aforementioned guidelines on transparency. 15

14 See in particular Articles 5.1.a) and 12 of the GDPR, see also recital (39) of the GDPR.

15 See EDPS Endorsement 1/2018 decision of 25 May 2018, available at: https://edpb.europa.eu/sites/edpb/files/files/news/endorsement_of_wp29_documents_en_0.pdf.

2. In this case


      34. With regard to informing third parties about the system of
video surveillance, the head of the investigation noted that the pictogram composed of a

symbol of a video camera and bearing the words "Room under video surveillance"

did not contain the elements required by articles 13.1 and 2 of the GDPR (see communication
of grievances, page 2, Ad.A.1.). He also considered that the letter from the inspector of January 31

2019 did not contain any evidence against this non-compliance, so it

held against the inspected a non-compliance with the requirements of Article 13 of the GDPR

with regard to third parties.

      35. As regards the information of employees about the video surveillance system, the head of the investigation noted that the notice entitled "Information to workers - Protection of privacy", sent by the inspected by letter of January 31, 2019, did not contain sufficient evidence to counter a non-compliance with the requirements of Article 13 with regard to employees (see statement of objections, page 3, Ad.A.2).


      36. In the aforementioned letter of January 31, 2019, the inspected attached a note entitled "Information to workers - Protection of privacy", indicating that it would be placed on the internal network in order to be able to update it regularly.


      37. By letter of October 7, 2019, the inspected sent the head of investigation photos of a new safety data sheet posted inside and outside the building of the inspected.


      38. The Restricted Panel would first like to point out that Article 13 of the GDPR refers to the obligation imposed on the controller to "provide" all the information mentioned therein. The word "provide" is crucial here and it "means that the controller must take concrete measures to provide the information in question to the data subject or to actively direct the data subject to the location of said information (for example by means of a direct link, a QR code, etc.)." (WP260 rev. 01, paragraph 33).


      39. The Restricted Panel noted that during the on-site visit by the agents of the CNPD, third parties were informed of the presence of the video surveillance by a pictogram consisting of a video camera symbol and bearing the words "Room under video surveillance".


      40. With regard to employees, the Restricted Panel noted that during the on-site visit by CNPD agents, they were informed of the presence of the video surveillance system by the same pictogram composed of a symbol of a video camera and bearing the words "Room under video surveillance". Moreover, by letter of January 31, 2019, the inspected sent the head of the investigation a note entitled "Information to workers - Protection of privacy", indicating that it would be placed on the internal network in order to be able to update it regularly.


      41. The Restricted Panel considers in this context that a multi-level approach to communicating transparency information to data subjects can be used in an offline or non-digital context, i.e. in a real environment, as for example with personal data collected by means of a video surveillance system. The first level of information should generally include the most essential information, i.e. details of the purpose of processing, the identity of the controller and the existence of the rights of data subjects, as well as the information with the greatest impact on the processing or any processing likely to surprise the data subjects. 16 The second level of information, i.e. all the information required under Article 13 of the GDPR, could be provided or made available by other means, such as for example a copy of the privacy policy sent by e-mail to employees or a link on the website to an information notice for non-salaried third parties. 17


      42. The Restricted Panel however notes that the pictogram in place during the site visit did not even contain the elements required for the first level of information, whether for employees or non-salaried third parties. As regards the note entitled "Information to workers - Protection of privacy", the Restricted Panel considers that it did not contain all the elements required by Article 13.1 and 2 of the GDPR, especially since, at the time of the on-site visit by the CNPD agents, the employees were not yet in possession of the note.

16 See WP 260 rev.01 and EDPB Guidelines 3/2019 on the processing of personal data through video devices, version 2.0, adopted on January 29, 2020.
17 See WP260 rev. 01 (point 38).


      43. In view of the above, the Restricted Panel concludes that at the time of the site visit by CNPD agents, Article 13 of the GDPR was not respected by the inspected.


II. 2. On corrective measures and fines



1. The principles


      44. In accordance with article 12 of the law of 1 August 2018, the CNPD has the power to adopt all the corrective measures provided for in Article 58.2 of the GDPR:

"a) warn a controller or processor that intended processing operations are likely to violate the provisions of this Regulation;

b) call to order a controller or a processor when processing operations have resulted in a violation of the provisions of this Regulation;

c) order the controller or processor to comply with the requests presented by the data subject in order to exercise their rights under this Regulation;

d) order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where applicable, in a specific manner and within a specific timeframe;

e) order the controller to communicate to the data subject a personal data breach;

f) impose a temporary or permanent restriction, including a ban, of processing;

g) order the rectification or erasure of personal data or the restriction of processing in application of Articles 16, 17 and 18 and the notification of these measures to the recipients to whom the personal data have been disclosed in accordance with Article 17, paragraph 2, and Article 19;

h) withdraw a certification or order the certification body to withdraw a certification issued in application of Articles 42 and 43, or order the certification body not to issue certification if the requirements for certification are not or no longer satisfied;

i) impose an administrative fine in application of Article 83, in addition to or in place of the measures referred to in this paragraph, depending on the characteristics specific to each case;

j) order the suspension of data flows addressed to a recipient located in a third country or to an international organization."


      45. In accordance with article 48 of the law of 1 August 2018, the CNPD may impose administrative fines as provided for in Article 83 of the GDPR, except against the state or municipalities.



      46. Article 83 of the GDPR provides that each supervisory authority ensures that administrative fines imposed are, in each case, effective, proportionate and dissuasive, before specifying the elements that must be taken into account in deciding whether to impose an administrative fine and in deciding on the amount of this fine:

"a) the nature, gravity and duration of the breach, taking into account the nature, extent or purpose of the processing concerned, as well as the number of data subjects affected and the level of damage they suffered;

b) whether the violation was committed willfully or negligently;

c) any measure taken by the controller or processor to mitigate the damage suffered by the data subjects;

d) the degree of responsibility of the controller or processor, taking into account the technical and organizational measures they have implemented in accordance with Articles 25 and 32;

e) any relevant breach previously committed by the controller or the processor;

f) the degree of cooperation established with the supervisory authority in order to remedy the violation and mitigate any negative effects;

g) the categories of personal data affected by the breach;

h) the manner in which the supervisory authority became aware of the breach, in particular whether, and to what extent, the controller or processor has notified the breach;

i) where measures referred to in Article 58(2) have previously been ordered against the controller or the processor concerned with regard to the same subject matter, compliance with these measures;

j) the application of codes of conduct approved in accordance with Article 40 or certification mechanisms approved under Article 42; and

k) any other aggravating or mitigating circumstance applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, as a result of the violation".


      47. The Restricted Panel would like to point out that the facts taken into account in the framework of this decision are those noted at the start of the investigation. Any changes relating to the data processing under investigation that were made later, even if they make it possible to fully or partially establish compliance, do not retroactively cancel a breach found.

      48. Nevertheless, the steps taken by the inspected to bring itself into compliance with the GDPR during the investigation process, or to remedy the shortcomings identified by the head of investigation in the statement of objections, are taken into account by the Restricted Panel in the context of any corrective measures to be pronounced.


2. In this case



2.1. As for the imposition of an administrative fine


      49. In his letter of 3 August 2020 supplementing the statement of objections, the head of the investigation proposed to the Restricted Panel to impose an administrative fine on the inspected in the amount of 7,600 euros.


      50. In its response of August 27, 2020 to the said additional letter, the inspected referred to its response dated October 7, 2019, in which it listed the various measures taken to meet the requirements of the GDPR and the grievances set out by the head of investigation in mid-September 2019.



      51. In order to decide whether to impose an administrative fine and to decide, if applicable, the amount of this fine, the Restricted Panel takes into account the elements provided for in Article 83.2 of the GDPR:



     As to the nature and seriousness of the violation (article 83.2.a) of the GDPR), the Restricted Panel notes that, with regard to the breach of Article 5.1.c) of the GDPR, it constitutes a breach of the fundamental principles of the GDPR (and of data protection law in general), namely the principle of data minimization enshrined in Chapter II "Principles" of the GDPR.


     As for the failure to inform the data subjects in accordance with Article 13 of the GDPR, the Restricted Panel recalls that information and transparency relating to the processing of personal data are essential obligations incumbent on controllers so that people are fully aware of the use that will be made of their personal data, once it has been collected. A breach of Article 13 of the GDPR thus constitutes an infringement of the rights of the data subjects. This right to information has also been strengthened under the GDPR, which testifies to its particular importance.


  As for the duration criterion (article 83.2.a) of the GDPR), the Restricted Panel notes that these shortcomings have lasted over time, at least since May 25, 2018 and until the day of the on-site visit. The Restricted Panel recalls here that two years separated the entry into force of the GDPR from its entry into application, to allow controllers to comply with the obligations incumbent on them, even though the obligations to respect the principles of minimization and storage limitation, as well as a comparable information obligation, already existed in application of Articles 4.1. a) and b), 10.2 and 26 of the repealed law of 2 August 2002 on the protection of persons with regard to the processing of personal data.



  As for the number of data subjects (article 83.2.a) of the GDPR), the Restricted Panel notes that these are all employees working on the site of the inspected, as well as all third parties, i.e. customers, suppliers, service providers and visitors to said site.


  As to the question of whether the breaches were committed deliberately or not (by negligence) (article 83.2.b) of the GDPR), the Restricted Panel recalls that "not willfully" means that there was no intention to commit the violation, although the controller or processor has not complied with its duty of care under the law.

     In this case, the Restricted Panel is of the opinion that the facts and the breaches observed do not reflect a deliberate intention to violate the GDPR on the part of the inspected.



  As for the degree of cooperation established with the supervisory authority (Article 83.2.f) of the GDPR), the Restricted Panel takes into account the statement of the head of the investigation that the cooperation of the inspected throughout the investigation was good, as well as its desire to comply with the law as soon as possible.



      52. The Restricted Panel notes that the other criteria of Article 83.2 of the GDPR are neither relevant nor likely to influence its decision on the imposition of an administrative fine and its amount.


      53. The Restricted Panel also notes that although several measures have been put in place by the inspected in order to remedy in whole or in part certain shortcomings, these were only adopted following the inspection by CNPD agents on 6 March 2019 (see also point 47 of this decision).


      54. Therefore, the Restricted Panel considers that the imposition of an administrative fine is justified with regard to the criteria set out in Article 83.2 of the GDPR for breach of Articles 5.1.c) and 13 of the GDPR.


      55. Regarding the amount of the administrative fine, the Restricted Panel recalls that paragraph 3 of Article 83 of the GDPR provides that in the event of multiple violations, as is the case here, the total amount of the fine may not exceed the amount set for the most serious violation. Insofar as a breach of Articles 5 and 13 of the GDPR is held against the inspected, the maximum amount of the fine that can be retained amounts to 20 million euros or 4% of annual worldwide turnover, whichever is higher.


      56. In view of the relevant criteria of Article 83.2 of the GDPR mentioned above, the Restricted Panel considers that the pronouncement of a fine of 7,600 euros appears effective, proportionate and dissuasive, in accordance with the requirements of Article 83.1 of the GDPR.


2.2. Regarding the taking of corrective measures


      57. The adoption of the following corrective measures was proposed by the head of investigation to the Restricted Panel in his additional letter to the statement of objections:

      "a) Order the controller to complete the information measures intended for those affected by video surveillance, in accordance with the provisions of Article 13, paragraphs (1) and (2) of the GDPR, by indicating in particular the identity of the controller, the purposes of the processing and its legal basis, the categories of data processed, the legitimate interests pursued by the inspected, the recipients, the retention period of data as well as an indication of the rights of the person and how to exercise them;

      b) Order the controller to process only data that are relevant, adequate and limited to what is necessary for the purposes of protecting property and securing access and, in particular, to adapt the video device so as not to film employees at their workstation and on the public road, for example by removing or reorienting the cameras called C4 […], C13 […], C14 […], C15 […], C16 […], C7 […], C10 […] and C12 […];

      c) Order the controller to remove or have removed the cameras that are inoperative."


