CNPD (Luxembourg) - Délibération n° 47FR/2021: Difference between revisions

From GDPRhub
Line 50: Line 50:
}}
}}


The Luxembourg DPA fined a transport company €6800 for failing to comply with the principle of data minimisation by not limiting the field of vision of its video surveillance systems as well as inadequately informing both its employees and third parties of their existence.
The Luxembourg DPA (CNPD) fined a transport company €6800 for failing to comply with the principle of data minimisation by not limiting the field of vision of its video surveillance systems as well as inadequately informing both its employees and third parties of their existence.


== English Summary ==
== English Summary ==
Line 56: Line 56:
=== Facts ===
=== Facts ===
The processor is a transport company that installed video surveillance systems at its office.
The processor is a transport company that installed video surveillance systems at its office.
In February 2019, the Luxembourg DPA (CNPD) launched an investigation into the company's use of these video surveillance systems to assess its compliance with the GDPR.
In February 2019, the Luxembourg DPA (CNPD) launched an investigation into the company's use of these video surveillance systems to assess its compliance with the GDPR.



Revision as of 11:32, 18 January 2022

CNPD (Luxembourg) - Délibération n° 47FR/2021
LogoLU.png
Authority: CNPD (Luxembourg)
Jurisdiction: Luxembourg
Relevant Law: Article 5(1)(c) GDPR
Article 13 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 01.12.2021
Published: 17.01.2022
Fine: 6800 EUR
Parties: n/a
National Case Number/Name: Délibération n° 47FR/2021
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): French
Original Source: CNPD (in FR)
Initial Contributor: Frederick Antonovics

The Luxembourg DPA (CNPD) fined a transport company €6800 for failing to comply with the principle of data minimisation by not limiting the field of vision of its video surveillance systems as well as inadequately informing both its employees and third parties of their existence.

English Summary

Facts

The processor is a transport company that installed video surveillance systems at its office.

In February 2019, the Luxembourg DPA (CNPD) launched an investigation into the company's use of these video surveillance systems to assess its compliance with the GDPR.

Holding

First, the Luxembourg DPA assessed whether the company complied with the principle of data minimisation per Article 5(1)(c) GDPR. It started by affirming that only what is strictly necessary to achieve the pursued aims can be filmed, and that the processing operations cannot be disproportionate when assessed against their purpose. Companies seeking to lawfully install such systems are therefore required to set out the exact purposes of the processing prior to their installation.

During the investigation, the company argued the systems were installed to protect its goods and access to facilities, as well as to safeguard users and prevent accidents.

The DPA nonetheless held that three cameras did not comply with the requirements under Article 5(1)(c) GDPR:

  1. The camera aimed at the reception, which was unlawful because workers have a right to not be constantly monitored
  2. The camera aimed at the "smoker's corner", which was unlawful because it monitored a space reserved to employees' leisure time
  3. The camera aimed at the public road outside the office and neighbouring land, which was unlawful because it was disproportionate when assessed against the purposes of the processing.

Second, the DPA assessed whether the company complied with its information obligations under Article 13 GDPR. It found that although the employees were notified of the existence of the video surveillance systems, visitors of the company's facilities had no access to this information.

Thus, the Luxembourg DPA held that the company (1) failed to comply with the principle of data minimisation by not limiting the field of vision of its video surveillance systems, and (2) failed to adequately inform its employees and third parties of their existence.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of 
investigation no. [...] carried out at Company A
1/26
Decision of the National Commission sitting in restricted formation 
on the outcome of investigation no. [...] carried out on Company A
Deliberation n° 47FR/2021 of 1
December 1, 2021
The National Commission for Data Protection sitting in restricted formation 
composed of Ms Tine A. Larsen, President, and Messrs Thierry Lallemang and Marc Lemmer, Commissioners 
Lemmer, Commissioners;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data 
personal data and on the free movement of such data, and repealing Directive 
95/46/EC ;
Having regard to the Act of 1 August 2018 on the organisation of the National Commission for 
Having regard to the Act of 1 August 2018 on the organisation of the National Commission for Data Protection and the general data protection regime, in particular 
Having regard to the Law of 1 August 2018 on the organisation of the National Commission for Data Protection and the general data protection regime, in particular Article 41 thereof
Having regard to the internal rules of procedure of the National Commission for Data Protection 
Having regard to the internal rules of procedure of the National Commission for Data Protection adopted by Decision No 3AD/2020 dated 22 January 2020, in particular Article 10 point 2 thereof 
Having regard to the Rules of Procedure of the National Commission for Data Protection adopted by decision no. 3AD/2020 dated 22 January 2020, in particular Article 10 point 2 thereof
Having regard to the Rules of Procedure of the National Commission for Data Protection relating to the 
Having regard to the regulation of the National Commission for Data Protection relating to the investigation procedure adopted by decision n°4AD/2020 dated 22 January 2020 
in particular Article 9 thereof;
Considering the following:
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of 
investigation no. [...] carried out on Company A
2/26
I. Facts and procedure
1. At its deliberation session on 14 February 2019, the National Commission for 
for Data Protection sitting in plenary session (hereinafter: "Plenary Session") had decided to open an 
Plenary Session") had decided to open an investigation at Company A on the basis of Article 
37 of the Act of 1 August 2018 on the organisation of the National Commission for 
Protection and the General Data Protection Regime (hereinafter: "Act"): "Act 
of 1 August 2018") and to appoint Mr Christophe Buschmann as head of the 
investigation.
2. According to the decision of the Plenary Session, the investigation conducted by the 
Commission for Data Protection (hereinafter: "CNPD") was to verify compliance with 
to verify compliance with the provisions of Regulation (EU) 2016/679 of the European Parliament 
and of the Council of 27 April 2016 on the protection of individuals with regard to the 
protection of individuals with regard to the processing of personal data and on the free movement of such 
and repealing Directive 95/46/EC (hereinafter: "RGPD") and the law of 1 August 
2018, in particular through the implementation of video surveillance and geolocation systems 
geolocation systems, if any, installed by Company A.
3. On 20 March 2019, CNPD officers visited the premises of Company A. 
Company A's premises.
1 The decision of the National Commission for Data Protection 
1 The decision of the National Commission for Data Protection sitting in a restricted formation on the outcome of the investigation (hereinafter: "Restricted 
The decision of the National Commission for Data Protection sitting in restricted formation on the outcome of the investigation (hereinafter: "Restricted Formation") will be limited to the processing operations controlled by the CNPD agents.
4. Company A is a public limited company registered in the Luxembourg Trade and Companies Register under number [... 
Companies Register of Luxembourg under number [...], with registered office at L- [...], [...] (hereinafter :
the "controlled"). The object of the Controlled Party [is the operation of a transport company]. 
transport].
2
5. During the above-mentioned visit, it was confirmed to the CNPD officers that the auditee 
uses a video surveillance system, but that it has not installed a video surveillance system. 
 
