APD/GBA (Belgium) - 98/2024: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Belgium |DPA-BG-Color= |DPAlogo=LogoBE.png |DPA_Abbrevation=APD/GBA |DPA_With_Country=APD/GBA (Belgium) |Case_Number_Name=98/2024 |ECLI= |Original_Source_Name_1=APD/GBA (Belgium) |Original_Source_Link_1=https://www.gegevensbeschermingsautoriteit.be/publications/waarschuwing-nr.-98-2024.pdf |Original_Source_Language_1=French |Original_Source_Language__Code_1=FR |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2=...")
 
mNo edit summary
 
(5 intermediate revisions by 3 users not shown)
Line 63: Line 63:
}}
}}


The DPA found a person installing a CCTV within the premises was a data controller, obliged to fulfil the duties of data controller stemming from the GDPR, including answering the access request under Article 15.
The DPA issued a warning to the operator of a video surveillance system for ignoring an access request by a data subject and failing to cooperate with the DPA. Thus, the controller violated [[Article 12 GDPR|Article 12(1)]], [[Article 12 GDPR|Article 12(3)]] and [[Article 31 GDPR]].


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
One of the resident (controller) installed five cameras (CCTV) within their premises. The controller obtained a consent of their neighbour to process the CCTV data.  
A resident (controller) installed five cameras (CCTV) within their premises (a house). The controller obtained the consent of their neighbour (data subject) to process the CCTV data.  


A data subject claimed two cameras covered their garden, which was contrary to what they agreed to. Then, the data subject asked the controller to move the cameras adequately and give data subject access to the recordings to verify their content. Despite multiple tries, the controller did not respond to the request.  
A data subject claimed two cameras covered their garden, which was contrary to what they agreed to. Then, the data subject asked the controller to move the cameras adequately and give the data subject access to the recordings to verify their content. Despite multiple tries by the data subject, the controller did not respond to the request.  


In the meantime, the controller installed additional camera – a doorbell camera facing data subject’s driveway and private entrance.  
In the meantime, the controller installed an additional camera – a doorbell camera facing the data subject’s driveway and private entrance.  


The data subject consulted the Belgian DPA (APD/GBA) on what further actions they should take. The DPA suggested to contact the local police or to start proceedings before the DPA.
The data subject consulted the Belgian DPA (APD/GBA) on what further actions they should take. The DPA suggested to contact the local police or to start proceedings before the DPA.


The Police found the setting of two cameras was changed, so it did not cover the data subject’s premises. Nevertheless, the doorbell camera was programmed to send notification every time someone showed up within its range. The data subject, requested the controller to change the setting of the doorbell camera as well, but the controller did not reply.
Following the DPA's advice, the data subject contacted the Police who found that the setting of two cameras was changed, so they did not cover the data subject’s premises. Nevertheless, the doorbell camera was programmed to send a notification every time someone showed up within its range. The data subject, requested the controller to change the setting of the doorbell camera as well, but the controller did not reply.


A moment later, the controller replaced two cameras with new, advanced models (vide-angle lenses) and changed the location of the doorbell, which covered also a pavement and a street.  
Later, the controller replaced two cameras with new, advanced models (vide-angle lenses) and changed the location of the doorbell, which covered not only the data subject’s premises but also a pavement and a street.  


As the mediation before the DPA was unsuccessful (the controller did not respond to official letter of DPA), the data subject decided to lodge a complaint with the DPA.
As the mediation before the DPA was unsuccessful (the controller did not respond to official letter of DPA), the data subject decided to lodge a complaint with the DPA.
Line 85: Line 85:
The DPA decided to close the case due to the expediency.  
The DPA decided to close the case due to the expediency.  


Firstly, the DPA noted the controller was obliged to answer data subject’s access request under Article 15, which they obviously failed to do. Hence, the controller violated [[Article 12 GDPR#3|Article 12(3) GDPR]].
First, the DPA noted the controller was obliged to answer data subject’s access request under [[Article 15 GDPR]], which they obviously failed to do. Hence, the controller violated [[Article 12 GDPR#3|Article 12(3) GDPR]].


Secondly, the controller violated [[Article 31 GDPR|Article 31 GDPR]], because they did not respond to any official mails sent by the DPA.
Second, the DPA noted that the controller violated [[Article 31 GDPR|Article 31 GDPR]], because they did not respond to any official mails sent by the DPA.


Nevertheless, the DPA found the case at hand was a broader dispute to be heard by a court. The complaint did not provide enough evidence to confirm the CCTV breached the GDPR. Also, there was a proceedings before the Police run in parallel, making a potential investigation of the DPA pointless.
For both violations, the DPA issued a warning to the controller under [[Article 58 GDPR|Article 58(2)(a) GDPR]].
 
Nevertheless, the DPA found the subject matter of the case at hand was a broader dispute and should be heard by a court. Furthermore, the complainant did not provide enough evidence to confirm the CCTV violated the GDPR. Also, there was a parallel proceeding before the Police, making a potential investigation of the DPA pointless.


== Comment ==
== Comment ==
Line 101: Line 103:


<pre>
<pre>
1/10
Contentious Chamber
 
Decision 98/2024 of July 24, 2024
Litigation Chamber
File number: DOS-2023-00957
 
Subject: Complaint regarding the installation of surveillance cameras in the context of a neighborly dispute
Decision 98/2024 of 24 July 2024
 
File number: DOS-2023-00957
 
Subject: Complaint regarding the installation of surveillance cameras in the context of a
 
neighbourhood dispute
 
The Litigation Chamber of the Data Protection Authority, consisting of Mr. Hielke
 
Hijmans, President, sitting alone;
 
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the
 
protection of natural persons with regard to the processing of personal data and on the
 
free movement of such data, and repealing Directive 95/46/EC (General Data
 
Protection Regulation), hereinafter GDPR;
 
Having regard to the Law of 3 December 2017 establishing the Data Protection Authority (hereinafter
 
LCA);
 
Having regard to the Law of 30 July 2018 on the protection of individuals with regard to the
 
processing of personal data (hereinafter LTD);
 
Having regard to the Rules of Procedure as approved by the Chamber of Representatives on 20
 
December 2018 and published in the Belgian Official Journal on 15 January 2019; 1
 
Having regard to the documents in the file;
 
Has taken the following decision concerning:
 
The complainants: X1 and X2, hereinafter "the complainants";
 
The defendant: Mr and Mrs Y, hereinafter "the defendant";
 
1The new internal regulations of the APD, following the amendments made by the Law of 25 December 2023
amending the law of 3 December 2017 establishing the Data Protection Authority (LCA) came into force on
01/06/2024.
 
In accordance with Article 56 of the law of 25 December 2023, it only applies to complaints, mediation files, requests, inspections and procedures before the Litigation Chamber initiated from this date:
https://www.autoriteprotectiondonnees.be/publications/reglement-d-ordre-interieur-de-l-autorite-de-protection-des-
donnees.pdf.
 
Cases initiated before 01/06/2024 [as in this case] are subject to the provisions of the LCA as not amended by the Law of 25 December 2023 and the internal regulations as they existed before that date. Decision 98/2024 - 2/10
 
I. Facts and procedure
 
1. On 29 August 2023, the complainants filed a complaint with the Data Protection Authority (hereinafter “the DPA”) against the defendant, a neighbouring couple having installed a video surveillance system around their home.
 
2. The subject of the complaint concerns unlawful data processing and an intrusion into the complainants’ private lives caused by the installation of outdoor cameras by the defendant, which, according to the complainants, film their home.
 
3. During the month of July 2022, the defendant installed surveillance cameras: one at the front of the house, three at the back. Among these, two cameras were allegedly oriented towards the plaintiffs’ garden, leading them to ask the defendant to modify the installation of these cameras, so as to no longer film their garden,
 
and to be able to check the images recorded by the cameras.
 
4. On 2 August 2022, the plaintiffs sent a registered letter to the defendant in which they
 
stated that they had given their consent to the installation of surveillance cameras on the condition that they did not record any images of their
 
property. They therefore asked them, once again, to modify the installation of the cameras and to be able to check the images filmed afterwards.
 
5. On 24 February 2023, the defendant installed, according to the plaintiffs, an additional camera, which would appear on the doorbell and would be directed towards their driveway and private entrance.
 
6. On 25 February 2023, the plaintiffs made a request for information to the APD to
 
find out their levers of action.
 
7. On 27 February 2023, the Frontline Service (hereinafter the "SPL") responded to this request
 
and suggested, on the basis of the law of 21 March 2007 regulating the installation and use of
 
surveillance cameras (hereinafter "the camera law"), to contact the local police or, on the basis of the
 
GDPR, to file an action with the APD, namely a complaint action or a request for
 
mediation.
 
8. On March 2, 2023, police officers visited the defendant. They confirmed
 
to the plaintiffs that their garden did not appear on the images filmed by the cameras.
 
However, the installer of the cameras allegedly informed the plaintiffs that the
cameras could have their settings and caches modified at any time by users. Also,
 
the doorbell with the installed camera allegedly sends a notification each time the
 
plaintiffs enter or leave their home. The latter allegedly complained about this to the
 
defendant, to no avail.
 
9. On 25 March 2023, the complainants filed a request for mediation, seeking to
 
obtain a change in the orientation of the cameras installed at the back of the house, so that they could no longer film the complainants' garden, as well as a change in the installation of the
 
connected doorbell.
 
10. On 4 April 2023, the SPL declared the request for mediation admissible.
 
11. On 14 April 2023, the SPL sent a letter to the defendant. The letter called on the latter to comment on the registered letter that the complainants had sent them on 2 August 2022.
 
12. On 6 July 2023, the SPL sent a registered letter to the defendant,
 
asking them to respond to the letter that had been sent to them on 14 April 2023.
 
13. On 19 July 2023, the complainants informed the APD of changes in the installation
 
of the defendant's cameras. In fact, the latter had replaced two
 
cameras with more efficient models since they were equipped with wide-angle lenses.
In addition, the connected doorbell would have been moved to face the street, making it possible to
 
film, in addition to the plaintiffs' driveway, their car, the sidewalk and the street from left to right
 
over 180°. Furthermore, the plaintiffs and the defendant live in semi-detached houses,
 
and whose gardens occupy an area of approximately 5.60 meters wide and 15 meters long.
 
It being understood that there are three cameras at the back of the
 
defendant's house, there would be, given the width of the garden area,
 
1 camera every 1.80 meters; according to the plaintiffs, it would therefore be
 
impossible for these cameras not to film their garden, and therefore, the number of cameras installed would
 
be disproportionate.
 
14. On 18 August 2023, the complainants sent an email to the APD to ask about the status of the
 
situation.
 
15. On 21 August 2023, the APD informed them that the two letters they had sent to the
 
defendants had still not been answered, declaring the mediation unsuccessful and
 
therefore informing them of the possibility of transforming their mediation into a complaint, in
 
accordance with Article 62, §2, 1° of the LCA.
 
16. On 29 August 2023, the complainants transformed their request for mediation into a complaint.
 
17. On 6 September 2023, the Front Line Service of the Data Protection Authority
 
declares the complaint admissible on the basis of Articles 58 and 60 of the LCA, and forwards it
 
to the Litigation Chamber in accordance with Article 62, § 1 of the LCA.
 
18. On 11 October 2023, the Litigation Chamber asks the complainants whether they have
 
exercised their right of access again and whether they have obtained a response from the
 
defendant.
 
19. On 12 October 2023, the complainants responded to the Litigation Chamber that they had not
 
resubmitted a request for a right of access and that the defendant had followed up on their
 
exercise of the right of access dated 2 August 2022. The complainants indicated that they were
 
not satisfied with this.
 
20. On 19 November 2023, the complainants sent an email to the Litigation Chamber
 
stating that they had again noticed on 16 November 2023 at around 8:30 p.m. that the
 
camera placed at the front of the defendant’s house was triggered when they
 
moved from their garden path to their entrance. Following this, the
 
complainants rang the defendant’s doorbell, to no avail. Approximately 30
 
minutes later, the police allegedly showed up at the plaintiffs’ home following a call from the
 
defendant. In an appendix to the email, the plaintiffs attach photos of the front facade of the
 
defendant’s home.
 
21. On December 1, 2023, the plaintiffs attach a new element to the file: they
 
noticed on Thursday, November 30 that the connected doorbell goes off as soon as they
 
appear on their private driveway, this happening each time they enter and exit.
 
The plaintiffs add that they have photos and videos.
 
22. On January 11, 2024, the plaintiffs add that the defendant modified
 
the installation of its cameras by connecting them to the electrical network so that
 
it is now fixed and permanent. One of the three cameras located at the rear of the
 
defendant’s home was allegedly moved and reoriented more towards
 
the orientation of the plaintiffs’ property.
 
II. Motivation
 
II.1. Warning
 
23. Article 4.7) of the GDPR defines the “controller” as “the natural or legal person, public authority, agency or other body which, alone or
 
jointly with others, determines the purposes and means of the processing”.
 
24. The controller must comply with the request made under Articles 15 to 22 of the GDPR by the data subject, in compliance with the conditions
 
set out in Article 12 of the GDPR.
 
25. The European Data Protection Board (hereinafter “EDPB”) has specified in its
 
guidelines that the information – or the copy of the personal data –
 
provided to the data subject within the scope of Article 15 of the GDPR must be in
 
a permanent and thus durable form. 2
 
26. Under Article 12.1 of the GDPR, the controller is responsible for “taking
 
appropriate measures to provide any information referred to in Articles 13 and 14 and
 
2EuropeanDataProtectionBoard,Guidelines01/2022ondatasubjectrights –Rightofaccess,point150,availableinEnglish
at: https://www.edpb.europa.eu/system/files/2023-04/edpb guidelines 202201 data subject rights access v2 en.pdf. Decision 98/2024 - 5/10
 
to provide any communication under Articles 15 to 22 and Article 34 concerning
 
the processing to the data subject in a concise, transparent,
 
intelligible and easily accessible manner, in clear and plain language […].”.
 
27. The Disputes Chamber adds that it is the responsibility of the data controller to provide the data subject with information on the measures taken following a request made under Articles 15 to 22 of the GDPR, as soon as possible and in any event within one month of receipt of the request. Article 12.3 of the GDPR provides that this period may, if necessary, be extended by two months, taking into account the complexity and number of requests. In such a case, the data controller shall inform the data subject of this extension and the reasons for the postponement within one month of receipt of the request. 28. In this case, the complainants exercised their right of access on 2 August 2022 by means of a registered letter. However, the defendant party allegedly did not comply with this request for access before – at the very least – 2 March 2023.
 
29. The Litigation Chamber thus notes that the defendant party may have failed
 
to comply with Article 12.3 of the GDPR.
 
30. In addition to this potential failure, it also appears that the SPL, as part of a mediation
 
procedure, contacted the defendant party twice, including once by
 
registered email (see points 11 and 12). However, these two contacts
 
proved unsuccessful, given that they received no response, leading
 
the SPL to conclude that the said procedure had failed on 21 August 2023. Furthermore, the
 
Litigation Chamber notes that this decision is adopted precisely because the
 
complainants decided to transform their request for mediation into a complaint
 
in accordance with Article 62, §2, 1° of the LCA following this failure.
 
31. Article 31 of the GDPR provides that "The controller and the processor,
 
as well as, where applicable, their representatives, shall cooperate with the supervisory authority, at the request of
 
the latter, in the performance of its tasks.".
 
32. The GDPR, including its recitals, does not define what is meant by
 
"cooperation". However, the Litigation Chamber has already had the opportunity to decide that the
 
fact, among other things, of not "complying with the exercise of the complainant's rights and
3
informing the Litigation Chamber of the follow-up given to this decision", of not "putting forward
 
arguments against the injunction given to her as permitted by Article 99 LCA" and of not reacting to an email from the Litigation Chamber informing it
 
of the amount of the proposed administrative fine constitute an attitude reflecting "a
 
3Decision of the Litigation Chamber 32/2020 of 16 June 2020, point 24.
4Decision of the Litigation Chamber 32/2020 of 16 June 2020, point 25. Decision 98/2024 - 6/10
 
lack of consideration and cooperation that is manifestly contrary to what is expected of a data controller, in particular in the application of Article 31 of the GDPR.
 
33. Article 3 of the LCA establishes a supervisory authority within the meaning of Article 51 of the GDPR.
 
34. Article 4 of the LCA states that the Data Protection Authority (DPA) thus created ensures the monitoring of compliance with the fundamental principles of the protection of personal data.
 
35. This monitoring by an independent authority is an essential element of the fundamental right to data protection specifically enshrined in Article 8, §3 of the Charter of Fundamental Rights of the European Union.
 
36. Furthermore, it is clear from Article 22, §1, 2° of the LCA that the SPL “may launch a mediation procedure”, establishing this mechanism as a tool for carrying out its missions.
 
37. The Litigation Chamber is aware of the free nature of mediation, which can
 
lead to an amicable agreement. Indeed, the Litigation Chamber does not consider under any circumstances
 
that a party can be forced to conclude an amicable agreement. This is up to the
 
strictest discretion of each party. Furthermore, expressing a refusal to
 
engage in a mediation procedure could in no case be held against
 
a data controller or its subcontractor.
 
38. However, the same is not true for exchanges with the bodies of the DPA. Within the meaning of Article
31 of the GDPR, a data controller must be expected to respond to one of the
 
bodies of the DPA when he receives letters from one of them on two occasions
 
– including once by registered letter – asking him to communicate his position on an
 
invitation to a mediation procedure (the content of this response being in itself
 
completely free).
 
39. Consequently, the Litigation Chamber notes that the defendant party
 
may have failed to comply with Article 31 of the GDPR.
 
40. On the basis of the above facts, the Litigation Chamber considers that it is appropriate to
 
conclude that the defendant may have committed a violation of the provisions of the GDPR,
 
which justifies that in this case, a decision be taken in accordance with
Article 95, §1, 4° of the LCA, more precisely the adoption of a warning decision.
 
II.2. Discontinuation of proceedings
 
41. On the basis of the facts described in the complaint file as summarised above, and on
 
the basis of the powers conferred on it by the legislator under Article 95, § 1
 
of the LCA, the Litigation Chamber decides on the further action to be taken in the case; in this case,
 
5Decision of the Litigation Chamber 32/2020 of 16 June 2020, point 27; In this regard, see also Decision of the Litigation Chamber 87/2024 of 3 June 2024, points 74 to 87. Decision 98/2024 - 7/10
 
the Litigation Chamber decides to proceed with the classification without further action of the complaint,
 
in accordance with Article 95, § 1, 3° of the LCA, for the reasons set out below.
 
42. In matters of classification without further action, the Litigation Chamber is required to justify its
 
decision in stages and to:
 
- pronounce a classification without technical further action if the file does not contain or
 
insufficient evidence likely to lead to a sanction or if it contains a technical
 
obstacle preventing it from rendering a decision;
 
- or pronounce a dismissal of opportunity, if despite the presence
 
of elements likely to lead to a sanction, the continuation of the examination of the
 
file does not seem appropriate to it taking into account the priorities of the Data
 
Protection Authority as specified and illustrated in the Disputes Division's
 
Dismissal Policy.
 
43. In the event of dismissal based on several grounds for dismissal,
 
these grounds (respectively, dismissal of technical action and dismissal of
 
opportunity) must be treated in order of importance.
 
44. In this case, the Disputes Division decides to dismiss the
 
case on grounds of opportunity. The decision of the Disputes Division is based more
 
specifically on three reasons why it considers that it is inappropriate to
 
continue monitoring the file, and consequently decides not to proceed, among
 
other things, with an examination of the case on the merits.
 
45. More specifically, the decision of the Litigation Chamber is based on the fact that the remainder of
 
the complaint is incidental to a broader dispute that needs to be argued before the
 
judicial and administrative courts and tribunals or another competent authority and that the
 
complaint is not sufficiently supported by evidence that would allow the Litigation
 
Chamber to rule on the existence or not of a violation of the GDPR and that it
 
does not result in a high societal and/or personal impact (criteria B. 3 and B. 5 of the
 
dismissal policy).
 
46. The Litigation Chamber recalls that the law of 21 March 2007 regulating the installation and
 
use of surveillance cameras (hereinafter: the law on cameras) designates the police
 
as the body primarily competent to monitor the provisions of the law on
 
6Market Court (Brussels Court of Appeal), 2 September 2020, judgment 2020/AR/329, p. 18.
7
In this regard, the Litigation Chamber refers to its policy on dismissal as developed and published on the
website of the Data Protection Authority: https://www.autoriteprotectiondonnees.be/publications/politique-de-
classement-sans-suite-de-la-chambre-contentieuse.pdf.
8Cf. Title 3 – In which cases is my complaint likely to be dismissed by the Litigation Chamber? of the
policy on dismissal of the Litigation Chamber.
 
9Laloidu21march2007regulatingtheinstallationanduseofsurveillancecameras,M.B.31may2007,asamendedbythelawof21march2018,M.B.16april2018,andtheroyaldecreeof8may2018relatingtodeclarationsofinstallationanduseofsurveillancecamerasandtheregisterofsurveillancecameraimageactivities,M.B.23may2018.Decision98/2024 - 8/10
 
cameras. Indeed, the installation of a surveillance camera must be notified to the
 
local police. The local police are also empowered to take decisions under
penal provisions sanctioning non-compliance with the law on cameras. In this case, it was
 
precisely for this reason that the complainants contacted their local police, who
 
actually went to the defendant’s home on 2 March 2023 (see point
 
8). Consequently, the Litigation Chamber wishes to avoid a double investigation, during
 
which the police and the Litigation Chamber would act on the basis of the same facts.
 
