First Video Surveillance GDPR Fine In France

By Charles Rollet, Published on Jul 08, 2019

The French government has imposed a sizeable fine on a small business for violating the GDPR after it constantly filmed employees without informing them and kept poor encryption practices. It marks the first ever GDPR video surveillance fine ever issued by the CNIL, France’s data protection agency, it has confirmed to IPVM.

first gdpr fine in france

In this post, we examine the case and what it means for GDPR compliance going forward, including:

  • France Video Surveillance Regulations Context
  • Company Background
  • CNIL Allegations
  • What GDPR Articles Were Violated
  • How the Fine Was Calculated
  • Broader Impact/Conclusion

For background, see our GDPR For Video Surveillance Guide.

Ultimately, the case shows the importance of GDPR compliance and working closely with data authorities to address issues. However, the evidence we found shows no stepped up GDPR violation enforcement for video surveillance.

Context: ******* ****** ***********

** ******, ***** ************************** ******* **** *********, and **** *** *** case ********** *** ****. *** *******, ******* individuals****** ******* ******* **** film ****** ********, **** * ******** in ***** ** ***** own *****. ** *** workplace, ******** ************ ** employees ** ********** - see **** ******* ****** by ******* ** *******:

***********:***, *** *** ******* security ******* ** *** [office] ******* *** ******** purposes.**, ** ** ********* to ******* ********* ** this *******.

Enforcement ***

*******, ****** *********** ** video ************ *********** ** low, *** **** *** not ******* ***** *** GDPR *** ******. ** 2017, **** *** ******* in *** ***** ******* was ***** *** ***** surveillance ********** ***** ** employee ********** ** * camera ******* *** ****; the **** *** *,*** euros ($*,***). *** * single ******* *** ***** in ****, *** **** the **** *** ******. From**********, *** ****** ** CNIL ***** ************ ******* investigations **** ******** **** 47 ** **, *** annual ******* ****.

************, **** ***** ************ investigations *** ********* ***** on **********, * ****** of**** *******************, ***** ***** *** CNIL ** *** *********** inspecting *** *** *****, integrators, ** ****** *** possible **********.

Company **********

*** ******* **** *** fined ** ***************, * *********** **** based ** ***** **** only * *********. *** revenue ** **** *** about $* ******* *** it **** ****** ** over $***,***, *** ******** ***********.

CNIL ***********

*** **** ********* **** it ***** *** ************* based ** ******** ********** about *********’* ************ ******: a ***** ** *, starting *** *** *** back ** ****. ** sent ******* ******* ** Uniontrad *** ******** ** response.

****’* ***** ****** ********** took ***** ** ******** 2018, *******:

* ****** ****** *** desks *** * ******… employees **** ***** ******** notified

******* *** ****** *** longer **** ******* ******

******** ** ***** ** access ******* *********** *** [email] ******* *** *** ensure **** ******** *** confidentiality (********'* ********* *** not ******* ********* *** employees ****** * ****** email *******)

** ****, *** **** gave ********* *** ****** to *** *** ***** issues. ** *********, ********* claimed ** * ****** that ** *** ********* them, *** * ****** CNIL ********** * ***** later ***** ****:

*** ****** ******* ********* has **** ***** ** constantly *** ******* ************ since *** ******* ********** in ********

** *********** *** **** relayed ** *** ********* about *** ***** ************, which ****** ************ **** the ******* ** *** processing, ******** ** *******, and ****** ********** *** data

*** * ****** ******** policy *** **** *** in ***** *** *** employee's ********* *** ** measures **** **** ***** to ****** ************ ** [who ** *****] *** email *****

***** *** ****** **********, Uniontrad ******* ** *** complied **** *** *** by ******* ******* **** on *** ******** ******, putting ** * ****, and ************ ******** ********. However, *** **** ********** that *** ****** *** still ******* *** ******** desk.