1 See Minutes No. [...] of the on-site visit to Company A on 20 March 2019 (hereinafter: "Minutes"). 
A (hereinafter: "Minutes no. [...]").
2 See Articles of Association coordinated at [...].
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of 
investigation no. [...] carried out at Company A
3/26
geolocation in its vehicles.3 The CNPD officers noted that the video surveillance system
The CNPD officers noted that the video surveillance system is composed of fixed cameras, as well as "dome" type cameras. 
dome" type cameras.
4
6. The audited party reacted to the report drawn up by the CNPD officers in a letter dated 20 March 
20 March 2019, delivered by hand after the site visit, and by letter dated 6 May 2019. 
6 May 2019.
7. At the end of his investigation, the head of the investigation notified the audited company of a statement of objections dated 30 October 2019. 
30 October 2019 a statement of objections detailing the shortcomings that he considered to 
the case, and more specifically a failure to comply with the requirements of Article 13.1 and 
Article 13.1 and 2 of the GDPR (right to information) as regards the data subjects, i.e. employees and 
employees and non-employees, i.e. customers, suppliers, service providers and visitors, 
suppliers, service providers and visitors (hereinafter: "third parties")
and non-compliance with the requirements of Article 5.1.c) of the GDPR (data minimisation principle). 
principle).
8. By letter of 29 November 2019, the auditee submitted its comments on the 
statement of objections.
9. A supplementary letter to the Statement of Objections was sent to the 
the statement of objections on 3 August 2020. In this letter, the Head of Investigation proposed to the 
In this letter, the Head of Investigation proposed to the Panel to adopt three corrective measures and to impose an administrative fine of 
administrative fine of EUR 6,800.
10. By letter dated 10 September 2020, the audited party submitted written observations 
on the supplementary letter to the statement of objections.
11. The Chair of the Panel informed the auditee by letter of 29 April 2021 that his case would be 
2021 that his case would be included in the Panel's meeting of 30 June 2021. 
30 June 2021. The auditee confirmed his attendance at the said meeting by e-mail of 8 June 2021.
12. At this sitting, the Head of the Investigation and the auditee, represented by [...], lawyer
the Court, made oral submissions in support of their written submissions and 
 
3 See Minutes No [...], finding 20.
4 See Minutes No [...], Finding 4.
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of investigation no. [...], finding 4. 
investigation no. [...] conducted at Company A
4/26
answered the questions put by the Restricted Section. The Chairperson granted 
the monitor the opportunity to send to the Panel additional information on the 
information on the area covered by the field of view of a specific camera, within two weeks. 
two weeks. The auditee was given the floor last.
13. 13. By letter dated 14 July 2021, the audited party provided the additional information 
information requested.
II. On the law
II.1 As to the grounds for the decision
A. On the breach of the principle of data minimisation 
1. On the principles
14. According to Article 5(1)(c) of the GDPR, personal data must be 
be 'adequate, relevant and restricted to what is necessary for the purposes for which 
purposes for which they are processed (data minimisation)".
15. The data minimisation principle in relation to video-surveillance implies that 
that only what appears to be strictly necessary to achieve the purpose(s) pursued should be filmed. 
purpose(s) and that the processing operations should not be disproportionate.5 
disproportionate.5
16. Article 5(1)(b) of the GDPR provides that personal data must be 
be "collected for specified, explicit and legitimate purposes and not further processed in a way incompatible 
further processed in a way incompatible with those purposes; [...] (purpose limitation)". 
purposes)'.
17. Before installing a video-surveillance system, the data controller 
must define, in a precise manner, the purpose(s) that he wishes to achieve by resorting to 
 
5 See CNPD Guidelines (Point 4.), available at: https://cnpd.public.lu/fr/dossiersthematiques/videosurveillance/necessite-proportionnalite.html. 
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of 
investigation no. [...] conducted at Company A
5/26
such a system, and may not subsequently use the personal data collected for any other purpose. 
for other purposes.6
18. The necessity and proportionality of video surveillance is analysed on a case-by-case 
case and, in particular, with regard to criteria such as the nature of the place to be placed under 
surveillance, its location, configuration or frequency of use.7
2. In the present case
19. During the on-site visit, it was explained to the CNPD officers that the purposes of the 
of the video surveillance system are the protection of the controller's property, the protection of 
of the controller, the protection of access, as well as the safety of users and the prevention of 
prevention of accidents.
8
2.1. Regarding the field of view of the camera aimed at reception
20. During the said visit, the CNPD officers noted that the field of vision of the camera 
of the camera named "[...]" allows for the permanent surveillance of the employee working at the reception desk.9 
reception desk.9
21. With regard to the said camera, the head of the investigation was of the opinion that even if the 
purposes "may find one or more grounds for lawfulness under Article 6, the permanent 
surveillance of employees at their workstations is to be considered disproportionate. 
disproportionate. Indeed, such permanent surveillance may create a 
psychological pressure on employees who feel and know that they are being watched, especially as 
and know they are being watched, especially as the surveillance measures continue over time.
(Statement of Objections, Ad. A.3.). It thus found that the audited company did not comply with the requirements of Article 5.1. c) of the GDPR and the audited company's documentation 
submitted by the letters of 20 March and 6 May 2019 did not contain any evidence against this 
against such non-compliance, nor any explanation as to why such monitoring measures might be necessary. 
of such monitoring measures.
 
6 See CNPD Guidelines, available at: https://cnpd.public.lu/fr/dossiersthematiques/videosurveillance/necessite-proportionnalite.html.
7 See CNPD Guidelines (Point 4.), available at: https://cnpd.public.lu/fr/dossiersthematiques/videosurveillance/necessite-proportionnalite.html. 
8 See Finding 9 of Minute No. [...]. 
9 See finding 10 of minute no. [...].
_____________________________________________________________
Decision of the National Commission sitting in a restricted formation on the outcome of 
investigation no. [...] conducted at Company A
6/26
22. The audited company explained in its reply to the statement of objections of 
statement of objections of 29 November 2019 that the camera in question was intended to 
the building and the reception area, but that it had in its field of view part of the 
the reception area, but that it had part of the reception office and the employee working there in its field of view. He also 
also explained that following the visit of the CNPD officers, masking was first put in place and that after the 
and that afterwards, for technical reasons, the camera had been disconnected from the system and was not 
disconnected from the system and was no longer functional since 3 June 2019. Annex 2 of the 
letter from the controller dated 10 September 2020 contains photos showing that the camera's field of 
field of view of the camera had been masked so as to no longer aim at the employee working at 
working at the reception desk.
23. The Panel wishes to recall that employees have the right not to be 
surveillance in the workplace. In order to achieve the 
purposes, it may seem necessary for a controller to install a video surveillance system 
to install a video-surveillance system in the workplace. On the other hand, by respecting 
the principle of proportionality, the controller must use the most protective means of 
the most protective means of surveillance of the employee's private sphere and, for example, limit the 
fields of vision of the cameras to the area necessary to achieve the purpose(s) 
purpose(s) pursued. 
24. The Panel notes that the controlled party has masked the field of view of the camera 
camera aimed at the employee working in the reception area. 
25. 25. It nevertheless agrees with the finding of the head of the investigation that the non-compliance with Article 5.1(c) of the GDPR was established on the day of the on-site visit of the CNPD agents as regards the 
the day of the on-site visit of the CNPD's agents with regard to the said camera. 
2.2 Regarding the field of vision of the camera aimed at the "smoking area
26. During the said visit, the CNPD officers noted that the field of view of the camera 
of the camera "[...]" allowed surveillance of a space reserved for employees' free time, in this case a "smoking area". 
employees, in this case a "smoking area". 10
 
