CNPD (Luxembourg) - Délibération n° 35FR/2021: Difference between revisions

From GDPRhub
Latest revision as of 10:59, 17 November 2021

CNPD (Luxembourg) - Délibération n° 35FR/2021
Authority: CNPD (Luxembourg)
Jurisdiction: Luxembourg
Relevant Law: Article 5(1)(c) GDPR
Article 13 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 06.11.2021
Published: 02.11.2021
Fine: 5300 EUR
Parties: n/a
National Case Number/Name: Délibération n° 35FR/2021
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: Délibération n° 35FR/2021 (in FR)
Initial Contributor: Matthias Smet

The Luxembourg DPA (CNPD) imposed a fine of €5300 on a company for using a video camera surveillance system on its premises and tracking devices in some of its employees' vehicles in breach of the information obligation set out in Article 13 GDPR and in breach of the principle of data minimisation set out in Article 5(1)(c) GDPR.

English Summary

Facts

The CNPD carried out an audit on the premises of a company (the Company) to verify whether the latter was complying with the GDPR, in particular with respect to the installation of video surveillance cameras in the building and of geolocation tracking devices in the vehicles of some of its employees.

Holding

During its audit, the CNPD found that the Company had failed to comply with several obligations relating to the principles of transparency and data minimization.

On the use of video surveillance cameras

Regarding the use of video surveillance cameras, first, the CNPD found that the Company had violated the principle of data minimisation as well as the obligation to properly inform data subjects about the processing.

Violation of the principle of data minimisation

According to the CNPD, the principle of data minimisation in the context of video surveillance implies that (i) the Company should only record what appears strictly necessary to achieve the purpose(s) of the processing, i.e. protecting the Company's assets and securing access to the building and (ii) that the processing operations must not be disproportionate.

In this case, however, the CNPD found that one of the cameras had been installed in such a way that its field of vision included the staff dining hall. Employees were thus potentially being monitored during their free time. The CNPD considered that installing cameras and filming the employees in places designed for private use is disproportionate. In particular, the CNPD pointed out that the fundamental rights and freedoms of the employees (including their right to privacy) prevailed over the legitimate interests of the employer in using video surveillance cameras for security purposes.

The CNPD further found that the outdoor camera's field of vision included part of the public street as well as an adjacent site (i.e. the parking lot and the entrance of a shop located in front of the Company's building). The CNPD admitted that, depending on the configuration of the premises, it is sometimes impossible to limit the field of vision of the camera to private premises only. Sometimes, a small portion of the street or of the surroundings is also recorded. In such a case, however, the CNPD considers that the data controller should implement masking or blurring techniques in order to limit the field of vision of the camera to its private property.

In view of the above, the CNPD concluded that the Company had been acting in breach of the principle of data minimization (Article 5(1)(c) GDPR).

Violation of the information obligations

Informing the data subjects about the processing of their personal data is an essential element of the principle of transparency. The CNPD noted during the on-site audit that the existence of the video camera surveillance system was not notified to visitors. Furthermore, the employees were not duly informed about all the points listed in Article 13 GDPR.

After the on-site audit, the Company adopted several measures in an attempt to remedy that breach, such as displaying stickers with a warning sign and an information sheet about video camera surveillance at the entrance to the building. The CNPD found, however, that these measures were not sufficient to fully comply with Article 13 GDPR. In this respect, the CNPD recommended adopting a "multi-layer communication approach": (i) the first layer of information (e.g. a warning sign accompanied by a short text) should generally convey the most important information, such as the existence of a processing, the purpose of the processing, the identity of the controller, etc., as well as the way to obtain further information; (ii) the second layer of information, which must include the rest of the elements listed in Article 13 GDPR, should be made easily accessible to the data subject, for example in the form of a comprehensive information sheet available at a central location (e.g. information desk, reception or cashier) or displayed on an easily accessible poster. As mentioned above, the first layer of information should clearly refer to the second layer of information.

Based on these elements, the CNPD found that the Company had violated Article 13 GDPR.

On the use of geolocation tracking devices

During the on-site audit, the CNPD found that the employees were not informed of the presence of the geolocation system in some of the Company's vehicles, except in some instances orally. The CNPD referred to the guidelines of the Article 29 Working Group on the transparency principle, and in particular to the fact that controllers should always keep a written record of the measures that they have adopted, so that they are able to prove compliance with the obligation set out in Article 13 GDPR. Because the Company was not in a position to prove that all its employees had been duly informed about the use of geolocation tracking devices, the CNPD found that the Company had violated Article 13 GDPR.

Considering the severity and extent of those violations, the CNPD imposed a fine of €5300 on the Company. The CNPD also issued an injunction against the Company to adopt corrective measures in order to bring its processing operations into compliance with the GDPR within a period of two months. In particular, the Company was ordered to: (i) modify the field of vision of the cameras, (ii) inform third parties in a clear and precise manner about the video surveillance system by providing them with all the information set out in Article 13 GDPR, (iii) inform employees individually in a clear and precise manner about the video surveillance system and tracking devices in their cars by providing them with the information set out in Article 13 GDPR.


English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Decision of the National Commission sitting in restricted formation on the outcome of investigation no. [...] conducted with Company A

Deliberation n° 35FR/2021 of October 6, 2021

The National Commission for Data Protection sitting in restricted formation, composed of Ms Tine A. Larsen, president, and Messrs Thierry Lallemang and Marc Lemmer, commissioners;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;

Having regard to the law of 1 August 2018 on the organization of the National Commission for Data Protection and the general data protection regime, in particular its article 41;

Having regard to the internal regulations of the National Commission for Data Protection adopted by decision n° 3AD/2020 dated 22 January 2020, in particular its article 10 point 2;

Having regard to the regulation of the National Commission for Data Protection relating to the investigation procedure adopted by decision n° 4AD/2020 dated 22 January 2020, in particular Article 9;

Considering the following:











I. Facts and procedure



1. During its deliberation session of January 16, 2019, the National Commission for Data Protection sitting in plenary session (hereinafter: "Plenary Formation") had decided to open an investigation with Group A on the basis of Article 37 of the law of 1 August 2018 on the organization of the National Commission for Data Protection and the general data protection regime (hereinafter: "law of August 1, 2018") and to appoint Mr. Christophe Buschmann as head of investigation.

