APD/GBA (Belgium) - 24/2021
Latest revision as of 16:56, 12 December 2023
APD/GBA - 24/2021 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 6 GDPR; Article 7(1) GDPR; Article 7(3) GDPR; Article 12 GDPR; Article 13 GDPR; Article 25 GDPR; Article 30 GDPR; Article 35(2) GDPR; Article 35(7) GDPR; Article 38 GDPR; 63,1 |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 17.02.2021 |
Published: | |
Fine: | None |
Parties: | Defendant: Westtoer APB, a public entity giving autonomous services in the area of tourism in the province of West-Flanders. |
National Case Number/Name: | 24/2021 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Dutch |
Original Source: | APD/GBA (in NL) |
Initial Contributor: | Mathieu Desmet |
The Belgian DPA (APD/GBA) assessed whether the defendant (an autonomous provincial public entity for tourism) breached the GDPR by placing intelligent cameras to count passers-by at specific locations during the Covid-19 pandemic. The DPA assessed the legal basis for this processing, the principles of privacy by design and by default, and whether data subjects were given transparent information concerning this processing.
English Summary
Facts
Facts :
1/ The defendant is an autonomous provincial public entity working in the sector of tourism for the province of West-Flanders.
2/ The defendant decided to place intelligent cameras in order to provide passer-by counts at specific locations in the context of the Covid-19 epidemic.
3/ To this end, the defendant issued a public contract on behalf of the coastal municipalities, which was awarded on June 9, 2020 to company X, which acts as processor.
4/ The DPA launched an investigation by submitting a file to the Inspection Service, since there was serious evidence that the use of intelligent cameras by the defendant could give rise to an infringement of the fundamental principles of the protection of personal data.
The DPA's inspection states the following :
1) Infringement by the defendant of the principles of lawfulness, propriety and transparency as well as the principle of purpose limitation and the principle of data minimization and accountability.
The Inspectorate states first of all that the defendant does not adequately demonstrate that the data subjects are properly and transparently informed and that the defendant insufficiently demonstrates that the processing of personal data by the relevant intelligent cameras is for specific, explicit and legitimate purposes.
The defendant insufficiently demonstrates that the personal data processed by the intelligent cameras is adequate, relevant and limited to what is necessary for the purposes for which the data is processed.
2) Infringement of Article 6.1 GDPR.
The Inspectorate is of the opinion that the defendant does not demonstrate why it is necessary for the achievement of its mission of public interest to process personal data via intelligent cameras.
3) The Inspection Service determines that the information provided by the defendant through the privacy statement published on the website www.westtoer.be/nl/data processing is not completely correct and transparent.
4) The Inspectorate determines that the DPIA made by the defendant does not comply with the requirements of the GDPR and that the Data Protection Officer was insufficiently involved.
The Inspectorate also makes a number of additional observations, outside the scope of the serious indications, especially:
- consent for the use of cookies on the website of the defendant does not comply with the GDPR.
- the register of processing activities of the defendant does not meet the requirements of the GDPR.
- the data protection officer is not employed full-time and does not report directly to the highest level manager of the defendant.
Dispute
- What requirements must be met by a controller concerning the justification of the lawfulness of the processing of personal data through a system of intelligent cameras within the meaning of Article 6 GDPR ?
- What must be taken into account by the controller when processing personal data through a system of intelligent cameras in order to respect the principles of data protection by default and by design ?
- What obligations must be met by the controller in this context in terms of transparency and information given to the data subjects ?
Holding
Holding :
1) Sufficient legal ground for the intended processing.
The litigation chamber does not conduct a complete examination of the legal basis; it finds that the defendant makes a plausible case for performing a task of public interest.
The litigation chamber states that it is primarily the task of the authorities at whose request the processing operations are carried out - in this case the province of West Flanders and the coastal municipalities involved - to ensure that a legal basis exists that meets the requirements of article 6.3 GDPR.
This does not alter the fact that a controller such as the defendant has the duty to ascertain the extent to which an adequate legal basis is provided. In this decision, the Disputes Chamber limits itself to these general considerations on the legal basis.
2) The necessity and proportionality of the processing :
The defendant proves that the processing meets the necessity and proportionality principles in view of its implementation and intended purpose, and also sufficiently proves the absence of an alternative, less intrusive system that would similarly achieve the same goals.
3) Data protection by default and by design :
The chamber concludes that the defendant included data protection by default and by design at an early stage in the design of the processing operations carried out through the system of intelligent cameras, and has included the appropriate technical and organizational measures since the outset (launching of the public contract) regarding the passer-by census system.
In practice, the defendant opted for a stand-alone system, not connected to any network, whereby the processing of personal data by means of video equipment is kept to a minimum and no other personal data is collected.
4) Transparent information to data subjects :
The privacy policy and register of the defendant are not entirely complete, but in view of the cooperation of the defendant and the amendment of the privacy statement during the course of the proceedings, the litigation chamber does not consider it necessary to issue a sanction but does recommend that the defendant take measures to comply with the GDPR.
5) Other remarks :
The litigation chamber does find that the way the defendant justifies the processing of personal data via cookies present on its website is not sufficient and that the data protection officer also does not report to the highest level of management of the defendant.
Decision of the DPA :
- finds that the system of intelligent cameras implemented by the defendant does not violate article 5.1 a), b) and c) and is in accordance with article 25 GDPR;
- orders the defendant to complete the information that it provides about its processing operations in its privacy statement in accordance with Articles 12 and 13 GDPR, in particular with regard to the additional information requested from the data subject in the context of a request on the basis of Articles 15 to 21 of the GDPR.
- orders the defendant to align its register of processing activities with the requirements of Article 30 GDPR and in particular to specify to which third countries transfer of personal data takes place within the period of one month after the notification of this decision.
- Formulates a reprimand with regard to the defendant for violation of articles 6.1 a), 7.1, 7.3 (consent cookies) and 38.3 GDPR (data protection officer must report directly to the highest management level of the controller).
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Dispute Chamber Decision on the merits 24/2021 of 19 February 2021 File number: DOS-2020-02716 Subject: Passer-by counts at specific locations on the dike and in shopping zones on the Coast through intelligent cameras under Covid-19 The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans, chairman, and Messrs Frank De Smet and Dirk Van Der Kelen, members; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General Data Protection Regulation), hereinafter GDPR; In view of the law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG; Having regard to the rules of internal procedure, as approved by the Chamber of Representatives of the people on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019; Considering the documents in the file; . . . Decision on the merits 24/2021 - 2/44 has taken the following decision regarding: - Westtoer APB, with registered office located at Koning Albert I-laan 120 - 8200 SINT MICHIELS (BRUGGE) and with company number 0267.388.418, hereinafter “the defendant". 1. Facts and procedure 1. On July 9, 2020, the Executive Committee of the Data Protection Authority will take a decision on the basis of Article 63, 1 ° WOG to submit a file to the Inspection Service since the serious evidence that the use of intelligent cameras by the defendant could give rise to an infringement of the fundamental principles of the protection of personal data. 2. More specifically, it was found that since June 27, 2020 in various coastal municipalities intelligent cameras were used to measure pressure in the context of the Covid-19 epidemic at specific locations on the dike and in shopping areas of these municipalities. 