10 See finding 17 of minute no. [...].
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of 
investigation no. [...] conducted at Company A
7/26
27. With regard to the camera having the "smoking area" in its field of vision, the head of the investigation considered that "the surveillance of employees 
the head of the investigation considered that "the surveillance of employees in a space reserved for their free time 
is to be considered disproportionate since the people present in the smoking area will, in a way, be 
smoking area will be permanently subject to video surveillance. He thus 
the controlled party of non-compliance with the requirements of Article 5.1. c) of the 
RGPD (Statement of Objections, Ad. A.11.).
28. 28. In its reply to the Statement of Objections of 29 November 2019, the 
statement of objections of 29 November 2019 that the purpose of the camera was to secure access 
access between the car park and his building and that the monitored area would never have been an official 
an official smoking area authorised by the controller. As the employees would have 
the ashtray themselves in this monitored passage area, the audited party would have decided to 
would have decided to remove this smoking area, which would never have been authorised, and to 
and to direct the employees to official break areas. By letter dated 
10 September 2020, the audited party reiterated these statements.
29. When it comes to places reserved for employees at the workplace for private use, such as a 
private use, such as a smoking area, surveillance cameras are in principle considered disproportionate 
disproportionate to the intended purpose. The same applies to 
The same applies to places such as, for example, changing rooms, toilets, rest areas 
kitchenette or any other place reserved for employees for private use. In 
these cases, the fundamental rights and freedoms of employees must take precedence over the 
interests pursued by the employer.
30. With regard to the camera having the smoking area in its field of vision, the 
The Panel notes that the camera shows a large poster of a cigarette, 
signalling the authorisation to smoke in this area, as well as a sizeable ashtray. 
negligible size. However, it takes into account the letter from the controller dated 14 July 2021, in which he explains that after the 
However, it takes into account the audited party's letter of 14 July 2021, in which he explains that after the 30 June 2021 meeting of the Restricted Section, 
he realised that for security reasons the team in charge of building management 
management team ('[...]') had moved the smoking area into the field of vision of the 
camera without informing his internal security team. The auditor also stated 
that he assumed that after the on-site visit by the CNPD officers, the "[...]" team would have realized its mistake and would have 
realized their mistake and moved the smoking area by replacing the above-mentioned sign 
the aforementioned sign indicating that smoking was permitted by a sign indicating that smoking was prohibited 
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of 
investigation no. [...] conducted at Company A
8/26
smoking at this location. In the said letter, the inspector admitted that the smoking area was 
in the field of vision of a camera and that this configuration was linked to a lack of 
internal communication.
31. The Panel thus agrees with the finding of the head of the investigation that 
non-compliance with Article 5(1)(c) of the RGPD was established on the day of the on-site visit by the 
the day of the on-site visit of the CNPD agents with regard to the said camera.
2.3 With regard to the field of view of the cameras aimed at the public highway / neighbouring properties
neighbouring properties
32. 32. During the on-site visit on 20 March 2019, the CNPD officers noted 
that the fields of view of four cameras include part of a neighbouring property 
neighbouring land,11 that the fields of view of two cameras include the public highway,12
while one camera monitors part of the public highway and a neighbouring property. 
surrounding land.
13
33. In its letter of 6 May 2019, the auditee stated that it was "currently 
limiting the field of view of the cameras and blurring the areas in question, in order to 
ensure that the cameras [...] do not include parts of neighbouring properties or parts of the public highway. 
parts of the public highway.
34. In his Statement of Objections, the Head of Investigation was of the opinion that even if the 
purposes indicated by the monitor may find one or more grounds for lawfulness under Article 6 of the 
Article 6 of the GDPR, the surveillance of the public highway and surrounding areas is 
However, the surveillance of the public highway and neighbouring properties is to be considered as disproportionate. He also considered that the "documentation 
submitted to the CNPD by the letters of 20 March and 6 May 2019 do not contain any 
evidence against this non-compliance, nor any explanation as to the possible need for 
need for such monitoring measures. However, in its letter of 6 May 2019, 
the controller presented mitigating elements on this issue.
 
11 See findings 12, 13, 15 and 19 of minute no. [...]. These are the cameras named "[...]", "[...]", 
"and "[...]".
12 See findings 14 and 16 of minute no. [...]. These are the cameras referred to as "[...]".
13 See finding 18 of minute no. [...]. This concerns the camera named "[...]".
_____________________________________________________________
Decision of the National Commission sitting in a restricted formation on the outcome of 
investigation no. [...] conducted at Company A
9/26
35. The head of the investigation thus found that the audited company did not comply with the 
requirements of Article 5.1.c) of the GDPR.
36. The Panel wishes to recall that cameras intended to monitor a place of access 
access area (entrance and exit, threshold, staircase, door, canopy, hall, etc.) must have a field of view limited to 
limited to the area strictly necessary to view the persons about to enter 
about to enter. Those filming external accesses must not mark out 
the entire width of a pavement running alongside the building or adjacent public roads, if any. 
adjacent public roads. Similarly, outdoor cameras installed in or around a building should be configured so as to 
Similarly, outdoor cameras installed in the vicinity of or around a building should be configured so as not to capture the public highway or its surroundings, 
entrances, accesses and interiors of other neighbouring buildings that may be within their 
their field of vision.14
37. However, the Commission recognises that, depending on the configuration of the premises, it may be 
impossible to install a camera that does not include in its field of view a part of the 
part of the public highway, approaches, entrances, accesses and interiors of other buildings. In 
such a case, it considers that the controller should implement masking or blurring 
masking or blurring techniques to limit the field of view to his property.15
38. The Panel notes that in its letter of 29 November 2019, the 
position on each camera that contained in its field of view a part of the public highway and/or 
part of the public highway and/or neighbouring land. With regard to the cameras 
and "[...]", the auditor stated that since the on-site visit of the CNPD officers, the cameras had been 
the fields of view have been masked so that they no longer include a neighbouring property,16 while the 
neighbouring land,16 while the cameras "[...]" and "[...]", even if their fields of view have been partially masked 
fields of view have been partially masked, still target a small part of the surrounding land. 
neighbouring land.
17
39. Furthermore, the field of view of the "[...]" camera has been masked so that it no longer 
the public highway and a neighbouring property, while the field of view of the "[...]" camera has been masked so that it no longer targets the public highway and a neighbouring property. 
 
14 See CNPD Guidelines (Point 4.1.), available at: https://cnpd.public.lu/fr/dossiersthematiques/videosurveillance/necessite-proportionnalite.html. 
15 See CNPD Guidelines (Point 4.1.), available at: https://cnpd.public.lu/fr/dossiersthematiques/videosurveillance/necessite-proportionnalite.html. 
16 See photos in Annexes 1 and 2 of the letter from the controller of 29 November 2019.
17 See photos in Annexes 3 and 4 of the auditee's letter of 29 November 2019.
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of 
investigation no. [...] conducted at Company A
10/26
[...]" no longer refers to the public highway.
18 With regard specifically to the camera "[...] 
"the auditor stated that, even though the field of view was partially obscured, it still 
the field of view has been partially obscured, it is still aimed at a part of the public highway and a nearby forest.19
40. The steps taken by the inspector, following the on-site visit of the 
to comply with the provisions of Article 5.1(c) of the GDPR will be taken into account by the 
taken into account by the Panel in the section "II.2. 
corrective measures and fines".
41. In view of the above, the Panel agrees with the finding of the Head of 
of the investigation20 that the non-compliance with Article 5.1.c) of the RGPD with regard to the 
the above-mentioned cameras was acquired on the day of the on-site visit of the 
CNPD OFFICERS.
B. On the breach of the obligation to inform data subjects
1. On the principles
42. Under Article 12(1) of the GDPR, the "controller shall take appropriate measures to 
shall take appropriate measures to provide any information referred to in Articles 13 and 14 
as well as to make any communication under Articles 15 to 22 and Article 
34 in relation to the processing to the data subject in a concise, transparent, comprehensible and easily accessible manner, 
transparent, comprehensible and easily accessible, in clear and simple terms [...].
43. Article 13 of the GDPR provides that:
" 1. Where personal data relating to a data subject are collected from that person, the 
1. Where personal data relating to a data subject are collected from that person, the controller shall, at the time when the data are obtained, provide him 
(a) the identity and contact details of the data subject 
(a) the identity and contact details of the controller and, where applicable, of the 
(a) the identity and contact details of the controller and, where applicable, of the representative of the controller;
 
18 See photos in Annexes 5 and 6 of the letter from the controller dated 29 November 2019.
19 See photo in Annex 7 of the auditee's letter of 29 November 2019.
20 Statement of Objections, Ad. A.4. to A.10.
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of 
investigation n° [...] carried out at Company A
11/26
b) if applicable, the contact details of the data protection officer; 
c) the purposes of the processing operation for which the personal data are intended and the legal 
(c) the purposes of the processing operation for which the personal data are intended and the legal basis of the processing operation;
(d) where the processing is based on Article 6(1)(f), the legitimate interests 
(d) where the processing is based on Article 6(1)(f), the legitimate interests pursued by the controller or by a third party 
(e) the recipients or categories of recipients of the personal data, 
(e) the recipients or categories of recipients of the personal data, if any; and 
(f) where applicable, the fact that the controller intends to carry out a transfer of personal data to a third party 
(f) where applicable, the fact that the controller intends to transfer personal data to a third country or to an international 
organisation, and the existence or absence of an adequacy decision by the Commission or, in the case of 
or, in the case of transfers referred to in Article 46 or 47, or in Article 49, 
(1), second subparagraph, the reference to the appropriate or adequate safeguards and the means of 
means of obtaining a copy or the place where they have been made available;
2. In addition to the information referred to in paragraph 1, the controller shall provide 
2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject, at the time the personal data are 
the following additional information necessary to ensure fair and transparent processing 
fair and transparent processing: 
(a) the length of time for which the personal data will be kept or, where this is not possible, the criteria used to 
(a) the period of time for which the personal data will be kept or, where this is not possible, the criteria used to determine that period 
(b) the existence of the right to request from the controller access to, rectification of or erasure of the personal data 
(b) the existence of the right to request from the controller access to, rectification or erasure of personal data or a restriction of the processing 
(b) the existence of the right to request from the controller access to, rectification or erasure of personal data, or a restriction of the processing relating to the data subject, or the right to object to the processing and the right to data portability 
right to data portability; 
(c) where the processing is based on Article 6(1)(a) or on Article 9, 
(c) where the processing is based on Article 6(1)(a) or Article 9(2)(a), the existence of the right to withdraw consent at any time, 
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of 
conducted at Company A
12/26
without affecting the lawfulness of the processing based on the consent given before the withdrawal of the consent 
withdrawal of consent; 
d) the right to lodge a complaint with a supervisory authority; 
(e) information on whether the requirement to provide personal data is of a regulatory or contractual nature 
(e) information on whether the requirement to provide personal data is of a regulatory or contractual nature or is a condition for the conclusion of a contract and whether the 
(e) information on whether the requirement to provide personal data is of a regulatory or contractual nature or is a condition for the conclusion of a contract and whether the data subject is obliged to provide the personal data, as well as on the consequences for the data subject of providing the data. 
personal data, as well as on the possible consequences of not providing such data 
of the data; 
(f) the existence of automated decision-making, including profiling, as referred to in Article 
(f) the existence of automated decision-making, including profiling, as referred to in Article 22(1) and (4), and, at least in such cases, relevant information about the underlying logic, as well as the 
logic and the significance and intended consequences of such processing for the 
for the data subject. 
3. Where the controller intends to further process the personal data for a purpose other than that for which they were collected, the 
personal data for a purpose other than that for which the personal data were collected, the 
data were collected, the controller shall provide the data subject with prior information 
data subject prior to the processing for that other purpose and any other relevant information 
referred to in paragraph 2.
4. 4. Paragraphs 1, 2 and 3 shall not apply where, and insofar as, the data subject already has such information. 
concerned already has such information.
44. The provision of information to data subjects about the processing of their data is an essential element in the 
44. The provision of information to data subjects on the processing of their data is an essential element of compliance with the 
obligations of transparency under the GDPR.21 These obligations have been clarified by the 
by the Article 29 Working Party in its guidelines on transparency under 
Regulation (EU) 2016/679, the revised version of which was adopted on 11 April 2018 
11 April 2018 (hereinafter: "WP 260 rev.01").
 
