CNPD (Luxembourg) - Délibération n° 47FR/2021
From GDPRhub
| CNPD (Luxembourg) - Délibération n° 47FR/2021 | |
|---|---|
 | |
| Authority: | CNPD (Luxembourg) |
| Jurisdiction: | Luxembourg |
| Relevant Law: | Article 5(1)(c) GDPR Article 13 GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 01.12.2021 |
| Published: | 17.01.2022 |
| Fine: | 6800 EUR |
| Parties: | n/a |
| National Case Number/Name: | Délibération n° 47FR/2021 |
| European Case Law Identifier: | n/a |
| Appeal: | Not appealed |
| Original Language(s): | French |
| Original Source: | CNPD (in FR) |
| Initial Contributor: | Frederick Antonovics |
The Luxembourg DPA (CNPD) fined a transport company €6800 for failing to comply with the principle of data minimisation by not limiting the field of vision of its video surveillance systems as well as inadequately informing both its employees and third parties of their existence.
English Summary
Facts
The processor is a transport company that installed video surveillance systems at its office. In February 2019, the Luxembourg DPA (CNPD) launched an investigation into the company's use of these video surveillance systems to assess its compliance with the GDPR.
Holding
First, the Luxembourg DPA assessed whether the company complied with the principle of data minimisation per Article 5(1)(c) GDPR. It started by affirming that only what is strictly necessary to achieve the pursued aims can be filmed, and that the processing operations cannot be disproportionate when assessed against their purpose. Companies seeking to lawfully install such systems are therefore required to set out the exact purposes of the processing prior to their installation.
During the investigation, the company argued the systems were installed to protect its goods and access to facilities, as well as to safeguard users and prevent accidents. The DPA nonetheless held that three cameras did not comply with the requirements under Article 5(1)(c) GDPR.
In particular, the camera aimed at the reception, which was unlawful because workers have a right to not be constantly monitored. The camera aimed at the "smoker's corner", which was unlawful because it monitored a space reserved to employees' leisure time. Finally, the camera aimed at the public road outside the office and neighboring land, which was unlawful because it was disproportionate when assessed against the purposes of the processing.
Second, the DPA assessed whether the company complied with its information obligations under Article 13 GDPR. It found that although the employees were notified of the existence of the video surveillance systems, visitors of the company's facilities had no access to this information.
Thus, the Luxembourg DPA held that the company (1) failed to comply with the principle of data minimisation by not limiting the field of vision of its video surveillance systems, and (2) failed to adequately inform its employees and third parties of their existence.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
investigation no. [...] carried out at Company A
1/26
Decision of the National Commission sitting in restricted formation
on the outcome of investigation no. [...] carried out on Company A
Deliberation n° 47FR/2021 of 1
December 1, 2021
The National Commission for Data Protection sitting in restricted formation
composed of Ms Tine A. Larsen, President, and Messrs Thierry Lallemang and Marc Lemmer, Commissioners
Lemmer, Commissioners;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data
personal data and on the free movement of such data, and repealing Directive
95/46/EC ;
Having regard to the Act of 1 August 2018 on the organisation of the National Commission for
Having regard to the Act of 1 August 2018 on the organisation of the National Commission for Data Protection and the general data protection regime, in particular
Having regard to the Law of 1 August 2018 on the organisation of the National Commission for Data Protection and the general data protection regime, in particular Article 41 thereof
Having regard to the internal rules of procedure of the National Commission for Data Protection
Having regard to the internal rules of procedure of the National Commission for Data Protection adopted by Decision No 3AD/2020 dated 22 January 2020, in particular Article 10 point 2 thereof
Having regard to the Rules of Procedure of the National Commission for Data Protection adopted by decision no. 3AD/2020 dated 22 January 2020, in particular Article 10 point 2 thereof
Having regard to the Rules of Procedure of the National Commission for Data Protection relating to the
Having regard to the regulation of the National Commission for Data Protection relating to the investigation procedure adopted by decision n°4AD/2020 dated 22 January 2020
in particular Article 9 thereof;
Considering the following:
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
investigation no. [...] carried out on Company A
2/26
I. Facts and procedure
1. At its deliberation session on 14 February 2019, the National Commission for
for Data Protection sitting in plenary session (hereinafter: "Plenary Session") had decided to open an
Plenary Session") had decided to open an investigation at Company A on the basis of Article
37 of the Act of 1 August 2018 on the organisation of the National Commission for
Protection and the General Data Protection Regime (hereinafter: "Act"): "Act
of 1 August 2018") and to appoint Mr Christophe Buschmann as head of the
investigation.
2. According to the decision of the Plenary Session, the investigation conducted by the
Commission for Data Protection (hereinafter: "CNPD") was to verify compliance with
to verify compliance with the provisions of Regulation (EU) 2016/679 of the European Parliament
and of the Council of 27 April 2016 on the protection of individuals with regard to the
protection of individuals with regard to the processing of personal data and on the free movement of such
and repealing Directive 95/46/EC (hereinafter: "RGPD") and the law of 1 August
2018, in particular through the implementation of video surveillance and geolocation systems
geolocation systems, if any, installed by Company A.
3. On 20 March 2019, CNPD officers visited the premises of Company A.
Company A's premises.
1 The decision of the National Commission for Data Protection
1 The decision of the National Commission for Data Protection sitting in a restricted formation on the outcome of the investigation (hereinafter: "Restricted
The decision of the National Commission for Data Protection sitting in restricted formation on the outcome of the investigation (hereinafter: "Restricted Formation") will be limited to the processing operations controlled by the CNPD agents.
4. Company A is a public limited company registered in the Luxembourg Trade and Companies Register under number [...
Companies Register of Luxembourg under number [...], with registered office at L- [...], [...] (hereinafter :
the "controlled"). The object of the Controlled Party [is the operation of a transport company].
transport].
2
5. During the above-mentioned visit, it was confirmed to the CNPD officers that the auditee
uses a video surveillance system, but that it has not installed a video surveillance system.
1 See Minutes No. [...] of the on-site visit to Company A on 20 March 2019 (hereinafter: "Minutes").
A (hereinafter: "Minutes no. [...]").
2 See Articles of Association coordinated at [...].
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
investigation no. [...] carried out at Company A
3/26
geolocation in its vehicles.3 The CNPD officers noted that the video surveillance system
The CNPD officers noted that the video surveillance system is composed of fixed cameras, as well as "dome" type cameras.
dome" type cameras.
