First Video Surveillance GDPR Fine In France
The French government has imposed a sizeable fine on a small business for violating the GDPR after it constantly filmed employees without informing them and kept poor encryption practices. It marks the first ever GDPR video surveillance fine ever issued by the CNIL, France’s data protection agency, it has confirmed to IPVM.
In this post, we examine the case and what it means for GDPR compliance going forward, including:
- France Video Surveillance Regulations Context
- Company Background
- CNIL Allegations
- What GDPR Articles Were Violated
- How the Fine Was Calculated
- Broader Impact/Conclusion
For background, see our GDPR For Video Surveillance Guide.
Ultimately, the case shows the importance of GDPR compliance and working closely with data authorities to address issues. However, the evidence we found shows no stepped up GDPR violation enforcement for video surveillance.
Context: ******* ****** ***********
** ******, ***** ************************** ******* **** *********, *** **** was *** **** ********** *** ****. *** *******, ******* ***************** ******* ******* **** **** ****** property, **** * ******** ** ***** of ***** *** *****. ** *** workplace, ******** ************ ** ********* ** prohibited - *** **** ******* ****** by ******* ** *******:
***********:***, *** *** ******* ******** ******* in *** [******] ******* *** ******** purposes.**, ** ** ********* ** ******* employees ** **** *******.
Enforcement ***
*******, ****** *********** ** ***** ************ regulations ** ***, *** **** *** not ******* ***** *** **** *** passed. ** ****, **** *** ******* in *** ***** ******* *** ***** for ***** ************ ********** ***** ** employee ********** ** * ****** ******* her ****; *** **** *** *,*** euros ($*,***). *** * ****** ******* was ***** ** ****, *** **** the **** *** ******. **************, *** ****** ** **** ***** surveillance ******* ************** **** ******** **** 47 ** **, *** ****** ******* show.
************, **** ***** ************ ************** *** typically ***** ** **********, * ****** of**** *******************, ***** ***** *** **** ** not *********** ********** *** *** *****, integrators, ** ****** *** ******** **********.
Company **********
*** ******* **** *** ***** ** called*********, * *********** **** ***** ** Paris **** **** * *********. *** revenue ** **** *** ***** $* million *** ** **** ****** ** over $***,***, *** ******** ***********.
CNIL ***********
*** **** ********* **** ** ***** its ************* ***** ** ******** ********** about *********’* ************ ******: * ***** of *, ******** *** *** *** back ** ****. ** **** ******* letters ** ********* *** ******** ** response.
****’* ***** ****** ********** **** ***** in ******** ****, *******:
* ****** ****** *** ***** *** a ******… ********* **** ***** ******** notified
******* *** ****** *** ****** **** company ******
******** ** ***** ** ****** ******* information *** [*****] ******* *** *** ensure **** ******** *** *************** (********'* computers *** *** ******* ********* *** employees ****** * ****** ***** *******)
** ****, *** **** **** ********* two ****** ** *** *** ***** issues. ** *********, ********* ******* ** a ****** **** ** *** ********* them, *** * ****** **** ********** a ***** ***** ***** ****:
*** ****** ******* ********* *** **** doing ** ********** *** ******* ************ since *** ******* ********** ** ********
** *********** *** **** ******* ** the ********* ***** *** ***** ************, which ****** ************ **** *** ******* of *** **********, ******** ** *******, and ****** ********** *** ****
*** * ****** ******** ****** *** been *** ** ***** *** *** employee's ********* *** ** ******** **** been ***** ** ****** ************ ** [who ** *****] *** ***** *****
***** *** ****** **********, ********* ******* it *** ******** **** *** *** by ******* ******* **** ** *** security ******, ******* ** * ****, and ************ ******** ********. *******, *** CNIL ********** **** *** ****** *** still ******* *** ******** ****.
**********, *** **** ****** **** ******* Uniontrad *** *** ****** ********* ****** the *** ***** ****** ** ****, and *** ******* ************** ***** ** that, * *********/****** ******* ***** *****.
What **** ******** **** ********
************, *** **** ****** **** **** GDPR ******** **** ******** ** *********:
******* *, **:******** **** ***** ** ********, ******** and ******* ** **** ** ********* in ******** ** *** ******** *** which **** *** ********* (‘**** ************’). **** ******* ******** ** *** constant ***** ************ ** *********'* *********. French ******* **** (**** ***-****) ** not ****** ****, ****** *** **** the **** ***** "*********** *************", **** as ****** ********* ************, *** * translation ******* **** *** *******, *** CNIL ******. *** **** ***** ****** laws ** ********** ********** *********, *******'* ************ *** **** *********** * $*.* million **** ** * ****** *** "excessive ***** ************."
******* **:*********** ***********, ************* *** ********** *** the ******** ** *** ****** ** the **** *******". *.*. ********* *** *** *********** to *** ********* ***** *** ***** surveillance ****** *****.