47. The Litigation Chamber also notes that the complainants claim to have accessed
 
images filmed by the defendant’s cameras. However, the complainants indicate that
 
they are not satisfied with the images they accessed, given that the
 
technical parameters of the cameras had been modified so that they did not film the
 
images usually recorded. However, given that the complainants
acknowledge that they do not have proof of the access granted to them, the
 
Litigation Chamber is not in a position to determine whether the follow-up granted to their exercise of the
 
right of access is satisfactory.
 
48. Given that the complaint is not sufficiently supported by evidence that would
 
allow the Litigation Chamber to rule on whether or not there has been a violation of the
 
GDPR, it examines the criteria of high general or personal impact, as defined by the
 
DPA in its note on the policy on dismissal of 18 June 2021. The
 
Litigation Chamber first examines whether the criteria of high general or personal impact, as
 
defined by the DPA in their policy on dismissal of 18 June 2021, apply to the present case.
 
Finally, if the criteria of high general or personal impact do not apply, the Litigation Chamber
 
weighs the personal impact of the circumstances of the complaint on the
 
fundamental rights and freedoms of the person concerned, and the
 
effectiveness of the Litigation Chamber’s intervention.
 
49. After assessing the criteria of high general or personal impact, the
 
Litigation Chamber concludes that none of the criteria apply to the


present case. Consequently, the Litigation Chamber
The Contentious Chamber of the Data Protection Authority, constituted by Mr. Hielke Hijmans, President, sitting alone; 
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR; 
Having regard to the Law of December 3, 2017, establishing the Data Protection Authority (hereinafter LCA); 
Having regard to the Law of July 30, 2018, on the protection of natural persons with regard to the processing of personal data (hereinafter LTD); 
Having regard to the Rules of Procedure as approved by the House of Representatives on December 20, 2018, and published in the Belgian Official Gazette on January 15, 2019; 
Having regard to the documents in the file; 
Has made the following decision regarding: 
The complainants: X1 and X2, hereinafter "the complainants"; 
The defendants: Mr. and Mrs. Y, hereinafter "the defendant party"; 


weighs the personal impact of the circumstances of the complaint on the
# I. Facts and Procedure 


fundamental rights and freedoms of the complainant against the
1. On August 29, 2023, the complainants filed a complaint with the Data Protection Authority (hereinafter "the DPA") against the defendant party, a neighboring couple who installed a video surveillance system around their house. 
2. The subject of the complaint concerns unlawful data processing and an intrusion into the complainants' privacy caused by the installation of exterior cameras by the defendant party, which, according to the complainants, film their home. 
3. In July 2022, the defendant party installed surveillance cameras: one at the front of the house and three at the back. Among the latter, two cameras were allegedly directed toward the complainants' garden, prompting them to request that the defendant party adjust the cameras to stop filming their garden and to allow them to verify the recorded images. 
4. On August 2, 2022, the complainants sent a registered letter to the defendant party, reminding them that they had allegedly given their consent for the installation of surveillance cameras on the condition that they would not record images of their property. Therefore, they again requested that the cameras be adjusted and that they be allowed to verify the recorded images. 
5. On February 24, 2023, the defendant party installed an additional camera, according to the complainants, which appeared on the doorbell of the front entrance and was directed toward their driveway and private entrance. 
6. On February 25, 2023, the complainants requested information from the DPA to understand their options for action. 
7. On February 27, 2023, the Frontline Service (hereinafter the "FLS") responded to this request and suggested, based on the Law of March 21, 2007, regulating the installation and use of surveillance cameras (hereinafter "the Camera Law"), that they contact the local police or, based on the GDPR, file a complaint or a mediation request with the DPA. 
8. On March 2, 2023, police officers visited the defendant party's residence. They confirmed to the complainants that their garden was not visible in the images filmed by the cameras. However, the camera installer allegedly told the complainants that the cameras could have their settings and caches modified at any time by their users. Additionally, the doorbell camera would send a notification every time the complainants entered or exited their home. They complained about this to the defendant party, to no avail. 
9. On March 25, 2023, the complainants filed a mediation request, seeking to change the orientation of the cameras installed at the back of the house so that they would no longer film the complainants' garden, as well as to adjust the installation of the connected doorbell. 
10. On April 4, 2023, the FLS declared the mediation request admissible. 
11. On April 14, 2023, the FLS sent a letter to the defendant party, asking them to respond to the registered letter the complainants had sent on August 2, 2022. 
12. On July 6, 2023, the FLS sent a registered letter to the defendant party, requesting a response to the letter sent on April 14, 2023. 
13. On July 19, 2023, the complainants informed the DPA of changes to the installation of the defendant party's cameras. Specifically, the defendant party had replaced two cameras with more advanced models equipped with wide-angle lenses. Furthermore, the connected doorbell had been repositioned facing the street, allowing it to film, in addition to the complainants' driveway, their car, the sidewalk, and the street from left to right over 180°. Additionally, the complainants and the defendant party live in adjoining houses with gardens measuring approximately 5.60 meters in width by 15 meters in length. Given that three cameras are installed at the back of the defendant party's house, with the width of the garden, there would be one camera every 1.80 meters; according to the complainants, it would be impossible for these cameras not to film their garden, and therefore, the number of cameras installed would be disproportionate. 
14. On August 18, 2023, the complainants emailed the DPA to inquire about the status of the situation. 
15. On August 21, 2023, the DPA informed them that the two letters they had sent to the defendant party remained unanswered, declaring the mediation unsuccessful and informing them of the possibility of converting their mediation request into a complaint, in accordance with Article 62, §2, 1° of the LCA. 
16. On August 29, 2023, the complainants converted their mediation request into a complaint. 
17. On September 6, 2023, the Frontline Service of the Data Protection Authority declared the complaint admissible based on Articles 58 and 60 of the LCA and forwarded it to the Contentious Chamber in accordance with Article 62, §1 of the LCA. 
18. On October 11, 2023, the Contentious Chamber asked the complainants if they had exercised their right of access again and if they had received a response from the defendant party. 
19. On October 12, 2023, the complainants informed the Contentious Chamber that they had not reintroduced a request for the right of access and that the defendant party had responded to their exercise of the right of access dated August 2, 2022. The complainants indicated that they were not satisfied. 
20. On November 19, 2023, the complainants emailed the Contentious Chamber, indicating that they had again observed on November 16, 2023, around 8:30 p.m., that the camera placed at the front of the defendant party's house was triggered when they moved from their garden driveway to their entrance. Following this, the complainants rang the defendant party's doorbell, to no avail. Approximately 30 minutes later, the police reportedly arrived at the complainants' residence following a call from the defendant party. Attached to the email, the complainants included photos of the front façade of the defendant party's house. 
21. On December 1, 2023, the complainants added a new element to the file: they noticed on Thursday, November 30, that the connected doorbell was triggered as soon as they appeared on their private driveway, doing so with each of their entries and exits. The complainants added that they have photos and videos. 
22. On January 11, 2024, the complainants added that the defendant party had modified the installation of their cameras by connecting them to the electrical network so that they are now fixed and permanent. One of the three cameras located at the back of the defendant party's house had been moved and reoriented further towards the complainants' property. 


effectiveness of its intervention to decide whether to deal with the
# II. Motivation 


complaint in depth. Without wishing to minimise the facts alleged by the complainants, the
## II.1. Warning 