To this end, the defendant issued a public contract on behalf of the person concerned coastal municipalities, which was awarded on June 9, 2020 to company X, which acts as processor within the meaning of Article 4.8 GDPR. 3. On July 16, 2020, the Inspectorate will send a written letter pursuant to Article 66, §1, 3 ° WOG ask for additional information and documentation from the defendant regarding the above processing activity and in particular concerning: 1) the register of processing activities kept by the defendant under Article 30 GDPR; 2) the number of installed and active intelligent cameras under the government contract “Passer-by counts at specific locations on the dike and in shopping zones on the coast ”issued by the defendant; 3) compliance with the principles of lawfulness, fairness and transparency (Article 5.1 a) GDPR), purpose limitation (Article 5.1 b) GDPR) and minimum data processing (Article 5.1 c) GDPR); 4) the legal basis for the processing of personal data through the system of intelligent cameras within the meaning of Article 6.1 GDPR, read in conjunction with Articles 5.2 GDPR and 24.1 GDPR; 5) the performance of a data protection impact assessment (Article 35 GDPR) the framework of the aforementioned public contract; and Decision on the merits 24/2021 - 3/44 6) the designation and position of the data protection officer of defendant (Articles 37 and 38 GDPR). 4. On 13 August 2020, the Inspection Service will send a reminder letter to the respondent with regard to the above-mentioned written inquiry. 5. By e-mail of 18 August 2020, the defendant informs the Inspection Service of the fact that the e-mail through which the answers as well as the requested documents were sent remitted, apparently never reached the latter. 6. By e-mail of 18 August 2020, the defendant will submit his answers to the questions of the Inspection service as well as the requested documents again to the latter. The Inspection Report 7. 
On August 25, 2020, the Inspectorate will be in accordance with Article 91, §2 WOG inspection report to the chairman of the Disputes Chamber, which makes the Disputes Chamber is taken on the basis of Article 92, 3 ° WOG. Within the scope of the serious indications, the inspection service does the following observations: 1) Infringement of Articles 5.1 a) (principle of lawfulness, propriety and transparency), b) (principle of purpose limitation) and c) (principle of minimum data processing) GDPR and Article 5.2 GDPR (accountability): the The Inspectorate states first of all that the defendant does not adequately demonstrate that the data subjects are properly and transparently informed about the processing of their personal data via the intelligent cameras and that the referral by the respondent to “the privacy statement that can be found on the websites of Westtoer, including dekust.be ”too vague and impreciseis. Second, the Inspection service that the defendant insufficiently demonstrates that the processing of personal data is done via the relevant intelligent cameras for specific, explicit and legitimate purposes. Third, the Inspection service that the defendant insufficiently demonstrates that the via the intelligent cameras processed personal data are adequate, relevant and limited to what is necessary for the purposes for which they are processed. 2) Infringement of Article 6.1 GDPR: the Inspection Service establishes that the defendant has the supports the processing of personal data by means of the intelligent cameras Decision on the merits 24/2021 - 4/44 to Article 6.1 e) GDPR and that the latter refers to the management agreement concluded with the province of West Flanders in which clarifies that the defendant's mission is to support tourism in West Flanders. 
However, the Inspectorate is of the opinion that the defendant does not demonstrate why it is for the achievement of that mission of public interest is necessary to process personal data via intelligent cameras. The Inspectorate would like to point out that it can demonstrate that necessity is a requirement on the basis of article 6.1 e) GDPR read together with articles 5.2 GDPR and 24.1 GDPR. 3) Violation of Articles 12.1, 12.6, 13.1 and 13.2 GDPR: the Inspection Service determines that the information provided by the defendant through the privacy statement published on the website www.westtoer.be/nl/data processing not completely correct and is transparent. 4) Infringement of Articles 35.2 and 35.7 GDPR: the Inspectorate determines that the Respondent prepared DPIA does not comply with the requirements contained in the aforementioned articles and that the officer for data protection was insufficiently involved. The Inspectorate also makes a number of additional observations, outside the scope of the serious indications, especially: 1) Violation of article 4.11 GDPR read in conjunction with article 6.1 a) GDPR as well Articles 7.1 and 7.3 GDPR: the Inspection Service determines in particular that on the website the defendant's further use of this website by the data subject considered as consent to the use of cookies. 2) Infringement of Article 30.1 GDPR: the Inspection Service establishes that the register of processing activities of the defendant does not meet the requirements of aforementioned article. 
More specifically, the Inspectorate has established that: (i) the contact details of the controller are incomplete, in view of the fact that the e-mail address stated in the privacy statement of the respondent is not mentioned herein; (ii) the description of the categories of data subjects is incomplete, which appears from the mention of “other” in the column “categories natural persons ”; Decision on the merits 24/2021 - 5/44 (iii) the third countries to which personal data are transferred are not are mentioned, but only the processing of e-mail addresses via Mailchimp, without mentioning the relevant countries involved; and iv) no mention is made in the register of website visitors and the use of cookies. 3) No violation of Articles 37.5 and 37.7 GDPR in connection with the designation of the data protection officer. 4) Breach of Articles 38.2 and 38.3 GDPR and no breach of Article 38.6 GDPR: the Inspection service finds that the data protection officer is not is employed full-time and does not report directly to the highest level manager of the defendant. 8. On September 3, 2020, the Disputes Chamber will decide on the basis of Articles 95, §1, 1 °, and 98 WOG that the file is ready for treatment on the merits. 9. By letter dated 3 September 2020, the defendant will be informed that the file is ready for treatment on the merits and is also processed on the basis of Article 99 WOG of the deadline to submit its defense. Conclusion of the respondent's reply 10. On October 1, 2020, the defendant will deposit and request its statement of defense also on the basis of Article 98, 2 ° WOG to be heard. 11. In its statement of defense, the defendant states with regard to the first finding of the Inspectorate (violation of the principles of lawfulness, propriety and transparency (art. 5.1 a) GDPR), purpose limitation (art. 5.1 b) GDPR) and minimum data processing (Art. 
5.1 c) GDPR) that this statement is neither in fact nor in law since the defendant has adequately informed those concerned about the processing their personal data and this, on the one hand, included via the privacy statement on the defendant's website - including www.dekust.be - and, on the other hand, via the extensive number of press articles as well as sending out a press release. The defendant adds the supporting documents and decisionout that, given this wide communication, there can be assumed that the vast majority of coastal visitors were aware of the use of the intelligent cameras. Decision on the merits 24/2021 - 6/44 12. Furthermore, the defendant argues that the passer-by count system, contrary to what was determined by the Inspectorate, for a specific, clearly defined and legitimate purpose, in particular for the control of the number and the concentration of visitors on the coast in the context of the fight against the Covid-19- pandemic. 13. With regard to compliance with the principle of data minimization, the defendant in his statement of defense that this in advance together with the processor as well his data protection officer carried out an in-depth analysis in order to ensure that the use of the relevant intelligent cameras is adequate, to the point serving and limited to what is necessary for the intended purpose. The defendant specifies that the following measures have been taken to ensure data processing limit as much as possible: i) anonymizing the personal data, ii) short retention period of the personal data, iii) limitation of the number and placement of the cameras, iv) the short term of the measure and v) the limited access to the personal data. 14. 
The respondent further explains as to the necessity of using the system of intelligent cameras that provide alternative monitoring systems - such as manual ones counts or counts using Wi-Fi signals - that the latter is insufficiently accurate are for the intended purposes and only the system used permits certain obtain additional information necessary to accomplish this purpose. More specifically, the defendant argues that it may or may not respect the social distance rules, the direction of the traffic and the different types of passers-by cannot be determined by any alternative system and that only the system of intelligent cameras enables real-time reporting, which is crucial to timely to be able to communicate and, where necessary, to intervene. 15. With regard to the second determination of the Inspection Service (lawfulness of the processing - Article 6.1 GDPR), the defendant states that the passer-by counting system is indeed was necessary for the performance of the task of general interest within the meaning of Article 6.1 e) GDPR, especially fighting the Covid-19 pandemic and keeping the visitors from the coast. The defendant refers to the management agreement in this regard with the province of West Flanders. More specifically, it argues that the system of the smart cameras was the only way to fulfill the aforementioned public interest, as i) single a count via smart cameras can provide sufficiently accurate information about the number visitors, ii) crucial additional information can only be obtained by counting via smart cameras be obtained and iii) real-time reporting can only be done through this system. Decision on the merits 24/2021 - 7/44 16. With regard to the findings of the Inspectorate regarding transparency (Articles 12 and 13 GDPR), the defendant acknowledges that the privacy statement is susceptible to improvements, but states that he does not agree with the charges. 17. 
With regard to the findings of the Inspectorate regarding the data protection impact assessment (Articles 35.2 and 35.7 GDPR), the defendant states that the advice of the data protection officer was indeed sought and that it does contain the mandatory notifications of Article 35.7 GDPR, and adds supporting documents to this.