2. According to the decision of the Plenary Formation, the investigation carried out by the National Commission for Data Protection (hereafter: "CNPD") had as its purpose to monitor the application of and compliance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: "GDPR") and of the law of August 1, 2018, in particular through the implementation of video surveillance and geolocation systems, where applicable, installed by the three companies of Group A.


3. On February 20, 2019, CNPD agents visited the premises of Group A. Given that the minutes relating to the said on-site fact-finding mission only mention, among the three companies of Group A, Company A as the controller of the processing inspected,[2] the decision of the National Commission for Data Protection sitting in restricted formation on the outcome of the investigation (hereafter: "Restricted Formation") will be limited to the processing operations inspected by the CNPD agents and carried out by Company A.

4. Company A is a public limited company registered in the Luxembourg Trade and Companies Register under number B […], with registered office at L- […] (hereinafter "the inspected party"). The inspected party [is active in the retail trade of furniture and lighting appliances in specialized stores.] […].

[1] And more specifically with companies B, registered in the Luxembourg Trade and Companies Register under number B […], with registered office at L- […]; 2. C, registered in the Luxembourg Trade and Companies Register under number B […], with registered office at L- […]; 3. and A, registered in the Luxembourg Trade and Companies Register under number B […], with registered office at L- […].

[2] See in particular report no. […] relating to the on-site fact-finding mission carried out on 20 February 2019 with Company A (hereafter: "report no. […]").


5. During the aforementioned visit of February 20, 2019 by CNPD agents to the premises of the inspected party, it was confirmed to the CNPD agents that the inspected party uses a CCTV system made up of seventy-five cameras, of which sixty-seven were in working order, and has installed a geolocation device in some of the vehicles used by its employees for their trips to customers.[3]

6. The inspected party responded to the report drawn up by the CNPD agents by letter of April 2, 2019.

7. At the end of his investigation, the head of investigation notified the inspected party on 6 September 2019 of a statement of objections detailing the shortcomings he considered constituted in this case, and more specifically:

- with regard to video surveillance: non-compliance with the requirements prescribed by Article 13 of the GDPR (right to information) with regard to the individuals concerned, i.e. employees and self-employed persons, i.e. customers, suppliers, service providers and visitors (hereinafter "the third parties") and non-compliance with the requirements of Article 5.1.c) of the GDPR (principle of data minimization);

- with regard to geolocation: non-compliance with the requirements prescribed by Article 13 of the GDPR (right to information) with regard to employees.

8. On 2 October 2019, the inspected party filed written observations on the statement of objections.

9. A letter supplementing the statement of objections was sent to the inspected party on August 17, 2020. In this letter, the head of the investigation proposed to the Restricted Formation to adopt two different corrective measures, as well as to impose on the inspected party an administrative fine in the amount of 5,300 euros.

[3] See findings 8.10 and 9.1 of report no. […].

10. By letter of September 21, 2020, the inspected party produced written observations on the additional letter to the statement of objections.


11. The president of the Restricted Formation informed the inspected party by letter of 5 January 2021 that its case would be registered for the Restricted Formation session on 11 February 2021. The inspected party confirmed its presence at the said meeting on January 14, 2021.

12. During the Restricted Formation session on February 11, 2021, the head of investigation and the inspected party, represented by Me Elisabeth Alex, lawyer at the Court, presented their oral submissions in support of their written submissions and responded to questions asked by the Restricted Formation. The president granted the inspected party the possibility of sending, until the end of the month, additional information on the information forms signed by employees. The inspected party had the floor last.


II. In law

II. 1. As to the grounds for the decision


II.1.1. As for the video surveillance system


A. On the breach linked to the principle of data minimization

    1. On the principles


13. In accordance with Article 5.1.c) of the GDPR, personal data must be "adequate, relevant and limited to what is necessary with regard to the purposes for which they are processed (data minimization)".

14. The principle of data minimization in video surveillance implies that only what appears strictly necessary to achieve the purpose(s) pursued should be filmed and that the processing operations must not be disproportionate.[4]

[4] See CNPD Guidelines (Point 4.), available at: https://cnpd.public.lu/fr/dossiers-thematic / videosurveillance / necessity-proportionality.html.

15. Article 5.1.b) of the GDPR provides that personal data must be "collected for specific, explicit and legitimate purposes, and not be further processed in a manner incompatible with these purposes; […] (purpose limitation)".


16. Before installing a video surveillance system, the controller must define, precisely, the purpose(s) it wishes to achieve in using such a system, and cannot then use the personal data collected for other purposes.[5]

17. The necessity and proportionality of video surveillance is analyzed on a case-by-case basis and, in particular, with regard to criteria such as the nature of the place to be placed under video surveillance, its situation, configuration or attendance.[6]


    2. In this case



18. During the on-site visit, it was explained to CNPD officers that the purposes of setting up the video surveillance system are the protection of the company's property and securing access.[7]

2.1 Regarding the field of view of the camera aimed at the staff dining hall

19. During the said visit, the CNPD agents noted that the field of vision of the camera called "[…]" includes, in the upper left corner, the staff refectory and allows employees to be monitored during their free time.[8]

20. The head of the investigation was of the opinion that even if the aforementioned purposes "may find one or more bases of lawfulness under article 6, the supervision of employees in a space reserved for eating, relaxing and resting (such as a staff dining hall) is, however, to be considered as disproportionate when the people present there will be permanently subject to video surveillance whereas they choose these places as meeting places to have a good time around a meal, to communicate, have fun or relax." (statement of objections, Ad. A.3.). For the head of the investigation, the assertion by the inspected party that the surveillance system would not have the purpose of monitoring employees is not of a nature to upset this finding, and he thus retained against the inspected party a non-conformity with the provisions of article 5.1.c) of the GDPR.

[5] See CNPD Guidelines, available at: https://cnpd.public.lu/fr/dossiers-thematic / videosurveillance / necessity-proportionality.html.

[6] See CNPD Guidelines (Point 4.), available at: https://cnpd.public.lu/fr/dossiers-thematic / videosurveillance / necessity-proportionality.html.

[7] See finding 8.9 of report no. […].

[8] See finding 8.13 of report no. […].

21. The inspected party for its part explained in its reply letter to the statement of objections of 2 October 2019 that the camera at issue was not intended to film the refectory, but its purpose was to film the access corridors or delivery platforms. Unfortunately, said camera would have captured in its field of vision the upper corner of the refectory window and the inspected party would thus have decided to remove this camera.


22. The Restricted Formation would like to point out that employees have the right not to be subject to continuous and permanent surveillance in the workplace. To achieve the purposes pursued, it may appear necessary for a controller to install a video surveillance system in the workplace. On the other hand, respecting the principle of proportionality, the controller must have recourse to the means of monitoring most protective of the employee's private sphere and, for example, limit the fields of view of the cameras to the only area necessary to achieve the purpose(s) pursued.


      23. When it comes to places reserved for employees in the workplace for private use, such as a dining hall where employees can meet around a meal, surveillance cameras are in principle considered disproportionate to the purposes sought. The same goes for places such as, for example, changing rooms, toilets, smoking areas, rest areas, the kitchenette or any other place reserved for employees for private use. In these cases, the fundamental rights and freedoms of employees must prevail over the legitimate interests pursued by the employer.





9 See the controlled party's letter of April 2, 2019.

      24. The Restricted Formation notes that the controlled party removed the disputed camera, which included the staff refectory in the upper left corner of its field of vision.


      25. It nonetheless agrees with the finding of the head of the investigation that the non-compliance with Article 5.1.c) of the GDPR was established on the day of the on-site visit by the CNPD agents.


2.2 Regarding the field of vision of cameras targeting public roads / neighboring land


      26. During the on-site visit of February 20, 2019, the CNPD agents noted that the field of view of the camera called "[…]" allows the surveillance of a part of the public road and of a neighboring property, in this case the parking lot and access to the store "[…]" located in front of the controlled party's building, while the fields of vision of the cameras called "[…]" and "[…]" allow part of the public road to be monitored. 10


      27. In its letter of April 2, 2019, the controlled party specified that as regards "cameras placed outside the store to view the outdoor car park, the entrance and the exit of the underground car park, emergency exits and doors, gates and entrances, it unfortunately seems inevitable that a small part of the road, respectively of the site […], is in the field of vision." It considered that, in view of the distance between the two enclosures or between the store and the public road, "the images that appear in the field of view are more than blurry. It is impossible to recognize or identify individuals, so that the invasion of privacy is more than minimal or even totally non-existent." The controlled party nevertheless specified that it would try to remedy this problem by seeking a solution that best respects the privacy of natural persons.


      28. In his statement of objections, however, the head of the investigation was of the opinion that an identification of the people who appear in the fields of vision of the affected cameras is not excluded. As the surveillance of the public road and neighboring land would be considered disproportionate and as, in view of the purposes pursued, it would not be necessary to encompass parts of the public road or neighboring land in the fields of vision of said cameras, he thus retained against the controlled party a non-compliance with the requirements of Article 5.1.c) of the GDPR.

10 See findings 8.14, 15 and 16 of report no. […].


      29. The Restricted Formation wishes to recall that cameras intended to monitor an access point (entrance and exit, threshold, porch, door, awning, hall, etc.) must have a field of vision limited to the area strictly necessary to visualize people preparing to access it. Those that film exterior accesses must not cover the entire width of a sidewalk running alongside, where applicable, the building or adjacent public roads. Likewise, outdoor cameras installed near or around a building must be configured so as not to capture the public road, nor the surroundings, entrances, accesses and interiors of other neighboring buildings that may fall within their field of vision. 11


      30. It admits, however, that depending on the layout of the premises, it is sometimes impossible to install a camera that does not include in its field of vision a part of the public road, surroundings, entrances, accesses and interiors of other buildings. In such a case, it considers that the controller should put in place masking or blurring techniques in order to limit the field of vision to its property. 12



      31. The Restricted Formation notes that the controlled party's letter of October 2, 2019 contains in appendix 5 photos showing that the fields of vision of the cameras called "[…]" and "[…]" have been modified, so as to no longer film the public road or neighboring land. With regard to the camera referred to by the CNPD agents as "[…]", the Restricted Formation notes that two cameras are however targeted, having different fields of vision and referred to as "[…]" and "[…]". However, no picture annexed to the aforementioned letter of the controlled party demonstrates the modification of the fields of vision of these two cameras allowing the surveillance of part of the public road.

11 See CNPD Guidelines (Point 4.1.), available at: https://cnpd.public.lu/fr/dossiers-thematic / videosurveillance / necessity-proportionality.html.
12 See CNPD Guidelines (Point 4.1.), available at: https://cnpd.public.lu/fr/dossiers-thematic / videosurveillance / necessity-proportionality.html.
13 See the photos […] and […] included in report 16 of report no. […].


      32. In view of the foregoing, the Restricted Formation agrees with the finding of the head of the investigation 14 according to which the non-compliance with Article 5.1.c) of the GDPR with regard to the aforementioned cameras was established on the day of the on-site visit by the CNPD agents.


14 Statement of objections, Ad. A.3.

B. On the breach related to the obligation to inform the persons concerned

1. On the principles

      33. Pursuant to paragraph 1 of Article 12 of the GDPR, the "controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 as well as to make any communication under Articles 15 to 22 and Article 34 with regard to the processing to the data subject in a concise, transparent, understandable and easily accessible manner, in clear and simple terms […]."

      34. Article 13 of the GDPR provides the following:

"1. When personal data relating to a data subject are collected from this person, the controller shall provide them, at the time when the data in question are obtained, with all of the following information:

a) the identity and contact details of the controller and, where applicable, of the representative of the controller;

b) where applicable, the contact details of the data protection officer;

c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;

d) where the processing is based on Article 6 (1) (f), the legitimate interests pursued by the controller or by a third party;



e) the recipients or the categories of recipients of the personal data, if they exist; and

f) where applicable, the fact that the controller intends to carry out a transfer of personal data to a third country or to an international organization, and the existence or absence of an adequacy decision issued by the Commission or, in the case of transfers referred to in Article 46 or 47, or in Article 49, paragraph 1, second subparagraph, the reference to the appropriate or suitable safeguards and the means of obtaining a copy of them or where they have been made available;

2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject, at the time when the personal data are obtained, with the following additional information which is necessary to guarantee fair and transparent processing:

a) the retention period of the personal data or, when this is not possible, the criteria used to determine this period;

b) the existence of the right to request from the controller access to personal data, rectification or erasure thereof, or a restriction of the processing relating to the data subject, or the right to object to the processing and the right to data portability;

c) where the processing is based on Article 6 (1) (a) or on Article 9, paragraph 2 (a), the existence of the right to withdraw consent at any time, without affecting the lawfulness of the processing based on consent carried out before its withdrawal;

d) the right to lodge a complaint with a supervisory authority;

e) information on whether the requirement to provide personal data is of a regulatory or contractual nature or whether it is a condition for the conclusion of a contract, and whether the data subject is obliged to provide the personal data, as well as the possible consequences of the non-provision of those data;

f) the existence of automated decision-making, including profiling, referred to in Article 22, paragraphs 1 and 4, and, at least in such cases, useful information concerning the underlying logic, as well as the significance and expected consequences of this processing for the data subject.

