On 18 June 2019, the French data protection supervisory authority (CNIL) issued a decision on video surveillance at work. The Uniontrad Company case demonstrates that a law specifically regulating the processing of images is not an indispensable prerequisite for reaching a decision. Instead, CNIL relied on the general GDPR rules on proportionality, fair notices, and security of processing.
That does not mean that every detail of the legal regime for video surveillance obviously flows from the general data protection rules. For example, data protection authorities may differ as regards the format of a data processing notice. But the fundamental rules governing video surveillance at work are clear, even in the absence of a specific regulation.
Case history
The case concerns Uniontrad Company, a small agency providing both sworn and non-certified translation services. Between 2013 and 2016, CNIL received repeated complaints that the employees were under constant video surveillance. CNIL called the company’s attention to the need to process personal data in a lawful manner. Nothing changed, and in 2017 CNIL received four additional complaints.
On 16 February 2018, CNIL inspected the company offices. The supervisory authority found that a camera filmed six employees and a cabinet with the work products. Uniontrad Company had not provided any data processing notice to the employees. The company kept the recorded images longer than the stated purpose of the processing justified. Finally, CNIL found that access to electronic equipment was not constrained by any security rules.
By a decision of 26 July 2018, CNIL ordered Uniontrad Company to take the following remedial steps:
- cease placing the employees under constant surveillance (for example by reorienting or moving cameras or by implementing dynamic masks when viewing images);
- not keep the images recorded by the CCTV system beyond a period of fifteen days;
- inform the individuals, for example by placing a sign, of the implementation of a video surveillance system, specifying in accordance with Article 13 of the GDPR the purpose of the processing, the retention period and the recipients of data, the identity of the controller, and the procedures for exercising data subjects’ rights;
- ensure that access to employees’ computer workstations is subject to authentication by each user; and
- take specific measures concerning the passwords and traceability of access to the mailbox.
CNIL gave Uniontrad Company two months to make the above changes. However, the only step the company took was to place a sign about the video surveillance, in September 2018. The only pieces of information included in the sign were the name and telephone number of the data controller (Uniontrad Company). Moreover, the sign was not placed in the employees’ office, but in the lobby for visitors, where another camera was placed.
Disproportionate use of cameras
CNIL did not challenge Uniontrad Company’s professed purpose for the video surveillance: ensuring the security of persons and goods. However, the processing went beyond what achieving that purpose would require. Protection of goods and persons did not require constant video surveillance of the six employees. Such processing was contrary to the principle of data minimization, from Article 5(3), item (c), of the GDPR.
CNIL noted that only under exceptional circumstances could permanent surveillance of employees be justified. Such circumstances would exist if the employee handles objects of great value or if the data controller has to prove theft or damage in the area. No such exceptional circumstances existed in this case. If the documents were of such a nature as to call for special measures, securing access to the workplace would be the adequate measure. In any event, Uniontrad Company did not report any thefts or damage on its premises.
Failure to properly notify the employees
CNIL also faulted Uniontrad Company for failing to provide a notice to the employees that they were under video surveillance. In the decision of 18 June 2019, CNIL quoted Article 13 of the GDPR, which sets out in detail the elements of a data processing notice. Previously, on 26 July 2018, CNIL had condensed the Art. 13 notice elements into the following list: the purpose of the processing; the retention period; the recipients of data; the identity of the controller; and the procedures for exercising rights.
Interestingly, the Spanish data protection authority, in its Guide on the use of video cameras for security and other purposes, does not require a sign indicating video surveillance to include some of the information from CNIL’s order. Data subjects may request information about the purpose of the processing, the retention period, and the recipients at the contact point.
Failure to ensure safety of the data
CNIL established that Uniontrad Company failed to implement the necessary measures to ensure safety of the personal data. The data was contained in the video recordings and in the emails exchanged with the customers. The computer containing the video images could be accessed without any password. Individual computers of the employees were also accessible without passwords. In addition, all employees used the same password to access the messaging system. There were no measures in place to ensure traceability of access to the system.
Penalty
CNIL fined Uniontrad Company the relatively modest sum of EUR 20,000. The data protection authority evidently attached significant weight to the fact that Uniontrad Company has faced financial difficulties. The fact that Uniontrad Company did take steps to address CNIL’s requests, even if well after the expiration of the deadline, also helped. On the other hand, the long duration of the violations, the lack of collaboration on the part of the company in spite of the clarity of the legal framework, and the particular sensitivity of the issue all worked against the company.