Unknown – €7,200 Fine (Luxembourg, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A company in Luxembourg was fined EUR 7,200 for using video surveillance and location tracking without proper justification. The cameras recorded employees unnecessarily, and location data was kept longer than needed. This case shows the importance of using surveillance tools responsibly and respecting employee privacy.
What happened
The company was fined for using video surveillance and location tracking on employees without a valid reason and for storing data longer than necessary.
Who was affected
Employees whose work areas were recorded and whose location data was tracked were affected.
What the authority found
The authority decided that the company's surveillance practices were disproportionate and violated GDPR's data minimization and retention principles.
Why this matters
This ruling highlights the need for companies to justify surveillance and tracking practices and to minimize data collection. It warns businesses to respect privacy and comply with data protection laws.
GDPR Articles Cited
The DPA from Luxembourg (CNPD) has imposed a fine of EUR 7,200 on a company. The company had installed a video surveillance system to protect the company's assets, prevent intrusion by unauthorized persons and prevent accidents. However, the cameras also captured parts of an employee's work area and the smoking area that employees frequently used. Furthermore, the controller had installed location sensors on the cars in its fleet. This was intended to optimize the company's operations. The DPA finds that the recording of employees was not necessary to ensure the purposes associated with the video surveillance and was therefore disproportionate. The DPA states that the controller thus violated the principle of data minimization under Article 5 (1) c) of the GDPR. The location data collected by the controller was stored for a period of eight months, although this would not have been necessary for the purposes of the processing. The DPA considered this to be a violation of the principle of data retention. Furthermore, the DPA found a violation of the information obligations set out in Art. 13 GDPR. Finally, the DPA found a violation of Art. 32 (1) GDPR. All persons who had authorized access to the software via which the locations could be tracked used the same account and not an individual account.
Related Enforcement Actions (16)
Other enforcement actions involving Unknown in LU
Fine
€7K
Details
Fine Date
11 June 2021
Authority
Commission Nationale pour la Protection des Données
Fine Amount
€7,200
Enforcement Tracker ID
ETid-748
About this data
Cite as: Cookie Fines. Unknown - Luxembourg (2021). Retrieved from cookiefines.eu
Last updated: