First Video Surveillance GDPR Fine In France

By Charles Rollet, Published Jul 08, 2019, 09:12am EDT

The French government has imposed a sizeable fine on a small business for violating the GDPR after it constantly filmed employees without informing them and kept poor encryption practices. It marks the first ever GDPR video surveillance fine ever issued by the CNIL, France’s data protection agency, it has confirmed to IPVM.

first gdpr fine in france

In this post, we examine the case and what it means for GDPR compliance going forward, including:

  • France Video Surveillance Regulations Context
  • Company Background
  • CNIL Allegations
  • What GDPR Articles Were Violated
  • How the Fine Was Calculated
  • Broader Impact/Conclusion

For background, see our GDPR For Video Surveillance Guide.

Ultimately, the case shows the importance of GDPR compliance and working closely with data authorities to address issues. However, the evidence we found shows no stepped up GDPR violation enforcement for video surveillance.

Context: ******* ****** ***********

** ******, ***** ************************** ******* **** *********, and **** *** *** case ********** *** ****. *** *******, ******* individuals****** ******* ******* **** film ****** ********, **** * ******** in ***** ** ***** own *****. ** *** workplace, ******** ************ ** employees ** ********** - see **** ******* ****** by ******* ** *******:

***********:***, *** *** ******* security ******* ** *** [office] ******* *** ******** purposes.**, ** ** ********* to ******* ********* ** this *******.

Enforcement ***

*******, ****** *********** ** video ************ *********** ** low, *** **** *** not ******* ***** *** GDPR *** ******. ** 2017, **** *** ******* in *** ***** ******* was ***** *** ***** surveillance ********** ***** ** employee ********** ** * camera ******* *** ****; the **** *** *,*** euros ($*,***). *** * single ******* *** ***** in ****, *** **** the **** *** ******. From**********, *** ****** ** CNIL ***** ************ ******* investigations **** ******** **** 47 ** **, *** annual ******* ****.

************, **** ***** ************ investigations *** ********* ***** on **********, * ****** of**** *******************, ***** ***** *** CNIL ** *** *********** inspecting *** *** *****, integrators, ** ****** *** possible **********.

Company **********

*** ******* **** *** fined ** ***************, * *********** **** based ** ***** **** only * *********. *** revenue ** **** *** about $* ******* *** it **** ****** ** over $***,***, *** ******** ***********.

CNIL ***********

*** **** ********* **** it ***** *** ************* based ** ******** ********** about *********’* ************ ******: a ***** ** *, starting *** *** *** back ** ****. ** sent ******* ******* ** Uniontrad *** ******** ** response.

****’* ***** ****** ********** took ***** ** ******** 2018, *******:

* ****** ****** *** desks *** * ******… employees **** ***** ******** notified

******* *** ****** *** longer **** ******* ******

******** ** ***** ** access ******* *********** *** [email] ******* *** *** ensure **** ******** *** confidentiality (********'* ********* *** not ******* ********* *** employees ****** * ****** email *******)

** ****, *** **** gave ********* *** ****** to *** *** ***** issues. ** *********, ********* claimed ** * ****** that ** *** ********* them, *** * ****** CNIL ********** * ***** later ***** ****:

*** ****** ******* ********* has **** ***** ** constantly *** ******* ************ since *** ******* ********** in ********

** *********** *** **** relayed ** *** ********* about *** ***** ************, which ****** ************ **** the ******* ** *** processing, ******** ** *******, and ****** ********** *** data

*** * ****** ******** policy *** **** *** in ***** *** *** employee's ********* *** ** measures **** **** ***** to ****** ************ ** [who ** *****] *** email *****

***** *** ****** **********, Uniontrad ******* ** *** complied **** *** *** by ******* ******* **** on *** ******** ******, putting ** * ****, and ************ ******** ********. However, *** **** ********** that *** ****** *** still ******* *** ******** desk.

