According to the CNIL, employees of the company had filed complaints with the CNIL between 2013 and 2017 over the filming. In February 2018, the CNIL conducted an investigation at the company's offices and found that a camera was continuously recording the staff's activities at their workstations, without sufficient information being provided to the staff. In addition, the CNIL found that the computers were not protected by a password and that the translators were all using the same messaging system with a single, shared password. In July 2018, the CNIL ordered the company to change its practices; however, an audit conducted in October 2018 found that the company had not taken any remedial action, which led to today's decision of the CNIL to issue a sanction against the company.
The CNIL stated that in deciding the amount of the fine to be imposed, it took into account the small size of the company (9 employees only), the financial situation of the company (including the fact that the company reported a loss for the financial year 2017) as well as the company's inaction in response to the CNIL's previous order. The CNIL further stated that the amount imposed is intended to be "dissuasive yet proportionate".
In addition to the fine of 20,000 euros, the company has also been ordered a) to move the camera (so that the employees are no longer constantly filmed), b) to provide information to employees on the video surveillance, c) to implement security measures to restrict access to computers and d) to ensure traceability of access to the messaging system (i.e. not to have a shared password). Last but not least, the company has been granted a two-month period to remedy its current practices, otherwise it would face a fine of 200 euros for each day it remains in noncompliance.
Earlier this month (6th June 2019), the CNIL announced that it had issued a fine of 400,000 euros against Sergic, a French real estate service provider, for a) failure to implement appropriate security measures and b) failure to define appropriate data retention periods for the personal data of unsuccessful rental candidates. According to the CNIL, the company did not have in place a prior authentication procedure for the access and download of documents on the company's website, allowing users of the website to access data relating to other individuals by slightly amending the URL displayed in the browser bar. In particular, the CNIL stated that an authentication procedure is "a basic security measure" which should have been implemented. Last but not least, the CNIL held that data retention periods must be determined based on the purpose of the data processing and be limited to the strict minimum. In particular, the CNIL noted that once the purpose of the data processing no longer justifies keeping the data in an active database, such data should be either deleted or archived on a separate database if the retention is needed to comply with legal obligations or if the data may be relevant to future litigation, provided of course that the retention period remains in each case limited to what is strictly necessary.