SAMARITAINE SAS – €100,000 Fine (France, 2025)

Samaritaine SAS (the controller) is the company operating the "La Samaritaine" store since 2021 and employs approximately 640 employees. The store welcomes about 4 million visitors per year. In November 2023, a press article reported the installation of “spy cameras camouflaged as smoke detectors" in the storerooms. Based on this information and a complaint from an employee, the DPA carried out an investigation in order to verify the controller’s compliance with the GDPR and French Data Protection Act. The DPA noted that the controller installed five CCTV cameras in the form of smoke detectors and equipped them with microphones. The cameras recorded images and sound of employees working for several weeks. The cameras were removed by employees, who kept two SD cards containing the recordings made by the device. In December 2023, the controller notified the DPA of a personal data breach related to the theft of the two SD cards. The controller explained that the device was temporary (involving “test” cameras), and it was not to monitor employees, but to identify where to install the future cameras to better cover the reserves in case of theft. In addition, it argued that it was not aware that the cameras were equipped with microphones and that it was never in possession of the recordings because the cameras were dismantled and the SD cards were stolen. Finally, the controller argued that the cameras were not concealed because they were placed on bare walls, and that the reserves are not the place of work of employees, who are only required to go there occasionally. During its investigations, the DPA found that the controller did not mention the cameras in its processing operations or in the impact assessment before installing them. The controller did not inform its Data Protection Officer (DPO) until after the cameras were installed and later dismantled. The DPA found a violation of Articles 5(1)(a) and 5(2) GDPR. The DPA recalled that, in principle, in order to m