4
6. The audited party reacted to the report drawn up by the CNPD officers in a letter dated 20 March
20 March 2019, delivered by hand after the site visit, and by letter dated 6 May 2019.
6 May 2019.
7. At the end of his investigation, the head of the investigation notified the audited company of a statement of objections dated 30 October 2019.
30 October 2019 a statement of objections detailing the shortcomings that he considered to
the case, and more specifically a failure to comply with the requirements of Article 13.1 and
Article 13.1 and 2 of the GDPR (right to information) as regards the data subjects, i.e. employees and
employees and non-employees, i.e. customers, suppliers, service providers and visitors,
suppliers, service providers and visitors (hereinafter: "third parties")
and non-compliance with the requirements of Article 5.1.c) of the GDPR (data minimisation principle).
principle).
8. By letter of 29 November 2019, the auditee submitted its comments on the
statement of objections.
9. A supplementary letter to the Statement of Objections was sent to the
the statement of objections on 3 August 2020. In this letter, the Head of Investigation proposed to the
In this letter, the Head of Investigation proposed to the Panel to adopt three corrective measures and to impose an administrative fine of
administrative fine of EUR 6,800.
10. By letter dated 10 September 2020, the audited party submitted written observations
on the supplementary letter to the statement of objections.
11. The Chair of the Panel informed the auditee by letter of 29 April 2021 that his case would be
2021 that his case would be included in the Panel's meeting of 30 June 2021.
30 June 2021. The auditee confirmed his attendance at the said meeting by e-mail of 8 June 2021.
12. At this sitting, the Head of the Investigation and the auditee, represented by [...], lawyer
the Court, made oral submissions in support of their written submissions and
3 See Minutes No [...], finding 20.
4 See Minutes No [...], Finding 4.
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of investigation no. [...], finding 4.
investigation no. [...] conducted at Company A
4/26
answered the questions put by the Restricted Section. The Chairperson granted
the monitor the opportunity to send to the Panel additional information on the
information on the area covered by the field of view of a specific camera, within two weeks.
two weeks. The auditee was given the floor last.
13. 13. By letter dated 14 July 2021, the audited party provided the additional information
information requested.
II. On the law
II.1 As to the grounds for the decision
A. On the breach of the principle of data minimisation
1. On the principles
14. According to Article 5(1)(c) of the GDPR, personal data must be
be 'adequate, relevant and restricted to what is necessary for the purposes for which
purposes for which they are processed (data minimisation)".
15. The data minimisation principle in relation to video-surveillance implies that
that only what appears to be strictly necessary to achieve the purpose(s) pursued should be filmed.
purpose(s) and that the processing operations should not be disproportionate.5
disproportionate.5
16. Article 5(1)(b) of the GDPR provides that personal data must be
be "collected for specified, explicit and legitimate purposes and not further processed in a way incompatible
further processed in a way incompatible with those purposes; [...] (purpose limitation)".
purposes)'.
17. Before installing a video-surveillance system, the data controller
must define, in a precise manner, the purpose(s) that he wishes to achieve by resorting to
5 See CNPD Guidelines (Point 4.), available at: https://cnpd.public.lu/fr/dossiersthematiques/videosurveillance/necessite-proportionnalite.html.
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
investigation no. [...] conducted at Company A
5/26
such a system, and may not subsequently use the personal data collected for any other purpose.
for other purposes.6
18. The necessity and proportionality of video surveillance is analysed on a case-by-case
case and, in particular, with regard to criteria such as the nature of the place to be placed under
surveillance, its location, configuration or frequency of use.7
2. In the present case
19. During the on-site visit, it was explained to the CNPD officers that the purposes of the
of the video surveillance system are the protection of the controller's property, the protection of
of the controller, the protection of access, as well as the safety of users and the prevention of
prevention of accidents.
8
2.1. Regarding the field of view of the camera aimed at reception
20. During the said visit, the CNPD officers noted that the field of vision of the camera
of the camera named "[...]" allows for the permanent surveillance of the employee working at the reception desk.9
reception desk.9
21. With regard to the said camera, the head of the investigation was of the opinion that even if the
purposes "may find one or more grounds for lawfulness under Article 6, the permanent
surveillance of employees at their workstations is to be considered disproportionate.
disproportionate. Indeed, such permanent surveillance may create a
psychological pressure on employees who feel and know that they are being watched, especially as
and know they are being watched, especially as the surveillance measures continue over time.
(Statement of Objections, Ad. A.3.). It thus found that the audited company did not comply with the requirements of Article 5.1. c) of the GDPR and the audited company's documentation
submitted by the letters of 20 March and 6 May 2019 did not contain any evidence against this
against such non-compliance, nor any explanation as to why such monitoring measures might be necessary.
of such monitoring measures.
6 See CNPD Guidelines, available at: https://cnpd.public.lu/fr/dossiersthematiques/videosurveillance/necessite-proportionnalite.html.
7 See CNPD Guidelines (Point 4.), available at: https://cnpd.public.lu/fr/dossiersthematiques/videosurveillance/necessite-proportionnalite.html.
8 See Finding 9 of Minute No. [...].
9 See finding 10 of minute no. [...].
_____________________________________________________________
Decision of the National Commission sitting in a restricted formation on the outcome of
investigation no. [...] conducted at Company A
6/26
22. The audited company explained in its reply to the statement of objections of
statement of objections of 29 November 2019 that the camera in question was intended to
the building and the reception area, but that it had in its field of view part of the
the reception area, but that it had part of the reception office and the employee working there in its field of view. He also
also explained that following the visit of the CNPD officers, masking was first put in place and that after the
and that afterwards, for technical reasons, the camera had been disconnected from the system and was not
disconnected from the system and was no longer functional since 3 June 2019. Annex 2 of the
letter from the controller dated 10 September 2020 contains photos showing that the camera's field of
field of view of the camera had been masked so as to no longer aim at the employee working at
working at the reception desk.
23. The Panel wishes to recall that employees have the right not to be
surveillance in the workplace. In order to achieve the
purposes, it may seem necessary for a controller to install a video surveillance system
to install a video-surveillance system in the workplace. On the other hand, by respecting
the principle of proportionality, the controller must use the most protective means of
the most protective means of surveillance of the employee's private sphere and, for example, limit the
fields of vision of the cameras to the area necessary to achieve the purpose(s)
purpose(s) pursued.
24. The Panel notes that the controlled party has masked the field of view of the camera
camera aimed at the employee working in the reception area.