**********, *** **** ****** that ******* ********* *** not ****** ********* ****** the *** ***** ****** in ****, *** *** ignored ************** ***** ** that, * *********/****** ******* would *****.

What **** ******** **** ********

************, *** **** ****** that **** **** ******** were ******** ** *********:

******* *, **:******** **** ***** ** adequate, ******** *** ******* to **** ** ********* in ******** ** *** purposes *** ***** **** are ********* (‘**** ************’). **** ******* ******** to *** ******** ***** surveillance ** *********'* *********. French ******* **** (**** pre-GDPR) ** *** ****** this, ****** *** **** the **** ***** "*********** circumstances", **** ** ****** sensitive ************, *** * translation ******* **** *** qualify, *** **** ******. For **** ***** ****** laws ** ********** ********** employees, *******'* ************ *** **** *********** a $*.* ******* **** on * ****** *** "excessive ***** ************."

******* **:*********** ***********, ************* *** modalities *** *** ******** of *** ****** ** the **** *******". *.*. ********* *** not *********** ** *** employees ***** *** ***** surveillance ****** *****.

******* **:*********** ** ** ******** where ******** **** *** collected **** *** **** subject.******* ** ******* **. Uniontrad *** *** *** up * ******* ******* sign ********* ********* ** the **** ********** ****** place, *** ****** ** contacted *** **** *******, storage ********, ***. *** IPVM's**** *** ***** ************ Guide*** **** ***** **** kind ** *********** ****** be *** ** ** such *****.

******* **:******** ** **********: *** processor ***** ********* *********** technical *** ************** ******** to ****** * ***** of ******** *********** ** the ****. **** ****** ** Uniontrad's **** ** ********* on ******* *********, ***** CNIL ****** "*** *** ensure *** ******** ** personal ****".

How *** **** *** **********

***** *******'* ******* **,* ******* **** ** 20 ******* ***** ($**.* million) ** *% ** global ****** ******* ** permitted, ********* ** ******. Fines **** ** "effective, *************, *** **********".

*** **** ********* ********** a **** ** **,*** euros ($**,***). ****** **********'* ***** ***** ************ GDPR ****,*** **** *** *** offer * ********* ** how **** **** ********* cost. *** **** ****** was ******* ********** ** the ******** ********** ***** Uniontrad ***** **** *** its ******* ** **** with **** ************* ** fix *** ******, **** the **** *******:

*** ******* - ******** to **** ** ****** - ***** ******** ************ with *** **** ***** the ****** ******* *** already ***** ***.

*******, ********* **** **** a **** *** "****************" under ******* ** *** to *** *******'* **** financial *********. *** **** agreed *** ******* ** fine ********* **,*** ***** (about $**,***). **** ** the ********** *** *** the **** ** ** made ****** - **** is *** * *** practice, ** *** ** seen **** **** **** of******** **** *****.

Broader **** ************

*** ********* **** ********* the ********** ** **** compliance. **,*** ***** *** a *****, *****-****** ******* is * *** *** and ** *** ******* video ************ **** *** CNIL *** ****** ***** at ***** ****, ********* to ********* ******** ** *********.

*** **** **** ** GDPR ********** **** ********* was ******* ** ***** how *** *** *** given **** ********** *********** a *** *** **** sophisticated ******* ** ****** against *********; ***** ** the ****, ***** ************ violations **** ******* ****** against******'* ***** **** ** law *** ******** *******.

*******, *** ****'* ******* should *** ** *****. Enforcement ** *** **** stringent. ** ********* *******, zero ***** ************ ***** were **** *** **** the **** ******, *** the ****** ** ***** surveillance ************** ******** ************* (47 ** **) **** 2017 ** ****.

**** ***** *** **** directly ** ** *** stepping ** *** *********** of ***** ************ *********** due ** *** ****. They **** ** - the **** ****** ****** by *** **** (** enforcement *****) ** *** maximum ********* **** ***** raised ** ** ******* euros ** *% ** global ****** ******* - admittedly * *** ******, but ********** *** ******* players, ********** ***** *** GDPR ****** ******** **** fines ** "*************".

Comments (15)

****.  * **** **** asked **** ***** ****** how ****** ** ** that *** ** ** Canada ****** ********* ******* to ****.  ** ** opinion ***** *** ******* administration, **** ** ********.  However, ****** *** *** shift ******** ****** *** left ** *** **** few ***** ** ** a ***********.

******* ******** **** *** come ** **** * do *** **** ** answer *** - ** EU ********* ***** * corporate ************ ** *** US **** **** ***** to **** ** ********?

Agree
Disagree
Informative
Unhelpful
Funny

** **** **** * way ** ********** **** ************** ** will ********** **** * use **** ** *** US.

Agree
Disagree
Informative
Unhelpful
Funny

** ************* ** **** is **** ** ******* to ** ******** ******** they ***. *******, **** can **** ****** * fine ** * ***-** company ** **** **** operate ** *** **.

*** ****** ***** **** bigger ********* *** ******** privacy ********** **** *** broadly ** **** **** GDPR ********** ** **** is ******* ** *** US.

****

Agree
Disagree
Informative: 1
Unhelpful
Funny

*******, **** *** **** impose * **** ** a ***-** ******* ** they **** ******* ** the **.

**** ****** ****** **** right ****.  

******* *** ********* ******* and ********** ******* ****** possible ** **** ***** fine, *** *******, * Japanese ******* ***** ******** in ***** ;)

Agree
Disagree
Informative
Unhelpful
Funny

******* ******** **** *** come ** **** * do *** **** ** answer *** - ** EU ********* ***** * corporate ************ ** *** US **** **** ***** to **** ** ********?

***** **** *** **** under *** ***** ****? An ******** ********* ** an ** ****** ***** have **** *****, *** not *** ***** *** around ** **'* * European ***.

** ***** ****'* *** I ********** **. ********* I, * ********, ****** be **** ** ***** pot ** *** ******* I ****, ***** **'* legal ** ******.

Agree
Disagree
Informative
Unhelpful
Funny: 2

** ********, **** ** a **** ******** **** comes ** *****. ** I **** ** ****** with *** **** *** every ** *******/********, ** matter ***** **** ***? If ** ***** ****** in *** **** **** has * ******** ****** that ****** * ******* tourist, **** **** ******* now **** *** ***** to ****** * **** complaint?

*** ****** ** **. *** **** **** not ******* "** ********" or "** *********" ********. The **** "******* ** *** ********** of ******** **** ** data ********who *** ** *** ***** [emphasis added]", according to ******* * ('*********** *****'). ** **** ***** people - ********** ** citizenship ** ********* - within *** ** *** protected ** *** ****. If **** ***** *** Union, **** *** ***.

 

Agree: 1
Disagree
Informative: 3
Unhelpful
Funny

** * ******* *** stand *** **** ** the ***** *** ***'* see ** *** *****, can't *** *** **********. With * ********* * would ******* ********* **** must **** **** ***** on **** **** * vendetta ** **** ****.

***** **** **** *** is *** ***** *** not **** ********** **. Leaving ** *****. *** employees ***** **'* ******* and *** **** *** happy.

 

Agree
Disagree: 2
Informative
Unhelpful: 3
Funny

**** ****** ****, *** law **** ****** ***** for *** ******** ****** in ******, ** *** data ********** ******** ** information, ** **** *** CNIL *** ******* ** 1978 **** *** ******* of ********** ********* **** and ********* *** *** about **** **********, ********** public ******* *** ** forth...

******, ** ****** * lot ** ******* *** thinking ** **** ** a **** ** ** the ******** **** ***  (ie: "***  ************ ** libertées" ***** ********* ** "law ** *********** ************ and *******") , **** more ******** *** ****. 