21 See in particular Articles 5.1(a) and 12 of the GDPR, see also Recital (39) of the GDPR.
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of 
investigation no. [...] conducted at Company A
13/26
45. It should be noted that the European Data Protection Committee (hereinafter: "EDPS"), which replaced the 
Note that the European Data Protection Committee (hereinafter: "EDPS"), which replaces the Article 29 Working Party since 25 May 2018, has taken over 
and re-approved the documents adopted by the Article 29 Working Party between 25 May 2016 and 25 May 
May 2018, such as precisely the above-mentioned guidelines on transparency.22
2. In the present case
46. The CNPD officers noted during their site visit that the presence of the video
video surveillance system is not reported to the persons concerned. Upon questioning,
it was nevertheless explained to the CNPD agents that the employees had been informed by 
an explanatory e-mail followed by a physical letter.23
In its letter of 6 May 2019, the controller clarified that the document that the employees 
received on 25 May 2018 by e-mail and physical mail is the document entitled 
"Note to all employees on personal data" and that he is working on "the implementation of an 
information about the video surveillance system in two complementary ways 
i) the installation of pictograms at the entrance to the monitored areas, and ii) the publication of a 
(i) the installation of pictograms at the entrance to the monitored areas, and (ii) the publication of a detailed information notice on the website of [...]. These 
operations shall be completed by 1 July 2019.
47. As regards third parties, the Head of the Investigation noted in his Statement of Objections that 
statement of objections "that no means were implemented to inform customers, visitors or 
customers, visitors or suppliers of the presence of the video surveillance cameras, 
particularly by means of signs or pictograms affixed at strategic points within the buildings. 
the presence of video surveillance cameras, in particular by means of signs or pictograms affixed at strategic points within the controller's buildings" and that it is therefore 
therefore, the audited entity should be held to be in non-compliance with the requirements of Article 
13 of the GDPR with regard to third parties (Statement of Objections, 
Ad.A.1.). 
48. With regard to employees, the head of the investigation found that non-compliance with Article 13 of the 
13 of the RGPD was also established on the day of the on-site visit, as "the document 'Note to all 
to all employees on Personal Data" communicated to employees does not contain certain 
 
22 See EDPS Endorsement Decision 1/2018 of 25 May 2018, available at: 
https://edpb.europa.eu/sites/edpb/files/files/news/endorsement_of_wp29_documents_en_0.pdf. 
23 See Findings 1 and 2 of Minute No [...].
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of 
investigation no. [...] conducted at Company A
14/26
of the compulsory information prescribed by Article 13 of the GDPR. (Statement of 
statement of objections, Ad.A.2.).
49. In a letter dated 29 November 2019, the controller stated that after the departure of the 
the departure of the CNPD agents, first-level information was provided by means of 
pictograms and a short text in French, German and English to alert the public as soon as they 
the public as soon as they enter the monitored area.
24 The pictograms would refer to a second-level 
The pictograms would refer to a second-level information notice containing all the information required under 
The pictograms would refer to a second level information notice containing all the information required under Article 13 of the RGPD available to the public and to employees on their website. With regard to employees 
specifically for employees, the controller stated that the "Note to all employees on Personal Data" provided to 
on Personal Data" communicated to employees on 25 May 2018 had been updated and 
employees would also be informed by the pictograms and the information note available on the 
on the website of the controller. At the same time, the section on the GDPR on the intranet of the 
intranet would have been updated and the staff delegation would have been informed and consulted 
at all stages of the implementation of the video-surveillance system. 
50. The Panel would first like to point out that Article 13 of the RGPD refers to the 
the obligation imposed on the controller to "provide" all the information 
information mentioned therein. The word "provide" is crucial in this case and it "means 
that the controller must take concrete steps to provide the data subject with the 
information in question to the data subject or to actively direct the data subject to the 
data subject to the location of the information (e.g. by means of a direct link, a QR code 
link, QR code, etc.). (WP260 rev. 01. paragraph 33).
51. 51. The Commission also considers that a multi-level approach to communicating 
transparency information to data subjects can be used in an offline or non-digital 
offline or non-digital context, i.e. in a real environment such as personal data collected 
personal data collected by means of a video surveillance system. 
video surveillance system. The first level of information (warning sign, information note, etc.) should be 
The first level of information (warning sign, information note, etc.) should generally include the most 
details of the purpose of the processing, the identity of the controller and the existence of 
identity of the controller and the existence of the data subjects' rights, as well as the information 
impact on the processing operation or any processing operation likely to cause surprise 
 
24 See Annex 8 of the letter from the controller dated 29 November 2019.
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of 
investigation no. [...] conducted at Company A
15/26
the persons concerned, as well as a reference to the more detailed information of the second level (for example, via a 
second level (e.g. via a QR code or a website address).
25 The 
second level of information, i.e. the set of information required under Article 13 of the 
Article 13 of the GDPR, could be provided or made available by other means, 
such as a copy of the privacy policy sent by e-mail to employees or a link on the 
employees or a link on the website to an information notice in respect of non-employees 
non-employees.
26
2.1. Information to third parties
52. The Panel notes that during the site visit by the CNPD officers, third parties were not informed of the presence of the 
CNPD officers, third parties were not informed of the presence of the video surveillance system. 
video surveillance system.
53. However, it notes that in its letter of 29 November 2019, the audited party 
approach to communicating information on transparency to third parties by means of 
transparency to third parties through pictograms and an information note available on its website. 
available on its website. The Panel considers that the pictograms 
contain the information of the first level of information and that the second level of 
information, i.e. the information note available on the website, contains 
all the information required under Article 13 of the GDPR.
The Panel notes, however, that all the documentation of the first and second level of information has been provided to the Commission. 
and second level of information was only put in place after the on-site visit of the 
CNPD officials.
54. 54. In view of the above, it therefore agrees with the Head of Investigation and concludes that 
that at the time of the on-site visit of the CNPD officers, Article 13 of the GDPR was not 
the controlled party with regard to video surveillance as far as third parties are concerned. 
third parties.
 
