Ministry – Violation Found (Luxembourg, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A secondary school in Luxembourg was found to have improper video surveillance practices. The school didn't properly balance its interest in preventing theft with the rights of people being recorded. This matters because it highlights the importance of respecting privacy rights even in security measures.
What happened
The school operated CCTV cameras 24/7 without adequately assessing the impact on people's privacy.
Who was affected
Students, staff, and visitors whose footage was captured by the school's CCTV cameras.
What the authority found
The data protection authority ruled that the school failed to balance its legitimate interest against the privacy rights of individuals, violating accountability and transparency obligations.
Why this matters
This decision emphasizes that organizations must carefully consider privacy rights when implementing surveillance. Schools and other institutions should review their practices to ensure they comply with privacy laws.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
Entities Involved
In October 2022 the DPA opened an inquiry into the video surveillance measures implemented by a secondary school (the controller). Following two on-site inspections and an exchange of information with the controller, the DPA found the following facts: * video surveillance cameras operated 24/7 and stored footage for 57 days (the controller clarified that 57 days was the longest possible time the direction could take leave for the summer holidays); * 6 members of the technical staff had access to real-time footage through a shared account; * only the principal and deputy principal had access to recorded footage. Each of them accessed footage through an individual account; * the system did not log access to either real time footage or recordings; * three posters at the entrance of the school, informed the data subjects (i.e.: the people whose footage were capture) about the use of CCTV surveillance. During the procedure, the controller stated that the legal basis for the processing of personal data, was its interest in preventing theft and vandalism. However, the DPA found that the controller did not assess the balancing of this interest with the rights and freedoms of the data subjects (i.e.: the people whose footage was captured). First, the DPA held that the school was the controller for the processing of personal data via CCTV cameras. It did not matter that the school did not have legal personality under Luxembourgish law. In this regard, the DPA pointed out that the school could determine the purposes and means of the processing, and could freely choose its processor for installing and operating the CCTV system. Second, the DPA observed that the controller relied on the legal basis of legitimate interest, without balancing its interest against the data subject’s. For this reason, the controller violated its accountability obligations. Third, the DPA held that the controller violated its transparency obligation. The information posters at the entrance of the sc
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Related Enforcement Actions (0)
No other enforcement actions found for Ministry in LU
This is the only recorded action for this entity in this jurisdiction.
Details
Decision Date
26 November 2024
Authority
Commission Nationale pour la Protection des Données
GDPRhub ID
gdprhub-9257About this data
Cite as: Cookie Fines. Ministry - Luxembourg (2024). Retrieved from cookiefines.eu
Last updated: