The National Commission for Data Protection ('CNPD') published, on 13 May 2022, its decision in Case No. 1FR/2022, as issued on 2 February 2022, in which it ordered a fine of €4,900 to an unnamed company for violations of Articles 5(1)(c), 5(1)(e), and 13 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following an investigation.

Background to the case

In particular, the CNPD stated that it had decided, on 22 November 2018, to launch an investigation into the unnamed company on the basis of Article 37 of the Act of 1 August 2018 on the Organisation of the National Commission for Data Protection and Implementing the GDPR ('the Act') and the general data protection regime. In addition, the CNPD noted that the purpose of the investigation was to monitor the application of and compliance with the GDPR and the Act, by verifying the compliance of measures implemented by the unnamed company, in particular by means of a geolocation and a video surveillance device. Furthermore, the CNPD outlined that CNPD agents visited the unnamed company's premises to carry out the investigation on 7 December 2018.

Findings of the CNPD

In particular, the CNPD outlined that the agents observed during the on-site visit that the presence of the video surveillance system was not reported to third parties, such as customers, suppliers, and visitors nor to the employees. Thus, the CNPD concurred with the head of the investigation and concluded that at the time of the on-site visit by the agents, the company failed in its obligation to inform third parties and employees under Article 13 of the GDPR. In addition, the CNPD noted that the surveillance of neighbouring land was disproportionate in view of the purposes for which video surveillance was operated, hence the company breached Article 5(1)(c) of the GDPR.

Furthermore, the CNPD noted that the head of investigation found during the on-site visit that the presence of the geolocation device is not indicated inside the rented vehicles and that third parties are informed about the geolocation device by signing the rental contract which includes specific stipulation relating to this. However, the CNPD concurred with the head investigation that the specific stipulation contained in the vehicle rental contract to inform third parties of the presence of the geolocation device did not meet the requirements of Article 13 of the GDPR. Moreover, the CNPD concluded that the company failed in its obligation arising from Article 5(1)(e) of the GDPR since the CNPD considered that no documentation submitted by the company contains proof that the retention period of geolocation data was no longer than necessary in order to achieve the goals pursued by the controller.

Outcomes

As a result, the CNPD imposed a fine of €4,900 on the unnamed company and also required the unnamed company to bring the processing operations into compliance with the obligations resulting from Articles 5(1)(c), 5(1)(e), and 13 of the GDPR, within a period of four months following notification of the decision.

You can read the press release here and the decision here, both only available in French.