3. Where the controller intends to carry out further processing of the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject with information about this other purpose and any other relevant information referred to in paragraph 2.

4. Paragraphs 1, 2 and 3 do not apply where and to the extent that the data subject already has this information."


      35. The communication to data subjects of information relating to the processing of their data is an essential element in the context of compliance with the general transparency obligations within the meaning of the GDPR. 15 These obligations have been clarified by the Article 29 Working Party in its guidelines on transparency within the meaning of Regulation (EU) 2016/679, the revised version of which was adopted on April 11, 2018 (hereafter: "WP 260 rev.01").


      36. Note that the European Data Protection Board (hereafter: "EDPS"), which has replaced the Article 29 Working Party since 25 May 2018, took over and re-approved the documents adopted by the said Group between May 25, 2016 and May 25, 2018, such as, precisely, the aforementioned guidelines on transparency. 16

15 See in particular Articles 5.1.a) and 12 of the GDPR, see also recital (39) of the GDPR.


2. In this case



2.1. Information of third parties


      37. As regards the information of third parties, the CNPD agents observed during their on-site visit that the presence of the video surveillance system was not signaled to them. 17 In addition, the head of the investigation considered that the documentation submitted by the controlled party by letter of April 2, 2019 did not contain sufficient evidence to counter a non-compliance with the requirements of Article 13 of the GDPR and that, therefore, a non-compliance with the requirements of Article 13 of the GDPR with regard to third parties should be retained against the controlled party (statement of objections, Ad. A.1.).


      38. By letter of October 2, 2019, the controlled party specified that after the departure of the CNPD agents, signage pictograms in the form of stickers were affixed to all the access doors to the building to signal the presence of cameras to third parties. 18 In addition, to its letter of September 21, 2021, the controlled party annexed an information sheet which has meanwhile been posted at the entrance to the building.


      39. The Restricted Formation would first like to point out that Article 13 of the GDPR refers to the obligation imposed on the controller to "provide" all the information mentioned therein. The word "provide" is crucial here and it "means that the controller must take concrete measures to provide the information in question to the data subject or to actively direct the data subject to the location of said information (for example by means of a direct link, a QR code, etc.)." (WP260 rev. 01, paragraph 33).








16 See EDPS Endorsement 1/2018 decision of 25 May 2018, available at: https://edpb.europa.eu/sites/edpb/files/files/news/endorsement_of_wp29_documents_en_0.pdf.
17 See finding 8.2 of report no. […].
18 Annex 1 of the controlled party's letter of October 2, 2019 contains photos of said pictograms.

      40. The Restricted Formation notes that at the time of the on-site visit by the CNPD agents, third parties were not informed of the presence of the video surveillance.


      41. It also considers that a multi-level approach to communicating transparency information to data subjects can be used in an offline or non-digital context, that is to say in a real environment, such as, for example, personal data collected by means of a video surveillance system. The first level of information should generally include the most essential information, namely the details of the purpose of the processing, the identity of the controller and the existence of the rights of the data subjects, as well as the information having the greatest impact on the processing or any processing likely to surprise data subjects. The second level of information, that is to say all the information required under Article 13 of the GDPR, could be provided or made available by other means, such as a copy of the privacy policy sent by e-mail to employees or a link on the website to an information notice for third parties. 19 It is important to note that first-level information (sign, information note, etc.) should clearly refer to the more detailed second-level information, which includes all the mandatory information required under Article 13 of the GDPR. 20


      42. However, it notes that in this case, the signage pictogram and the information note intended for the public, put in place after the on-site visit by the CNPD agents, did not contain all of the elements required by Articles 13.1 and 2 of the GDPR.


      43. In view of the above, the Restricted Formation agrees with the opinion of the head of the investigation and concludes that at the time of the on-site visit by the CNPD agents, Article 13 of the GDPR was not complied with by the controlled party in terms of video surveillance as far as third parties are concerned.




19 WP 260 rev.01, points 35 to 38.
20 EDPS Guidelines 3/2019 on the processing of personal data by means of video, version 2.0, adopted on 29 January 2020 (hereafter: "Guidelines 3/2019"), points 114 and 117.

2.2. Employee information


      44. As regards the information of employees about the video surveillance system, the head of the investigation found that simply informing the staff delegation does not ensure that the company's employees were informed about the specific elements of Article 13.1 and 2 of the GDPR, and that the mere visibility of the surveillance cameras does not ensure that the company's employees were duly informed about all the precise points mentioned in said Article 13. 21 He therefore considered that a non-compliance with the provisions of Article 13 of the GDPR as far as employees are concerned should be retained against the controlled party (statement of objections, Ad. A.1.).


      45. By letter of October 2, 2019, the controlled party specified that all employees have signed an "information sheet relating to the collection of personal data" which would provide information, among other things, on "the identity of the controller of their data, the purpose of data collection, information on the existence of surveillance cameras and the geolocation system and their rights guaranteed by the GDPR." A blank copy of the said sheet was attached to the aforementioned letter. The controlled party indicated therein that employees are also informed of the presence of cameras by the stickers displayed on the entrance doors, as well as by an information notice hung on the information board inside the building intended for communication with the staff. 22


      46. The Restricted Formation would first like to point out that Article 13 of the GDPR refers to the obligation imposed on the controller to "provide" all the information mentioned therein. The word "provide" is crucial here and it "means that the controller must take concrete measures to provide the information in question to the data subject or to actively direct the data subject to the location of said information (for example by means of a direct link, a QR code, etc.)." (WP260 rev. 01, paragraph 33).


      47. Regarding the tiered approach to communicating transparency information to data subjects that can be used in a real environment, such as, for example, personal data collected by means of a video surveillance system, it refers to point 41 of this decision.