25. 25. It nevertheless agrees with the finding of the head of the investigation that the non-compliance with Article 5.1(c) of the GDPR was established on the day of the on-site visit of the CNPD agents as regards the
the day of the on-site visit of the CNPD's agents with regard to the said camera.
2.2 Regarding the field of vision of the camera aimed at the "smoking area
26. During the said visit, the CNPD officers noted that the field of view of the camera
of the camera "[...]" allowed surveillance of a space reserved for employees' free time, in this case a "smoking area".
employees, in this case a "smoking area". 10
10 See finding 17 of minute no. [...].
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
investigation no. [...] conducted at Company A
7/26
27. With regard to the camera having the "smoking area" in its field of vision, the head of the investigation considered that "the surveillance of employees
the head of the investigation considered that "the surveillance of employees in a space reserved for their free time
is to be considered disproportionate since the people present in the smoking area will, in a way, be
smoking area will be permanently subject to video surveillance. He thus
the controlled party of non-compliance with the requirements of Article 5.1. c) of the
RGPD (Statement of Objections, Ad. A.11.).
28. 28. In its reply to the Statement of Objections of 29 November 2019, the
statement of objections of 29 November 2019 that the purpose of the camera was to secure access
access between the car park and his building and that the monitored area would never have been an official
an official smoking area authorised by the controller. As the employees would have
the ashtray themselves in this monitored passage area, the audited party would have decided to
would have decided to remove this smoking area, which would never have been authorised, and to
and to direct the employees to official break areas. By letter dated
10 September 2020, the audited party reiterated these statements.
29. When it comes to places reserved for employees at the workplace for private use, such as a
private use, such as a smoking area, surveillance cameras are in principle considered disproportionate
disproportionate to the intended purpose. The same applies to
The same applies to places such as, for example, changing rooms, toilets, rest areas
kitchenette or any other place reserved for employees for private use. In
these cases, the fundamental rights and freedoms of employees must take precedence over the
interests pursued by the employer.
30. With regard to the camera having the smoking area in its field of vision, the
The Panel notes that the camera shows a large poster of a cigarette,
signalling the authorisation to smoke in this area, as well as a sizeable ashtray.
negligible size. However, it takes into account the letter from the controller dated 14 July 2021, in which he explains that after the
However, it takes into account the audited party's letter of 14 July 2021, in which he explains that after the 30 June 2021 meeting of the Restricted Section,
he realised that for security reasons the team in charge of building management
management team ('[...]') had moved the smoking area into the field of vision of the
camera without informing his internal security team. The auditor also stated
that he assumed that after the on-site visit by the CNPD officers, the "[...]" team would have realized its mistake and would have
realized their mistake and moved the smoking area by replacing the above-mentioned sign
the aforementioned sign indicating that smoking was permitted by a sign indicating that smoking was prohibited
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
investigation no. [...] conducted at Company A
8/26
smoking at this location. In the said letter, the inspector admitted that the smoking area was
in the field of vision of a camera and that this configuration was linked to a lack of
internal communication.
31. The Panel thus agrees with the finding of the head of the investigation that
non-compliance with Article 5(1)(c) of the RGPD was established on the day of the on-site visit by the
the day of the on-site visit of the CNPD agents with regard to the said camera.
2.3 With regard to the field of view of the cameras aimed at the public highway / neighbouring properties
neighbouring properties
32. 32. During the on-site visit on 20 March 2019, the CNPD officers noted
that the fields of view of four cameras include part of a neighbouring property
neighbouring land,11 that the fields of view of two cameras include the public highway,12
while one camera monitors part of the public highway and a neighbouring property.
surrounding land.
13
33. In its letter of 6 May 2019, the auditee stated that it was "currently
limiting the field of view of the cameras and blurring the areas in question, in order to
ensure that the cameras [...] do not include parts of neighbouring properties or parts of the public highway.
parts of the public highway.
34. In his Statement of Objections, the Head of Investigation was of the opinion that even if the
purposes indicated by the monitor may find one or more grounds for lawfulness under Article 6 of the
Article 6 of the GDPR, the surveillance of the public highway and surrounding areas is
However, the surveillance of the public highway and neighbouring properties is to be considered as disproportionate. He also considered that the "documentation
submitted to the CNPD by the letters of 20 March and 6 May 2019 do not contain any
evidence against this non-compliance, nor any explanation as to the possible need for
need for such monitoring measures. However, in its letter of 6 May 2019,
the controller presented mitigating elements on this issue.
11 See findings 12, 13, 15 and 19 of minute no. [...]. These are the cameras named "[...]", "[...]",
"and "[...]".
12 See findings 14 and 16 of minute no. [...]. These are the cameras referred to as "[...]".
13 See finding 18 of minute no. [...]. This concerns the camera named "[...]".
_____________________________________________________________
Decision of the National Commission sitting in a restricted formation on the outcome of
investigation no. [...] conducted at Company A
9/26
35. The head of the investigation thus found that the audited company did not comply with the
requirements of Article 5.1.c) of the GDPR.
36. The Panel wishes to recall that cameras intended to monitor a place of access
access area (entrance and exit, threshold, staircase, door, canopy, hall, etc.) must have a field of view limited to
limited to the area strictly necessary to view the persons about to enter
about to enter. Those filming external accesses must not mark out
the entire width of a pavement running alongside the building or adjacent public roads, if any.
adjacent public roads. Similarly, outdoor cameras installed in or around a building should be configured so as to
Similarly, outdoor cameras installed in the vicinity of or around a building should be configured so as not to capture the public highway or its surroundings,
entrances, accesses and interiors of other neighbouring buildings that may be within their
their field of vision.14
37. However, the Commission recognises that, depending on the configuration of the premises, it may be
impossible to install a camera that does not include in its field of view a part of the
part of the public highway, approaches, entrances, accesses and interiors of other buildings. In
such a case, it considers that the controller should implement masking or blurring
masking or blurring techniques to limit the field of view to his property.15
38. The Panel notes that in its letter of 29 November 2019, the
position on each camera that contained in its field of view a part of the public highway and/or
part of the public highway and/or neighbouring land. With regard to the cameras
and "[...]", the auditor stated that since the on-site visit of the CNPD officers, the cameras had been
the fields of view have been masked so that they no longer include a neighbouring property,16 while the
neighbouring land,16 while the cameras "[...]" and "[...]", even if their fields of view have been partially masked
fields of view have been partially masked, still target a small part of the surrounding land.
neighbouring land.