      58. In its reply letter of August 27, 2020 to the additional letter to the statement of objections, the inspected referred to its response dated October 7, 2019, in which it had listed, with supporting photographs, the various measures carried out on its own initiative in less than fifteen working days in order to meet the requirements of the GDPR and the grievances set out by the CNPD in mid-September 2019.


      59. As to the corrective measures proposed by the head of the investigation, and by reference to point 48 of this decision, the Restricted Panel takes into account the steps carried out by the inspected, following the visit of CNPD agents, in order to comply with the provisions of Articles 5.1.c) and 13 of the GDPR, as detailed in its letters of January 31, 2019, October 7, 2019 and August 27, 2020. More particularly, it takes note of the following facts:


     As for the implementation of information measures intended for people concerned by video surveillance, in accordance with the provisions of article 13.1 and 2 of the GDPR, the inspected has developed and displayed inside and outside its premises new pictograms and made available to employees on its intranet a note entitled "Information to employees - Protection of privacy". The letter of October 7, 2019 from the inspected contains a photo of the new pictogram, as well as a copy of the aforementioned note.


     Regarding the information of third parties, the Restricted Panel considers that the aforementioned pictogram does not contain all the information required by Article 13 of the GDPR, in particular the precise legal basis for the video surveillance, the existence of the right of rectification and erasure, as well as the right to object to processing.

     With regard to employee information, the Restricted Panel considers that the aforementioned pictogram, combined with the aforementioned information note, does not contain all the information required by Article 13 of the GDPR, in particular the recipients and the precise legal basis for the video surveillance.

     In consideration of the compliance measures taken by the inspected in this case and of point 48 of this decision, the Restricted Panel therefore considers that it is necessary to pronounce the corrective measure proposed by the head of investigation under a).


  As for the obligation to process only data that are relevant, adequate and limited to what is necessary with regard to the purposes of protecting property and securing access and, in particular, to adapt the video device so as not to film employees at their workstations and on public roads, the inspected explained in its reply letter of 7 October 2019 to the statement of objections that the orientations of two cameras (supporting documents submitted) were modified so that parts of the public road are no longer filmed, and that no workstation would any longer be subject to permanent surveillance, because all the disputed cameras have been redirected or deactivated (supporting documents submitted). In consideration of the compliance measures taken by the inspected in this case and of point 48 of this decision, the Restricted Panel therefore considers that there is no need to pronounce the corrective measure proposed by the head of investigation under b).



  Regarding the removal of cameras which are inoperative, the inspected affirmed in its letter of August 27, 2020 that no camera "out of working order" is installed within its premises. In consideration of the compliance measures taken by the inspected in this case and of point 48 of this decision, the Restricted Panel therefore considers that there is no need to pronounce the corrective measure proposed by the head of investigation under c).




In view of the foregoing developments, the National Commission sitting

in restricted formation and deliberating unanimously decides:


- to retain the breaches of articles 5.1.c) and 13 of the GDPR;



- to pronounce against Company A an administrative fine in the amount of
seven thousand six hundred euros (7,600 euros), with regard to breaches of

Articles 5.1.c) and 13 of the GDPR;



- to issue an injunction against Company A to bring the processing into compliance with the provisions of Article 13 of the GDPR, within two months following notification of the decision of the Restricted Panel, the supporting documents for compliance to be sent to the Restricted Panel, at the latest, within this period;


and in particular:

1. inform non-salaried third parties in a clear and complete manner, in accordance with the provisions of Article 13 of the GDPR, in particular by providing third parties with information on the precise legal basis for the video surveillance, the existence of the right to rectification and erasure, as well as the right to object to processing;

2. inform employees individually in a clear and complete manner, in accordance with the provisions of Article 13 of the GDPR, in particular by providing employees with information on the recipients and the precise legal basis for the video surveillance.

Thus decided in Belvaux on June 11, 2021.


For the National Commission for Data Protection sitting in restricted formation






Tine A. Larsen, President
Thierry Lallemang, Commissioner
Marc Lemmer, Commissioner




                           Indication of remedies


This administrative decision may be the subject of an appeal for reformation within three months following its notification. This appeal is to be brought before the administrative court and must be filed through a lawyer at the Court of one of the Bar Associations.



