 

** **** ****, **** if *** ****** **** physically ******* *** *** working *** ******* ***** have ** **** ***** personnel **** *** ****** is ******* ** *** if **** ******* *** information **** **** ***** would **** *** ***** to ******* *** **** for * **** ***** on *****. 

 

Agree
Disagree
Informative
Unhelpful
Funny

** **** ****, **** if *** ****** **** physically ******* *** *** working *** ******* ***** have ** **** ***** personnel **** *** ****** is ******* ** *** if **** ******* *** information **** **** ***** would **** *** ***** to ******* *** **** for * **** ***** on *****.

** *** **** ***** to ***** *******? 

***.

Agree
Disagree
Informative
Unhelpful
Funny

**** **** *** ***** to ***** ******, *** in ********** ************ *** local *** ***** (********* the  ********* *** *** right ** **** ** he's ***** ******* ** no.

** ** **** ********** setting *** ********** ** a ***** ****** ** make *** ********* ***** they *** ***** ************ is ***** ** *.

 

 

Agree
Disagree
Informative
Unhelpful
Funny

*************** ** ******* ****** GDPR *********?

(*** *** ********, ***** is * **** *********, but **** *** *****).

Agree
Disagree
Informative
Unhelpful
Funny

* **** * *** of *** ******** ** this ***** *** ***** not **** *** **** this *****. *** ***?

Agree
Disagree
Informative
Unhelpful
Funny

**.  * ***** ***** it’s * ******* ***** by ******* *** ********* the *********** *** ********, and **** ****** ** anonymously ******* **** **** it *** ****** ******* to *******.

********: **** **** ***** to *** ******* ** a ****** ******, ****** a ***** *****?

Agree
Disagree
Informative
Unhelpful
Funny

*** **** ** ******** data ***** ********* ****** the ** ***** ***** the ****. ** ***, the **** '*******' ** a ***** ***** ** a ******, ** **** as **** ****** ** identifiable *** ** ** the **. *******, **** doesn't **** *** ***** of *** *********** ** somehow ****** ** *** GDPR. *** **** ** very *******-******, ********** ****** * ****** ** situations ***** ********** ** permitted, *********:

********** **necessary *** *** ******** ** *** ********** ********* ******* ** *** ********** or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. [emphasis added]

** *** ******** *** becomes ******* *** "*********** rights *** ********" ** the **** ******* ********* the "********** ********" ** taking *** *****, *.*. ********** cheating.

**** ** * **** a ***** ****** **** any ******** ********* *** legality ** *** ***********'* photo ***** ** ******** not ** ************ *** GDPR *** ** ********* to ******'* ******** ******* laws. ****** ******* ******** ********* ********** ****** ** someone ******* ***** *******. For *******, ***** *** Paris ******* **** ******** of ****, * *** pictured ******* *** ************* *** *************** *** **** the *******, ****** ****** privacy ****; *** **** was*********, ** *** ***** was ********** **** ** legitimate *************.

** *********, *** ***** case **** ** *** grandmaster (** ** ****) would **** ****** **** on *************** ** ******** French ******* **** - which ******* ********* ***** types ** ********** - rather **** *** **** itself.

 

Agree
Disagree
Informative: 1
Unhelpful
Funny

*******, **** *******!

** ***** **** *** American ***********, * ***** the ******** / ******* would ** ******* ** a ****** ** * bathroom *****, ** ***, where ** ** *********, at *****, ********* ** be *** ******. *** example, *** **** *** in **** ******** *** what **** *** **** camera ********? * ** not **** **** **** come **** **** ** this ****, **** *** admission ** ********, *** it ** * ****** stunning ****** ** *** up * ****** ** someone ****** * ******** stall.

Agree
Disagree
Informative
Unhelpful
Funny
Read this IPVM report for free.

This article is part of IPVM's 7,023 reports, 934 tests and is only available to members. To get a one-time preview of our work, enter your work email to access the full article.

Already a member? Login here | Join now
Loading Related Reports