17
39. Furthermore, the field of view of the "[...]" camera has been masked so that it no longer
the public highway and a neighbouring property, while the field of view of the "[...]" camera has been masked so that it no longer targets the public highway and a neighbouring property.
14 See CNPD Guidelines (Point 4.1.), available at: https://cnpd.public.lu/fr/dossiersthematiques/videosurveillance/necessite-proportionnalite.html.
15 See CNPD Guidelines (Point 4.1.), available at: https://cnpd.public.lu/fr/dossiersthematiques/videosurveillance/necessite-proportionnalite.html.
16 See photos in Annexes 1 and 2 of the letter from the controller of 29 November 2019.
17 See photos in Annexes 3 and 4 of the auditee's letter of 29 November 2019.
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
investigation no. [...] conducted at Company A
10/26
[...]" no longer refers to the public highway.
18 With regard specifically to the camera "[...]
"the auditor stated that, even though the field of view was partially obscured, it still
the field of view has been partially obscured, it is still aimed at a part of the public highway and a nearby forest.19
40. The steps taken by the inspector, following the on-site visit of the
to comply with the provisions of Article 5.1(c) of the GDPR will be taken into account by the
taken into account by the Panel in the section "II.2.
corrective measures and fines".
41. In view of the above, the Panel agrees with the finding of the Head of
of the investigation20 that the non-compliance with Article 5.1.c) of the RGPD with regard to the
the above-mentioned cameras was acquired on the day of the on-site visit of the
CNPD OFFICERS.
B. On the breach of the obligation to inform data subjects
1. On the principles
42. Under Article 12(1) of the GDPR, the "controller shall take appropriate measures to
shall take appropriate measures to provide any information referred to in Articles 13 and 14
as well as to make any communication under Articles 15 to 22 and Article
34 in relation to the processing to the data subject in a concise, transparent, comprehensible and easily accessible manner,
transparent, comprehensible and easily accessible, in clear and simple terms [...].
43. Article 13 of the GDPR provides that:
" 1. Where personal data relating to a data subject are collected from that person, the
1. Where personal data relating to a data subject are collected from that person, the controller shall, at the time when the data are obtained, provide him
(a) the identity and contact details of the data subject
(a) the identity and contact details of the controller and, where applicable, of the
(a) the identity and contact details of the controller and, where applicable, of the representative of the controller;
18 See photos in Annexes 5 and 6 of the letter from the controller dated 29 November 2019.
19 See photo in Annex 7 of the auditee's letter of 29 November 2019.
20 Statement of Objections, Ad. A.4. to A.10.
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
investigation n° [...] carried out at Company A
11/26
b) if applicable, the contact details of the data protection officer;
c) the purposes of the processing operation for which the personal data are intended and the legal
(c) the purposes of the processing operation for which the personal data are intended and the legal basis of the processing operation;
(d) where the processing is based on Article 6(1)(f), the legitimate interests
(d) where the processing is based on Article 6(1)(f), the legitimate interests pursued by the controller or by a third party
(e) the recipients or categories of recipients of the personal data,
(e) the recipients or categories of recipients of the personal data, if any; and
(f) where applicable, the fact that the controller intends to carry out a transfer of personal data to a third party
(f) where applicable, the fact that the controller intends to transfer personal data to a third country or to an international
organisation, and the existence or absence of an adequacy decision by the Commission or, in the case of
or, in the case of transfers referred to in Article 46 or 47, or in Article 49,
(1), second subparagraph, the reference to the appropriate or adequate safeguards and the means of
means of obtaining a copy or the place where they have been made available;
2. In addition to the information referred to in paragraph 1, the controller shall provide
2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject, at the time the personal data are
the following additional information necessary to ensure fair and transparent processing
fair and transparent processing:
(a) the length of time for which the personal data will be kept or, where this is not possible, the criteria used to
(a) the period of time for which the personal data will be kept or, where this is not possible, the criteria used to determine that period
(b) the existence of the right to request from the controller access to, rectification of or erasure of the personal data
(b) the existence of the right to request from the controller access to, rectification or erasure of personal data or a restriction of the processing
(b) the existence of the right to request from the controller access to, rectification or erasure of personal data, or a restriction of the processing relating to the data subject, or the right to object to the processing and the right to data portability
right to data portability;
(c) where the processing is based on Article 6(1)(a) or on Article 9,
(c) where the processing is based on Article 6(1)(a) or Article 9(2)(a), the existence of the right to withdraw consent at any time,
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
conducted at Company A
12/26
without affecting the lawfulness of the processing based on the consent given before the withdrawal of the consent
withdrawal of consent;
d) the right to lodge a complaint with a supervisory authority;
(e) information on whether the requirement to provide personal data is of a regulatory or contractual nature
(e) information on whether the requirement to provide personal data is of a regulatory or contractual nature or is a condition for the conclusion of a contract and whether the
(e) information on whether the requirement to provide personal data is of a regulatory or contractual nature or is a condition for the conclusion of a contract and whether the data subject is obliged to provide the personal data, as well as on the consequences for the data subject of providing the data.
personal data, as well as on the possible consequences of not providing such data
of the data;
(f) the existence of automated decision-making, including profiling, as referred to in Article
(f) the existence of automated decision-making, including profiling, as referred to in Article 22(1) and (4), and, at least in such cases, relevant information about the underlying logic, as well as the
logic and the significance and intended consequences of such processing for the
for the data subject.
3. Where the controller intends to further process the personal data for a purpose other than that for which they were collected, the
personal data for a purpose other than that for which the personal data were collected, the
data were collected, the controller shall provide the data subject with prior information
data subject prior to the processing for that other purpose and any other relevant information
referred to in paragraph 2.
4. 4. Paragraphs 1, 2 and 3 shall not apply where, and insofar as, the data subject already has such information.
concerned already has such information.
