First Video Surveillance GDPR Fine In France

By: Charles Rollet, Published on Jul 08, 2019

The French government has imposed a sizeable fine on a small business for violating the GDPR after it constantly filmed employees without informing them and kept poor encryption practices. It marks the first ever GDPR video surveillance fine ever issued by the CNIL, France’s data protection agency, it has confirmed to IPVM.

first gdpr fine in france

In this post, we examine the case and what it means for GDPR compliance going forward, including:

  • France Video Surveillance Regulations Context
  • Company Background
  • CNIL Allegations
  • What GDPR Articles Were Violated
  • How the Fine Was Calculated
  • Broader Impact/Conclusion

For background, see our GDPR For Video Surveillance Guide.

Ultimately, the case shows the importance of GDPR compliance and working closely with data authorities to address issues. However, the evidence we found shows no stepped up GDPR violation enforcement for video surveillance.

*** ****** ********** *** imposed * ******** **** on * ***** ******** for ********* *** **** after ** ********** ****** employees ******* ********* **** and **** **** ********** practices. ** ***** *** first **** **** ***** surveillance **** **** ****** by *******, ******’* **** ********** agency, ** *** ********* to ****.

first gdpr fine in france

** **** ****, ** examine *** **** *** what ** ***** *** GDPR ********** ***** *******, including:

  • ****** ***** ************ *********** Context
  • ******* **********
  • **** ***********
  • **** **** ******** **** Violated
  • *** *** **** *** Calculated
  • ******* ******/**********

*** **********, *** ******* *** ***** ************ Guide.

**********, *** **** ***** the ********** ** **** compliance *** ******* ******* with **** *********** ** address ******. *******, *** evidence ** ***** ***** no ******* ** **** violation *********** *** ***** surveillance.

[***************]

Context: ******* ****** ***********

** ******, ***** ************************** ******* **** *********, and **** *** *** case ********** *** ****. *** *******, ******* individuals****** ******* ******* **** film ****** ********, **** * ******** in ***** ** ***** own *****. ** *** workplace, ******** ************ ** employees ** ********** - see **** ******* ****** by ******* ** *******:

***********:***, *** *** ******* security ******* ** *** [office] ******* *** ******** purposes.**, ** ** ********* to ******* ********* ** this *******.

Enforcement ***

*******, ****** *********** ** video ************ *********** ** low, *** **** *** not ******* ***** *** GDPR *** ******. ** 2017, **** *** ******* in *** ***** ******* was ***** *** ***** surveillance ********** ***** ** employee ********** ** * camera ******* *** ****; the **** *** *,*** euros ($*,***). *** * single ******* *** ***** in ****, *** **** the **** *** ******. From**********, *** ****** ** CNIL ***** ************ ******* investigations **** ******** **** 47 ** **, *** annual ******* ****.

************, **** ***** ************ investigations *** ********* ***** on **********, * ****** of**** *******************, ***** ***** *** CNIL ** *** *********** inspecting *** *** *****, integrators, ** ****** *** possible **********.

Company **********

*** ******* **** *** fined ** ***************, * *********** **** based ** ***** **** only * *********. *** revenue ** **** *** about $* ******* *** it **** ****** ** over $***,***, *** ******** ***********.

CNIL ***********

*** **** ********* **** it ***** *** ************* based ** ******** ********** about *********’* ************ ******: a ***** ** *, starting *** *** *** back ** ****. ** sent ******* ******* ** Uniontrad *** ******** ** response.

****’* ***** ****** ********** took ***** ** ******** 2018, *******:

* ****** ****** *** desks *** * ******… employees **** ***** ******** notified

******* *** ****** *** longer **** ******* ******

******** ** ***** ** access ******* *********** *** [email] ******* *** *** ensure **** ******** *** confidentiality (********'* ********* *** not ******* ********* *** employees ****** * ****** email *******)

** ****, *** **** gave ********* *** ****** to *** *** ***** issues. ** *********, ********* claimed ** * ****** that ** *** ********* them, *** * ****** CNIL ********** * ***** later ***** ****:

*** ****** ******* ********* has **** ***** ** constantly *** ******* ************ since *** ******* ********** in ********

** *********** *** **** relayed ** *** ********* about *** ***** ************, which ****** ************ **** the ******* ** *** processing, ******** ** *******, and ****** ********** *** data

*** * ****** ******** policy *** **** *** in ***** *** *** employee's ********* *** ** measures **** **** ***** to ****** ************ ** [who ** *****] *** email *****

***** *** ****** **********, Uniontrad ******* ** *** complied **** *** *** by ******* ******* **** on *** ******** ******, putting ** * ****, and ************ ******** ********. However, *** **** ********** that *** ****** *** still ******* *** ******** desk.

**********, *** **** ****** that ******* ********* *** not ****** ********* ****** the *** ***** ****** in ****, *** *** ignored ************** ***** ** that, * *********/****** ******* would *****.

What **** ******** **** ********

************, *** **** ****** that **** **** ******** were ******** ** *********:

******* *, **:******** **** ***** ** adequate, ******** *** ******* to **** ** ********* in ******** ** *** purposes *** ***** **** are ********* (‘**** ************’). **** ******* ******** to *** ******** ***** surveillance ** *********'* *********. French ******* **** (**** pre-GDPR) ** *** ****** this, ****** *** **** the **** ***** "*********** circumstances", **** ** ****** sensitive ************, *** * translation ******* **** *** qualify, *** **** ******. For **** ***** ****** laws ** ********** ********** employees, *******'* ************ *** **** *********** a $*.* ******* **** on * ****** *** "excessive ***** ************."

******* **:*********** ***********, ************* *** modalities *** *** ******** of *** ****** ** the **** *******". *.*. ********* *** not *********** ** *** employees ***** *** ***** surveillance ****** *****.

******* **:*********** ** ** ******** where ******** **** *** collected **** *** **** subject.******* ** ******* **. Uniontrad *** *** *** up * ******* ******* sign ********* ********* ** the **** ********** ****** place, *** ****** ** contacted *** **** *******, storage ********, ***. *** IPVM's**** *** ***** ************ Guide*** **** ***** **** kind ** *********** ****** be *** ** ** such *****.

******* **:******** ** **********: *** processor ***** ********* *********** technical *** ************** ******** to ****** * ***** of ******** *********** ** the ****. **** ****** ** Uniontrad's **** ** ********* on ******* *********, ***** CNIL ****** "*** *** ensure *** ******** ** personal ****".

How *** **** *** **********

***** *******'* ******* **,* ******* **** ** 20 ******* ***** ($**.* million) ** *% ** global ****** ******* ** permitted, ********* ** ******. Fines **** ** "effective, *************, *** **********".

*** **** ********* ********** a **** ** **,*** euros ($**,***). ****** **********'* ***** ***** ************ GDPR ****,*** **** *** *** offer * ********* ** how **** **** ********* cost. *** **** ****** was ******* ********** ** the ******** ********** ***** Uniontrad ***** **** *** its ******* ** **** with **** ************* ** fix *** ******, **** the **** *******:

*** ******* - ******** to **** ** ****** - ***** ******** ************ with *** **** ***** the ****** ******* *** already ***** ***.

*******, ********* **** **** a **** *** "****************" under ******* ** *** to *** *******'* **** financial *********. *** **** agreed *** ******* ** fine ********* **,*** ***** (about $**,***). **** ** the ********** *** *** the **** ** ** made ****** - **** is *** * *** practice, ** *** ** seen **** **** **** of******** **** *****.

Broader **** ************

*** ********* **** ********* the ********** ** **** compliance. **,*** ***** *** a *****, *****-****** ******* is * *** *** and ** *** ******* video ************ **** *** CNIL *** ****** ***** at ***** ****, ********* to ********* ******** ** *********.

*** **** **** ** GDPR ********** **** ********* was ******* ** ***** how *** *** *** given **** ********** *********** a *** *** **** sophisticated ******* ** ****** against *********; ***** ** the ****, ***** ************ violations **** ******* ****** against******'* ***** **** ** law *** ******** *******.

