The National Commission for Data Protection ('CNPD') published, on 13 May 2022, its decision in Case No. 3FR/2022, as issued on 2 February 2022, in which it ordered a fine of €1,000 to an unnamed company, for violations of Articles 5(1)(c) and 13 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following an investigation.

Background to the case

In particular, the CNPD stated that it had decided, on 14 Janaury 2020, to launch an investigation on the unnamed company on the basis of Article 37 of the Act of 1 August 2018 on the Organisation of the National Commission for Data Protection and Implementing the GDPR ('the Act') and the general data protection regime. In addition, the CNPD noted that the purpose of the investigation was to monitor the application of and compliance with the GDPR and the Act, and more specifically the installation of surveillance cameras. Furthermore, the CNPD outlined that CNPD agents visited the unnamed company's premises to carry out the investigation on 29 January 2020. 

Findings of the CNPD

In particular, the CNPD outlined that with regard to the information provided to third parties and employees about the video surveillance system, the head of the investigation noted that the controller used small stickers affixed next to the entrance door at the front of the café to inform about the presence of video surveillance measures. In addition, the CNPD concurred with the head of the investigation that neither the sticker nor the signs affixed after the on-site visit of the CNPD agents fulfilled all the requirements of Article 13 of the GDPR. Hence, the CNPD agreed with the head of the investigation that the controller had failed in its obligation to inform both employees and third parties about the video surveillance as required by Article 13 of the GDPR. Furthermore, the CNPD agreed with the head of the investigation that at the time of the on-site visit of the CNPD agents the controller had failed to comply with its obligation under Article 5.1(c) of the GDPR, with regard to third parties and employees.

Outcomes

As a result, the CNPD imposed a fine of €1,000 on the unnamed company and also required the unnamed company to bring the processing operations into compliance with the obligations resulting from Articles 5(1)(c) and 13 of the GDPR, within a period of two months following notification of the decision, and in particular to:

• remove the cameras with the field of view of employees' workstations;
• remove the cameras which have as their field of view areas for consumption and/or relaxation and/or play;
• remove cameras installed outside the front of the establishment, or to reconfigure the field of vision of this camera so that the field of view is limited to the area strictly necessary to view the persons about to access it; and
• inform non-employees and employees in a clear and precise manner about the video surveillance system by providing them with information in accordance with Article 13 of the GDPR.

Lastly, the CNPD stated that the decision can be appealed within three months of its notification.

You can read the press release here and the decision here, both only available in French.