First Video Surveillance GDPR Fine In France

By: Charles Rollet, Published on Jul 08, 2019

The French government has imposed a sizeable fine on a small business for violating the GDPR after it constantly filmed employees without informing them and kept poor encryption practices. It marks the first ever GDPR video surveillance fine ever issued by the CNIL, France’s data protection agency, it has confirmed to IPVM.

first gdpr fine in france

In this post, we examine the case and what it means for GDPR compliance going forward, including:

  • France Video Surveillance Regulations Context
  • Company Background
  • CNIL Allegations
  • What GDPR Articles Were Violated
  • How the Fine Was Calculated
  • Broader Impact/Conclusion

For background, see our GDPR For Video Surveillance Guide.

Ultimately, the case shows the importance of GDPR compliance and working closely with data authorities to address issues. However, the evidence we found shows no stepped up GDPR violation enforcement for video surveillance.

*** ****** ********** *** imposed * ******** **** on * ***** ******** for ********* *** **** after ** ********** ****** employees ******* ********* **** and **** **** ********** practices. ** ***** *** first **** **** ***** surveillance **** **** ****** by *******, ******’* **** ********** agency, ** *** ********* to ****.

first gdpr fine in france

** **** ****, ** examine *** **** *** what ** ***** *** GDPR ********** ***** *******, including:

  • ****** ***** ************ *********** Context
  • ******* **********
  • **** ***********
  • **** **** ******** **** Violated
  • *** *** **** *** Calculated
  • ******* ******/**********

*** **********, *** ******* *** ***** ************ Guide.

**********, *** **** ***** the ********** ** **** compliance *** ******* ******* with **** *********** ** address ******. *******, *** evidence ** ***** ***** no ******* ** **** violation *********** *** ***** surveillance.

[***************]

Context: ******* ****** ***********

** ******, ***** ************************** ******* **** *********, and **** *** *** case ********** *** ****. *** *******, ******* individuals****** ******* ******* **** film ****** ********, **** * ******** in ***** ** ***** own *****. ** *** workplace, ******** ************ ** employees ** ********** - see **** ******* ****** by ******* ** *******:

***********:***, *** *** ******* security ******* ** *** [office] ******* *** ******** purposes.**, ** ** ********* to ******* ********* ** this *******.

Enforcement ***

*******, ****** *********** ** video ************ *********** ** low, *** **** *** not ******* ***** *** GDPR *** ******. ** 2017, **** *** ******* in *** ***** ******* was ***** *** ***** surveillance ********** ***** ** employee ********** ** * camera ******* *** ****; the **** *** *,*** euros ($*,***). *** * single ******* *** ***** in ****, *** **** the **** *** ******. From**********, *** ****** ** CNIL ***** ************ ******* investigations **** ******** **** 47 ** **, *** annual ******* ****.

************, **** ***** ************ investigations *** ********* ***** on **********, * ****** of**** *******************, ***** ***** *** CNIL ** *** *********** inspecting *** *** *****, integrators, ** ****** *** possible **********.

Company **********

*** ******* **** *** fined ** ***************, * *********** **** based ** ***** **** only * *********. *** revenue ** **** *** about $* ******* *** it **** ****** ** over $***,***, *** ******** ***********.

CNIL ***********

*** **** ********* **** it ***** *** ************* based ** ******** ********** about *********’* ************ ******: a ***** ** *, starting *** *** *** back ** ****. ** sent ******* ******* ** Uniontrad *** ******** ** response.

****’* ***** ****** ********** took ***** ** ******** 2018, *******:

* ****** ****** *** desks *** * ******… employees **** ***** ******** notified

******* *** ****** *** longer **** ******* ******

******** ** ***** ** access ******* *********** *** [email] ******* *** *** ensure **** ******** *** confidentiality (********'* ********* *** not ******* ********* *** employees ****** * ****** email *******)

** ****, *** **** gave ********* *** ****** to *** *** ***** issues. ** *********, ********* claimed ** * ****** that ** *** ********* them, *** * ****** CNIL ********** * ***** later ***** ****:

*** ****** ******* ********* has **** ***** ** constantly *** ******* ************ since *** ******* ********** in ********

** *********** *** **** relayed ** *** ********* about *** ***** ************, which ****** ************ **** the ******* ** *** processing, ******** ** *******, and ****** ********** *** data

*** * ****** ******** policy *** **** *** in ***** *** *** employee's ********* *** ** measures **** **** ***** to ****** ************ ** [who ** *****] *** email *****

***** *** ****** **********, Uniontrad ******* ** *** complied **** *** *** by ******* ******* **** on *** ******** ******, putting ** * ****, and ************ ******** ********. However, *** **** ********** that *** ****** *** still ******* *** ******** desk.