Litigation Chamber notes that, in addition to the
23. Article 4.7 of the GDPR defines the "controller" as "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing." 
24. The controller must respond to a request made pursuant to Articles 15 to 22 of the GDPR by the data subject, in accordance with the conditions set out in Article 12 of the GDPR. 
25. The European Data Protection Board (hereinafter "EDPB") has specified in its guidelines that the information – or a copy of the personal data – provided to the data subject under Article 15 of the GDPR must be in a permanent and thus durable form. 
26. Pursuant to Article 12.1 of the GDPR, it is the responsibility of the controller "to take appropriate measures to provide any information referred to in Articles 13 and 14 as well as any communication under Articles 15 to 22 and 34 regarding processing to the data subject in a concise, transparent, intelligible, and easily accessible form, using clear and plain language [...]." 
27. The Contentious Chamber adds that it is the controller's responsibility to provide the data subject with information on the measures taken in response to a request made pursuant to Articles 15 to 22 of the GDPR as soon as possible and, in any case, within one month of receiving the request. Article 12.3 of the GDPR states that this period may be extended by two months if necessary, taking into account the complexity and number of requests. In such a case, the controller must inform the data subject of the extension and the reasons for the delay within one month of receiving the request. 
28. In this case, the complainants exercised their right of access on August 2, 2022, by means of a registered letter. However, the defendant party did not satisfy this access request before – at the very least – March 2, 2023. 
29. The Contentious Chamber thus finds that the defendant party may have violated Article 12.3 of the GDPR. 
30. In addition to this potential violation, it also appears that the FLS, in the context of a mediation procedure, contacted the defendant party twice, including once via registered email (see points 11 and 12). However, these two contacts proved unsuccessful, as they received no response, leading the FLS to conclude the failure of the said procedure on August 21, 2023. Furthermore, the Contentious Chamber notes that this decision was adopted precisely because the complainants decided to convert their mediation request into a complaint in accordance with Article 62, §2, 1° of the LCA following this failure. 
31. Article 31 of the GDPR provides that "The controller and the processor, and, where applicable, their representatives, shall cooperate, on request, with the supervisory authority in the performance of its tasks." 
32. The GDPR, including its recitals, does not define what is meant by "cooperation." However, the Contentious Chamber has previously decided that failing, among other things, "to comply with the exercise of the complainant's rights and to inform the Contentious Chamber of the follow-up to this decision," failing "to present arguments against the injunction given as permitted by Article 99 LCA," and failing to respond to an email from the Contentious Chamber informing them of the proposed administrative fine amount constitutes an attitude displaying "a manifest lack of consideration and cooperation contrary to what is expected of a controller, particularly under Article 31 of the GDPR." 
33. Article 3 of the LCA indeed establishes a supervisory authority within the meaning of Article 51 of the GDPR. 
34. Article 4 of the LCA states that the Data Protection Authority (DPA) thus created ensures the enforcement of the fundamental principles of personal data protection. 
35. This oversight by an independent authority is an essential element of the fundamental right to data protection specifically enshrined in Article 8, §3 of the Charter of Fundamental Rights of the European Union. 
36. Furthermore, Article 22, §1, 2° of the LCA states that the FLS "may initiate a mediation procedure," establishing this mechanism as a tool for carrying out its tasks. 
37. The Contentious Chamber does not overlook the voluntary nature of mediation, which can lead to an amicable agreement. Indeed, the Contentious Chamber in no way considers that a party can be forced to conclude an amicable agreement. This falls under the strictest discretion of each party. Moreover, expressing the refusal to engage in a mediation procedure could in no way be held against a controller or their processor. 
38. However, this is not the case for exchanges with the DPA's bodies. Under Article 31 of the GDPR, it is expected of a controller to respond to one of the DPA's bodies when they receive two letters from one of them – including one by registered mail – asking them to communicate their position on an invitation to a mediation procedure (the content of this response being entirely free in itself). 
39. Consequently, the Contentious Chamber finds that the defendant party may have violated Article 31 of the GDPR. 
40. Based on the aforementioned facts, the Contentious Chamber concludes that the defendant party may have committed a violation of the GDPR provisions, justifying, in this case, the adoption of a decision in accordance with Article 95, §1, 4° of the LCA, specifically the adoption of a warning decision. 


elements referred to in points 40 to 42 of this decision, the alleged facts
## II.2. Dismissal of the case 


mainly concern the complainants only. Consequently, the Contentious Chamber
41. Based on the facts described in the complaint file as summarized above, and based on the powers assigned to it by the legislator under Article 95, §1 of the LCA, the Contentious Chamber decides on the further course of the case; in this case, the Contentious Chamber decides to dismiss the rest of the complaint, in accordance with Article 95, §1, 3° of the LCA, for the reasons stated below. 
42. In matters of case dismissal, the Contentious Chamber is required to justify its decision in stages and to: 
- Pronounce a technical dismissal if the file does not contain or contains insufficient elements likely to lead to a sanction or if it contains a technical obstacle preventing it from rendering a decision; 
- Or pronounce an opportunity dismissal if, despite the presence of elements likely to lead to a sanction, it does not seem appropriate to pursue the examination of the file given the priorities of the Data Protection Authority as specified and illustrated in the Contentious Chamber’s Dismissal Policy. 
43. In the case of a dismissal based on multiple reasons for dismissal, these (respectively, technical dismissal and opportunity dismissal) must be addressed in order of importance. 
44. In this case, the Contentious Chamber decides to proceed with an opportunity dismissal. The Contentious Chamber's decision is based more specifically on three reasons why it considers it inappropriate to continue monitoring the case, and consequently decides not to conduct, among other things, a substantive examination of the matter. 
45. More precisely, the Contentious Chamber's decision is based on the fact that the remainder of the complaint is accessory to a broader dispute that needs to be addressed before judicial and administrative courts or another competent authority and that the complaint is not sufficiently supported by evidence that would allow the Contentious Chamber to rule on the existence or absence of a GDPR violation, and that it does not entail a high societal and/or personal impact (criteria B.3 and B.5 of the dismissal policy). 
46. The Contentious Chamber recalls that the Law of March 21, 2007, regulating the installation and use of surveillance cameras (hereinafter: the Camera Law) designates the police as the primary authority responsible for monitoring compliance with the provisions of the Camera Law. Indeed, the installation of a surveillance camera must be notified to the local police. The local police are also empowered to make decisions under penal provisions sanctioning non-compliance with the Camera Law. In this case, it is precisely in this capacity that the complainants contacted their local police, who indeed visited the defendant party's residence on March 2, 2023 (see point 8). Consequently, the Contentious Chamber wishes to avoid a double investigation, where the police and the Contentious Chamber would act based on the same facts. 
47. Furthermore, the Contentious Chamber notes that the complainants claim to have accessed images filmed by the defendant party's cameras. However, the complainants indicate that they are not satisfied with the images they accessed, as the cameras' technical settings would have been modified so that they did not film the images usually recorded. However, given that the complainants acknowledge not having proof of the access they were granted, the Contentious Chamber is unable to determine whether the follow-up given to their exercise of the right of access is satisfactory. 
48. Since the complaint is not sufficiently supported by evidence that would allow the Contentious Chamber to rule on the existence or absence of a GDPR violation, it examines the criteria for high general or personal impact, as defined by the DPA in its Dismissal Policy Note of June 18, 2021. The Contentious Chamber first examines whether the criteria for high general or personal impact, as defined by the DPA in their dismissal policy, apply to the present case. Finally, if the criteria for high general or personal impact do not apply, the Contentious Chamber balances the personal impact of the circumstances of the complaint on the fundamental rights and freedoms of the data subject, and the efficiency of the Contentious Chamber’s intervention. 
49. After evaluating the criteria for high general or personal impact, the Contentious Chamber concludes that none of the criteria apply to the present case. Consequently, the Contentious Chamber assesses the personal impact of the circumstances of the complaint on the fundamental rights and freedoms of the complainant against the efficiency of its intervention to decide on the appropriateness of a thorough investigation of the complaint. Without minimizing the facts alleged by the complainants, the Contentious Chamber notes that, in addition to the elements mentioned in points 40 to 42 of this decision, the alleged facts primarily concern the complainants. Consequently, the Contentious Chamber does not deem it appropriate to initiate an investigation by the Inspection Service to corroborate the complainants' allegations and, therefore, decides not to conduct, among other things, a substantive examination of the matter. 


does not consider it appropriate to launch an investigation through the Inspection Service to
# III. Publication and communication of the decision 


corroborate the complainant's allegations, and consequently decides not to proceed,
50. Given the importance of transparency regarding the decision-making process and the decisions of the Contentious Chamber, this decision will be published on the Data Protection Authority's website. However, it is not necessary for this purpose to directly communicate the identifying data of the parties. 


among other things, with an examination of the case on the merits. Decision 98/2024 - 10/10
FOR THESE REASONS,


1034quinquies of the Judicial Code, or via the e-Deposit information system of the Ministry of Justice
the Contentious Chamber of the Data Protection Authority decides, subject to the submission of a request by the defendant party for substantive treatment in accordance with Articles 98 et seq. of the LCA: 
Pursuant to Article 58.2.a) of the GDPR and Article 95, §1, 4° of the LCA, to warn the defendant party for the future that they must


(Article 32ter of the Judicial Code).
cooperate with the DPA under Article 31 of the GDPR and must respond to the exercise of rights under Articles 15 to 22 of the GDPR within the timeframe provided by Articles 12.3 and 12.4 of the GDPR; 
Pursuant to Article 95, §1, 3° of the LCA, to dismiss the grievances formulated by the complainant.


(). Hielke HIJMANS
The Contentious Chamber reminds that if the defendant party disagrees with the content of this prima facie decision and believes that they can present factual and/or legal arguments that could lead to a different decision, they may, on the one hand, address a request for substantive treatment of the matter to the Contentious Chamber via the email address litigationchamber@apd-gba.be within 30 days after the notification of this decision. If applicable, the execution of this decision is suspended during the aforementioned period. 
And, on the other hand, the defendant party may file an appeal against this decision in accordance with Article 108, §1 of the LCA, within 30 days from its notification, with the Market Court (Court of Appeal of Brussels), with the Data Protection Authority as the defendant. Such an appeal may be filed by means of an interlocutory petition that must contain the information listed in Article 1034ter of the Judicial Code. The interlocutory petition must be filed with the registry of the Market Court in accordance with Article 1034quinquies of the Judicial Code, or via the e-Deposit information system of the Ministry of Justice (Article 32ter of the Judicial Code).


(sgd.) Hielke HIJMANS 
President of the Contentious Chamber
President of the Contentious Chamber


11The application, accompanied by its annex, is sent, in as many copies as there are parties involved, by registered letter
to the court clerk or filed with the registry.
</pre>
</pre>

Latest revision as of 08:25, 21 August 2024

APD/GBA - 98/2024
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 12(3) GDPR
Article 15 GDPR
Article 31 GDPR
Type: Complaint
Outcome: Rejected
Started:
Decided: 24.07.2024
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: 98/2024
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: APD/GBA (Belgium) (in FR)
Initial Contributor: wp

The DPA issued a warning to the operator of a video surveillance system for ignoring an access request by a data subject and failing to cooperate with the DPA. Thus, the controller violated Article 12(1), Article 12(3) and Article 31 GDPR.

English Summary

Facts

A resident (controller) installed five cameras (CCTV) within their premises (a house). The controller obtained the consent of their neighbour (data subject) to process the CCTV data.

A data subject claimed two cameras covered their garden, which was contrary to what they agreed to. Then, the data subject asked the controller to move the cameras adequately and give the data subject access to the recordings to verify their content. Despite multiple tries by the data subject, the controller did not respond to the request.

In the meantime, the controller installed an additional camera – a doorbell camera facing the data subject’s driveway and private entrance.

The data subject consulted the Belgian DPA (APD/GBA) on what further actions they should take. The DPA suggested to contact the local police or to start proceedings before the DPA.

Following the DPA's advice, the data subject contacted the Police who found that the setting of two cameras was changed, so they did not cover the data subject’s premises. Nevertheless, the doorbell camera was programmed to send a notification every time someone showed up within its range. The data subject, requested the controller to change the setting of the doorbell camera as well, but the controller did not reply.

Later, the controller replaced two cameras with new, advanced models (vide-angle lenses) and changed the location of the doorbell, which covered not only the data subject’s premises but also a pavement and a street.

As the mediation before the DPA was unsuccessful (the controller did not respond to official letter of DPA), the data subject decided to lodge a complaint with the DPA.

Holding

The DPA decided to close the case due to the expediency.

First, the DPA noted the controller was obliged to answer data subject’s access request under Article 15 GDPR, which they obviously failed to do. Hence, the controller violated Article 12(3) GDPR.

Second, the DPA noted that the controller violated Article 31 GDPR, because they did not respond to any official mails sent by the DPA.

For both violations, the DPA issued a warning to the controller under Article 58(2)(a) GDPR.

Nevertheless, the DPA found the subject matter of the case at hand was a broader dispute and should be heard by a court. Furthermore, the complainant did not provide enough evidence to confirm the CCTV violated the GDPR. Also, there was a parallel proceeding before the Police, making a potential investigation of the DPA pointless.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details. 

Contentious Chamber  
Decision 98/2024 of July 24, 2024  
File number: DOS-2023-00957  
Subject: Complaint regarding the installation of surveillance cameras in the context of a neighborly dispute  

The Contentious Chamber of the Data Protection Authority, constituted by Mr. Hielke Hijmans, President, sitting alone;  
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR;  
Having regard to the Law of December 3, 2017, establishing the Data Protection Authority (hereinafter LCA);  
Having regard to the Law of July 30, 2018, on the protection of natural persons with regard to the processing of personal data (hereinafter LTD);  
Having regard to the Rules of Procedure as approved by the House of Representatives on December 20, 2018, and published in the Belgian Official Gazette on January 15, 2019;  
Having regard to the documents in the file;  
Has made the following decision regarding:  
The complainants: X1 and X2, hereinafter "the complainants";  
The defendants: Mr. and Mrs. Y, hereinafter "the defendant party";  