*******, *** ****'* ******* should *** ** *****. Enforcement ** *** **** stringent. ** ********* *******, zero ***** ************ ***** were **** *** **** the **** ******, *** the ****** ** ***** surveillance ************** ******** ************* (47 ** **) **** 2017 ** ****.

**** ***** *** **** directly ** ** *** stepping ** *** *********** of ***** ************ *********** due ** *** ****. They **** ** - the **** ****** ****** by *** **** (** enforcement *****) ** *** maximum ********* **** ***** raised ** ** ******* euros ** *% ** global ****** ******* - admittedly * *** ******, but ********** *** ******* players, ********** ***** *** GDPR ****** ******** **** fines ** "*************".

Comments (15)

****.  * **** **** asked **** ***** ****** how ****** ** ** that *** ** ** Canada ****** ********* ******* to ****.  ** ** opinion ***** *** ******* administration, **** ** ********.  However, ****** *** *** shift ******** ****** *** left ** *** **** few ***** ** ** a ***********.

******* ******** **** *** come ** **** * do *** **** ** answer *** - ** EU ********* ***** * corporate ************ ** *** US **** **** ***** to **** ** ********?

** **** **** * way ** ********** **** ************** ** will ********** **** * use **** ** *** US.

** ************* ** **** is **** ** ******* to ** ******** ******** they ***. *******, **** can **** ****** * fine ** * ***-** company ** **** **** operate ** *** **.

*** ****** ***** **** bigger ********* *** ******** privacy ********** **** *** broadly ** **** **** GDPR ********** ** **** is ******* ** *** US.

****

*******, **** *** **** impose * **** ** a ***-** ******* ** they **** ******* ** the **.

**** ****** ****** **** right ****.  

******* *** ********* ******* and ********** ******* ****** possible ** **** ***** fine, *** *******, * Japanese ******* ***** ******** in ***** ;)

******* ******** **** *** come ** **** * do *** **** ** answer *** - ** EU ********* ***** * corporate ************ ** *** US **** **** ***** to **** ** ********?

***** **** *** **** under *** ***** ****? An ******** ********* ** an ** ****** ***** have **** *****, *** not *** ***** *** around ** **'* * European ***.

** ***** ****'* *** I ********** **. ********* I, * ********, ****** be **** ** ***** pot ** *** ******* I ****, ***** **'* legal ** ******.

** ********, **** ** a **** ******** **** comes ** *****. ** I **** ** ****** with *** **** *** every ** *******/********, ** matter ***** **** ***? If ** ***** ****** in *** **** **** has * ******** ****** that ****** * ******* tourist, **** **** ******* now **** *** ***** to ****** * **** complaint?

*** ****** ** **. *** **** **** not ******* "** ********" or "** *********" ********. The **** "******* ** *** ********** of ******** **** ** data ********who *** ** *** ***** [emphasis added]", according to ******* * ('*********** *****'). ** **** ***** people - ********** ** citizenship ** ********* - within *** ** *** protected ** *** ****. If **** ***** *** Union, **** *** ***.

 

** * ******* *** stand *** **** ** the ***** *** ***'* see ** *** *****, can't *** *** **********. With * ********* * would ******* ********* **** must **** **** ***** on **** **** * vendetta ** **** ****.

***** **** **** *** is *** ***** *** not **** ********** **. Leaving ** *****. *** employees ***** **'* ******* and *** **** *** happy.

 

**** ****** ****, *** law **** ****** ***** for *** ******** ****** in ******, ** *** data ********** ******** ** information, ** **** *** CNIL *** ******* ** 1978 **** *** ******* of ********** ********* **** and ********* *** *** about **** **********, ********** public ******* *** ** forth...

******, ** ****** * lot ** ******* *** thinking ** **** ** a **** ** ** the ******** **** ***  (ie: "***  ************ ** libertées" ***** ********* ** "law ** *********** ************ and *******") , **** more ******** *** ****. 

 

** **** ****, **** if *** ****** **** physically ******* *** *** working *** ******* ***** have ** **** ***** personnel **** *** ****** is ******* ** *** if **** ******* *** information **** **** ***** would **** *** ***** to ******* *** **** for * **** ***** on *****. 

 

** **** ****, **** if *** ****** **** physically ******* *** *** working *** ******* ***** have ** **** ***** personnel **** *** ****** is ******* ** *** if **** ******* *** information **** **** ***** would **** *** ***** to ******* *** **** for * **** ***** on *****.

** *** **** ***** to ***** *******? 

***.

**** **** *** ***** to ***** ******, *** in ********** ************ *** local *** ***** (********* the  ********* *** *** right ** **** ** he's ***** ******* ** no.

** ** **** ********** setting *** ********** ** a ***** ****** ** make *** ********* ***** they *** ***** ************ is ***** ** *.

 

 

*************** ** ******* ****** GDPR *********?

(*** *** ********, ***** is * **** *********, but **** *** *****).

* **** * *** of *** ******** ** this ***** *** ***** not **** *** **** this *****. *** ***?

**.  * ***** ***** it’s * ******* ***** by ******* *** ********* the *********** *** ********, and **** ****** ** anonymously ******* **** **** it *** ****** ******* to *******.

********: **** **** ***** to *** ******* ** a ****** ******, ****** a ***** *****?

*** **** ** ******** data ***** ********* ****** the ** ***** ***** the ****. ** ***, the **** '*******' ** a ***** ***** ** a ******, ** **** as **** ****** ** identifiable *** ** ** the **. *******, **** doesn't **** *** ***** of *** *********** ** somehow ****** ** *** GDPR. *** **** ** very *******-******, ********** ****** * ****** ** situations ***** ********** ** permitted, *********:

********** **necessary *** *** ******** ** *** ********** ********* ******* ** *** ********** or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. [emphasis added]

** *** ******** *** becomes ******* *** "*********** rights *** ********" ** the **** ******* ********* the "********** ********" ** taking *** *****, *.*. ********** cheating.

**** ** * **** a ***** ****** **** any ******** ********* *** legality ** *** ***********'* photo ***** ** ******** not ** ************ *** GDPR *** ** ********* to ******'* ******** ******* laws. ****** ******* ******** ********* ********** ****** ** someone ******* ***** *******. For *******, ***** *** Paris ******* **** ******** of ****, * *** pictured ******* *** ************* *** *************** *** **** the *******, ****** ****** privacy ****; *** **** was*********, ** *** ***** was ********** **** ** legitimate *************.

** *********, *** ***** case **** ** *** grandmaster (** ** ****) would **** ****** **** on *************** ** ******** French ******* **** - which ******* ********* ***** types ** ********** - rather **** *** **** itself.

 

*******, **** *******!

** ***** **** *** American ***********, * ***** the ******** / ******* would ** ******* ** a ****** ** * bathroom *****, ** ***, where ** ** *********, at *****, ********* ** be *** ******. *** example, *** **** *** in **** ******** *** what **** *** **** camera ********? * ** not **** **** **** come **** **** ** this ****, **** *** admission ** ********, *** it ** * ****** stunning ****** ** *** up * ****** ** someone ****** * ******** stall.

Read this IPVM report for free.

This article is part of IPVM's 6,438 reports, 865 tests and is only available to members. To get a one-time preview of our work, enter your work email to access the full article.

Already a member? Login here | Join now

Related Reports

Beware Of Feevr on Apr 14, 2020
Beware of "Feevr". The company is marketing a 'Feevr' solution that...
Wrong Dahua Australia Medical Device Approved on Jul 20, 2020
Dahua's body temperature system is now in Australia's medical device...
FDA "Does Not Intend to Object" To Unapproved Fever Detection Cameras If No 'Undue Risk' on Apr 17, 2020
The US FDA has declared it will not go after the many companies marketing...
Terrible Convergint Coronavirus Thermal Camera Recommendation on Apr 01, 2020
A week after Convergint disclosed falling revenue, pay and job cuts,...
ISC News Fakes Fever Screening, Falsely Quotes FDA on Jun 18, 2020
ISC News, the Reed publication behind the ISC East and West trade shows, has...
Vape Detection Legal Battle: Soter Sues IPVideo Corp on Jul 22, 2020
The crosstown vape detection rivals are now in a legal battle. While IPVideo...
FDA Defines Correct Operation of "Fever Cameras" on May 26, 2020
The US FDA has now defined the correct operation of "Thermal Imaging...
Vulnerability Directory For Access Credentials on Feb 20, 2020
Knowing which access credentials are insecure can be difficult to see,...
FLIR Suspends Agreement With Feevr on May 07, 2020
Thermal manufacturer FLIR has suspended its agreement with Feevr (aka...
FLIR Markets Windows Temperature Screening, Violates IEC And Causes Performance Problems on Jul 17, 2020
FLIR, one of the largest thermal screening manufacturers, is marketing...
Facial Recognition: Weak Sales, Anti Regulation, No Favorite, Says Security Integrators on Jul 07, 2020
While facial recognition has gained greater prominence, a new IPVM study of...
IPVM For PR / Marketing People on Apr 29, 2020
Since IPVM does not accept advertising nor sponsorships, etc., PR / marketing...
Convergint Refuses To Fix Faked Fever Marketing, FTC Complaint Filed on Jun 19, 2020
Since Convergint has refused to fix their faked fever camera marketing, IPVM...
IPVM Rejects Feevr's Improper Threats And Demands on May 04, 2020
IPVM categorically rejects Feevr's improper threats and demands submitted...
China Surveillance Vulnerabilities Being Used To Attack China, Says China on Apr 07, 2020
While China video surveillance vulnerabilities have been much debated in the...

Recent Reports

Dangerous Hikvision Fever Camera Showcased by Chilean City on Aug 07, 2020
Deploying a fever camera outdoors, in the rain, with no black body, is...
"Grand Slam" For Pelco's PE Firm, A Risk For Motorola on Aug 07, 2020
The word "Pelco" and "grand slam" have not been said together for many years....
FLIR Stock Falls, Admits 'Decelerating' Demand For Temperature Screening on Aug 07, 2020
Is the boom going to bust for temperature screening? FLIR disappointed...
VSaaS Will Hurt Integrators on Aug 06, 2020
VSaaS will hurt integrators, there is no question about that. How much...
Dogs For Coronavirus Screening Examined on Aug 06, 2020
While thermal temperature screening is the surveillance industry's most...
ADT Slides Back, Disappointing Results, Poor Commercial Performance on Aug 06, 2020
While ADT had an incredible start to the week, driven by the Google...
AHJ / Authority Having Jurisdiction Tutorial on Aug 06, 2020
One of the most powerful yet often underappreciated characters in all of the...
SIA Coaches Sellers on NDAA 889B Blacklist Workarounds on Aug 05, 2020
Last month SIA demanded that NDAA 899B "must be delayed". Now that they have...
ADI Returns To Growth, Back To 'Pre-COVID Levels' on Aug 05, 2020
While ADI was hit hard in April, with revenue declining 21%, the company's...
Exposing Fever Tablet Suppliers and 40+ Relabelers on Aug 05, 2020
IPVM has found 40+ USA and EU companies relabeling fever tablets designed,...
Directory of 201 "Fever" Camera Suppliers on Aug 04, 2020
This directory provides a list of "Fever" scanning thermal camera providers...
Face Masks Increase Face Recognition Errors Says NIST on Aug 04, 2020
COVID-19 has led to widespread facemask use, which as IPVM testing has shown...
Dahua Loses Australian Medical Device Approval on Aug 04, 2020
Dahua has cancelled its medical device registration after "discussions" with...
Google Invests in ADT, ADT Stock Soars on Aug 03, 2020
Google has announced a $450 million investment in the Florida-based security...