18. With regard to the findings of the Inspection Service regarding the permission for the cookies on the defendant's website (Articles 4.1, 6.1 a) and 7.1 GDPR), the latter recognizes that the cookie policy could be improved, but states that the privacy statement explains how cookies can be deleted and points out that this is possible through the browser settings.

19. With regard to the findings of the Inspectorate regarding the register of processing activities (Article 30.1 GDPR), the defendant states that there can be no question of incompleteness of the contact details of Westtoer just because of the lack of the email address data processing@westtoer.be.

20. With regard to the findings of the Inspectorate regarding the position of the data protection officer (Articles 38.2 and 38.3 GDPR), the defendant states that the fact that the officer performs his function in a 4/5 system does not mean that he would have insufficient time to perform his duties. The defendant points out in this regard that the Article 29 Working Party on Data Protection has indicated that a data protection officer is not necessarily required to perform his duties full-time. The defendant denies this charge and alleges that the acts of the officer in this dossier concerning the passer-by counting system, and in particular the advice of the latter, confirm that the data protection officer has sufficient time to perform his duties. Finally, the defendant confirms that the officer has a line with an employee of Westtoer for his daily communication, but that he has the right and the duty to discuss important points with the top of Westtoer.

21.
In a letter dated 9 December 2020, the Disputes Chamber addresses a number of additional questions to the defendant with a view to the hearing.

22. On December 15, 2020, the defendant submits his written replies to the aforementioned questions from the Disputes Chamber.

The hearing

23. On December 16, 2020, the defendant is heard by the Disputes Chamber in accordance with Article 53 of the rules of internal order.

24. During this hearing, the defendant gives the Disputes Chamber a visual demonstration of the operation of the system of intelligent cameras used as a passer-by counting system.

25. On 5 January 2021, the report of the hearing is submitted to the defendant.

26. On January 8, 2021, the defendant informs the Disputes Chamber that he has no observations concerning the aforementioned official report of the hearing.

2. Justification

2.1. “Processing of personal data” and the competence of the Disputes Chamber

27. Article 4.1 GDPR defines the term “personal data” as being “all information about an identified or identifiable natural person ('the data subject'); as identifiable is considered a natural person who can be identified directly or indirectly, in particular by means of an identifier such as a name, an identification number, location data, an online identifier or one or more elements that are characteristic for the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person”.

28.
In accordance with Article 4.2 GDPR, the following is to be considered a “processing” of personal data: “an operation or a set of operations with respect to personal data or a set of personal data, whether or not carried out via automated processes, such as collecting, recording, organizing, structuring, storing, updating or changing, retrieving, consulting, using, providing by means of forwarding, dissemination or otherwise making available, aligning or combining, shielding, erasing or destroying data”.