25 See EDPS Guidelines 3/2019 on the processing of personal data by video devices, version 2.0 
devices, version 2.0, adopted on 29 January 2020 (points 114. and 117.).
26 See WP260 rev. 01 (point 38.)
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of 
investigation n° [...] conducted at Company A
16/26
2.2. Information for employees
55. With regard to informing employees about the video surveillance system, the 
system, the Restricted Section notes that during the on-site visit by CNPD agents, the employees were 
employees were informed of the presence of the video-surveillance system by the document "Note to all employees
by the document "Note to all employees on Personal Data".
27 While this document 
contains some of the information required by Article 13 of the GDPR, it nevertheless concerns 
all the data processed by the controller, all the legal bases applicable to the various 
processing carried out by the controller and all the purposes invoked for such processing, without 
processing operations, without differentiating between the processing operations concerned. These 
information does not therefore comply with the principle of transparency to which every controller is 
principle of transparency to which every controller is bound. According to this principle, the information must be 
to the data subject "in a concise, transparent, comprehensible and easily accessible manner 
easily accessible, in clear and simple terms".
28 Furthermore, the document does not 
document does not contain all the information within the meaning of Article 13 of the GDPR.
56. However, the Commission notes that in its letter of 29 November 2019, the controller has 
specified its approach at several levels to communicate information on transparency to 
transparency to employees, in particular through pictograms and an information note 
available on its website. In addition, it mentioned that the document "Note to 
all [...] employees on Personal Data" has been updated to include the information 
available on the said website. The Panel considers that the pictograms 
pictograms contain the first level of information and that the second level of information 
information, i.e. the information note available on the website, contains 
all the information required under Article 13 of the GDPR. 
The Panel notes, however, that all the documentation of the first and second level of information has been provided to the Commission. 
and second level of information was only put in place after the on-site visit of the 
CNPD officials.
 
27 The said document can be found in the annex to the inspection letter of 6 May 2019 and mentions the following: [...].
28 See Article 12.1. of the GDPR.
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of 
investigation no. [...] conducted at Company A
17/26
57. In view of the above, it agrees with the opinion of the head of the investigation and concludes that, at the time of the on-site visit by the 
the time of the on-site visit of the CNPD agents, Article 13 of the GDPR was not 
Article 13 of the RGPD was not complied with by the audited company with regard to video surveillance of employees.
II. 2. Corrective measures and fines
1. On the principles
58. In accordance with Article 12 of the Act of 1 August 2018, the CNPD has the power to 
power to adopt all the corrective measures provided for in Article 58(2) of the RGPD:
"(a) to warn a controller or processor that the proposed processing operations are likely to infringe 
(a) warn a controller or processor that the proposed processing operations are likely to infringe the provisions of this Regulation ; 
(b) call a controller or processor to order where the processing operations have led to a breach of the 
(b) call a controller or processor to order where the processing operations have led to a breach of the provisions of this Regulation 
(c) order the controller or processor to comply with requests made by the data 
(c) order the controller or processor to comply with requests made by the data subject to exercise his or her rights under this Regulation 
(c) order the controller or the processor to comply with requests made by the data subject to exercise his rights under this Regulation ;
(d) order the controller or the processor to bring the processing operations into conformity with the 
(d) order the controller or the processor to bring the processing operations into conformity with the provisions of this Regulation, where appropriate, in a specific manner and within a specified period 
(d) order the controller or the processor to bring the processing operations into conformity with the provisions of this Regulation, where appropriate, in a specific manner and within a specified period ;
(e) order the controller to notify the data subject of a personal data 
(e) order the controller to notify the data subject of a personal data breach 
(f) impose a temporary or definitive restriction, including a ban, on processing 
(g) order the rectification or erasure of personal data or the restriction of processing pursuant to 
(g) order the rectification or erasure of personal data or the restriction of processing pursuant to Articles 16, 17 and 18 and the notification of such 
(g) order the rectification or erasure of personal data or the restriction of processing pursuant to Articles 16, 17 and 18 and the notification of such measures to the recipients to whom the personal data have been disclosed 
pursuant to Articles 17(2) and 19 ; 
(h) withdraw a certification or order the certification body to withdraw a certification 
(h) withdraw a certification or order the certification body to withdraw a certification issued pursuant to Articles 42 and 43, or order the certification body to withdraw a certification issued pursuant to Articles 42 and 43 
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of 
investigation n° [...] carried out at Company A
18/26
certification body not to issue a certification if the requirements applicable to the certification 
are not or no longer met; 
(i) impose an administrative fine pursuant to Article 83, in addition to or instead of the measures referred to in this paragraph 
(i) impose an administrative fine pursuant to Article 83, in addition to or instead of the measures referred to in this paragraph, depending on the specific characteristics of each case 
(i) impose an administrative fine pursuant to Article 83, in addition to or instead of the measures referred to in this paragraph, depending on the specific characteristics of each case 
(j) order the suspension of data flows to a recipient in a third country or to an 
(j) order the suspension of data flows to a recipient in a third country or to an international organisation.
59. In accordance with Article 48 of the Act of 1 August 2018, the CNPD may impose administrative 
administrative fines as provided for in Article 83 of the GDPR, except against the State or 
State or municipalities.
60. Article 83 of the RGPD provides that each supervisory authority shall ensure that the 
administrative fines imposed are, in each case, effective, proportionate and dissuasive 
and dissuasive, before specifying the elements that should be taken into account when deciding 
whether an administrative fine should be imposed and the amount of the fine 
(a) the nature, gravity and gravity of the infringement
"(a) the nature, gravity and duration of the breach, taking into account the nature, scope or purpose of the processing concerned 
(a) the nature, gravity and duration of the infringement, having regard to the nature, scope or purpose of the processing operation concerned, as well as to the number of data subjects affected and the level of damage that the infringement causes 
affected and the level of damage suffered by them ; 
(b) whether the breach was committed intentionally or negligently; 
(c) any measures taken by the controller or processor to mitigate the damage suffered by 
(c) any measures taken by the controller or processor to mitigate the damage suffered by the data subjects 
(d) the degree of responsibility of the controller or processor, taking into account the 
(d) the degree of responsibility of the controller or processor, taking into account the technical and organisational measures they have implemented pursuant to 
Articles 25 and 32 ; 
(e) any previous relevant breach by the controller or processor 
(e) any previous relevant breach by the controller or the processor; 
(f) the degree of cooperation established with the supervisory authority in order to remedy the breach and 
(f) the degree of cooperation established with the supervisory authority in order to remedy the breach and to mitigate any negative effects thereof; 
_____________________________________________________________
Decision of the National Commission sitting in a restricted formation on the outcome of 
investigation no. [...] carried out at Company A
19/26
g) the categories of personal data affected by the breach; 
(h) the manner in which the supervisory authority became aware of the breach, in particular whether and to what extent the data controller had been informed of the breach; and 
(h) the manner in which the supervisory authority has become aware of the breach, including whether and to what extent the controller or processor has notified the breach; 
(i) where measures referred to in Article 58(2) have previously been 
(i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned in relation to the same subject-matter, compliance with those measures shall be verified 
(i) where measures referred to in Article 58(2) have previously been ordered against the controller or the processor concerned in relation to the same matter, compliance with those measures ; 
(j) the application of codes of conduct approved pursuant to Article 40 or of 
(j) the application of codes of conduct approved pursuant to Article 40 or certification schemes approved pursuant to Article 42; and 
(k) any other aggravating or mitigating circumstances applicable to the circumstances of the 
(k) any other aggravating or mitigating circumstances applicable to the circumstances of the case, such as the financial benefits obtained or losses avoided, directly or indirectly, as a result of the 
(k) any other aggravating or mitigating circumstances applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, as a result of the violation.
61. The Panel wishes to make it clear that the facts taken into account in the context of this 
decision are those found at the beginning of the investigation. Any changes to the data processing 
modifications relating to the data processing operations under investigation, even if they 
even if they make it possible to establish full or partial compliance, do not 
compliance, do not allow for the retroactive annulment of a failure found.
62. Nevertheless, the steps taken by the supervised party to comply with the 
with the GDPR during the investigation procedure or to remedy the shortcomings 
by the head of the investigation in the statement of objections, are taken into account by the 
the Panel in the context of possible remedial action and/or the setting of a possible fine. 
the amount of any administrative fine to be imposed.
2. In the present case
2.1 On the imposition of an administrative fine
63. In the letter supplementing the statement of objections of 3 August 2020, the head of the 
proposes to the Restricted Section to impose an administrative fine on the 
amount of six thousand eight hundred (6,800) euros.
64. In his letter of 10 September 2020, the audited party considered that the amount of the fine is disproportionate to the 
disproportionate due to the absence of any intention to cause the 
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of 
investigation no. [...] carried out at Company A
20/26
alleged violations and its efforts to comply, while in its letter of 14 July 2021 it indicated 
July 14, 2021 he indicated that he accepts the fact that he had monitored a smoking area with a camera 
in violation of the requirements of the GDPR and that he accepts the fine of EUR 6,800.29
65. In order to decide whether an administrative fine should be imposed and to decide 
the amount of the fine, the Panel shall take into account the elements 
the elements provided for in Article 83(2) of the RGPD :
- As regards the nature and gravity of the breach (Article 83.2.a) of the RGPD), it notes 
As regards the breaches of Article 5(1)(c) of the RGPD, they are 
constitute breaches of a fundamental principle of the RGPD (and of data protection law in general) 
protection law in general), namely the principle of data minimisation enshrined in 
principle enshrined in Chapter II "Principles" of the RGPD. It should be noted that at the time of 
the time of the on-site visit by the CNPD agents, a camera allowed the permanent 
surveillance of the employee working in the reception area, one camera 
surveillance of an area reserved for employees' free time, in this case a "smoking 
smoking area, while seven cameras were aimed at the surrounding grounds and/or the 
and seven cameras were aimed at neighbouring properties and/or the public highway.
- As for the failure to inform the persons concerned 
in accordance with Article 13 of the RGPD, the Panel recalls that 
information and transparency regarding the processing of personal data are essential 
transparency regarding the processing of personal data is an essential obligation for data controllers 
data controllers so that individuals are fully aware of the use that will be made of their 
their personal data, once collected. A 
failure to comply with Article 13 of the RGPD thus constitutes a breach of the rights of the 
of the data subjects. This right to information has also been strengthened under the 
under the RGPD, which shows their particular importance. It should be noted that 
that at the time of the site visit by the CNPD agents, no pictograms, posters or notices 
pictograms, posters or information leaflets could be shown to the CNPD officials. 
to the CNPD officers. Thus, third parties were not at all 
informed of the presence of the video surveillance system in accordance with
Article 13 of the GDPR, while the document given to the employees, i.e. the 
 
29 Original text of the controller's letter of 14 July 2021: "Accordingly we accept the fact that we monitored 
a smoking area by CCTV in contravention of CNPD requirements and accept the penalty of Euro 6,800."
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of 
investigation n° [...] carried out at Company A
21/26
"Note to all employees on Personal Data", did not contain all the information 
information required by Article 13 of the GDPR. 
- As regards the criterion of duration (Article 83(2)(a) of the GDPR), the Panel 
notes that these shortcomings lasted over time, at least since 25 May 2018 and until
25 May 2018 and until the day of the on-site visit. It recalls here that two years have 
the entry into force of the RGPD from its entry into application to allow 
to comply with their obligations. 
obligations. In particular, an obligation to respect the principle of minimisation, 
as well as a comparable obligation to provide information already existed under 
4.1.b), 10.2 and 26 of the repealed Act of 2 August 2002 on the 
protection of persons with regard to the processing of personal data. 
personal data. Guidance on the principles and obligations laid down in the said Act was available from the 
law was available from the CNPD, in particular through mandatory prior authorisations 
prior authorisations for video surveillance. 
- As for the number of data subjects (Article 83.2.a) of the GDPR), the 
As for the number of data subjects (Article 83.2.a) of the GDPR), the Panel notes that these are [...] employees30 working on the premises of the 
premises of the controller, as well as all third parties visiting the said 
premises.
- As to the question of whether the breaches were committed deliberately 
(Article 83.2.b) of the GDPR), the Panel recalls that "not deliberately" means that the 
that "not deliberately" means that there was no intention to commit the breach, although the 
breach, although the controller has not complied with its duty of care under 
duty of care under the legislation, which is the case here.
- As for the measures taken by the controller to mitigate the damage suffered by the 
persons concerned (Article 83.2.c), the Panel takes into account the measures 
measures taken by the auditee and refers to Chapter II.2. section 2.2. of this decision for 
decision for the explanations related thereto.
- As to the degree of cooperation established with the supervisory authority (Article 83.2.f) of the 
RGPD), the Panel takes into account the statement of the head of the investigation 
 
30 [...].
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of 
investigation no. [...] carried out at Company A
22/26
that the cooperation of the audited company throughout the investigation was good, as well as its willingness to comply with the 
and its willingness to comply with the requirements of the GDPR as soon as possible.31 
as soon as possible.31
66. The Panel notes that the other criteria of Article 83.2 of the GDPR are neither relevant nor 
are neither relevant nor likely to influence its decision on the imposition of an administrative fine and its 
administrative fine and its amount. 
67. It also notes that while several measures have been put in place by the supervised 
to remedy certain shortcomings in whole or in part, these were only adopted following the 
adopted following the inspection by CNPD officials on 20 March 2019 (see also point 61 of this 
see also paragraph 61 of this decision).
68. The Panel therefore considers that the imposition of an administrative fine is 
justified in the light of the criteria laid down in Article 83(2) of the RGPD for 
breach of Articles 5(1)(c) and 13 of the RGPD. 
69. With regard to the amount of the administrative fine, it recalls that Article 83(3) of the 
3 of Article 83 of the RGPD provides that in the event of multiple breaches, as in the case of 
case, the total amount of the fine may not exceed the amount set for the most serious 
violation. Insofar as a breach of Articles 5 and 13 of the GDPR is alleged, the maximum fine 
the maximum fine that can be imposed is EUR 20 million or 
20 million or 4% of annual worldwide turnover, whichever is higher. 
70. In the light of the relevant criteria of Article 83(2) of the GDPR mentioned above, the 
Panel considers that the imposition of a fine of six thousand eight hundred
(6,800) appears to be effective, proportionate and dissuasive, in accordance with the 
requirements of Article 83.1 of the GDPR.
2.2 As regards the taking of corrective measures
71. In his supplementary letter to the Statement of Objections of 3 August 2020 
the Head of Investigation proposes that the Restricted Panel adopt the following corrective measures 
corrective measures:
 
31 See supplementary letter to the Statement of Objections.
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of 
investigation n° [...] carried out at Company A
23/26
"a) Order the data controller to complete the information measures 
to third parties ([...]) affected by the video surveillance, 
in accordance with the provisions of Article 13, paragraphs (1) and (2) of the GDPR by 
the identity of the data controller, the contact details of the data protection 
Data Protection Officer, the purposes of the processing and its legal basis, 
the categories of data processed, the legitimate interests pursued by the controller, the 
recipients of the data, the duration of the data storage as well as the indication of the 
the rights of the person and how to exercise them.
b) Order the controller to complete the information measures 
(b) Order the controller to complete the information measures for the employees concerned by the video surveillance, 
in accordance with the provisions of Article 13(1) and (2) of the GDPR by 
informing in particular the purposes of the processing and its legal basis, the categories 
of data processed, the legitimate interests pursued by the controller, the recipients of the 
recipients of the data as well as the period for which the data are kept. 
c) Order the controller to process only relevant data, 
(c) Order the controller to process only relevant, adequate and limited to what is necessary for the purposes of protecting 
(c) Order the controller to process only data which are relevant, adequate and limited to what is necessary for the purposes of protecting property, securing access, ensuring user safety and preventing accidents, and in particular 
and, in particular, to adapt the video system so that employees are not filmed at their workstations or in 
at their workstations or in areas reserved for their free time, nor to film 
parts of the public highway or neighbouring properties, for example by removing or 
or reorienting the cameras.
72. As for the remedial measures proposed by the head of the investigation and with reference to 
to point 62 of this decision, the Panel takes into account the steps taken by the 
the steps taken by the auditee, following the on-site visit of the CNPD officers, to comply with the provisions of Articles 5 and 6 of the 
to comply with the provisions of Articles 5.1.c) and 13 of the GDPR, as detailed in its letters of 6 May 2019 
in its letters of 6 May 2019, 29 November 2019, 10 September 2020 and 14 July 2021. 
July 2021. In particular, it notes the following facts:
With regard to the implementation of information measures for data subjects (third parties and employees), the 
concerned (third parties and employees) by the video surveillance, in accordance with the 
the provisions of Article 13.1 and 2 of the RGPD, the controller specified in its letter of 29 November 2019 its approach to 
letter of 29 November 2019, the audited body specified its multi-level approach to 
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of 
investigation no. [...] conducted at Company A
24/26
communicate information on transparency to the persons concerned by 
pictograms containing a brief text in French, German and English, as well as an 
and by an information note available on its website. In addition, the 
Note to all [...] employees on Personal Data" has been updated to include the information 
to include the information available on the website.
The Panel considers that the pictograms contain the first level of information and are 
information of the first level of information and that the second level of 
information, i.e. the information note available on the website, 
contains all the information required under Article 13 of the GDPR. 
As to the obligation to process only relevant, adequate and 
limited to what is necessary for the purposes of protection of property, 
protection of access, as well as the safety of users and the prevention of 
of accidents, the Select Committee takes into account that :
o Annex 2 of the letter from the controller dated 10 September 2020 contains 
o Annex 2 of the letter from the audited party of 10 September 2020 contains photos showing that the field of view of the camera "[...]" has now been masked so as not to interfere with the access to the premises.
"has been masked so as to no longer permanently aim at the employee working at the reception 
working at the reception desk;
o the audited party attached to its letter of 29 November 2019 photos 
o the auditor attached to his letter of 29 November 2019 photos showing that the fields of view of the cameras "[...] " " [...] ", " [...]
"and "[...]" have been masked so that they no longer include a neighbouring property and/or public road 
and/or the public highway;
o the inspector attached to his letter of 29 November 2019 photos 
o the auditor attached to his letter of 29 November 2019 photos showing that the fields of view of the cameras "[...]", "[...]" and "[...]" had been 
[...]" have been masked, but he specified that they are still aimed at a small 
part of a neighbouring plot of land (a field) and / or the public highway. 
In view of the sensitivity of the land under surveillance ([...]), the 
considers that the masking in place has reduced the field of view of the cameras in question to the 
field of vision of the cameras in question necessary to pursue the 
purposes of securing the surroundings and the entrances to the building.
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of 
investigation no. [...] carried out at Company A
25/26
o in its letter of 14 July 2021, following the meeting of the 
session of 30 June 2021, that the "[...]" camera 
allowed the surveillance of an area reserved for employees' free time, 
in this case a "smoking area", and that this constellation was linked to a 
This constellation was linked to a lack of internal communication. In fact, it would have realised that 
for safety reasons, the team in charge of managing the buildings 
management team ('[...]') had moved the smoking area into the field of vision of the 
of the camera in question, without knowing that a smoking area was now in the 
without knowing that a smoking area was now in the field of view of a camera and without informing his 
and without informing his internal security team, and that he assumed that after the on-site visit by the 
the team "[...]" would have moved the smoking area by replacing the aforementioned sign 
the aforementioned sign indicating that smoking was permitted by a sign indicating that 
smoking is prohibited in this area.
73. In view of the compliance measures taken by the controlled party in this case and 
and point 62 of this decision, the Panel considers that there is no evidence of a breach of the 
the three remedial measures proposed by the head of the investigation in this respect as 
the three remedies proposed by the head of the investigation in this respect as set out in paragraph 71 of this Decision.
In view of the above developments, the National Commission, sitting in a restricted 
in a restricted formation and deliberating unanimously decides :
- to retain the breaches of Articles 5.1.c) and 13 of the GDPR ;
- to impose an administrative fine on Company A in the amount of 
six thousand eight hundred (6,800) euros, in view of the breaches of Articles 5.1.c) and 13 of the GDPR 
Articles 5.1.c) and 13 of the GDPR;
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of 
investigation no. [...] carried out at Company A
26/26
Thus decided in Belvaux on 1
December 1, 2021.
For the National Commission for Data Protection sitting in restricted formation 
sitting in restricted formation
Tine A. Larsen Thierry Lallemang Marc Lemmer
 President Commissioner Commissioner
Indication of the means of appeal
An appeal against this administrative decision may be lodged within three months of its notification. 
three months after its notification. This appeal must be brought before the administrative court 
and must be lodged through a lawyer at the Court of one of the Bar Associations. 
of lawyers.