******* **:*********** ** ** ******** ***** ******** data *** ********* **** *** **** subject.******* ** ******* **. ********* *** not *** ** * ******* ******* sign ********* ********* ** *** **** processing ****** *****, *** ****** ** contacted *** **** *******, ******* ********, etc. *** ****'***** *** ***** ************ ******** **** ***** **** **** ** information ****** ** *** ** ** such *****.
******* **:******** ** **********: *** ********* ***** implement *********** ********* *** ************** ******** to ****** * ***** ** ******** appropriate ** *** ****. **** ****** ** *********'* **** of ********* ** ******* *********, ***** CNIL ****** "*** *** ****** *** security ** ******** ****".
How *** **** *** **********
***** *******'* ******* **,* ******* **** ** ** ******* euros ($**.* *******) ** *% ** global ****** ******* ** *********, ********* is ******. ***** **** ** "effective, *************, *** **********".
*** **** ********* ********** * **** of **,*** ***** ($**,***). ****** **********'* ***** ***** ************ **** ****,*** **** *** *** ***** * breakdown ** *** **** **** ********* cost. *** **** ****** *** ******* attributed ** *** ******** ********** ***** Uniontrad ***** **** *** *** ******* to **** **** **** ************* ** fix *** ******, **** *** **** stating:
*** ******* - ******** ** **** it ****** - ***** ******** ************ with *** **** ***** *** ****** process *** ******* ***** ***.
*******, ********* **** **** * **** was "****************" ***** ******* ** *** to *** *******'* **** ********* *********. The **** ****** *** ******* ** fine ********* **,*** ***** (***** $**,***). Part ** *** ********** *** *** the **** ** ** **** ****** - **** ** *** * *** practice, ** *** ** **** **** this **** ********** **** *****.
Broader **** ************
*** ********* **** ********* *** ********** of **** **********. **,*** ***** *** a *****, *****-****** ******* ** * big *** *** ** *** ******* video ************ **** *** **** *** issued ***** ** ***** ****, ********* to ********* ******** ** *********.
*** **** **** ** **** ********** that ********* *** ******* ** ***** how *** *** *** ***** **** protection *********** * *** *** **** sophisticated ******* ** ****** ******* *********; prior ** *** ****, ***** ************ violations **** ******* ****** *************'* ***** **** ** *** *** personal *******.
*******, *** ****'* ******* ****** *** be *****. *********** ** *** **** stringent. ** ********* *******, **** ***** surveillance ***** **** **** *** **** the **** ******, *** *** ****** of ***** ************ ************** ******** ************* (47 ** **) **** **** ** 2018.
**** ***** *** **** ******** ** it *** ******** ** *** *********** of ***** ************ *********** *** ** the ****. **** **** ** - the **** ****** ****** ** *** GDPR (** *********** *****) ** *** maximum ********* **** ***** ****** ** 20 ******* ***** ** *% ** global ****** ******* - ********** * big ******, *** ********** *** ******* players, ********** ***** *** **** ****** mandates **** ***** ** "*************".
** **** **** * *** ** make****** **** ************** ** **** ********** have * *** **** ** *** US.
** ************* ** **** ** **** it ******* ** ** ******** ******** they ***. *******, **** *** **** impose * **** ** * ***-** company ** **** **** ******* ** the **.
*** ****** ***** **** ****** ********* are ******** ******* ********** **** *** broadly ** **** **** **** ********** of **** ** ******* ** *** US.
****
*******, **** *** **** ****** * fine ** * ***-** ******* ** they **** ******* ** *** **.
**** ****** ****** **** ***** ****.
******* *** ********* ******* *** ********** revenue ****** ******** ** **** ***** fine, *** *******, * ******** ******* doing ******** ** ***** ;)
******* ******** **** *** **** ** that * ** *** **** ** answer *** - ** ** ********* visit * ********* ************ ** *** US **** **** ***** ** **** EU ********?
***** **** *** **** ***** *** local ****? ** ******** ********* ** an ** ****** ***** **** **** apply, *** *** *** ***** *** around ** **'* * ******** ***.
** ***** ****'* *** * ********** it. ********* *, * ********, ****** be **** ** ***** *** ** any ******* * ****, ***** **'* legal ** ******.
** ********, **** ** * **** question **** ***** ** *****. ** I **** ** ****** **** *** GDPR *** ***** ** *******/********, ** matter ***** **** ***? ** ** pizza ****** ** *** **** **** has * ******** ****** **** ****** a ******* *******, **** **** ******* now **** *** ***** ** ****** a **** *********?
*** ****** ** **. *** **** **** *** ******* "EU ********" ** "** *********" ********. The **** "******* ** *** ********** ** ******** data ** **** ********who *** ** *** ***** [emphasis added]", according to ******* * ('*********** *****'). ** **** ***** ****** - regardless ** *********** ** ********* - within *** ** *** ********* ** the ****. ** **** ***** *** Union, **** *** ***.