29. The Court of Justice has repeatedly confirmed in its case law that the recording of images of persons with cameras falls under the term "personal data" in the sense of European law standards on data protection. More specifically, it stated in its judgment in Ryneš: “It should be recalled that […] this [Directive] 1 applies to “the wholly or partly automated processing of personal data, as well as non-automated processing of personal data contained in a file or intended to be included therein”. The […] term “personal data” includes […] “any information relating to an identified or identifiable natural person”. Considered identifiable is “a person who can be identified directly or indirectly, in particular by reference to […] one or more elements specific to his or her physical identity”. An image of a person captured by a camera therefore falls under the term personal data within the meaning of the provision referred to in the previous point, since the person concerned can be identified as a result”. 2

30. In the present case, it is clear from the documents in the file and the explanations given by the defendant during the hearing that the activity concerned is a passer-by counting system in which, through the use of so-called “intelligent cameras”, passers-by are filmed, after which the video images involved locally and temporarily (i.e.
for less than one second) are stored and then “blurred” and forwarded to the data center of the processor.

31. On the basis of the above, the Disputes Chamber finds that there is a processing of personal data within the meaning of Article 4.1 in conjunction with Article 4.2 GDPR and that the Data Protection Authority is therefore empowered to supervise this and the Disputes Chamber to make a decision on this.

2.2. Identification of the controller (Article 4.7 GDPR)

32. In accordance with Article 4.7 GDPR, the following is to be considered the controller: the “natural or legal person, government agency, service or other body that, alone or together with others, determines the purpose of and means for the processing of personal data”.

1 Directive 95/46/EC, repealed and replaced by the GDPR.

2 CJEU judgment of 11 December 2014, Ryneš, C-212/13, ECLI:EU:C:2014:2428, par. 20-22 (the Disputes Chamber underlines).

33. In its case law, the Court of Justice has several times interpreted the concept of 'controller' broadly in order to ensure effective and complete protection of the data subjects. 3

34. In accordance with Opinion 1/2010 of Group 29, the status of the controller(s) concerned must be specifically assessed. 4

35. In the present case, the Disputes Chamber finds, first of all, that the defendant has carried out a processing of personal data within the meaning of Article 4.2 GDPR, in particular “an operation or a set of operations with regard to personal data or a set of personal data, whether or not carried out by automated processes, such as collecting, recording, organizing, structuring, saving, updating or modifying, retrieving, consulting, using, providing by means of transmission, dissemination or otherwise making available, aligning or combining, shielding, deleting or destroying data".
As explained above, the defendant processes video footage of passers-by, made through a system of intelligent cameras. The fact that this processing only takes place for a short time does not detract from the fact that it falls under the material scope of the GDPR. After all, the present case concerns a “wholly or partially automated processing” within the meaning of Article 2 GDPR.

36. Still in accordance with Opinion 1/2010 of Group 29, the concepts “the purpose” and “the means” should be treated inseparably together, and it should be established who determines the "why" (the purpose) and the "how" (the means) of the processing concerned. 5

37. The Disputes Chamber further establishes that the defendant has determined the purpose and the means of the processing of personal data concerned, as it, as the commissioning authority, issued the public service contract with as object “Passer counts at specific locations on the dike and in shopping areas de Kust” and determined therein the purpose and means of the processing concerned.

3 See, inter alia, CJEU, 5 June 2018, C-210/16, Wirtschaftsakademie Schleswig-Holstein, ECLI:EU:C:2018:388, par. 27-29.

4 See Group 29, Opinion 1/2010 on the concepts of “controller” and “processor”, 16 February 2010 (WP 169), as clarified by the GBA in a memorandum “Overview of the concepts controller / processor in light of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on protection of natural persons in connection with the processing of personal data (GDPR) and some specific uses for liberal professions such as lawyers”.

5 Opinion 1/2010 of the Working group 29 on the concepts “controller” and “processor”, WP 169, p. 15.

38. In accordance with Article 28 GDPR, a processor agreement was also concluded on 17 June 2020 between the defendant and the processor, identifying the former as being the controller.
6 The defendant also acknowledges himself to be a controller.

39. On the basis of the above, the Disputes Chamber decides that the defendant should be considered as controller within the meaning of Article 4.7 GDPR for the processing of personal data that is the subject of the investigation. In this capacity he is therefore required, in accordance with the accountability contained in Articles 5.2 and 24 GDPR, to ensure compliance with the principles and provisions of the GDPR.

2.3. With regard to the findings of the Inspectorate within the scope of the serious indications

40. The Disputes Chamber has established that findings B.1 and B.2 of the Inspection Service relate to the legality of the passer-by counting system by means of intelligent cameras as such, whereas the other findings within the scope of the serious indications relate to the privacy statement and the data protection impact assessment. The Disputes Chamber will treat the aforementioned findings separately.

2.3.1. Compliance with the principles of the processing of personal data (Articles 5.1 and 5.2 GDPR) and the lawfulness of the processing (Article 6.1 GDPR)

41. In its findings B.1 and B.2, the Inspectorate finds that the defendant would have inadequately shown that the system of intelligent cameras used respects the principles on data protection. More specifically, it states that the defendant has allegedly infringed Article 5.1 a) (legality, propriety and transparency), 5.1 b) (purpose limitation) and 5.1 c) (data minimization) GDPR as well as Article 5.2 GDPR (accountability) and Article 6.1 GDPR (legality of the processing).

42. With regard to the aforementioned findings of the Inspection Service, the Disputes Chamber points out that the use of so-called intelligent cameras in public space only complies with European law standards on data protection if and for as long as the following principles are adhered to:

6 According to the defendant's documents.
A. The processing of personal data through the system of intelligent cameras must be based on a valid ground of lawfulness within the meaning of Article 6 GDPR

43. As with any processing of personal data, the processing of personal data by means of intelligent cameras is in the first place only lawful if this is done in accordance with Article 6.1 GDPR and in particular if and insofar as at least one of the following conditions is met:

a) “the data subject has consented to the processing of his personal data for one or more specific purposes;

b) the processing is necessary for the performance of an agreement to which the data subject is a party, or to take measures at the request of the data subject before the conclusion of an agreement;

c) the processing is necessary to comply with a legal obligation that rests on the controller;

d) the processing is necessary to protect the vital interests of the data subject or of another natural person;

e) the processing is necessary for the performance of a task carried out in the public interest or of a task in the exercise of official authority vested in the controller;

f) the processing is necessary for the representation of the legitimate interests of the controller or of a third party, except where the interests or the fundamental rights and freedoms of the data subject that require the protection of personal data outweigh those interests, especially where the person concerned is a child.”

44. If special categories of personal data are processed through the system - such as data on the health of the data subjects - the controller must also demonstrate that one of the grounds for exception of Article 9.2 GDPR applies. However, this has not been established in the present case.

45.
In accordance with Guidelines 3/2019 on the subject of the European Data Protection Board (hereinafter in the English abbreviation: “EDPB”), in principle any legal basis provided for in Article 6.1 GDPR can constitute a legal basis for the processing of personal data obtained via video images. The EDPB nevertheless specifies that in practice such processing will usually be based on Article 6.1 f) GDPR (legitimate interest) or Article 6.1 e) GDPR (necessary for the fulfillment of a task of general interest or of a task in the context of the exercise of public authority). In rather exceptional cases, Article 6.1 a) GDPR (consent) can be used by the controller as the legal basis. 7

46. In the present case, it is apparent from the defendant's statement of defense, from the register of processing activities drawn up by the latter and from the data protection impact assessment drawn up that the personal data processing concerned is based on Article 6.1 e) GDPR. More specifically, the defendant argues that its task in the public interest is to support tourism in West Flanders and make it more attractive, and specifies that this implies that this tourism should take place safely. He refers in this regard to the Management Agreement concluded with the province of West Flanders for the period 2020-2024. 8 The defendant specifies that the passer-by counting system using intelligent cameras has as its purpose fighting the Covid-19 pandemic and keeping the visitors of the coast safe.

47. The Disputes Chamber points out that the use of the ground of lawfulness contained in Article 6.1 e) GDPR means that the controller must be able to demonstrate that: i) it is charged with a task of general interest or a task in the context of the exercise of official authority; and ii) the processing concerned is necessary for the performance of the aforementioned task (see also infra B).

48.
With regard to point (i), Recital 45 GDPR and Article 6.3 GDPR specify that processing based on Article 6.1 e) GDPR “must be based on Union law or Member State law”. With this, the GDPR excludes that a “task in the context of the exercise of public authority” or “of public interest” would be entrusted to the controller by virtue of an agreement or contract, even if it was concluded in the public interest. 9

7 EDPB Guidelines 3/2019 (version 2.0) on the processing of personal data by means of video equipment, available at: https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32019-processing-personaldata-through-video_en (hereinafter: Guidelines 3/2019), marginal no. 16.

8 Defendant's documents.

9 KOTCHY, W., “Article 6. Lawfulness of processing” in KUNER, C., BYGRAVE, L.A. and DOCKSEY, C., The EU General Data Protection Regulation (GDPR). A Commentary, Oxford University Press, Oxford, p. 335.

49. With regard to this basis “in Union or Member State law” that a processing based on Article 6.1 e) must have, recital 45 GDPR further states: “It must also be Union or Member State law that determines the purpose of the processing. Furthermore, that law could further define the general conditions of this regulation with which the personal data processing must comply to be lawful, and can establish specifications for determining the controller, the type of personal data processed, the data subjects, the entities to which the personal data may be disclosed, the purpose limitation, the storage period and other measures to ensure lawful and proper processing. Union or Member State law should also establish whether the controller charged with a task of general interest or with a task in the exercise of official authority should be a public authority or another person under public law (…)” [The Disputes Chamber underlines].

50.
However, recital 45 of the GDPR makes it clear that specific legislation is not required for each individual processing operation. It is therefore sufficient to have legislation acting as a basis for various processing operations that are necessary for the fulfillment of a task of public interest or for a task in the context of the exercise of public authority.

51. In the present case, the controller refers to the Management Agreement concluded with the province of West Flanders as the basis for its task of general interest in the sense of Article 6.1 e) GDPR and its mission described therein (see above). In his data protection impact assessment 10, the defendant specifies that “the legal basis for this processing can be traced back to the tasks of general interest and public authority of local authorities”. 11

52. The Disputes Chamber points out that one of the tasks of general interest of the local administrations (i.e. the municipalities) indeed consists in guaranteeing the safety of persons on their territory (cf. inter alia Article 135, §2 of the New Municipalities Act). It notes, however, that in the present case the defendant does not specify the exact legal basis in EU law or Belgian law that justifies the disputed processing.

10 Defendant's documents.

11 Defendant's data protection impact assessment (GEB), p. 5.

53. In accordance with Article 6.3 GDPR, however, as already stated, “the purpose of the processing [is to be] established in that legal basis or, with respect to the processing referred to in paragraph 1, point e), [is to be] necessary for the performance of a task of general interest or for the exercise of official authority vested in the controller”.

54.
Furthermore, according to Article 6.3 GDPR, the legal basis may also contain “specific provisions to adapt the application of the rules of this Regulation, including the general conditions regarding the lawfulness of processing by the controller; the types of data processed; the data subjects concerned; the entities to which and the purposes for which the personal data may be provided; the purpose limitation; the storage periods; and the processing activities and procedures (…)”.

55. In this context, the Disputes Chamber also refers to the legislative advice of the Data Protection Authority (Knowledge Center) - for example regarding certain measures taken in the fight against the spread of the corona virus pursuant to Article 6.1 e) GDPR - which also indicates that, in accordance with the aforementioned Article 6.3 GDPR, read in conjunction with Article 22 of the Constitution and Article 8 ECHR, a legislative standard must define the essential characteristics of a data processing operation that is necessary for the performance of a task of general interest or for the exercise of official authority vested in the controller. The aforementioned advice emphasizes that the processing concerned should be framed by a standard that is sufficiently clear and accurate and whose application is foreseeable for the persons concerned.
It is hereby specified that, in particular, the following elements should be included in this standard: the precise purpose(s) of the processing, the identity of the controller(s), the categories of data processed, with the understanding that they must be, in accordance with Article 5.1 GDPR, "adequate, relevant and limited to what is necessary for the purposes for which they are processed", the categories of data subjects whose data will be processed, the retention period of the data, the recipients or categories of recipients to whom their data is communicated, the circumstances in which and the reasons for which they will be communicated and any limitation of the obligations and/or rights stated in Articles 5, 12 to 22 and 34 GDPR. 12

12 See, among others, opinions 36/2020, 42/2020, 44/2020, 46/2020, 52/2020 and 64/2020 (https://www.gegevensbeschermingsautoriteit.be/burger/vragen?q=&search_category%5B%5D=taxonomy%3Apublications& search_type% 5B% 5D = advice & s = recent & l = 25).

56. The Disputes Chamber points out in this respect, however, that tasks of general interest or public authority with which data controllers are entrusted are often not based on precisely defined obligations or legislative standards that meet the requirements stated under marginal 55, more specifically laying down the essential characteristics of the data processing. Rather, processing takes place on the basis of a more general authorization to act as necessary for the fulfillment of the task - such as, in this case, the safety and health of residents and tourists of the coastal municipalities. 13 This often concerns relatively old legislation in which the data protection aspect has not yet been sufficiently elaborated. As a result, in practice the relevant legal basis often does not contain any specifically described provisions regarding the necessary data processing.
Data controllers who wish to invoke Article 6.1 e) GDPR on the basis of such a legal basis have to weigh the necessity of the processing for the task of general interest against the interests of those involved.

57. In the present case, therefore, the Disputes Chamber finds that the defendant makes a plausible case that he has to perform a task of general interest within the meaning of Article 6.1 e) GDPR. However, it should be noted that the defendant himself does not indicate on which specific legal basis (such as Article 135, §2 of the New Municipalities Act) in Union law or Member State law within the meaning of Article 6.3 GDPR the processing activity concerned - in particular processing personal data through a system of intelligent cameras in the framework of the fight against Covid-19 - is based.

58. Of course, it is primarily the task of the authorities at whose request the processing operations take place - in this case the province of West Flanders and the coastal municipalities involved - to ensure that a legal basis is in place that meets the requirements of Article 6.3 GDPR. This does not alter the fact that a controller such as the defendant also has the duty to ascertain the extent to which an adequate legal basis exists.

13 KOTCHY, W., “Article 6. Lawfulness of processing” in KUNER, C., BYGRAVE, L.A. and DOCKSEY, C., The EU General Data Protection Regulation (GDPR). A Commentary, Oxford University Press, Oxford, p. 336.

59. In this decision, the Disputes Chamber limits itself to these general considerations on the legal basis. It has not investigated the correct legal basis for the processing concerned by Westtoer. It points out that a complete examination of the legal basis would also require the province and all municipalities concerned to be involved in the investigation. This would significantly increase the complexity of the investigation by the Disputes Chamber. Considering the great
social importance of a timely decision of the Disputes Chamber that establishes stringent conditions with a view to possible future passer-by counts, this investigation did not take place under this decision.

60. The Disputes Chamber nevertheless emphasizes that the defendant and other controllers must, for any similar future processing activities and in accordance with the accountability set out in Article 5.2 GDPR, ensure that the conditions of Article 6.1 e) GDPR in conjunction with Article 6.3 GDPR are met. In a subsequent decision regarding measures in the context of the health crisis, the Disputes Chamber can also investigate the correctness of the legal basis.

B. The necessity and proportionality of the measure must be demonstrated in relation to the purposes intended with the use of the intelligent cameras

61. In addition to the requirement that the processing of personal data by means of intelligent cameras can only take place if there is a valid ground of lawfulness, it must moreover be demonstrated that the use of the system is necessary (ii; see supra marginal 47) and that this does not disproportionately affect the right to data protection of the data subjects. This necessity requirement is contained in several provisions of the GDPR, in particular Article 5.1 c) (principle of minimum data processing) and Articles 6.1 c) and 6.1 e) GDPR.

62. The necessity and proportionality test is all the more relevant if the controller bases the processing in question, as in the present case, on the latter provision, Article 6.1 e) GDPR.
Contrary to Article 6.1 c) GDPR (legal obligation resting on the controller), the task of public interest or public authority with which the controller is charged will - as already stated above - often not result in precisely defined obligations, but rather in a more general authorization to act as necessary for the fulfillment of the task - as in this case, the safety and health of residents and tourists of the coast. 14

63. It follows from this that the controller must, if necessary, strike a certain balance between the necessity stated in the aforementioned article and the interests of those involved. In this regard, it should be noted that, as far as this balancing of interests is concerned, Article 6.1 e) GDPR is essentially not fundamentally different from Article 6.1 f) GDPR (legitimate interest). The aforementioned element of balancing of interests also explains the right of objection contained in Article 21 GDPR, which only applies to processing operations based on these two grounds of lawfulness.

14 KOTCHY, W., “Article 6. Lawfulness of processing” in KUNER, C., BYGRAVE, L.A. and DOCKSEY, C., The EU General Data Protection Regulation (GDPR). A Commentary, Oxford University Press, Oxford, p. 336.

64. The Disputes Chamber points out that the necessity should be assessed, and the balancing explained above should be made, in the light, among other things, of the case law of the Court of Justice of the European Union as well as Article 8 of the European Convention on Human Rights (“ECHR”) and Article 22 of the Belgian Constitution, as well as the seriousness of the interference in the privacy of the data subjects.

65.
In its case law - including in Huber - the Court of Justice of the European Union takes the position that the concept of "necessity" within the meaning of Article 6.1 e) GDPR should be interpreted strictly and judged in light of proportionality and that, in other words, if different alternatives are available in order to achieve the objective pursued, the least intrusive alternative should be opted for. 15

66. The necessary and proportionate nature of the measure should therefore be demonstrated more specifically with regard to the lack of means less invasive of the rights and freedoms of the data subjects through which the intended purposes could also be achieved.

15 CJEU, Huber, C-524/06, ECLI:EU:C:2008:724, par. 59-61.

67. As to the necessity of the system of intelligent cameras he uses, the defendant states in his statement of defense as well as during the hearing, first, that this passer-by counting system was the only way to fight the Covid-19 pandemic efficiently and thus to fulfill its task of general interest, for the following reasons:

i. only a count via intelligent cameras can provide sufficiently accurate data about the number of visitors. The defendant states in this regard that the visitor flows are complex and that only the system of intelligent cameras can measure such visitor flows with sufficient accuracy, whereas alternative monitoring systems are much less accurate;

ii. only a count via intelligent cameras can provide crucial additional information. The defendant argues in this regard that, in order to take appropriate decisions, additional information should be obtained, such as in particular the direction of visitor flows; and

iii. only a count via intelligent cameras makes the necessary real-time reporting possible.
The defendant states in this regard that, in order to be able to intervene immediately if necessary, it is necessary to be able to provide real-time reporting, and that only the system of intelligent cameras allows the crowds to be displayed on a real-time dashboard and push notifications to be sent.

68. The defendant points out that the same result could not be achieved through the use of alternative monitoring systems, such as manual counts or measurements via Wi-Fi signals, as the latter are not sufficiently accurate for the intended purposes and only the system used allows certain additional information to be obtained that is necessary for the realization of this purpose. More specifically, the defendant argues that whether or not the social distance rules are respected, the direction of the passers-by and the different types of passers-by - such as cyclists and pedestrians - cannot be established by any alternative system, and that only the system of intelligent cameras enables real-time reporting, which is crucial to be able to communicate in a timely manner and, where necessary, to intervene.

69. As to the proportionality of the processing activity in question, the defendant points out that the processing only takes a fraction of a second, since the live camera images are anonymized almost immediately by the software (locally on the camera itself) and converted to raw data (aggregated count data) and blurred images. The defendant emphasizes that the live images are then not stored anywhere but are immediately deleted from the camera's memory.

70. The defendant also points out that the proportionate nature of the measure is also ensured by its limitation in time and space. First of all, it specifies in this connection that the contract with the processor was deliberately concluded for a short period of three months and that the measure was therefore only in force during this period (i.e. the summer period).
Second, the defendant points to the conscious choice of the places where the relevant intelligent cameras were installed and specifies that this only happened in those places where special crowds were expected (in particular dikes and shopping streets).

71. On the basis of the above, the Disputes Chamber finds that the defendant demonstrates the necessity and proportionality of the system concerned with a view to achieving the intended purposes. After all, the defendant proves the absence of an alternative - less intrusive - system that can achieve these goals in a similar way. Furthermore, it shows that it has taken the necessary measures in order to ensure proportionality (cf. also infra).

C. Data protection by design and by default settings (Article 25 GDPR)

72. With regard to the processing of personal data by (intelligent) cameras, it is - in view of the potentially serious risks to the rights and freedoms of data subjects - of essential importance that appropriate measures are taken by the controller to ensure that data protection principles are effectively built in, so that these risks of violations of the rights and freedoms of data subjects are limited as much as possible.

73. The aforementioned “appropriate measures” are not only of a technical but also of an organizational nature and should be taken by the controller prior to the start of the processing activities - such as, in this case, the collecting of video images - especially at the time of determining the purpose and the means of processing. 16

74. In other words, the controller must observe the principles of "data protection by design" and "data protection by default". 17

75. These concepts are one of the cornerstones of the GDPR and are central to the accountability of Article 5.2 in conjunction with Article 24 GDPR. They are contained in Article 25 GDPR and are further explained in recital 78 GDPR.

76.
In accordance with Article 25.1 GDPR, the controller must in particular: “Taking into account the state of the art, the implementation costs, and the nature, scope, context and purpose of the processing, as well as the risks, of varying likelihood and severity, to the rights and freedoms of individuals that are connected with the processing, both in the determination of the processing means and in the processing itself, take the appropriate technical and organizational measures, such as pseudonymisation, which are designed to implement data protection principles, such as minimal data processing, in an effective manner and to build the necessary safeguards into the processing in order to comply with the requirements of the GDPR and to protect the rights of data subjects”.

16 Guidelines 3/2019, marginal no. 126.

17 The Disputes Chamber hereinafter uses the abbreviation “DPbDD” when it concerns both concepts at the same time.

77. Article 25.2 GDPR states that “the controller [takes] appropriate technical and organizational measures to ensure that in principle only personal data are processed that are necessary for each specific purpose of the processing. This obligation applies to the amount of personal data collected, the extent to which they are processed, the period for which they are stored and their accessibility. In particular, these measures ensure that personal data are in principle not made accessible to an unlimited number of natural persons without human intervention”.

78. Recital 78 GDPR specifies with regard to the aforementioned technical and organizational measures that these “include minimizing the processing of personal data, pseudonymising personal data as soon as possible, transparency regarding the functions and the processing of personal data, enabling the data subject to monitor the data processing and enabling the controller to create and improve security features”.
79. In its Guidelines 4/2019 on DPbDD, the EDPB specifies that data protection by default refers to a pre-existing or pre-selected value of an adjustable setting within a software application. In these guidelines the EDPB defines data protection by design as “protecting the rights of data subjects and ensuring that the protection of their personal data is ‘built in’ to the processing”. 18

80. The Court of Justice has also emphasized the importance of these concepts in its case-law and, in particular in its judgment in Digital Rights Ireland, has stated that the essence of Article 8 of the Charter of Fundamental Rights of the European Union requires that technical and organizational measures are taken to ensure that personal data are effectively protected against any risk of misuse and against any form of unauthorized access and use. 19

81. In the present case, the Disputes Chamber determines, on the basis of both the documents in the file and the demonstration of the intelligent camera system by the defendant during the hearing, that the latter took a series of organizational and technical measures in order, on the one hand, to limit the processing of personal data as much as possible and, on the other hand, to protect and secure this data.

18 EDPB Guidelines 4/2019 (version 2.0), Guidelines on Article 25 - Data Protection by Design and by Default, available at: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_201904_dataprotection_by_design_and_by_default_v2.0_en.pdf (hereinafter: Guidelines 4/2019).

19 CJEU, joined cases C-293/12 and C-594/12, Digital Rights Ireland, par. 40 and 66-67.

82. These measures were taken following the advice of the data protection officer and after the defendant had conducted a DPIA based on Article 35 GDPR with regard to the intelligent camera system (cf. also marginal nos. 131 et seq.).

83.
The Disputes Chamber also establishes that the defendant integrated personal data protection ab initio into the implementation of the project. This is evident from the fact that in the specifications entitled “Passer counts at specific locations on the dike and in shopping areas on the coast”, through which the latter issued the public contract for the implementation of the aforementioned system, a title was included in the contractual provisions regarding data processing and compliance with the provisions of the GDPR by the contractor, who acts as data processor. During the hearing the defendant stated that the ultimate contractor was selected because of, among other things, the particular attention it paid to personal data protection. With this the defendant acts in accordance with the provisions of recital 78 GDPR, which states in fine in this regard that “the principles of data protection by design and data protection by default settings must also be taken into account in public procurement”.

84. It is apparent from the documents in the file and from the defendant's oral defense that, in the actual implementation of the system by the defendant and the processor as well, a series of organizational and technical measures were taken with a view to personal data protection, in accordance with Articles 25.1 and 25.2 GDPR.

