Background information
- Date of final decision: 18 Semptember 2025
- National case
- Controller: SAMARITAINE SAS
- Legal Reference: obligation to process data lawfully and breach of the principle of liability (articles 5-1-a) and 5-2 of the GDPR); Failure to collect adequate, relevant and necessary data (article 5-1-c) of the GDPR); Failure to involve the Data Protection Officer in matters relating to the protection of personal data (article 38-1 of the GDPR)
- Decision: administrative fine
- Key words: CCTV cameras, hidden cameras
Summary of the Decision
Origin of the case
In August 2023, due to the increase in cargo thefts in its reserves, the company SAMARITAINE SAS placed new cameras in two reserves. These cameras took the appearance of smoke detectors and made it possible to record sound. Discovered by employees, the cameras were removed in September 2023. The CNIL’s attention was drawn to these facts by a press article of 25 November 2023. Shortly thereafter, it received a complaint concerning the same matters. In the days that followed, the CNIL conducted an investigation.
Key Findings
- Failure to comply with the obligation to process data lawfully and breach of the principle of liability (articles 5-1-a) and 5-2 of the GDPR): The company did not conduct any prior analysis of compliance with the GDPR, nor did it document the temporary nature of the facility – which was discovered by employees a few weeks after its deployment. The company did not mention that device either in its register of processing operations or in its impact assessment. In addition, the company did not inform the data protection officer of its intention to install hidden cameras in reserves. Thus, the establishment of that system has not been accompanied by appropriate safeguards to ensure that a fair balance is maintained between the objective pursued by the controller and the protection of employees’ privacy.
- Failure to collect adequate, relevant and necessary data (article 5-1-c) of the GDPR): The cameras were equipped with microphones and conversations between employees, belonging to the personal sphere, were recorded. The restricted group considered that the sound recording of employees was excessive in the present case, which constitutes a breach of the principle of minimisation.
- Failure to involve the Data Protection Officer in matters relating to the protection of personal data (article 38-1 of the GDPR): It was only several weeks after the cameras were installed that the Data Protection Officer was informed of the existence of the device. In view of the characteristics of the device in question, the Data Protection Officer was able to alert the company on the means to be implemented to limit the risks to the protection of employees’ data, in accordance with its tasks.
Decision
On the basis of the findings made during that investigation, the restricted committee – the body of the CNIL responsible for imposing sanctions – fined the company SAMARITAINE SAS EUR 100 000 for several infringements of the GDPR. As a follow-up to the European Court of Human Rights (ECHR), the restricted committee recalled that an employer can install hidden cameras in exceptional circumstances and provided that a fair balance is struck between the objective pursued (the protection of property and persons) and the protection of employees’ privacy.
For further information:
- Decision in national language: Caméras dissimulées : la CNIL sanctionne la SAMARITAINE (French), Hidden cameras: the CNIL sanctions the SAMARITAINE (English).
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.