**********, *** **** ****** that ******* ********* *** not ****** ********* ****** the *** ***** ****** in ****, *** *** ignored ************** ***** ** that, * *********/****** ******* would *****.

What **** ******** **** ********

************, *** **** ****** that **** **** ******** were ******** ** *********:

******* *, **:******** **** ***** ** adequate, ******** *** ******* to **** ** ********* in ******** ** *** purposes *** ***** **** are ********* (‘**** ************’). **** ******* ******** to *** ******** ***** surveillance ** *********'* *********. French ******* **** (**** pre-GDPR) ** *** ****** this, ****** *** **** the **** ***** "*********** circumstances", **** ** ****** sensitive ************, *** * translation ******* **** *** qualify, *** **** ******. For **** ***** ****** laws ** ********** ********** employees, *******'* ************ *** **** *********** a $*.* ******* **** on * ****** *** "excessive ***** ************."

******* **:*********** ***********, ************* *** modalities *** *** ******** of *** ****** ** the **** *******". *.*. ********* *** not *********** ** *** employees ***** *** ***** surveillance ****** *****.

******* **:*********** ** ** ******** where ******** **** *** collected **** *** **** subject.******* ** ******* **. Uniontrad *** *** *** up * ******* ******* sign ********* ********* ** the **** ********** ****** place, *** ****** ** contacted *** **** *******, storage ********, ***. *** IPVM's**** *** ***** ************ Guide*** **** ***** **** kind ** *********** ****** be *** ** ** such *****.

******* **:******** ** **********: *** processor ***** ********* *********** technical *** ************** ******** to ****** * ***** of ******** *********** ** the ****. **** ****** ** Uniontrad's **** ** ********* on ******* *********, ***** CNIL ****** "*** *** ensure *** ******** ** personal ****".

How *** **** *** **********

***** *******'* ******* **,* ******* **** ** 20 ******* ***** ($**.* million) ** *% ** global ****** ******* ** permitted, ********* ** ******. Fines **** ** "effective, *************, *** **********".

*** **** ********* ********** a **** ** **,*** euros ($**,***). ****** **********'* ***** ***** ************ GDPR ****,*** **** *** *** offer * ********* ** how **** **** ********* cost. *** **** ****** was ******* ********** ** the ******** ********** ***** Uniontrad ***** **** *** its ******* ** **** with **** ************* ** fix *** ******, **** the **** *******:

*** ******* - ******** to **** ** ****** - ***** ******** ************ with *** **** ***** the ****** ******* *** already ***** ***.

*******, ********* **** **** a **** *** "****************" under ******* ** *** to *** *******'* **** financial *********. *** **** agreed *** ******* ** fine ********* **,*** ***** (about $**,***). **** ** the ********** *** *** the **** ** ** made ****** - **** is *** * *** practice, ** *** ** seen **** **** **** of******** **** *****.

Broader **** ************

*** ********* **** ********* the ********** ** **** compliance. **,*** ***** *** a *****, *****-****** ******* is * *** *** and ** *** ******* video ************ **** *** CNIL *** ****** ***** at ***** ****, ********* to ********* ******** ** *********.

*** **** **** ** GDPR ********** **** ********* was ******* ** ***** how *** *** *** given **** ********** *********** a *** *** **** sophisticated ******* ** ****** against *********; ***** ** the ****, ***** ************ violations **** ******* ****** against******'* ***** **** ** law *** ******** *******.

*******, *** ****'* ******* should *** ** *****. Enforcement ** *** **** stringent. ** ********* *******, zero ***** ************ ***** were **** *** **** the **** ******, *** the ****** ** ***** surveillance ************** ******** ************* (47 ** **) **** 2017 ** ****.

**** ***** *** **** directly ** ** *** stepping ** *** *********** of ***** ************ *********** due ** *** ****. They **** ** - the **** ****** ****** by *** **** (** enforcement *****) ** *** maximum ********* **** ***** raised ** ** ******* euros ** *% ** global ****** ******* - admittedly * *** ******, but ********** *** ******* players, ********** ***** *** GDPR ****** ******** **** fines ** "*************".

