Unknown

Summary

The DPA from Luxembourg (CNPD) has imposed a fine of EUR 7,200 on a company. The company had installed a video surveillance system to protect the company's assets, prevent intrusion by unauthorized persons and prevent accidents. However, the cameras also captured parts of an employee's work area and the smoking area that employees frequently used. Furthermore, the controller had installed location sensors on the cars in its fleet. This was intended to optimize the company's operations.

The DPA finds that the recording of employees was not necessary to ensure the purposes associated with the video surveillance and was therefore disproportionate. The DPA states that the controller thus violated the principle of data minimization under Article 5 (1) c) of the GDPR.

The location data collected by the controller was stored for a period of eight months, although this would not have been necessary for the purposes of the processing. The DPA considered this to be a violation of the principle of data retention.

Furthermore, the DPA found a violation of the information obligations set out in Art. 13 GDPR.

Finally, the DPA found a violation of Art. 32 (1) GDPR. All persons who had authorized access to the software via which the locations could be tracked used the same account and not an individual account.