21 See the controlled party's letter of April 2, 2019.
22 See appendix 3 of the controlled party's letter of October 2, 2019.


      48. The Restricted Formation then considers that the fact that the application for authorization for video surveillance, compulsory under the repealed law of 2 August 2002 on the protection of individuals with regard to the processing of personal data, was countersigned by the staff delegation, as mentioned by the controlled party in its letter of April 2, 2019, does not ensure that the company's employees were validly informed in accordance with Articles 13.1 and 2 of the GDPR, unless the controlled party could have shown otherwise, which is not the case here. In addition, it agrees with the observation of the head of the investigation that the mere visibility of surveillance cameras does not ensure that the company's employees were duly informed of all the specific points mentioned in Article 13.

      49. It further notes that Annex 3 of the controlled party's letter of October 2, 2019 contains a note dated June 7, 2018 that would have been posted on the notice board inside the controlled party's building. However, it does not have any documentation demonstrating that the said note was actually posted prior to the on-site check by the CNPD agents, nor any documentation that it was posted afterwards. The said note could at most be qualified as collective information, but not as individual information. In addition, it did not contain the elements required by Article 13.1 and 2 of the GDPR.

      50. Furthermore, following a question asked during the Restricted Formation session of February 11, 2021, the controlled party specified by email of February 24, 2021 that the "information sheet relating to the collection of personal data", attached to the controlled party's letter of October 2, 2019 and which would have been signed by all employees, did not yet contain a clause relating to video surveillance before the on-site check by the CNPD agents. This clause was added after the check by the CNPD agents in February 2019.


      51. The Restricted Formation thus notes that at the time of the on-site visit by the CNPD, employees were not informed of the presence of the video surveillance in accordance with legal requirements.

      52. It further notes that the pictogram and the clause relating to video surveillance, integrated into the "information sheet relating to the collection of personal data", did not contain the information required within the meaning of Article 13 of the GDPR.


      53. In view of the foregoing, the Restricted Formation concludes that at the time of the on-site visit by the CNPD agents, Article 13 of the GDPR was not complied with by the controlled party in terms of video surveillance with regard to employees.


II.1.2. As for the geolocation system


On the breach related to the obligation to inform the persons concerned



1. On the principles


      54. With regard to the requirements to be met concerning the obligation to inform data subjects in accordance with Article 13 of the GDPR, the Restricted Formation refers to points 33 to 36 of this decision.


2. In this case


      55. As regards the information of employees about the geolocation system, the head of the investigation considered that the statement of the controlled party contained in its letter of April 2, 2019 that the employees had been informed orally, without however presenting evidence in support of this claim, is not such as to undermine the finding that the non-compliance with Article 13 of the GDPR was established on the day of the on-site visit. Moreover, he considered that in "its letter of April 2, 2019, the company explains that employees are informed about the geolocation system through an informative note hanging in the dispatching room. However, that informative note was not attached to the letter of April 2, 2019. The company has therefore not provided any evidence as to the existence or the content of this informative note." Therefore, the head of the investigation considered that the non-compliance with Article 13 of the GDPR was established on the day of the on-site visit as far as employees are concerned regarding the geolocation system (statement of objections, Ad. A.6).



      56. The Restricted Formation would first like to point out that Article 13 of the GDPR refers to the obligation imposed on the controller to "provide" all the information mentioned therein. The word "provide" is crucial here and it "means that the controller must take concrete measures to provide the information in question to the data subject or to actively direct the data subject to the location of said information (for example by means of a direct link, a QR code, etc.)." (WP260 rev. 01, paragraph 33).

      57. Regarding the tiered approach to communicating transparency information to data subjects that can be used in a real environment, such as, for example, personal data collected by means of a geolocation system, it refers to point 41 of this decision.

      58. In addition, the Restricted Formation would like to point out that Article 12 of the GDPR does not exclude de facto that the information provided for in Articles 13 and 14 of the GDPR may be provided orally by the controller to the data subject. However, the Article 29 Working Party insists that in this case, the controller should ensure "to keep a written record, and ensure that it is able to prove it (for the purposes of compliance with the accountability requirement), of: i) the request for oral information, ii) the method by which the identity of the data subject has been verified (if applicable, see point 20 above), and iii) the fact that the information has been transmitted to the data subject." 23


      59. However, it notes that no documentation submitted by the controlled party contained proof that the employees had been validly informed orally, before the on-site visit, in accordance with Article 13 of the GDPR.


      60. Furthermore, the fact that the geolocation authorization request, compulsory under the repealed law of 2 August 2002 relating to the protection of persons with regard to the processing of personal data, had been countersigned by the staff delegation, as mentioned by the controlled party in its letter of April 2, 2019, does not ensure that the company's employees were validly informed in accordance with Articles 13.1 and 2 of the GDPR, unless the controlled party could have demonstrated the contrary, which is not the case here. Moreover, in its letter of 2 April 2019, the controlled party states that "employees know that their vehicle is equipped with a geolocation device because they are called regularly during the day by my principal who asks them to modify their delivery schedule due to emergency repairs to be included in their schedule. The vehicle responsible for the emergency repair is selected based on its proximity to the location where the repair must be carried out. The drivers are aware of this." However, these explanations do not demonstrate that the company's employees were duly informed of all the precise points set out in said Article 13.

23 WP 260 rev.01, point 21.


      61. Annex 6 to the controlled party's letter of 2 October 2019 also contains a photo showing that a poster stating "As a reminder, this vehicle is equipped with a geolocation system" has since been stuck on the dashboards of vehicles equipped with such a system. The controlled party specified that all employees would have signed an "information sheet relating to the collection of personal data" which would provide information, among other things, on "the identity of the data controller, the purpose of data collection, information on the existence of surveillance cameras and the geolocation system and their rights guaranteed by the GDPR." A blank copy of said note was attached to the aforementioned letter.


      62. Nevertheless, following a question asked during the Restricted Formation session of February 11, 2021, the controlled party specified by email of February 24, 2021 that said "information sheet relating to the collection of personal data" did not yet contain a clause relating to geolocation before the on-site check by the CNPD agents. This clause was added after the check by the CNPD agents in February 2019.