Comments (15)

****.  * **** **** asked **** ***** ****** how ****** ** ** that *** ** ** Canada ****** ********* ******* to ****.  ** ** opinion ***** *** ******* administration, **** ** ********.  However, ****** *** *** shift ******** ****** *** left ** *** **** few ***** ** ** a ***********.

******* ******** **** *** come ** **** * do *** **** ** answer *** - ** EU ********* ***** * corporate ************ ** *** US **** **** ***** to **** ** ********?

** **** **** * way ** ********** **** ************** ** will ********** **** * use **** ** *** US.

** ************* ** **** is **** ** ******* to ** ******** ******** they ***. *******, **** can **** ****** * fine ** * ***-** company ** **** **** operate ** *** **.

*** ****** ***** **** bigger ********* *** ******** privacy ********** **** *** broadly ** **** **** GDPR ********** ** **** is ******* ** *** US.

****

*******, **** *** **** impose * **** ** a ***-** ******* ** they **** ******* ** the **.

**** ****** ****** **** right ****.  

******* *** ********* ******* and ********** ******* ****** possible ** **** ***** fine, *** *******, * Japanese ******* ***** ******** in ***** ;)

******* ******** **** *** come ** **** * do *** **** ** answer *** - ** EU ********* ***** * corporate ************ ** *** US **** **** ***** to **** ** ********?

***** **** *** **** under *** ***** ****? An ******** ********* ** an ** ****** ***** have **** *****, *** not *** ***** *** around ** **'* * European ***.

** ***** ****'* *** I ********** **. ********* I, * ********, ****** be **** ** ***** pot ** *** ******* I ****, ***** **'* legal ** ******.

** ********, **** ** a **** ******** **** comes ** *****. ** I **** ** ****** with *** **** *** every ** *******/********, ** matter ***** **** ***? If ** ***** ****** in *** **** **** has * ******** ****** that ****** * ******* tourist, **** **** ******* now **** *** ***** to ****** * **** complaint?

*** ****** ** **. *** **** **** not ******* "** ********" or "** *********" ********. The **** "******* ** *** ********** of ******** **** ** data ********who *** ** *** ***** [emphasis added]", according to ******* * ('*********** *****'). ** **** ***** people - ********** ** citizenship ** ********* - within *** ** *** protected ** *** ****. If **** ***** *** Union, **** *** ***.

 

** * ******* *** stand *** **** ** the ***** *** ***'* see ** *** *****, can't *** *** **********. With * ********* * would ******* ********* **** must **** **** ***** on **** **** * vendetta ** **** ****.

***** **** **** *** is *** ***** *** not **** ********** **. Leaving ** *****. *** employees ***** **'* ******* and *** **** *** happy.

 

**** ****** ****, *** law **** ****** ***** for *** ******** ****** in ******, ** *** data ********** ******** ** information, ** **** *** CNIL *** ******* ** 1978 **** *** ******* of ********** ********* **** and ********* *** *** about **** **********, ********** public ******* *** ** forth...

******, ** ****** * lot ** ******* *** thinking ** **** ** a **** ** ** the ******** **** ***  (ie: "***  ************ ** libertées" ***** ********* ** "law ** *********** ************ and *******") , **** more ******** *** ****. 

 

** **** ****, **** if *** ****** **** physically ******* *** *** working *** ******* ***** have ** **** ***** personnel **** *** ****** is ******* ** *** if **** ******* *** information **** **** ***** would **** *** ***** to ******* *** **** for * **** ***** on *****. 

 

** **** ****, **** if *** ****** **** physically ******* *** *** working *** ******* ***** have ** **** ***** personnel **** *** ****** is ******* ** *** if **** ******* *** information **** **** ***** would **** *** ***** to ******* *** **** for * **** ***** on *****.