# I. Facts and Procedure  

1. On August 29, 2023, the complainants filed a complaint with the Data Protection Authority (hereinafter "the DPA") against the defendant party, a neighboring couple who installed a video surveillance system around their house.  
2. The subject of the complaint concerns unlawful data processing and an intrusion into the complainants' privacy caused by the installation of exterior cameras by the defendant party, which, according to the complainants, film their home.  
3. In July 2022, the defendant party installed surveillance cameras: one at the front of the house and three at the back. Among the latter, two cameras were allegedly directed toward the complainants' garden, prompting them to request that the defendant party adjust the cameras to stop filming their garden and to allow them to verify the recorded images.  
4. On August 2, 2022, the complainants sent a registered letter to the defendant party, reminding them that they had allegedly given their consent for the installation of surveillance cameras on the condition that they would not record images of their property. Therefore, they again requested that the cameras be adjusted and that they be allowed to verify the recorded images.  
5. On February 24, 2023, the defendant party installed an additional camera, according to the complainants, which appeared on the doorbell of the front entrance and was directed toward their driveway and private entrance.  
6. On February 25, 2023, the complainants requested information from the DPA to understand their options for action.  
7. On February 27, 2023, the Frontline Service (hereinafter the "FLS") responded to this request and suggested, based on the Law of March 21, 2007, regulating the installation and use of surveillance cameras (hereinafter "the Camera Law"), that they contact the local police or, based on the GDPR, file a complaint or a mediation request with the DPA.  
8. On March 2, 2023, police officers visited the defendant party's residence. They confirmed to the complainants that their garden was not visible in the images filmed by the cameras. However, the camera installer allegedly told the complainants that the cameras could have their settings and caches modified at any time by their users. Additionally, the doorbell camera would send a notification every time the complainants entered or exited their home. They complained about this to the defendant party, to no avail.  
9. On March 25, 2023, the complainants filed a mediation request, seeking to change the orientation of the cameras installed at the back of the house so that they would no longer film the complainants' garden, as well as to adjust the installation of the connected doorbell.  
10. On April 4, 2023, the FLS declared the mediation request admissible.  
11. On April 14, 2023, the FLS sent a letter to the defendant party, asking them to respond to the registered letter the complainants had sent on August 2, 2022.  
12. On July 6, 2023, the FLS sent a registered letter to the defendant party, requesting a response to the letter sent on April 14, 2023.  
13. On July 19, 2023, the complainants informed the DPA of changes to the installation of the defendant party's cameras. Specifically, the defendant party had replaced two cameras with more advanced models equipped with wide-angle lenses. Furthermore, the connected doorbell had been repositioned facing the street, allowing it to film, in addition to the complainants' driveway, their car, the sidewalk, and the street from left to right over 180°. Additionally, the complainants and the defendant party live in adjoining houses with gardens measuring approximately 5.60 meters in width by 15 meters in length. Given that three cameras are installed at the back of the defendant party's house, with the width of the garden, there would be one camera every 1.80 meters; according to the complainants, it would be impossible for these cameras not to film their garden, and therefore, the number of cameras installed would be disproportionate.  
14. On August 18, 2023, the complainants emailed the DPA to inquire about the status of the situation.  
15. On August 21, 2023, the DPA informed them that the two letters they had sent to the defendant party remained unanswered, declaring the mediation unsuccessful and informing them of the possibility of converting their mediation request into a complaint, in accordance with Article 62, §2, 1° of the LCA.  
16. On August 29, 2023, the complainants converted their mediation request into a complaint.  
17. On September 6, 2023, the Frontline Service of the Data Protection Authority declared the complaint admissible based on Articles 58 and 60 of the LCA and forwarded it to the Contentious Chamber in accordance with Article 62, §1 of the LCA.  
18. On October 11, 2023, the Contentious Chamber asked the complainants if they had exercised their right of access again and if they had received a response from the defendant party.  
19. On October 12, 2023, the complainants informed the Contentious Chamber that they had not reintroduced a request for the right of access and that the defendant party had responded to their exercise of the right of access dated August 2, 2022. The complainants indicated that they were not satisfied.  
20. On November 19, 2023, the complainants emailed the Contentious Chamber, indicating that they had again observed on November 16, 2023, around 8:30 p.m., that the camera placed at the front of the defendant party's house was triggered when they moved from their garden driveway to their entrance. Following this, the complainants rang the defendant party's doorbell, to no avail. Approximately 30 minutes later, the police reportedly arrived at the complainants' residence following a call from the defendant party. Attached to the email, the complainants included photos of the front façade of the defendant party's house.  
21. On December 1, 2023, the complainants added a new element to the file: they noticed on Thursday, November 30, that the connected doorbell was triggered as soon as they appeared on their private driveway, doing so with each of their entries and exits. The complainants added that they have photos and videos.  
22. On January 11, 2024, the complainants added that the defendant party had modified the installation of their cameras by connecting them to the electrical network so that they are now fixed and permanent. One of the three cameras located at the back of the defendant party's house had been moved and reoriented further towards the complainants' property.  

# II. Motivation  

## II.1. Warning  

23. Article 4.7 of the GDPR defines the "controller" as "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing."  
24. The controller must respond to a request made pursuant to Articles 15 to 22 of the GDPR by the data subject, in accordance with the conditions set out in Article 12 of the GDPR.  
25. The European Data Protection Board (hereinafter "EDPB") has specified in its guidelines that the information – or a copy of the personal data – provided to the data subject under Article 15 of the GDPR must be in a permanent and thus durable form.  
26. Pursuant to Article 12.1 of the GDPR, it is the responsibility of the controller "to take appropriate measures to provide any information referred to in Articles 13 and 14 as well as any communication under Articles 15 to 22 and 34 regarding processing to the data subject in a concise, transparent, intelligible, and easily accessible form, using clear and plain language [...]."  
27. The Contentious Chamber adds that it is the controller's responsibility to provide the data subject with information on the measures taken in response to a request made pursuant to Articles 15 to 22 of the GDPR as soon as possible and, in any case, within one month of receiving the request. Article 12.3 of the GDPR states that this period may be extended by two months if necessary, taking into account the complexity and number of requests. In such a case, the controller must inform the data subject of the extension and the reasons for the delay within one month of receiving the request.  
28. In this case, the complainants exercised their right of access on August 2, 2022, by means of a registered letter. However, the defendant party did not satisfy this access request before – at the very least – March 2, 2023.  
29. The Contentious Chamber thus finds that the defendant party may have violated Article 12.3 of the GDPR.  
30. In addition to this potential violation, it also appears that the FLS, in the context of a mediation procedure, contacted the defendant party twice, including once via registered email (see points 11 and 12). However, these two contacts proved unsuccessful, as they received no response, leading the FLS to conclude the failure of the said procedure on August 21, 2023. Furthermore, the Contentious Chamber notes that this decision was adopted precisely because the complainants decided to convert their mediation request into a complaint in accordance with Article 62, §2, 1° of the LCA following this failure.  
31. Article 31 of the GDPR provides that "The controller and the processor, and, where applicable, their representatives, shall cooperate, on request, with the supervisory authority in the performance of its tasks."  
32. The GDPR, including its recitals, does not define what is meant by "cooperation." However, the Contentious Chamber has previously decided that failing, among other things, "to comply with the exercise of the complainant's rights and to inform the Contentious Chamber of the follow-up to this decision," failing "to present arguments against the injunction given as permitted by Article 99 LCA," and failing to respond to an email from the Contentious Chamber informing them of the proposed administrative fine amount constitutes an attitude displaying "a manifest lack of consideration and cooperation contrary to what is expected of a controller, particularly under Article 31 of the GDPR."  
33. Article 3 of the LCA indeed establishes a supervisory authority within the meaning of Article 51 of the GDPR.  
34. Article 4 of the LCA states that the Data Protection Authority (DPA) thus created ensures the enforcement of the fundamental principles of personal data protection.  
35. This oversight by an independent authority is an essential element of the fundamental right to data protection specifically enshrined in Article 8, §3 of the Charter of Fundamental Rights of the European Union.  
36. Furthermore, Article 22, §1, 2° of the LCA states that the FLS "may initiate a mediation procedure," establishing this mechanism as a tool for carrying out its tasks.  
37. The Contentious Chamber does not overlook the voluntary nature of mediation, which can lead to an amicable agreement. Indeed, the Contentious Chamber in no way considers that a party can be forced to conclude an amicable agreement. This falls under the strictest discretion of each party. Moreover, expressing the refusal to engage in a mediation procedure could in no way be held against a controller or their processor.  
38. However, this is not the case for exchanges with the DPA's bodies. Under Article 31 of the GDPR, it is expected of a controller to respond to one of the DPA's bodies when they receive two letters from one of them – including one by registered mail – asking them to communicate their position on an invitation to a mediation procedure (the content of this response being entirely free in itself).  
39. Consequently, the Contentious Chamber finds that the defendant party may have violated Article 31 of the GDPR.  
40. Based on the aforementioned facts, the Contentious Chamber concludes that the defendant party may have committed a violation of the GDPR provisions, justifying, in this case, the adoption of a decision in accordance with Article 95, §1, 4° of the LCA, specifically the adoption of a warning decision.  

## II.2. Dismissal of the case  

41. Based on the facts described in the complaint file as summarized above, and based on the powers assigned to it by the legislator under Article 95, §1 of the LCA, the Contentious Chamber decides on the further course of the case; in this case, the Contentious Chamber decides to dismiss the rest of the complaint, in accordance with Article 95, §1, 3° of the LCA, for the reasons stated below.  
42. In matters of case dismissal, the Contentious Chamber is required to justify its decision in stages and to:  
- Pronounce a technical dismissal if the file does not contain or contains insufficient elements likely to lead to a sanction or if it contains a technical obstacle preventing it from rendering a decision;  
- Or pronounce an opportunity dismissal if, despite the presence of elements likely to lead to a sanction, it does not seem appropriate to pursue the examination of the file given the priorities of the Data Protection Authority as specified and illustrated in the Contentious Chamber’s Dismissal Policy.  
43. In the case of a dismissal based on multiple reasons for dismissal, these (respectively, technical dismissal and opportunity dismissal) must be addressed in order of importance.  
44. In this case, the Contentious Chamber decides to proceed with an opportunity dismissal. The Contentious Chamber's decision is based more specifically on three reasons why it considers it inappropriate to continue monitoring the case, and consequently decides not to conduct, among other things, a substantive examination of the matter.  
45. More precisely, the Contentious Chamber's decision is based on the fact that the remainder of the complaint is accessory to a broader dispute that needs to be addressed before judicial and administrative courts or another competent authority and that the complaint is not sufficiently supported by evidence that would allow the Contentious Chamber to rule on the existence or absence of a GDPR violation, and that it does not entail a high societal and/or personal impact (criteria B.3 and B.5 of the dismissal policy).  
46. The Contentious Chamber recalls that the Law of March 21, 2007, regulating the installation and use of surveillance cameras (hereinafter: the Camera Law) designates the police as the primary authority responsible for monitoring compliance with the provisions of the Camera Law. Indeed, the installation of a surveillance camera must be notified to the local police. The local police are also empowered to make decisions under penal provisions sanctioning non-compliance with the Camera Law. In this case, it is precisely in this capacity that the complainants contacted their local police, who indeed visited the defendant party's residence on March 2, 2023 (see point 8). Consequently, the Contentious Chamber wishes to avoid a double investigation, where the police and the Contentious Chamber would act based on the same facts.  
47. Furthermore, the Contentious Chamber notes that the complainants claim to have accessed images filmed by the defendant party's cameras. However, the complainants indicate that they are not satisfied with the images they accessed, as the cameras' technical settings would have been modified so that they did not film the images usually recorded. However, given that the complainants acknowledge not having proof of the access they were granted, the Contentious Chamber is unable to determine whether the follow-up given to their exercise of the right of access is satisfactory.  
48. Since the complaint is not sufficiently supported by evidence that would allow the Contentious Chamber to rule on the existence or absence of a GDPR violation, it examines the criteria for high general or personal impact, as defined by the DPA in its Dismissal Policy Note of June 18, 2021. The Contentious Chamber first examines whether the criteria for high general or personal impact, as defined by the DPA in their dismissal policy, apply to the present case. Finally, if the criteria for high general or personal impact do not apply, the Contentious Chamber balances the personal impact of the circumstances of the complaint on the fundamental rights and freedoms of the data subject, and the efficiency of the Contentious Chamber’s intervention.  
49. After evaluating the criteria for high general or personal impact, the Contentious Chamber concludes that none of the criteria apply to the present case. Consequently, the Contentious Chamber assesses the personal impact of the circumstances of the complaint on the fundamental rights and freedoms of the complainant against the efficiency of its intervention to decide on the appropriateness of a thorough investigation of the complaint. Without minimizing the facts alleged by the complainants, the Contentious Chamber notes that, in addition to the elements mentioned in points 40 to 42 of this decision, the alleged facts primarily concern the complainants. Consequently, the Contentious Chamber does not deem it appropriate to initiate an investigation by the Inspection Service to corroborate the complainants' allegations and, therefore, decides not to conduct, among other things, a substantive examination of the matter.  

# III. Publication and communication of the decision  

50. Given the importance of transparency regarding the decision-making process and the decisions of the Contentious Chamber, this decision will be published on the Data Protection Authority's website. However, it is not necessary for this purpose to directly communicate the identifying data of the parties.  

FOR THESE REASONS,  

the Contentious Chamber of the Data Protection Authority decides, subject to the submission of a request by the defendant party for substantive treatment in accordance with Articles 98 et seq. of the LCA:  
Pursuant to Article 58.2.a) of the GDPR and Article 95, §1, 4° of the LCA, to warn the defendant party for the future that they must

 cooperate with the DPA under Article 31 of the GDPR and must respond to the exercise of rights under Articles 15 to 22 of the GDPR within the timeframe provided by Articles 12.3 and 12.4 of the GDPR;  
Pursuant to Article 95, §1, 3° of the LCA, to dismiss the grievances formulated by the complainant.  

The Contentious Chamber reminds that if the defendant party disagrees with the content of this prima facie decision and believes that they can present factual and/or legal arguments that could lead to a different decision, they may, on the one hand, address a request for substantive treatment of the matter to the Contentious Chamber via the email address litigationchamber@apd-gba.be within 30 days after the notification of this decision. If applicable, the execution of this decision is suspended during the aforementioned period.  
And, on the other hand, the defendant party may file an appeal against this decision in accordance with Article 108, §1 of the LCA, within 30 days from its notification, with the Market Court (Court of Appeal of Brussels), with the Data Protection Authority as the defendant. Such an appeal may be filed by means of an interlocutory petition that must contain the information listed in Article 1034ter of the Judicial Code. The interlocutory petition must be filed with the registry of the Market Court in accordance with Article 1034quinquies of the Judicial Code, or via the e-Deposit information system of the Ministry of Justice (Article 32ter of the Judicial Code).  

(sgd.) Hielke HIJMANS  
President of the Contentious Chamber
Retrieved from "https://gdprhub.eu/index.php?title=APD/GBA_(Belgium)_-_98/2024&oldid=42709"
Creative Commons Attribution-NonCommercial-ShareAlike
Powered by MediaWiki