      63. In its letters of April 2, 2019 and October 2, 2019, the controlled party further specified that employees are also informed about the geolocation system through an informative note hung on the notice board for their information. The said note, dated February 29, 2016, was attached to the letter of October 2, 2019 (annex 7). However, the Restricted Formation does not have any documentation demonstrating that the said note was actually posted prior to the on-site check by the CNPD agents, nor any documentation showing that this was the case after the said check. The controlled party even mentioned in this context in its letter of April 2, 2019 that for "some unknown reason, this poster was taken down at some point and was not hung up again afterwards." The said note could at most be qualified as collective information, but not as individual information. In addition, it did not contain the elements required by Articles 13.1 and 2 of the GDPR.


      64. The Restricted Formation thus notes that at the time of the on-site visit by the CNPD, employees were not informed of the presence of the geolocation system in accordance with legal requirements.


      65. It also notes that the poster mentioning "As a reminder, this vehicle is equipped with a geolocation system", stuck on the dashboards of vehicles equipped with a geolocation system, and the clause relating to geolocation integrated in the "information sheet relating to the collection of personal data" did not contain the information required within the meaning of Article 13 of the GDPR.


      66. In view of the foregoing, the Restricted Formation concludes that at the time of the on-site visit by the CNPD agents, Article 13 of the GDPR was not complied with by the controlled party in terms of geolocation with regard to employees.


II. 2. On the fine and corrective measures



1. The principles

      67. In accordance with Article 12 of the law of August 1, 2018, the CNPD has the power to adopt all the corrective measures provided for in Article 58.2 of the GDPR:

"a) notify a controller or processor that the envisaged processing operations are likely to violate the provisions of this Regulation;

b) call to order a controller or a processor when the processing operations have resulted in a violation of the provisions of this Regulation;

c) order the controller or processor to comply with the requests presented by the data subject in order to exercise their rights under this Regulation;

d) order the controller or processor to bring the processing operations into compliance with the provisions of this Regulation, where applicable, in a specific way and within a specific timeframe;

e) order the controller to communicate to the data subject a personal data breach;

f) impose a temporary or permanent restriction, including a ban, of processing;

g) order the rectification or erasure of personal data or the restriction of processing in application of Articles 16, 17 and 18 and the notification of these measures to the recipients to whom the personal data have been disclosed in accordance with Article 17, paragraph 2, and Article 19;

h) withdraw a certification or order the certification body to withdraw a certification issued in application of Articles 42 and 43, or order the certification body not to issue a certification if the requirements for certification are not or no longer satisfied;

i) impose an administrative fine in application of Article 83, in addition to or in place of the measures referred to in this paragraph, depending on the specific characteristics of each case;

j) order the suspension of data flows addressed to a recipient located in a third country or to an international organization."

68. In accordance with Article 48 of the law of August 1, 2018, the CNPD may impose administrative fines as provided for in Article 83 of the GDPR, except against the State or municipalities.


69. Article 83 of the GDPR provides that each supervisory authority ensures that the administrative fines imposed are, in each case, effective, proportionate and dissuasive, before specifying the elements that must be taken into account in deciding whether it is necessary to impose an administrative fine and in deciding on the amount of this fine:

"a) the nature, gravity and duration of the breach, taking into account the nature, extent or purpose of the processing concerned, as well as the number of data subjects affected and the level of damage they suffered;

b) whether the violation was committed willfully or negligently;

c) any measures taken by the controller or processor to mitigate the damage suffered by the data subjects;

d) the degree of responsibility of the controller or processor, taking into account the technical and organizational measures they have implemented in accordance with Articles 25 and 32;

e) any relevant breach previously committed by the controller or the processor;

f) the degree of cooperation established with the supervisory authority in order to remedy the violation and mitigate any negative effects;

g) the categories of personal data affected by the breach;

h) the manner in which the supervisory authority became aware of the breach, in particular whether, and to what extent, the controller or processor has notified the breach;

i) where measures referred to in Article 58 (2) have previously been ordered against the controller or the processor concerned for the same object, compliance with these measures;

j) the application of codes of conduct approved in accordance with Article 40 or certification mechanisms approved under Article 42; and

k) any other aggravating or mitigating circumstance applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, as a result of the violation".


70. The Restricted Panel would like to point out that the facts taken into account in the context of this decision are those noted at the start of the investigation. Any later changes relating to the data processing under investigation, even if they make it possible to fully or partially establish compliance, do not retroactively cancel a breach found.


71. Nevertheless, the steps taken by the inspected party to comply with the GDPR during the investigation process, or to remedy the shortcomings identified by the head of investigation in the statement of objections, are taken into account by the Restricted Panel in the context of any corrective measures and/or in fixing the amount of any administrative fine to be pronounced.


2. In this case


2.1. As for the imposition of an administrative fine


72. In his additional letter to the statement of objections of 17 August 2020, the head of investigation proposed to the Restricted Panel to impose an administrative fine on the inspected party in the amount of 5,300 euros.


73. In its response of September 21, 2020 to the said additional letter, the inspected party asked, in view of the letters previously sent with the supporting documents and in view of its proactive attitude, that the sanction proposed by the head of investigation be reconsidered.


74. In order to decide whether to impose an administrative fine and to decide, if applicable, on the amount of this fine, the Restricted Panel takes into account the elements provided for in Article 83.2 of the GDPR:

- As to the nature and seriousness of the violation (Article 83.2.a) of the GDPR), the Restricted Panel notes that the breach of Article 5.1.c) of the GDPR constitutes a breach of the fundamental principles of the GDPR (and of data protection law in general), namely the principle of data minimization enshrined in Chapter II "Principles" of the GDPR.

  As for the breach of the obligation to inform the data subjects in accordance with Article 13 of the GDPR, the Restricted Panel recalls that information and transparency relating to the processing of personal data are essential obligations incumbent on controllers, so that people are fully aware of the use that will be made of their personal data once it has been collected. A breach of Article 13 of the GDPR thus constitutes an infringement of the rights of the data subjects. This right to information has moreover been strengthened under the GDPR, which testifies to its particular importance.

  It should be noted that at the time of the site visit by CNPD officers, no signage pictogram, poster or information notice could be communicated to CNPD officers with regard to informing employees and third parties about the video surveillance system, on the one hand, and informing employees about the geolocation system, on the other hand.