**********, *** **** ****** that ******* ********* *** not ****** ********* ****** the *** ***** ****** in ****, *** *** ignored ************** ***** ** that, * *********/****** ******* would *****.

What **** ******** **** ********

************, *** **** ****** that **** **** ******** were ******** ** *********:

******* *, **:******** **** ***** ** adequate, ******** *** ******* to **** ** ********* in ******** ** *** purposes *** ***** **** are ********* (‘**** ************’). **** ******* ******** to *** ******** ***** surveillance ** *********'* *********. French ******* **** (**** pre-GDPR) ** *** ****** this, ****** *** **** the **** ***** "*********** circumstances", **** ** ****** sensitive ************, *** * translation ******* **** *** qualify, *** **** ******. For **** ***** ****** laws ** ********** ********** employees, *******'* ************ *** **** *********** a $*.* ******* **** on * ****** *** "excessive ***** ************."

******* **:*********** ***********, ************* *** modalities *** *** ******** of *** ****** ** the **** *******". *.*. ********* *** not *********** ** *** employees ***** *** ***** surveillance ****** *****.

******* **:*********** ** ** ******** where ******** **** *** collected **** *** **** subject.******* ** ******* **. Uniontrad *** *** *** up * ******* ******* sign ********* ********* ** the **** ********** ****** place, *** ****** ** contacted *** **** *******, storage ********, ***. *** IPVM's**** *** ***** ************ Guide*** **** ***** **** kind ** *********** ****** be *** ** ** such *****.

******* **:******** ** **********: *** processor ***** ********* *********** technical *** ************** ******** to ****** * ***** of ******** *********** ** the ****. **** ****** ** Uniontrad's **** ** ********* on ******* *********, ***** CNIL ****** "*** *** ensure *** ******** ** personal ****".

How *** **** *** **********

***** *******'* ******* **,* ******* **** ** 20 ******* ***** ($**.* million) ** *% ** global ****** ******* ** permitted, ********* ** ******. Fines **** ** "effective, *************, *** **********".

*** **** ********* ********** a **** ** **,*** euros ($**,***). ****** **********'* ***** ***** ************ GDPR ****,*** **** *** *** offer * ********* ** how **** **** ********* cost. *** **** ****** was ******* ********** ** the ******** ********** ***** Uniontrad ***** **** *** its ******* ** **** with **** ************* ** fix *** ******, **** the **** *******:

*** ******* - ******** to **** ** ****** - ***** ******** ************ with *** **** ***** the ****** ******* *** already ***** ***.

*******, ********* **** **** a **** *** "****************" under ******* ** *** to *** *******'* **** financial *********. *** **** agreed *** ******* ** fine ********* **,*** ***** (about $**,***). **** ** the ********** *** *** the **** ** ** made ****** - **** is *** * *** practice, ** *** ** seen **** **** **** of******** **** *****.

Broader **** ************

*** ********* **** ********* the ********** ** **** compliance. **,*** ***** *** a *****, *****-****** ******* is * *** *** and ** *** ******* video ************ **** *** CNIL *** ****** ***** at ***** ****, ********* to ********* ******** ** *********.

*** **** **** ** GDPR ********** **** ********* was ******* ** ***** how *** *** *** given **** ********** *********** a *** *** **** sophisticated ******* ** ****** against *********; ***** ** the ****, ***** ************ violations **** ******* ****** against******'* ***** **** ** law *** ******** *******.

*******, *** ****'* ******* should *** ** *****. Enforcement ** *** **** stringent. ** ********* *******, zero ***** ************ ***** were **** *** **** the **** ******, *** the ****** ** ***** surveillance ************** ******** ************* (47 ** **) **** 2017 ** ****.

**** ***** *** **** directly ** ** *** stepping ** *** *********** of ***** ************ *********** due ** *** ****. They **** ** - the **** ****** ****** by *** **** (** enforcement *****) ** *** maximum ********* **** ***** raised ** ** ******* euros ** *% ** global ****** ******* - admittedly * *** ******, but ********** *** ******* players, ********** ***** *** GDPR ****** ******** **** fines ** "*************".

Comments (15)

****.  * **** **** asked **** ***** ****** how ****** ** ** that *** ** ** Canada ****** ********* ******* to ****.  ** ** opinion ***** *** ******* administration, **** ** ********.  However, ****** *** *** shift ******** ****** *** left ** *** **** few ***** ** ** a ***********.

******* ******** **** *** come ** **** * do *** **** ** answer *** - ** EU ********* ***** * corporate ************ ** *** US **** **** ***** to **** ** ********?

** **** **** * way ** ********** **** ************** ** will ********** **** * use **** ** *** US.

** ************* ** **** is **** ** ******* to ** ******** ******** they ***. *******, **** can **** ****** * fine ** * ***-** company ** **** **** operate ** *** **.

