On September 18, 2025, the CNIL sanctioned Samaritaine SAS, operator of the famous Parisian department store, for installing hidden cameras in the store’s stockrooms, some of which were equipped with microphones.
The authority’s restricted panel imposed a fine of €100,000, accompanied by publicity of the decision, considering that the video surveillance system put in place failed to comply with several fundamental obligations of the General Data Protection Regulation (GDPR).
Cameras that did not last long
In the summer of 2023, faced with a resurgence of internal theft, La Samaritaine decided to install cameras in its storage areas. These devices were concealed in fake smoke detectors and, in some cases, equipped with microphones for sound recording.
Employees quickly discovered the cameras and demanded their removal. A few weeks later, a newspaper article revealed the affair, sparking a media frenzy.
The CNIL then decided to intervene. An on-site inspection was carried out in November 2023, revealing that the system had not been documented, that no impact assessment had been carried out, and that the data protection officer (DPO) had not been consulted.
Methods contrary to the principles of the GDPR
The select committee identified several breaches of the principles of the GDPR, resulting from the implementation of the devices, thus explaining that it could have been compliant if several conditions had been met.
– Failure to comply with the obligation to process data fairly and failure to comply with the principle of accountability
The CNIL points out that, in principle, in order to comply with the requirement of fair, lawful, and transparent processing, video surveillance cameras installed in a workplace must be visible and known to employees. The data controller may temporarily use hidden cameras, provided that they can demonstrate the necessity of the device and assess its compliance with the GDPR before implementation.
La Samaritaine cited a series of internal thefts to justify the installation of cameras concealed in fake smoke detectors, which was presented as a temporary measure. While the purpose may have appeared legitimate at first glance, the CNIL points out that nothing had been formalized: no impact assessment, no entry in the processing register.
Furthermore, the temporary nature of the system was never documented and was only discovered by chance by employees several weeks after its installation.
The implementation of this system was not accompanied by appropriate safeguards to ensure a fair balance between the objective pursued by the data controller and the protection of employees’ privacy.
– Breach of the principle of minimization
The presence of a microphone on some devices was an aggravating circumstance. The CNIL considered that audio recording was neither necessary nor proportionate to the purpose of preventing theft.
It therefore constituted excessive data collection and thus a breach of the GDPR’s principle of data minimization.
– Breach of the obligation to involve the DPO in the system
The system had not been entered in the processing register, no impact assessment had been carried out, and the DPO had not been involved in the process.
Given the characteristics of the system, the data protection officer could have alerted the company to the precautions to be taken and the measures to be put in place to limit the risks to employee data, in accordance with the advisory and monitoring role entrusted to her by the GDPR.