The Luxembourg National Commission for Data Protection (CNPD) ruled on multiple violations of the General Data Protection Regulation (GDPR) committed by a public school in its video surveillance system. The investigation was launched in October 2022 and included on-site visits to the institution in December 2022 and July 2023. The school was considered the data controller, as it independently determined the purposes and means of the video surveillance system, including the selection of the service provider, approval of the budget, and funding from its own resources.
The authority identified a violation of the accountability principle established in Article 5.2 of the GDPR, as the school relied on the legal basis of legitimate interest for access control and property protection without conducting the required balancing test between its legitimate interests and the fundamental rights of the individuals affected. Violations of the transparency principles and information obligations were also found: the video surveillance signage was limited to three panels with camera pictograms and the phrase "area under video surveillance," with no additional information about the data controller, purposes, or data subjects' rights.
The video surveillance system, consisting of 12 cameras operating 24 hours a day, presented proportionality issues in data processing. Two specific cameras captured not only access areas but also spaces used for student recreation and sports during the institution's operating hours. The CNPD found that monitoring these common areas was disproportionate relative to the stated purposes and constituted an excessive intrusion into privacy, particularly given that less invasive alternative means, such as supervision by staff, could have been implemented during the school day.
Additionally, violations related to excessive data retention and processing security were identified. Images were retained for 57 days, well beyond the 30 days that could be justified by extended school holidays. The system's access controls showed significant security flaws: six members of the technical team shared a single username and password to access the video surveillance software, with no access traceability system in place. The CNPD ordered the system to be brought into compliance within three months, including restricting camera fields of view, reducing the retention period to 30 days, improving informational signage, and implementing individual accounts with an access audit system.
This post was summarized from the original decision using AI, with human review.
Source: Commission nationale pour la protection des données de Luxembourg (in French)
Commentary: Although this decision was issued in Luxembourg, the alignment between LGPD (Brazil's General Data Protection Law) and the GDPR makes it relevant for evaluation in Brazil. Brazil's National Data Protection Authority (ANPD) published in 2024 the "Guiding Guidelines — Legal Bases for Personal Data Processing — Legitimate Interest," which expressly requires conducting a balancing test whenever this legal basis is used. The guidelines also address special considerations when legitimate interest is invoked for processing data of children and adolescents. Among the measures recommended by the ANPD for cases involving security cameras that may capture images of minors are "strict control of access to videos, a shorter storage period, disclosure at strategic points of information about how cameras operate, and the non-use of technologies that process images at a biometric level, which would lead to the processing of sensitive data" — precisely the measures indicated by the Luxembourg authority. This case should therefore serve as a reminder for those who process personal data of children and adolescents in similar situations. It should also be noted that video surveillance use cases based on legitimate interest must still include a balancing test, even when the cameras do not capture images of minors.