- As for the duration criterion (Article 83.2.a) of the GDPR), the Restricted Panel notes that these shortcomings have lasted over time, at least since May 25, 2018 and until the day of the on-site visit. The Restricted Panel recalls here that two years separated the entry into force of the GDPR from its entry into application, to allow controllers to comply with the obligations incumbent on them, even though an obligation to respect the principle of data minimization, as well as a comparable information obligation, already existed under Articles 4.1.b), 10.2 and 26 of the repealed law of 2 August 2002 on the protection of individuals with regard to the processing of personal data. Guidance on the principles and obligations provided for in the said law was available from the CNPD, in particular through the mandatory prior authorizations for video surveillance and geolocation.


- As for the number of data subjects (Article 83.2.a) of the GDPR), the Restricted Panel notes that for video surveillance, this concerns all employees working on the inspected site, as well as all third parties, i.e. customers, suppliers, service providers and visitors, visiting the said site.

  Regarding the geolocation system, these are the employees of the company who use the vehicles for their trips to customers.

- As to the question of whether the breaches were deliberately committed or not (by negligence) (Article 83.2.b) of the GDPR), the Restricted Panel recalls that "not willfully" means that there was no intention to commit the violation, although the controller or processor has not complied with its duty of care under the law.

  In this case, the Restricted Panel is of the opinion that the facts and the breaches observed do not reflect a deliberate intention to violate the GDPR on the part of the inspected party.

- As for the degree of cooperation established with the supervisory authority (Article 83.2.f) of the GDPR), the Restricted Panel takes into account the statement of the head of investigation that the cooperation of the inspected party throughout the investigation was good, as well as its willingness to comply with the law as soon as possible.


75. The Restricted Panel notes that the other criteria of Article 83.2 of the GDPR are neither relevant nor likely to influence its decision on the imposition of an administrative fine and its amount.


76. The Restricted Panel also notes that although several measures have been put in place by the inspected party in order to remedy certain shortcomings in whole or in part, these were only adopted following the inspection by CNPD agents on 20 February 2019 (see also point 70 of this decision).





77. Therefore, the Restricted Panel considers that the imposition of an administrative fine is justified with regard to the criteria set out in Article 83.2 of the GDPR for breach of Articles 5.1.c) and 13 of the GDPR.


78. Regarding the amount of the administrative fine, the Restricted Panel recalls that paragraph 3 of Article 83 of the GDPR provides that in the event of multiple violations, as is the case here, the total amount of the fine may not exceed the amount set for the most serious violation. Insofar as the inspected party is charged with a breach of Articles 5 and 13 of the GDPR, the maximum amount of the fine that can be imposed is 20 million euros or 4% of worldwide annual turnover, whichever is higher.


79. In view of the relevant criteria of Article 83.2 of the GDPR mentioned above, the Restricted Panel considers that the imposition of a fine of five thousand three hundred euros (5,300 euros) appears to be effective, proportionate and dissuasive, in accordance with the requirements of Article 83.1 of the GDPR.


2.2. Regarding the taking of corrective measures


80. The adoption of the following corrective measures was proposed by the head of investigation to the Restricted Panel in his additional letter to the statement of objections:

"a) Order the controller to complete the information measures intended for persons concerned by video surveillance and geolocation, in accordance with the provisions of Article 13, paragraphs (1) and (2) of the GDPR, by indicating in particular the identity of the controller, where applicable the contact details of the data protection officer, the purposes of the processing and its legal basis, the categories of data processed, the legitimate interests pursued by the inspected party, the recipients, the retention period of the data, as well as the rights of the data subject and how to exercise them, and the right to lodge a complaint with a supervisory authority;

b) Order the controller to process only data that is relevant, adequate and limited to what is necessary for the purposes of protecting property and securing access and, in particular, to adapt the video device so as not to film the staff dining hall and the public thoroughfare, for example by removing or reorienting the camera called "[…]" and the cameras referred to as […]".


81. As to the corrective measures proposed by the head of investigation, and by reference to point 71 of this decision, the Restricted Panel takes into account the steps taken by the inspected party, following the visit of CNPD agents, in order to comply with the provisions of Articles 5.1.c) and 13 of the GDPR, as detailed in its letters of April 2, 2019, October 2, 2019 and September 21, 2020, as well as in its email of February 24, 2021. In particular, it takes note of the following facts:

1. As for the implementation of information measures intended for third parties concerned by video surveillance, in accordance with the provisions of Article 13.1 and 2 of the GDPR, the inspected party annexed to its letter of October 2, 2019 pictograms of a camera that have been affixed to the access doors to the building. In addition, an information sheet intended for the public is attached to its letter of September 21, 2021, as well as a photo showing that the said sheet has been affixed to the front door of the building.

   The Restricted Panel notes that the pictograms, combined with the information sheet intended for the public, do not contain all the information required by Article 13 of the GDPR.

   Thus, the basis of lawfulness (Article 13.1.c) of the GDPR), the right to request restriction of processing and the right to object to processing (Article 13.2.b) of the GDPR) and the right to lodge a complaint with the CNPD (Article 13.2.d) of the GDPR) are not mentioned.

   In addition, it is noted that the information provided by the inspected party meets neither the requirements of the first level of information nor those of the second level of information (see point 41).

2. As for the implementation of information measures intended for employees concerned by video surveillance, in accordance with the provisions of Article 13.1 and 2 of the GDPR, the inspected party annexed to its letter of October 2, 2019 an internal note dated June 7, 2018. Nevertheless, the Restricted Panel does not have any documentation demonstrating that the said note was actually posted prior to the on-site inspection by CNPD agents, nor any documentation that it was posted afterwards.

   In addition, by letter of October 2, 2019, the inspected party affirmed that the employees had been informed of the presence of the cameras by the stickers displayed on the entrance doors, and Annex 2 of the said letter contained an "information sheet relating to the collection of personal data". By email of 24 February 2021, the inspected party nevertheless specified that the clause relating to video surveillance was only added after the visit of CNPD agents in February 2019.

   The Restricted Panel first notes that the inspected party has its employees date and sign the aforementioned sheet and that they must tick a box found at the bottom of the page indicating the following: "I fully understood this information notice and I give my express consent that […] the Company A collects about me the personal data detailed in point 4 of this information notice." It should be noted in this context that the signature of an information sheet by the employee can at most be considered as an acknowledgment of receipt allowing the employer to document that he has provided the information under Article 13 of the GDPR, but can in no case constitute valid consent of the employee to the processing of data by his employer. 24 Indeed, an employee, in view of the imbalance of power existing in the context of labor relations, cannot freely respond to a request for consent from his employer "without fearing or incurring negative consequences following this refusal." 25 Consent as the basis of lawfulness of data processing (Article 6.1.a) of the GDPR) is therefore inoperative in this case due to the nature of the employer / employee relationship.