** *** **** ***** to ***** *******? 

***.

**** **** *** ***** to ***** ******, *** in ********** ************ *** local *** ***** (********* the  ********* *** *** right ** **** ** he's ***** ******* ** no.

** ** **** ********** setting *** ********** ** a ***** ****** ** make *** ********* ***** they *** ***** ************ is ***** ** *.

 

 

*************** ** ******* ****** GDPR *********?

(*** *** ********, ***** is * **** *********, but **** *** *****).

* **** * *** of *** ******** ** this ***** *** ***** not **** *** **** this *****. *** ***?

**.  * ***** ***** it’s * ******* ***** by ******* *** ********* the *********** *** ********, and **** ****** ** anonymously ******* **** **** it *** ****** ******* to *******.

********: **** **** ***** to *** ******* ** a ****** ******, ****** a ***** *****?

*** **** ** ******** data ***** ********* ****** the ** ***** ***** the ****. ** ***, the **** '*******' ** a ***** ***** ** a ******, ** **** as **** ****** ** identifiable *** ** ** the **. *******, **** doesn't **** *** ***** of *** *********** ** somehow ****** ** *** GDPR. *** **** ** very *******-******, ********** ****** * ****** ** situations ***** ********** ** permitted, *********:

********** **necessary *** *** ******** ** *** ********** ********* ******* ** *** ********** or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. [emphasis added]

** *** ******** *** becomes ******* *** "*********** rights *** ********" ** the **** ******* ********* the "********** ********" ** taking *** *****, *.*. ********** cheating.

**** ** * **** a ***** ****** **** any ******** ********* *** legality ** *** ***********'* photo ***** ** ******** not ** ************ *** GDPR *** ** ********* to ******'* ******** ******* laws. ****** ******* ******** ********* ********** ****** ** someone ******* ***** *******. For *******, ***** *** Paris ******* **** ******** of ****, * *** pictured ******* *** ************* *** *************** *** **** the *******, ****** ****** privacy ****; *** **** was*********, ** *** ***** was ********** **** ** legitimate *************.

** *********, *** ***** case **** ** *** grandmaster (** ** ****) would **** ****** **** on *************** ** ******** French ******* **** - which ******* ********* ***** types ** ********** - rather **** *** **** itself.

 

*******, **** *******!

** ***** **** *** American ***********, * ***** the ******** / ******* would ** ******* ** a ****** ** * bathroom *****, ** ***, where ** ** *********, at *****, ********* ** be *** ******. *** example, *** **** *** in **** ******** *** what **** *** **** camera ********? * ** not **** **** **** come **** **** ** this ****, **** *** admission ** ********, *** it ** * ****** stunning ****** ** *** up * ****** ** someone ****** * ******** stall.

Read this IPVM report for free.

This article is part of IPVM's 6,592 reports, 889 tests and is only available to members. To get a one-time preview of our work, enter your work email to access the full article.

Already a member? Login here | Join now

Related Reports

Dahua Taunts Australian Government, Continues To Sell Illegal Fever Cameras on Aug 10, 2020
Dahua is effectively taunting the Australian government by continuing to sell...
Wrong Dahua Australia Medical Device Approved on Jul 20, 2020
Dahua's body temperature system is now in Australia's medical device...
Top Video Surveillance Service Call Problems 2020 on Oct 23, 2020
3 primary and 4 secondary issues stood out as causing the most problems when...
Axis Compares Fever Camera Sellers to 9/11 on Sep 18, 2020
Axis Communications, the West's largest surveillance camera manufacturer, has...
Vape Detection Legal Battle: Soter Sues IPVideo Corp on Jul 22, 2020
The crosstown vape detection rivals are now in a legal battle. While IPVideo...
Axis Exports To China Police Criticized By Amnesty International on Sep 21, 2020
Axis Communications and other EU surveillance providers are under fire from...
GDPR Impact On Temperature / Fever Screening Explained on Oct 22, 2020
What impact does GDPR have on temperature screening? Do you risk a GDPR fine...
Alabama Schools Million Dollar Hikvision Fever Camera Deal on Aug 11, 2020
The Baldwin County, Alabama public schools purchased a $1 million, 144-camera...
FLIR Markets Windows Temperature Screening, Violates IEC And Causes Performance Problems on Jul 17, 2020
FLIR, one of the largest thermal screening manufacturers, is marketing...
Facial Recognition: Weak Sales, Anti Regulation, No Favorite, Says Security Integrators on Jul 07, 2020
While facial recognition has gained greater prominence, a new IPVM study of...
Gait Recognition Examined on Sep 14, 2020
Facial recognition faces increasing ethical and political criticisms while...
Startup Digeiz Reidentification Video Analytics Profile on Jul 20, 2020
French Start-Up Digeiz is marketing 'shopping centre analytics' with, most...
ISC News Fakes Fever Screening, Falsely Quotes FDA on Jun 18, 2020
ISC News, the Reed publication behind the ISC East and West trade shows, has...
Thermology Expert: "95-99%" Doing Fever Screening Wrong, Unjustified Compensating Algorithms "Insane" on Aug 27, 2020
A thermology expert tells IPVM "95 to 99% of people" are doing fever...
UN Agency Buys 'Swiss' Fever Cams From Firm That Faked Accreditation, Sales, Marketing on Oct 06, 2020
A Swiss company claims to have "fully designed and manufactured" the world's...

Recent Reports

ISC Brasil Digital Experience 2020 Report on Oct 23, 2020
ISC Brasil 2020 rebranded itself to ISC Digital Experience and, like its...
Top Video Surveillance Service Call Problems 2020 on Oct 23, 2020
3 primary and 4 secondary issues stood out as causing the most problems when...
GDPR Impact On Temperature / Fever Screening Explained on Oct 22, 2020
What impact does GDPR have on temperature screening? Do you risk a GDPR fine...
Security And Safety Things (S&ST) Tested on Oct 22, 2020
S&ST, a Bosch spinout, is spending tens of millions of dollars aiming to...
Nokia Fever Screening Claims To "Advance Fight Against COVID-19" on Oct 22, 2020
First IBM, then briefly Clorox, and now Nokia becomes the latest Fortune 500...
Deceptive Meridian Temperature Tablets Endanger Public Safety on Oct 21, 2020
IPVM's testing of and investigation into Meridian Kiosk's temperature...
Honeywell 30 Series and Vivotek NVRs Tested on Oct 21, 2020
The NDAA ban has driven many users to look for low-cost NVRs not made by...
Ubiquiti Access Control Tested on Oct 21, 2020
Ubiquiti has become one of the most widely used wireless and switch providers...
Avigilon Aggressive Trade-In Program Takes Aim At Competitors on Oct 20, 2020
Avigilon has launched one of the most aggressive trade-in programs the video...
Mexico Video Surveillance Market Overview 2020 on Oct 20, 2020
Despite being neighbors, there are key differences between the U.S. and...
Dahua Revenue Grows But Profits Down, Cause Unclear on Oct 20, 2020
While Dahua's overall revenue was up more than 12% in Q3 2020, a significant...
Illegal Hikvision Fever Screening Touted In Australia, Government Investigating, Temperature References Deleted on Oct 20, 2020
The Australian government told IPVM that they are investigating a Hikvision...
Panasonic Presents i-PRO Cameras and Video Analytics on Oct 19, 2020
Panasonic i-PRO presented its X-Series cameras and AI video analytics at the...
Augmented Reality (AR) Cameras From Hikvision and Dahua Examined on Oct 19, 2020
Hikvision, Dahua, and other China companies are marketing augmented reality...
18 TB Video Surveillance Drives (WD and Seagate) on Oct 19, 2020
Both Seagate and Western Digital recently announced 18TB hard drives...