*** ****** ***** **** bigger ********* *** ******** privacy ********** **** *** broadly ** **** **** GDPR ********** ** **** is ******* ** *** US.

****

*******, **** *** **** impose * **** ** a ***-** ******* ** they **** ******* ** the **.

**** ****** ****** **** right ****.  

******* *** ********* ******* and ********** ******* ****** possible ** **** ***** fine, *** *******, * Japanese ******* ***** ******** in ***** ;)

******* ******** **** *** come ** **** * do *** **** ** answer *** - ** EU ********* ***** * corporate ************ ** *** US **** **** ***** to **** ** ********?

***** **** *** **** under *** ***** ****? An ******** ********* ** an ** ****** ***** have **** *****, *** not *** ***** *** around ** **'* * European ***.

** ***** ****'* *** I ********** **. ********* I, * ********, ****** be **** ** ***** pot ** *** ******* I ****, ***** **'* legal ** ******.

** ********, **** ** a **** ******** **** comes ** *****. ** I **** ** ****** with *** **** *** every ** *******/********, ** matter ***** **** ***? If ** ***** ****** in *** **** **** has * ******** ****** that ****** * ******* tourist, **** **** ******* now **** *** ***** to ****** * **** complaint?

*** ****** ** **. *** **** **** not ******* "** ********" or "** *********" ********. The **** "******* ** *** ********** of ******** **** ** data ********who *** ** *** ***** [emphasis added]", according to ******* * ('*********** *****'). ** **** ***** people - ********** ** citizenship ** ********* - within *** ** *** protected ** *** ****. If **** ***** *** Union, **** *** ***.

 

** * ******* *** stand *** **** ** the ***** *** ***'* see ** *** *****, can't *** *** **********. With * ********* * would ******* ********* **** must **** **** ***** on **** **** * vendetta ** **** ****.

***** **** **** *** is *** ***** *** not **** ********** **. Leaving ** *****. *** employees ***** **'* ******* and *** **** *** happy.

 

**** ****** ****, *** law **** ****** ***** for *** ******** ****** in ******, ** *** data ********** ******** ** information, ** **** *** CNIL *** ******* ** 1978 **** *** ******* of ********** ********* **** and ********* *** *** about **** **********, ********** public ******* *** ** forth...

******, ** ****** * lot ** ******* *** thinking ** **** ** a **** ** ** the ******** **** ***  (ie: "***  ************ ** libertées" ***** ********* ** "law ** *********** ************ and *******") , **** more ******** *** ****. 

 

** **** ****, **** if *** ****** **** physically ******* *** *** working *** ******* ***** have ** **** ***** personnel **** *** ****** is ******* ** *** if **** ******* *** information **** **** ***** would **** *** ***** to ******* *** **** for * **** ***** on *****. 

 

** **** ****, **** if *** ****** **** physically ******* *** *** working *** ******* ***** have ** **** ***** personnel **** *** ****** is ******* ** *** if **** ******* *** information **** **** ***** would **** *** ***** to ******* *** **** for * **** ***** on *****.

** *** **** ***** to ***** *******? 

***.

**** **** *** ***** to ***** ******, *** in ********** ************ *** local *** ***** (********* the  ********* *** *** right ** **** ** he's ***** ******* ** no.

** ** **** ********** setting *** ********** ** a ***** ****** ** make *** ********* ***** they *** ***** ************ is ***** ** *.

 

 

*************** ** ******* ****** GDPR *********?

(*** *** ********, ***** is * **** *********, but **** *** *****).

* **** * *** of *** ******** ** this ***** *** ***** not **** *** **** this *****. *** ***?

**.  * ***** ***** it’s * ******* ***** by ******* *** ********* the *********** *** ********, and **** ****** ** anonymously ******* **** **** it *** ****** ******* to *******.

********: **** **** ***** to *** ******* ** a ****** ******, ****** a ***** *****?

*** **** ** ******** data ***** ********* ****** the ** ***** ***** the ****. ** ***, the **** '*******' ** a ***** ***** ** a ******, ** **** as **** ****** ** identifiable *** ** ** the **. *******, **** doesn't **** *** ***** of *** *********** ** somehow ****** ** *** GDPR. *** **** ** very *******-******, ********** ****** * ****** ** situations ***** ********** ** permitted, *********:

********** **necessary *** *** ******** ** *** ********** ********* ******* ** *** ********** or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. [emphasis added]

** *** ******** *** becomes ******* *** "*********** rights *** ********" ** the **** ******* ********* the "********** ********" ** taking *** *****, *.*. ********** cheating.

**** ** * **** a ***** ****** **** any ******** ********* *** legality ** *** ***********'* photo ***** ** ******** not ** ************ *** GDPR *** ** ********* to ******'* ******** ******* laws. ****** ******* ******** ********* ********** ****** ** someone ******* ***** *******. For *******, ***** *** Paris ******* **** ******** of ****, * *** pictured ******* *** ************* *** *************** *** **** the *******, ****** ****** privacy ****; *** **** was*********, ** *** ***** was ********** **** ** legitimate *************.