24 See the definition of consent provided for in Article 4.10) of the GDPR, as well as the conditions applicable to consent provided for in Article 7 of the GDPR.

25 Guidelines 5/2020 on consent within the meaning of Regulation (EU) 2016/679, Version 1.1, adopted May 4, 2020, item 21, see also Opinion 15/2011 on the definition of consent (WP 187), adopted on 13 Jul

   It then notes that the pictograms, combined with the "information sheet relating to the collection of personal data", do not contain all the information required by Article 13 of the GDPR.

   Thus, the basis of lawfulness (Article 13.1.c) of the GDPR), the right to request restriction of processing and the right to object to processing (Article 13.2.b) of the GDPR) and the right to lodge a complaint with the CNPD (Article 13.2.d) of the GDPR) are not mentioned. The aforementioned internal note dated June 7, 2018 does not contain any additional information.

   In addition, it is noted that the information provided by the inspected party meets neither the requirements of the first level of information nor those of the second level of information (see point 41).


3. As for the implementation of information measures intended for employees concerned by geolocation, in accordance with the provisions of Article 13.1 and 2 of the GDPR, the inspected party annexed to its letter of October 2, 2019 an internal note dated February 29, 2016. However, the Restricted Panel does not have any documentation demonstrating that the said note was actually posted prior to the on-site inspection by CNPD agents, nor any documentation that it was posted afterwards. In addition, Annex 6 of the letter of October 2, 2019 from the inspected party contains a photo showing that a poster stating "As a reminder, this vehicle is equipped with a geolocation system" has since been stuck on the dashboards of vehicles equipped with such a system. Annex 2 of this same letter of October 2, 2019 also contains an "information sheet relating to the collection of personal data". By email of February 24, 2021, the inspected party nevertheless specified that the clause relating to geolocation was only added after the visit of CNPD agents in February 2019.

   Regarding the box to be ticked by employees at the bottom of the aforementioned sheet, the Restricted Panel would like to reiterate that in view of the dependence resulting from the employer / employee relationship, the consent of the employees cannot be considered as meeting the requirements of Articles 4.11 and 7 of the GDPR.
   It then notes that the stickers, combined with the "information sheet relating to the collection of personal data", do not contain all the information required by Article 13 of the GDPR.

   Thus, the basis of lawfulness (Article 13.1.c) of the GDPR), the recipients or the categories of recipients of personal data collected by the geolocation system (Article 13.1.e) of the GDPR), the retention period of personal data collected by the geolocation system (Article 13.2.a) of the GDPR), the right to request restriction of processing and the right to object to processing (Article 13.2.b) of the GDPR), as well as the right to lodge a complaint with the CNPD (Article 13.2.d) of the GDPR) are not mentioned. The aforementioned internal note dated February 29, 2016 does not contain any additional information.

   In addition, it is noted that the information provided by the inspected party meets neither the requirements of the first level of information nor those of the second level of information (see point 41).


   In conclusion, in consideration of the insufficient compliance measures taken by the inspected party in this case and of point 71 of this decision, the Restricted Panel therefore considers that it is appropriate to pronounce the corrective measure proposed by the head of investigation in this regard in point 79 (a), as regards informing employees and third parties about the video surveillance system, on the one hand, and informing employees about the geolocation system, on the other hand.


4. As for the obligation to process only data that is relevant, adequate and limited to what is necessary with regard to the purposes of protecting property and securing access and, in particular, to adapt the video device so as not to film the staff dining hall and the public thoroughfare, the Restricted Panel notes that the inspected party removed the disputed camera whose field of vision included, in the upper left corner, the staff dining hall, on the one hand, and that the fields of view of the cameras called "[…]" have been modified so as not to film the public road or neighboring land. However, no document (for example an image capture reproducing the field of vision) demonstrates the modification of the field of view of the cameras named […] allowing the surveillance of part of the public highway.

   In view of the insufficient compliance measures taken by the inspected party in this case and of point 71 of this decision, the Restricted Panel therefore considers that it is appropriate to pronounce the corrective measure proposed by the head of investigation in this regard in point 79 (b) with regard to the cameras referred to as […].



In view of the foregoing developments, the National Commission sitting in restricted formation and deliberating unanimously decides:



- to retain the breaches of Articles 5.1.c) and 13 of the GDPR;

- to pronounce against Company A an administrative fine in the amount of five thousand three hundred euros (5,300 euros) with regard to the breaches of Articles 5.1.c) and 13 of the GDPR;

- to issue an injunction against Company A to bring the processing into compliance with the obligations resulting from Articles 5.1.c) and 13 of the GDPR, within a period of two months following the notification of the decision of the Restricted Panel, and in particular:

  - with regard to the breach of the principle of minimization of personal data (Art. 5.1.c) of the GDPR):

    - modify the field of vision of the cameras referred to as […];







26 See letter from the inspected party of October 2, 2019 and its annex 5.
  - with regard to the failure to inform the data subjects of the processing of their personal data (Article 13 of the GDPR):

    - inform non-salaried third parties in a clear and precise manner about the video surveillance system by providing them with information relating to the basis of lawfulness, the right to request restriction of processing and the right to object to processing, as well as the right to lodge a complaint with the CNPD;

    - inform employees individually in a clear and precise manner about the video surveillance system by providing them with information relating to the basis of lawfulness, the right to request restriction of processing and the right to object to processing, as well as the right to lodge a complaint with the CNPD;

    - inform employees individually in a clear and precise manner about the geolocation system by providing them with information relating to the basis of lawfulness, the recipients or the categories of recipients of personal data collected by the geolocation system, the retention period of personal data collected by the geolocation system, the right to request restriction of processing and the right to object to processing, as well as the right to lodge a complaint with the CNPD.



So decided in Belvaux on October 6, 2021.

For the National Commission for Data Protection sitting in restricted formation

Tine A. Larsen, President
Thierry Lallemang, Commissioner
Marc Lemmer, Commissioner



Indication of remedies

This administrative decision may be the subject of an appeal for reformation within three months following its notification. This appeal is to be brought before the administrative court and must be lodged through a lawyer at the Court of one of the Bar Associations.


















