** * ******* *** ***** *** look ** *** ***** *** ***'* see ** *** *****, ***'* *** the **********. **** * ********* * would ******* ********* **** **** **** been ***** ** **** **** * vendetta ** **** ****.
***** **** **** *** ** *** would *** *** **** ********** **. Leaving ** *****. *** ********* ***** it's ******* *** *** **** *** happy.
**** ****** ****, *** *** **** really ***** *** *** ******** ****** in ******, ** *** **** ********** database ** ***********, ** **** *** CNIL *** ******* ** **** **** the ******* ** ********** ********* **** and ********* *** *** ***** **** protection, ********** ****** ******* *** ** forth...
******, ** ****** * *** ** company *** ******** ** **** ** a **** ** ** *** ******** 1978 *** (**: "*** ************ ** libertées" ***** ********* ** "*** ** Information ************ *** *******") , **** more ******** *** ****.
** **** ****, **** ** *** camera **** ********** ******* *** *** working *** ******* ***** **** ** tell ***** ********* **** *** ****** is ******* ** *** ** **** request *** *********** **** **** ***** would **** *** ***** ** ******* the **** *** * **** ***** on *****.
** **** ****, **** ** *** camera **** ********** ******* *** *** working *** ******* ***** **** ** tell ***** ********* **** *** ****** is ******* ** *** ** **** request *** *********** **** **** ***** would **** *** ***** ** ******* the **** *** * **** ***** on *****.
** *** **** ***** ** ***** cameras?
***.
**** **** *** ***** ** ***** camera, *** ** ********** ************ *** local *** ***** (********* *** ********* has *** ***** ** **** ** he's ***** ******* ** **.
** ** **** ********** ******* *** efficiency ** * ***** ****** ** make *** ********* ***** **** *** under ************ ** ***** ** *.
*************** ** ******* ****** **** *********?
(*** *** ********, ***** ** * FIDE *********, *** **** *** *****).
* **** * *** ** *** articles ** **** ***** *** ***** not **** *** **** **** *****. Did ***?
**. * ***** ***** **’* * picture ***** ** ******* *** ********* the *********** *** ********, *** **** posted ** *********** ******* **** **** it *** ****** ******* ** *******.
********: **** **** ***** ** *** actions ** * ****** ******, ****** a ***** *****?
*** **** ** ******** **** ***** processed ****** *** ** ***** ***** the ****. ** ***, *** **** 'applies' ** * ***** ***** ** a ******, ** **** ** **** person ** ************ *** ** ** the **. *******, **** *****'* **** the ***** ** *** *********** ** somehow ****** ** *** ****. *** GDPR ** **** *******-******, ********** ****** * ****** ** ********** ***** processing ** *********, *********:
********** **necessary *** *** ******** ** *** ********** ********* ******* ** *** ********** or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. [emphasis added]
** *** ******** *** ******* ******* the "*********** ****** *** ********" ** the **** ******* ********* *** "********** interest" ** ****** *** *****, *.*. ********** cheating.
**** ** * **** * ***** debate **** *** ******** ********* *** legality ** *** ***********'* ***** ***** be ******** *** ** ************ *** GDPR *** ** ********* ** ******'* existing ******* ****. ****** ******* ******** ********* ********** ****** ** ******* ******* their *******. *** *******, ***** *** Paris ******* **** ******** ** ****, a *** ******** ******* *** ************* *** *************** *** **** *** *******, citing ****** ******* ****; *** **** was*********, ** *** ***** *** ********** part ** ********** *************.
** *********, *** ***** **** **** by *** *********** (** ** ****) would **** ****** **** ** *************** of ******** ****** ******* **** - which ******* ********* ***** ***** ** situations - ****** **** *** **** itself.
*******, **** *******!
** ***** **** *** ******** ***********, I ***** *** ******** / ******* would ** ******* ** * ****** in * ******** *****, ** ***, where ** ** *********, ** *****, perceived ** ** *** ******. *** example, *** **** *** ** **** bathroom *** **** **** *** **** camera ********? * ** *** **** this **** **** **** **** ** this ****, **** *** ********* ** cheating, *** ** ** * ****** stunning ****** ** *** ** * camera ** ******* ****** * ******** stall.
****. * **** **** ***** **** times ****** *** ****** ** ** that *** ** ** ****** ****** something ******* ** ****. ** ** opinion ***** *** ******* **************, **** is ********. *******, ****** *** *** shift ******** ****** *** **** ** the **** *** ***** ** ** a ***********.
******* ******** **** *** **** ** that * ** *** **** ** answer *** - ** ** ********* visit * ********* ************ ** *** US **** **** ***** ** **** EU ********?