News

Source : PS 0345-2024

🎯 Context:

A supermarket customer complains about a refund error.
An employee shows her the CCTV footage captured on her mobile, and then sends the video to her via WhatsApp.
The video clearly shows the customer and other shoppers, and was captured from the CCTV screen via a mobile phone.

👉 First problem: this means that the video was reproduced from an unsecured screen, using a personal device, outside the official system.

📤 .The video is sent to the customer on WhatsApp

The customer, according to the company, asked to receive the video.
She provided her personal phone number, and the employee sent her the video via WhatsApp.

👉 The second problem is that surveillance videos must never be transmitted without a supervised procedure, and even less so via non-professional, unencrypted tools that are outside the company's control.

❌ Infractions observed:
- The video was:
o captured by a mobile (outside a secure system),
o shared via a personal application (WhatsApp),
o without clear justification that the employees concerned had permission to view these images.
- Violation of Article 32 of the GDPR: Lack of technical and organisational measures to guarantee data security (confidentiality, access control, limitation of processing, etc.).

⚖️ Penalty:

The Spanish regulator, AEPD, has set the fine at €20,000.
The supermarket:
acknowledged its responsibility and made an advance payment.
➡️ the fine was reduced to €12,000.
A corrective measure was also imposed: to implement technical/organisational controls to secure the video surveillance images.