Legal framework. Like any data processing, CCTV use must comply with the General Data Protection Regulation (“GDPR”) in Luxembourg as such systems obviously impact the privacy of individuals.
No authorisation required – In Luxembourg, if an entity intends to implement a video surveillance system, there is no longer a requirement to obtain authorisation from the CNPD (there was such a requirement prior the GDPR). These systems must be implemented in line with the accountability principle where the data controller must ensure its compliance with the GDPR (clear purposes as analysed in a DPA is relevant, correct information for individuals, data minimisation, restricted retention period). It must also be reported in the record of processing activities in accordance with Article 30 of GDPR.
As a result, the CNPD consider that former authorisations given to data controllers for the use of CCTV may be kept and they will not required to perform a DPA if the whole system has not changed (same technologies, same angle of view, same purposes). If this is not the case, it is the duty of the data controller to assess that its system is compliant with the GDPR.
Specificities in the context of employment relationships: Article L.261-1 of the Labor Code – Depending of the purposes of the system and its legal basis, its implementation in the context of employment relationship may be the result of a co-decision process between the data controller (the employer) and staff delegation.
Entity control. In 2019, the CNPD introduced a guideline on CCTV. Despite that, the CNPD had the opportunity to remind companies of certain rules during its inspections and to sanction them for non-compliance. Fines from €200 to €12.500, calls to order as well as, depending on the case, injunctions to comply within a period of 1 to 3 months have been issued.
Main breaches – In most of the CNPD’s recent decisions, a significant issue was the failure to comply with the transparency principle due to a lack of information as provided in Articles 12 and 13 GDPR.
The CNPD considers that the use of a pictogram only indicating that a site is under video control or use of a CCTV system is not enough and does not comply with the GDPR. It requires two levels of information: at the first level, the use of a pictogram as well as the main principal information (the data controller details, the purposes of the system, the rights of concerned persons); and at the second level, full information as described in Article 13 of the GDPR must be provided. The CNPD considers it good practice to insert a QR code with the first level of information that redirects the persons concerned to the full privacy policy.
In other cases, pictograms and information were provided but only a part of the data subject was informed about CCTV use - and not necessarily clearly and fully, as required by the GDPR. For example, companies provided a "note to all employees" or a "welcome package" to employees, but nothing to their customers.
In the employment relation context, as mentioned before, a third level of information is necessary consisting of informing, or requesting advice from, the staff delegation.
Another significant issue was the difficulty to comply with the data minimisation principle under Article 5.1 c) GDPR. For example, employees were filmed at their workstations continuously and permanently in reception, production areas, etc., and continuously in common areas, such as in the smoking area or in the cafeteria.
Besides employees, sometimes third parties were permanently within the field of view of surveillance cameras. Filming employees or third parties continuously and permanently is disproportionate as it infringes their privacy.
Some entities also covered parts of public roads and neighbouring properties or public domains with their CCTV systems, which is prohibited in Luxembourg. Therefore, they had to apply technical measures such as blurring to exclude the affected areas from the field of view of the cameras.
As mentioned by the CNPD, data controllers must also perform an audit on a regular basis to ensure that their CCTV keeps the same angle of view as when initially set up. Subsidiary failures – Other deficiencies were also raised, such as issues with the security of processing and retention periods.
In some cases, retention periods were substantially exceeded: 4 years, 7 months and 14 weeks, 8 months or even 2 months and 3 weeks. The controlled entities had to reduce retention periods to comply with Article 5.1 e) GDPR.
Failures to comply with the obligation to implement technical and organisational measures were also reported (Article 32 GDPR). For example, there was no protection for access to a CCTV system, thereby allowing anyone to freely access and modify it.
Article provided by INPLP member: Molitor Michel (Molitor Avocats a La Cour, Luxembourg)
Discover more about the INPLP and the INPLP-Members
Dr. Tobias Höllwarth (Managing Director INPLP)