44. The provision of information to data subjects about the processing of their data is an essential element in the
44. The provision of information to data subjects on the processing of their data is an essential element of compliance with the
obligations of transparency under the GDPR.21 These obligations have been clarified by the
by the Article 29 Working Party in its guidelines on transparency under
Regulation (EU) 2016/679, the revised version of which was adopted on 11 April 2018
11 April 2018 (hereinafter: "WP 260 rev.01").
21 See in particular Articles 5.1(a) and 12 of the GDPR, see also Recital (39) of the GDPR.
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
investigation no. [...] conducted at Company A
13/26
45. It should be noted that the European Data Protection Committee (hereinafter: "EDPS"), which replaced the
Note that the European Data Protection Committee (hereinafter: "EDPS"), which replaces the Article 29 Working Party since 25 May 2018, has taken over
and re-approved the documents adopted by the Article 29 Working Party between 25 May 2016 and 25 May
May 2018, such as precisely the above-mentioned guidelines on transparency.22
2. In the present case
46. The CNPD officers noted during their site visit that the presence of the video
video surveillance system is not reported to the persons concerned. Upon questioning,
it was nevertheless explained to the CNPD agents that the employees had been informed by
an explanatory e-mail followed by a physical letter.23
In its letter of 6 May 2019, the controller clarified that the document that the employees
received on 25 May 2018 by e-mail and physical mail is the document entitled
"Note to all employees on personal data" and that he is working on "the implementation of an
information about the video surveillance system in two complementary ways
i) the installation of pictograms at the entrance to the monitored areas, and ii) the publication of a
(i) the installation of pictograms at the entrance to the monitored areas, and (ii) the publication of a detailed information notice on the website of [...]. These
operations shall be completed by 1 July 2019.
47. As regards third parties, the Head of the Investigation noted in his Statement of Objections that
statement of objections "that no means were implemented to inform customers, visitors or
customers, visitors or suppliers of the presence of the video surveillance cameras,
particularly by means of signs or pictograms affixed at strategic points within the buildings.
the presence of video surveillance cameras, in particular by means of signs or pictograms affixed at strategic points within the controller's buildings" and that it is therefore
therefore, the audited entity should be held to be in non-compliance with the requirements of Article
13 of the GDPR with regard to third parties (Statement of Objections,
Ad.A.1.).
48. With regard to employees, the head of the investigation found that non-compliance with Article 13 of the
13 of the RGPD was also established on the day of the on-site visit, as "the document 'Note to all
to all employees on Personal Data" communicated to employees does not contain certain
22 See EDPS Endorsement Decision 1/2018 of 25 May 2018, available at:
https://edpb.europa.eu/sites/edpb/files/files/news/endorsement_of_wp29_documents_en_0.pdf.
23 See Findings 1 and 2 of Minute No [...].
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
investigation no. [...] conducted at Company A
14/26
of the compulsory information prescribed by Article 13 of the GDPR. (Statement of
statement of objections, Ad.A.2.).
49. In a letter dated 29 November 2019, the controller stated that after the departure of the
the departure of the CNPD agents, first-level information was provided by means of
pictograms and a short text in French, German and English to alert the public as soon as they
the public as soon as they enter the monitored area.
24 The pictograms would refer to a second-level
The pictograms would refer to a second-level information notice containing all the information required under
The pictograms would refer to a second level information notice containing all the information required under Article 13 of the RGPD available to the public and to employees on their website. With regard to employees
specifically for employees, the controller stated that the "Note to all employees on Personal Data" provided to
on Personal Data" communicated to employees on 25 May 2018 had been updated and
employees would also be informed by the pictograms and the information note available on the
on the website of the controller. At the same time, the section on the GDPR on the intranet of the
intranet would have been updated and the staff delegation would have been informed and consulted
at all stages of the implementation of the video-surveillance system.
50. The Panel would first like to point out that Article 13 of the RGPD refers to the
the obligation imposed on the controller to "provide" all the information
information mentioned therein. The word "provide" is crucial in this case and it "means
that the controller must take concrete steps to provide the data subject with the
information in question to the data subject or to actively direct the data subject to the
data subject to the location of the information (e.g. by means of a direct link, a QR code
link, QR code, etc.). (WP260 rev. 01. paragraph 33).
51. 51. The Commission also considers that a multi-level approach to communicating
transparency information to data subjects can be used in an offline or non-digital
offline or non-digital context, i.e. in a real environment such as personal data collected
personal data collected by means of a video surveillance system.
video surveillance system. The first level of information (warning sign, information note, etc.) should be
The first level of information (warning sign, information note, etc.) should generally include the most
details of the purpose of the processing, the identity of the controller and the existence of
identity of the controller and the existence of the data subjects' rights, as well as the information
impact on the processing operation or any processing operation likely to cause surprise
24 See Annex 8 of the letter from the controller dated 29 November 2019.
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
investigation no. [...] conducted at Company A
15/26
the persons concerned, as well as a reference to the more detailed information of the second level (for example, via a
second level (e.g. via a QR code or a website address).
25 The
second level of information, i.e. the set of information required under Article 13 of the
Article 13 of the GDPR, could be provided or made available by other means,
such as a copy of the privacy policy sent by e-mail to employees or a link on the
employees or a link on the website to an information notice in respect of non-employees
non-employees.
26
2.1. Information to third parties
52. The Panel notes that during the site visit by the CNPD officers, third parties were not informed of the presence of the
CNPD officers, third parties were not informed of the presence of the video surveillance system.
video surveillance system.
53. However, it notes that in its letter of 29 November 2019, the audited party
approach to communicating information on transparency to third parties by means of
transparency to third parties through pictograms and an information note available on its website.
available on its website. The Panel considers that the pictograms
contain the information of the first level of information and that the second level of
information, i.e. the information note available on the website, contains
all the information required under Article 13 of the GDPR.
The Panel notes, however, that all the documentation of the first and second level of information has been provided to the Commission.
and second level of information was only put in place after the on-site visit of the
CNPD officials.
54. 54. In view of the above, it therefore agrees with the Head of Investigation and concludes that
that at the time of the on-site visit of the CNPD officers, Article 13 of the GDPR was not
the controlled party with regard to video surveillance as far as third parties are concerned.
third parties.
25 See EDPS Guidelines 3/2019 on the processing of personal data by video devices, version 2.0
devices, version 2.0, adopted on 29 January 2020 (points 114. and 117.).
26 See WP260 rev. 01 (point 38.)
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
investigation n° [...] conducted at Company A
16/26
2.2. Information for employees
55. With regard to informing employees about the video surveillance system, the
system, the Restricted Section notes that during the on-site visit by CNPD agents, the employees were
employees were informed of the presence of the video-surveillance system by the document "Note to all employees
by the document "Note to all employees on Personal Data".
27 While this document
contains some of the information required by Article 13 of the GDPR, it nevertheless concerns
all the data processed by the controller, all the legal bases applicable to the various
processing carried out by the controller and all the purposes invoked for such processing, without
processing operations, without differentiating between the processing operations concerned. These
information does not therefore comply with the principle of transparency to which every controller is
principle of transparency to which every controller is bound. According to this principle, the information must be
to the data subject "in a concise, transparent, comprehensible and easily accessible manner
easily accessible, in clear and simple terms".
28 Furthermore, the document does not
document does not contain all the information within the meaning of Article 13 of the GDPR.
56. However, the Commission notes that in its letter of 29 November 2019, the controller has
specified its approach at several levels to communicate information on transparency to
transparency to employees, in particular through pictograms and an information note
available on its website. In addition, it mentioned that the document "Note to
all [...] employees on Personal Data" has been updated to include the information
available on the said website. The Panel considers that the pictograms
pictograms contain the first level of information and that the second level of information
information, i.e. the information note available on the website, contains
all the information required under Article 13 of the GDPR.
The Panel notes, however, that all the documentation of the first and second level of information has been provided to the Commission.
and second level of information was only put in place after the on-site visit of the
CNPD officials.
27 The said document can be found in the annex to the inspection letter of 6 May 2019 and mentions the following: [...].
28 See Article 12.1. of the GDPR.
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
investigation no. [...] conducted at Company A
17/26
57. In view of the above, it agrees with the opinion of the head of the investigation and concludes that, at the time of the on-site visit by the
the time of the on-site visit of the CNPD agents, Article 13 of the GDPR was not
Article 13 of the RGPD was not complied with by the audited company with regard to video surveillance of employees.
II. 2. Corrective measures and fines
1. On the principles
58. In accordance with Article 12 of the Act of 1 August 2018, the CNPD has the power to
power to adopt all the corrective measures provided for in Article 58(2) of the RGPD:
"(a) to warn a controller or processor that the proposed processing operations are likely to infringe
(a) warn a controller or processor that the proposed processing operations are likely to infringe the provisions of this Regulation ;
(b) call a controller or processor to order where the processing operations have led to a breach of the
(b) call a controller or processor to order where the processing operations have led to a breach of the provisions of this Regulation
(c) order the controller or processor to comply with requests made by the data
(c) order the controller or processor to comply with requests made by the data subject to exercise his or her rights under this Regulation
(c) order the controller or the processor to comply with requests made by the data subject to exercise his rights under this Regulation ;
(d) order the controller or the processor to bring the processing operations into conformity with the
(d) order the controller or the processor to bring the processing operations into conformity with the provisions of this Regulation, where appropriate, in a specific manner and within a specified period
(d) order the controller or the processor to bring the processing operations into conformity with the provisions of this Regulation, where appropriate, in a specific manner and within a specified period ;
(e) order the controller to notify the data subject of a personal data
(e) order the controller to notify the data subject of a personal data breach
(f) impose a temporary or definitive restriction, including a ban, on processing
(g) order the rectification or erasure of personal data or the restriction of processing pursuant to
(g) order the rectification or erasure of personal data or the restriction of processing pursuant to Articles 16, 17 and 18 and the notification of such
(g) order the rectification or erasure of personal data or the restriction of processing pursuant to Articles 16, 17 and 18 and the notification of such measures to the recipients to whom the personal data have been disclosed
pursuant to Articles 17(2) and 19 ;
(h) withdraw a certification or order the certification body to withdraw a certification
(h) withdraw a certification or order the certification body to withdraw a certification issued pursuant to Articles 42 and 43, or order the certification body to withdraw a certification issued pursuant to Articles 42 and 43
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
investigation n° [...] carried out at Company A
18/26
certification body not to issue a certification if the requirements applicable to the certification
are not or no longer met;
(i) impose an administrative fine pursuant to Article 83, in addition to or instead of the measures referred to in this paragraph
(i) impose an administrative fine pursuant to Article 83, in addition to or instead of the measures referred to in this paragraph, depending on the specific characteristics of each case
(i) impose an administrative fine pursuant to Article 83, in addition to or instead of the measures referred to in this paragraph, depending on the specific characteristics of each case
(j) order the suspension of data flows to a recipient in a third country or to an
(j) order the suspension of data flows to a recipient in a third country or to an international organisation.
59. In accordance with Article 48 of the Act of 1 August 2018, the CNPD may impose administrative
administrative fines as provided for in Article 83 of the GDPR, except against the State or
State or municipalities.
60. Article 83 of the RGPD provides that each supervisory authority shall ensure that the
administrative fines imposed are, in each case, effective, proportionate and dissuasive
and dissuasive, before specifying the elements that should be taken into account when deciding
whether an administrative fine should be imposed and the amount of the fine
(a) the nature, gravity and gravity of the infringement
"(a) the nature, gravity and duration of the breach, taking into account the nature, scope or purpose of the processing concerned
(a) the nature, gravity and duration of the infringement, having regard to the nature, scope or purpose of the processing operation concerned, as well as to the number of data subjects affected and the level of damage that the infringement causes
affected and the level of damage suffered by them ;
(b) whether the breach was committed intentionally or negligently;
(c) any measures taken by the controller or processor to mitigate the damage suffered by
(c) any measures taken by the controller or processor to mitigate the damage suffered by the data subjects
(d) the degree of responsibility of the controller or processor, taking into account the
(d) the degree of responsibility of the controller or processor, taking into account the technical and organisational measures they have implemented pursuant to
Articles 25 and 32 ;
(e) any previous relevant breach by the controller or processor
(e) any previous relevant breach by the controller or the processor;
(f) the degree of cooperation established with the supervisory authority in order to remedy the breach and
(f) the degree of cooperation established with the supervisory authority in order to remedy the breach and to mitigate any negative effects thereof;
_____________________________________________________________
Decision of the National Commission sitting in a restricted formation on the outcome of
investigation no. [...] carried out at Company A
19/26
g) the categories of personal data affected by the breach;
(h) the manner in which the supervisory authority became aware of the breach, in particular whether and to what extent the data controller had been informed of the breach; and
(h) the manner in which the supervisory authority has become aware of the breach, including whether and to what extent the controller or processor has notified the breach;
(i) where measures referred to in Article 58(2) have previously been
(i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned in relation to the same subject-matter, compliance with those measures shall be verified
(i) where measures referred to in Article 58(2) have previously been ordered against the controller or the processor concerned in relation to the same matter, compliance with those measures ;
(j) the application of codes of conduct approved pursuant to Article 40 or of
(j) the application of codes of conduct approved pursuant to Article 40 or certification schemes approved pursuant to Article 42; and
(k) any other aggravating or mitigating circumstances applicable to the circumstances of the
(k) any other aggravating or mitigating circumstances applicable to the circumstances of the case, such as the financial benefits obtained or losses avoided, directly or indirectly, as a result of the
(k) any other aggravating or mitigating circumstances applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, as a result of the violation.
