Hidden cameras: the CNIL sanctions SAMARITAINE

23 September 2025


On 18 September 2025, the CNIL fined the company SAMARITAINE SAS, which operates the store of the same name, EUR 100,000 for concealing cameras in the store’s storerooms.

Background information

In August 2023, following an increase in thefts of goods from its storerooms, the company SAMARITAINE SAS placed new cameras in two storerooms. These cameras were disguised as smoke detectors and could record sound. Discovered by employees, the cameras were removed in September 2023.

The CNIL’s attention was drawn to these facts by a press article of 25 November 2023. Shortly thereafter, it received a complaint concerning the same matters. In the days that followed, the CNIL conducted an investigation.

On the basis of the findings made during that investigation, the restricted committee – the body of the CNIL responsible for imposing sanctions – fined the company SAMARITAINE SAS EUR 100,000 for several infringements of the GDPR. In line with the European Court of Human Rights (ECHR), the restricted committee recalled that an employer can install hidden cameras only in exceptional circumstances and provided that a fair balance is struck between the objective pursued (the protection of property and persons) and the protection of employees’ privacy. For example, in order to be proportionate, such a device would need to be temporary and deployed after a documented analysis of its compatibility with the GDPR and in light of exceptional circumstances.

In particular, the CNIL has sanctioned the following failures.

Sanctioned breaches

Failure to comply with the obligation to process data lawfully and breach of the principle of accountability (Articles 5(1)(a) and 5(2) of the GDPR)

The restricted committee recalled that, in principle, in order to meet the fairness requirement, CCTV cameras filming employees must be visible and not concealed. However, as recognised by the case-law, in exceptional circumstances and under certain conditions, the controller may temporarily install cameras that are not visible to employees. The data controller must then analyse the compatibility of the device with the GDPR and be able to justify it.

In the present case, the company did report the existence of thefts committed in the storerooms and explained that the device was temporary (which the technical characteristics of the device appear to confirm), but it did not conduct any prior analysis of compliance with the GDPR, nor did it document the temporary nature of the device – which was discovered by employees a few weeks after its deployment.

The company SAMARITAINE SAS did not mention the device either in its register of processing operations or in its impact assessment. In addition, the company did not inform the data protection officer of its intention to install hidden cameras in the storerooms. Thus, the deployment of that system was not accompanied by appropriate safeguards to ensure that a fair balance was maintained between the objective pursued by the controller and the protection of employees’ privacy.

Failure to collect adequate, relevant and necessary data (Article 5(1)(c) of the GDPR)

The cameras were equipped with microphones, and conversations between employees, which belong to the personal sphere, were recorded. The restricted committee considered that the sound recording of employees was excessive in the present case, which constitutes a breach of the data minimisation principle.

Failure to involve the Data Protection Officer in matters relating to the protection of personal data (Article 38(1) of the GDPR)

It was only several weeks after the cameras were installed that the Data Protection Officer was informed of the existence of the device. In view of the characteristics of the device in question, the Data Protection Officer would have been able to alert the company to the measures to be implemented to limit the risks to the protection of employees’ data, in accordance with the officer’s tasks.