BOUTIQUE.AERO – Violation Found (France, 2019)

In July 2018, the southern-west DIRECCTE (regional office for undertakings, competition and consumers) warned the CNIL that cameras of the company BOUTIQUE.AERO – the data controller - were constantly scanning the workstations of certain employees. Following this warning, the CNIL carried out some investigations. The CNIL found that the surveillance cameras were recording personal data which were not adequate, relevant nor limited to what it was necessary. Thus, the data controller violated Article 5(1)(c) GPDR. The French DPA found as well that no information had been given to the data subjects regarding the collection of their personal data and the storage limitation periods. Thus, the CNIL determined that the data controller had violated Article 13 GDPR. In addition, the CNIL stated that the IT service provider for cameras maintenance could be qualified as a data processor. However, the contract between the data processor and the data controller did not include any measure providing for sufficient guarantees regarding the security of the processing. Also, the personal data recorded by the cameras and consulted through the data controller ‘s management software were not encrypted and were easily accessible. Therefore, the data controller violated both Articles 28 and 32 GDPR. Finally, the CNIL decided that the data controller did not comply with the obligation to create a record of processing activities, as required by Article 30(1) GDPR. As a consequence, the CNIL addressed a formal notice to the data controller and let a two-months period to comply with the GDPR. The controller had two months to comply with Articles 5(1)(c), 13, 28, 30(1) and 32 GDPR. In its latest order, the CNIL hold that keeping a register of processing activities, informing employees about the video-surveillance system and concluding a contract with your subcontractors was enough to comply with the aforementioned GDPR Articles. As a consequence, the CNIL issued a termination decision.