61. The Panel wishes to make it clear that the facts taken into account in the context of this
decision are those found at the beginning of the investigation. Any changes to the data processing
modifications relating to the data processing operations under investigation, even if they
even if they make it possible to establish full or partial compliance, do not
compliance, do not allow for the retroactive annulment of a failure found.
62. Nevertheless, the steps taken by the supervised party to comply with the
with the GDPR during the investigation procedure or to remedy the shortcomings
by the head of the investigation in the statement of objections, are taken into account by the
the Panel in the context of possible remedial action and/or the setting of a possible fine.
the amount of any administrative fine to be imposed.
2. In the present case
2.1 On the imposition of an administrative fine
63. In the letter supplementing the statement of objections of 3 August 2020, the head of the
proposes to the Restricted Section to impose an administrative fine on the
amount of six thousand eight hundred (6,800) euros.
64. In his letter of 10 September 2020, the audited party considered that the amount of the fine is disproportionate to the
disproportionate due to the absence of any intention to cause the
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
investigation no. [...] carried out at Company A
20/26
alleged violations and its efforts to comply, while in its letter of 14 July 2021 it indicated
July 14, 2021 he indicated that he accepts the fact that he had monitored a smoking area with a camera
in violation of the requirements of the GDPR and that he accepts the fine of EUR 6,800.29
65. In order to decide whether an administrative fine should be imposed and to decide
the amount of the fine, the Panel shall take into account the elements
the elements provided for in Article 83(2) of the RGPD :
- As regards the nature and gravity of the breach (Article 83.2.a) of the RGPD), it notes
As regards the breaches of Article 5(1)(c) of the RGPD, they are
constitute breaches of a fundamental principle of the RGPD (and of data protection law in general)
protection law in general), namely the principle of data minimisation enshrined in
principle enshrined in Chapter II "Principles" of the RGPD. It should be noted that at the time of
the time of the on-site visit by the CNPD agents, a camera allowed the permanent
surveillance of the employee working in the reception area, one camera
surveillance of an area reserved for employees' free time, in this case a "smoking
smoking area, while seven cameras were aimed at the surrounding grounds and/or the
and seven cameras were aimed at neighbouring properties and/or the public highway.
- As for the failure to inform the persons concerned
in accordance with Article 13 of the RGPD, the Panel recalls that
information and transparency regarding the processing of personal data are essential
transparency regarding the processing of personal data is an essential obligation for data controllers
data controllers so that individuals are fully aware of the use that will be made of their
their personal data, once collected. A
failure to comply with Article 13 of the RGPD thus constitutes a breach of the rights of the
of the data subjects. This right to information has also been strengthened under the
under the RGPD, which shows their particular importance. It should be noted that
that at the time of the site visit by the CNPD agents, no pictograms, posters or notices
pictograms, posters or information leaflets could be shown to the CNPD officials.
to the CNPD officers. Thus, third parties were not at all
informed of the presence of the video surveillance system in accordance with
Article 13 of the GDPR, while the document given to the employees, i.e. the
29 Original text of the controller's letter of 14 July 2021: "Accordingly we accept the fact that we monitored
a smoking area by CCTV in contravention of CNPD requirements and accept the penalty of Euro 6,800."
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
investigation n° [...] carried out at Company A
21/26
"Note to all employees on Personal Data", did not contain all the information
information required by Article 13 of the GDPR.
- As regards the criterion of duration (Article 83(2)(a) of the GDPR), the Panel
notes that these shortcomings lasted over time, at least since 25 May 2018 and until
25 May 2018 and until the day of the on-site visit. It recalls here that two years have
the entry into force of the RGPD from its entry into application to allow
to comply with their obligations.
obligations. In particular, an obligation to respect the principle of minimisation,
as well as a comparable obligation to provide information already existed under
4.1.b), 10.2 and 26 of the repealed Act of 2 August 2002 on the
protection of persons with regard to the processing of personal data.
personal data. Guidance on the principles and obligations laid down in the said Act was available from the
law was available from the CNPD, in particular through mandatory prior authorisations
prior authorisations for video surveillance.
- As for the number of data subjects (Article 83.2.a) of the GDPR), the
As for the number of data subjects (Article 83.2.a) of the GDPR), the Panel notes that these are [...] employees30 working on the premises of the
premises of the controller, as well as all third parties visiting the said
premises.
- As to the question of whether the breaches were committed deliberately
(Article 83.2.b) of the GDPR), the Panel recalls that "not deliberately" means that the
that "not deliberately" means that there was no intention to commit the breach, although the
breach, although the controller has not complied with its duty of care under
duty of care under the legislation, which is the case here.
- As for the measures taken by the controller to mitigate the damage suffered by the
persons concerned (Article 83.2.c), the Panel takes into account the measures
measures taken by the auditee and refers to Chapter II.2. section 2.2. of this decision for
decision for the explanations related thereto.
- As to the degree of cooperation established with the supervisory authority (Article 83.2.f) of the
RGPD), the Panel takes into account the statement of the head of the investigation
30 [...].
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
investigation no. [...] carried out at Company A
22/26
that the cooperation of the audited company throughout the investigation was good, as well as its willingness to comply with the
and its willingness to comply with the requirements of the GDPR as soon as possible.31
as soon as possible.31
66. The Panel notes that the other criteria of Article 83.2 of the GDPR are neither relevant nor
are neither relevant nor likely to influence its decision on the imposition of an administrative fine and its
administrative fine and its amount.
67. It also notes that while several measures have been put in place by the supervised
to remedy certain shortcomings in whole or in part, these were only adopted following the
adopted following the inspection by CNPD officials on 20 March 2019 (see also point 61 of this
see also paragraph 61 of this decision).
68. The Panel therefore considers that the imposition of an administrative fine is
justified in the light of the criteria laid down in Article 83(2) of the RGPD for
breach of Articles 5(1)(c) and 13 of the RGPD.
69. With regard to the amount of the administrative fine, it recalls that Article 83(3) of the
3 of Article 83 of the RGPD provides that in the event of multiple breaches, as in the case of
case, the total amount of the fine may not exceed the amount set for the most serious
violation. Insofar as a breach of Articles 5 and 13 of the GDPR is alleged, the maximum fine
the maximum fine that can be imposed is EUR 20 million or
20 million or 4% of annual worldwide turnover, whichever is higher.
70. In the light of the relevant criteria of Article 83(2) of the GDPR mentioned above, the
Panel considers that the imposition of a fine of six thousand eight hundred
(6,800) appears to be effective, proportionate and dissuasive, in accordance with the
requirements of Article 83.1 of the GDPR.
2.2 As regards the taking of corrective measures
71. In his supplementary letter to the Statement of Objections of 3 August 2020
the Head of Investigation proposes that the Restricted Panel adopt the following corrective measures
corrective measures:
31 See supplementary letter to the Statement of Objections.
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
investigation n° [...] carried out at Company A
23/26
"a) Order the data controller to complete the information measures
to third parties ([...]) affected by the video surveillance,
in accordance with the provisions of Article 13, paragraphs (1) and (2) of the GDPR by
the identity of the data controller, the contact details of the data protection
Data Protection Officer, the purposes of the processing and its legal basis,
the categories of data processed, the legitimate interests pursued by the controller, the
recipients of the data, the duration of the data storage as well as the indication of the
the rights of the person and how to exercise them.
b) Order the controller to complete the information measures
(b) Order the controller to complete the information measures for the employees concerned by the video surveillance,
in accordance with the provisions of Article 13(1) and (2) of the GDPR by
informing in particular the purposes of the processing and its legal basis, the categories
of data processed, the legitimate interests pursued by the controller, the recipients of the
recipients of the data as well as the period for which the data are kept.
c) Order the controller to process only relevant data,
(c) Order the controller to process only relevant, adequate and limited to what is necessary for the purposes of protecting
(c) Order the controller to process only data which are relevant, adequate and limited to what is necessary for the purposes of protecting property, securing access, ensuring user safety and preventing accidents, and in particular
and, in particular, to adapt the video system so that employees are not filmed at their workstations or in
at their workstations or in areas reserved for their free time, nor to film
parts of the public highway or neighbouring properties, for example by removing or
or reorienting the cameras.
72. As for the remedial measures proposed by the head of the investigation and with reference to
to point 62 of this decision, the Panel takes into account the steps taken by the
the steps taken by the auditee, following the on-site visit of the CNPD officers, to comply with the provisions of Articles 5 and 6 of the
to comply with the provisions of Articles 5.1.c) and 13 of the GDPR, as detailed in its letters of 6 May 2019
in its letters of 6 May 2019, 29 November 2019, 10 September 2020 and 14 July 2021.
July 2021. In particular, it notes the following facts:
With regard to the implementation of information measures for data subjects (third parties and employees), the
concerned (third parties and employees) by the video surveillance, in accordance with the
the provisions of Article 13.1 and 2 of the RGPD, the controller specified in its letter of 29 November 2019 its approach to
letter of 29 November 2019, the audited body specified its multi-level approach to
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
investigation no. [...] conducted at Company A
24/26
communicate information on transparency to the persons concerned by
pictograms containing a brief text in French, German and English, as well as an
and by an information note available on its website. In addition, the
Note to all [...] employees on Personal Data" has been updated to include the information
to include the information available on the website.
The Panel considers that the pictograms contain the first level of information and are
information of the first level of information and that the second level of
information, i.e. the information note available on the website,
contains all the information required under Article 13 of the GDPR.
As to the obligation to process only relevant, adequate and
limited to what is necessary for the purposes of protection of property,
protection of access, as well as the safety of users and the prevention of
of accidents, the Select Committee takes into account that :
o Annex 2 of the letter from the controller dated 10 September 2020 contains
o Annex 2 of the letter from the audited party of 10 September 2020 contains photos showing that the field of view of the camera "[...]" has now been masked so as not to interfere with the access to the premises.
"has been masked so as to no longer permanently aim at the employee working at the reception
working at the reception desk;
o the audited party attached to its letter of 29 November 2019 photos
o the auditor attached to his letter of 29 November 2019 photos showing that the fields of view of the cameras "[...] " " [...] ", " [...]
"and "[...]" have been masked so that they no longer include a neighbouring property and/or public road
and/or the public highway;
o the inspector attached to his letter of 29 November 2019 photos
o the auditor attached to his letter of 29 November 2019 photos showing that the fields of view of the cameras "[...]", "[...]" and "[...]" had been
[...]" have been masked, but he specified that they are still aimed at a small
part of a neighbouring plot of land (a field) and / or the public highway.
In view of the sensitivity of the land under surveillance ([...]), the
considers that the masking in place has reduced the field of view of the cameras in question to the
field of vision of the cameras in question necessary to pursue the
purposes of securing the surroundings and the entrances to the building.
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
investigation no. [...] carried out at Company A
25/26
o in its letter of 14 July 2021, following the meeting of the
session of 30 June 2021, that the "[...]" camera
allowed the surveillance of an area reserved for employees' free time,
in this case a "smoking area", and that this constellation was linked to a
This constellation was linked to a lack of internal communication. In fact, it would have realised that
for safety reasons, the team in charge of managing the buildings
management team ('[...]') had moved the smoking area into the field of vision of the
of the camera in question, without knowing that a smoking area was now in the
without knowing that a smoking area was now in the field of view of a camera and without informing his
and without informing his internal security team, and that he assumed that after the on-site visit by the
the team "[...]" would have moved the smoking area by replacing the aforementioned sign
the aforementioned sign indicating that smoking was permitted by a sign indicating that
smoking is prohibited in this area.
73. In view of the compliance measures taken by the controlled party in this case and
and point 62 of this decision, the Panel considers that there is no evidence of a breach of the
the three remedial measures proposed by the head of the investigation in this respect as
the three remedies proposed by the head of the investigation in this respect as set out in paragraph 71 of this Decision.
In view of the above developments, the National Commission, sitting in a restricted
in a restricted formation and deliberating unanimously decides :
- to retain the breaches of Articles 5.1.c) and 13 of the GDPR ;
- to impose an administrative fine on Company A in the amount of
six thousand eight hundred (6,800) euros, in view of the breaches of Articles 5.1.c) and 13 of the GDPR
Articles 5.1.c) and 13 of the GDPR;
_____________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
investigation no. [...] carried out at Company A
26/26
Thus decided in Belvaux on 1
December 1, 2021.
For the National Commission for Data Protection sitting in restricted formation
sitting in restricted formation
Tine A. Larsen Thierry Lallemang Marc Lemmer
President Commissioner Commissioner
Indication of the means of appeal
An appeal against this administrative decision may be lodged within three months of its notification.
three months after its notification. This appeal must be brought before the administrative court
and must be lodged through a lawyer at the Court of one of the Bar Associations.
of lawyers.