** *********, *** ***** case **** ** *** grandmaster (** ** ****) would **** ****** **** on *************** ** ******** French ******* **** - which ******* ********* ***** types ** ********** - rather **** *** **** itself.

 

*******, **** *******!

** ***** **** *** American ***********, * ***** the ******** / ******* would ** ******* ** a ****** ** * bathroom *****, ** ***, where ** ** *********, at *****, ********* ** be *** ******. *** example, *** **** *** in **** ******** *** what **** *** **** camera ********? * ** not **** **** **** come **** **** ** this ****, **** *** admission ** ********, *** it ** * ****** stunning ****** ** *** up * ****** ** someone ****** * ******** stall.

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports

Austria’s First GDPR Fine Is For Video Surveillance on Jan 29, 2019
Should EU businesses be concerned if police see a business' surveillance cameras filming public areas? This is what happened with Austria’s first...
Verified Response Discontinued in Silicon Valley San Jose on Feb 28, 2019
Almost all security alarms are false. This has driven some municipalities to require verified response before dispatching police. However, now San...
US City Sued For Hiding Surveillance Camera Map on Mar 08, 2019
UPDATE: The judgment is now in and updated information is at the bottom of the post. Should maps of public surveillance camera locations be kept...
UK Camera Commissioner Calls for Regulating Facial Recognition on Apr 15, 2019
IPVM interviewed Tony Porter, the UK’s surveillance camera commissioner after he recently called for regulations on facial recognition in the...
Verkada Wins $783,000 Memphis Deal on Apr 29, 2019
The US city, most famous in video surveillance for standardizing on Hikvision, has issued an RFQ for 962 Verkada cameras due Wednesday, May 1,...
San Francisco Face Recognition Ban And Surveillance Regulation Details Examined on May 14, 2019
San Francisco passed the legislation 8-1 today. While the face recognition 'ban' has already received significant attention over the past few...
New GDPR Guidelines for Video Surveillance Examined on Jul 18, 2019
The highest-level EU data protection authority has issued a new series of provisional video surveillance guidelines. While GDPR has been in...
UK Facewatch GDPR Compliance Questioned on Aug 27, 2019
Even as the GDPR strictly regulates biometrics, a UK company called Facewatch is selling anti-shoplifter facial recognition systems to hundreds of...
First GDPR Facial Recognition Fine For Sweden School on Aug 22, 2019
A school in Sweden has been fined $20,000 for using facial recognition to keep attendance in what is Sweden's first GDPR fine. Notably, the fine is...
France Declares School Facial Recognition Illegal Due to GDPR on Oct 31, 2019
France is the latest European country to effectively prohibit facial recognition as a school access control solution, even with the consent of...

Most Recent Industry Reports

Hazardous & Explosion Proof Access Control Tutorial on Feb 27, 2020
Controlling access to hazardous environments requires equipment meeting specific ratings that certify they will not start fires or will not...
Motorola / Avigilon Drops ISC West on Feb 26, 2020
Motorola Solutions has pulled out of ISC West 2020 effective immediately, because of coronavirus concerns, IPVM has learned. This is done amidst...
Cancel or Not? Industry Split Over ISC West on Feb 26, 2020
The industry is split, polarized, over whether ISC West 2020 should run or be canceled. New IPVM survey results of 400+ respondents show heated...
Coronavirus Hits Sony, Bosch Says Switch on Feb 26, 2020
Sony's fall in video surveillance has been severe over the past decade. Now, they may be done. In this note, we examine Bosch's new...
Video Surveillance Cameras 101 on Feb 25, 2020
Cameras come in many shapes, sizes and specifications. This 101 examines the basics of cameras and features used in 2020. In this report, we...
Favorite Video Analytic Manufacturers 2020 on Feb 25, 2020
Video analytics is now as hot as ever, driven by the excitement of advancing deep learning offers. But what are actually integrator's...
Latest London Police Facial Recognition Suffers Serious Issues on Feb 24, 2020
On February 20, IPVM visited another live face rec deployment by London police, but this time the system was thwarted by technical problems and...
Masks Cause Major Facial Recognition Problems on Feb 24, 2020
Coronavirus is spurring an increase in the use of medical masks, which new IPVM test results show cause major problems for facial recognition...
Every VMS Will Become a VSaaS on Feb 21, 2020
VMS is ending. Soon every VMS will be a VSaaS. Competitive dynamics will be redrawn. What does this mean? VMS Historically...
Video Surveillance 101 Course - Last Chance on Feb 20, 2020
This is the last chance to join IPVM's first Video Surveillance 101 course, designed to help those new to the industry to quickly understand the...