85. The former article mentions, as one of these organizational and technical measures that must be taken by the controller, first of all pseudonymisation of the personal data concerned. Recital 78 GDPR also states that “such measures [may] consist in (…) pseudonymising personal data as soon as possible”.

86.
From the documents in the file as well as from the demonstration of the system of intelligent cameras used, given by the defendant to the Disputes Chamber during the hearing, the Disputes Chamber understands that the relevant passer-by counting system consists of a software component as well as a hardware component, in which each of the cameras is linked to a printed circuit board (“PCB”) that acts as a local Single Board Computer to process the images locally in real time. The camera images (frames) are processed locally, on premise, by the PCB.

87. The demonstration of the system at the hearing shows that the cameras involved do film passers-by, but that relevant objects (such as bicycles and cars) as well as individuals are distinguished in a fraction of a second and replaced by a so-called “blob”. This is a colored box that represents a recognized passer-by or an object. The filmed passers-by are thus analyzed in real time by means of artificial intelligence and a self-learning algorithm.

88. In its Guidelines 3/2019, the EDPB also points out in this regard that, applied to the processing of personal data by means of video equipment, examples of such privacy-friendly technologies within the meaning of Article 25 GDPR are those that make it possible to mask or blur parts of the image that are not necessary, or to omit the images of third parties when video recordings are provided to data subjects. 20

89. The defendant explains in this regard - including on the basis of screenshots from the cameras concerned - that in an initial phase, in particular during the first hour after installation of these cameras, filming takes place at a low resolution (Figure 1) and that subsequently, in a second phase, the road users are replaced by the “blobs” (in this decision also called the “blurred images”).
The defendant specifies that the (short-lived) processing of these images only happens locally - more specifically on the installed cameras themselves - and that two streams of data then leave these devices for the data center of the processor, namely (i) blurred images and (ii) aggregated count data. Based on the latter data, crowd measurement - as well as monitoring of the social distancing rules - can be carried out and intervention can take place if necessary. The documents in the file and the explanations provided by the defendant show that the actual camera footage is, moreover, not stored anywhere.

20 Guidelines 3/2019, marginal no. 129.

Figure 1. Low resolution images displayed by the firmware (stage 1)

Figure 2. Replacing road users with “blobs” (phase 2)

90. On the basis of the above, it appears that the camera images in question are anonymized almost instantaneously and that the identification of the filmed passers-by is made impossible.

91. The Disputes Chamber is of the opinion that the requirements of Article 25.1 GDPR and recital 78 GDPR are thus met, as well as the principle of minimal data processing, to which the former provisions also refer. Where Article 25.1 GDPR only requires pseudonymisation, the data subjects' personal data are irreversibly anonymised.

92. After all, as a result of this almost immediate anonymization, only personal data are processed that are “relevant” and “limited to what is necessary for the purposes for which they are processed”, and these are subsequently converted to anonymous counting data as well as blurred images.

93.
The measures described above also meet the requirement of Article 25.2 GDPR that the controller must ensure that “in principle, only personal data are processed that are necessary for each specific purpose of the processing”, which applies to “the amount of personal data collected, the extent to which they are processed, the period for which they are stored (…)”. Both the amount of personal data and the retention period of the live images - which is only a few milliseconds - are thus kept to a minimum, so that the principle of storage limitation (Art. 5.1 e) GDPR) is also complied with.

94. It appears from the documents in the file that the defendant also took a number of other organizational and technical measures to keep the processing of personal data as limited as possible, more specifically:

i. the limitation of the measure in space, in particular the placement of intelligent cameras only at those locations with a risk of high traffic (for example sea dikes and shopping areas);

ii. the limitation of the measure in time: the passer-by counting system using intelligent cameras was mainly used from June 2020 until September 30, 2020, with the exception of one municipality, where, due to continued crowds, the use of the system was extended until February 1, 2021; and

iii. limitation and security of access to the camera images (see infra).

95. Article 25.2 in fine GDPR stipulates with regard to the latter that the accessibility of the personal data of data subjects should be limited, among other things to ensure that “personal data are in principle not made accessible to an unlimited number of natural persons without human intervention”.

96. The Disputes Chamber also refers in this respect to Guidelines 3/2019 of the EDPB, which underline the importance of system security and data security and state that this concerns “the physical security of all system components as well as system integrity, i.e.
protection against and resistance to intentional and unintentional violations of normal activities, and access control” as well as “the confidentiality (data is only accessible to those who are granted access), integrity (prevention of data loss or manipulation) and availability (data can be consulted when needed)”. 21

21 Guidelines 3/2019, marginal no. 132.

97. In this regard, the Disputes Chamber establishes on the basis of the documents in the file that the controller as well as the processor have taken the necessary organizational and technical measures to secure the data and to limit access to it to authorized persons only.

98. In its statement of defense, the defendant specifically states in this regard that only a limited number (in particular seven) of the processor's employees have access to the blurred (and therefore in principle anonymous) live images that are forwarded to the data center of the processor, and this with the sole aim of checking the proper functioning of the system (for example: checking that the camera's lens is clean and that the cameras are correctly positioned).

99. The defendant also shows that access to these images is subject to strict security measures and is tracked. During the hearing, the defendant stated in this regard that the authorized employees only have access to the images from the data center, that multiple passwords are required to gain access to these images and that access is limited to fifteen minutes. The defendant also emphasized in this regard that neither the participating municipalities nor the defendant itself have access to the live camera images. It added that it had itself seen these (blurred) images for the first time in preparation for the hearing in the context of the present proceedings. Moreover, these blurred live images are not saved anywhere.

100.
With regard to the organizational and technical measures prescribed by Article 25 GDPR, the EDPB further emphasizes in its guidelines that the chosen solutions may not offer functionalities that are not necessary (for example, unlimited camera movement capabilities, zoom function, radio transmission, analysis functions and sound recordings). The EDPB states that functions that are present but not necessary must be turned off. 22

101. The defendant states in this regard that, in the firmware of the system of intelligent cameras in question, the functions that are not necessary for the intended purpose were deactivated. The defendant specifies that, for example, it has been made impossible to disable the applied blurring. The defendant further argues that the artificial intelligence software does not technically allow unblurred live images to be obtained from the intelligent cameras and refers to a written statement from the processor about this.

22 Guidelines 3/2019, marginal no. 129.

102. The Disputes Chamber points out the essential importance of the above-mentioned technical measures in ensuring that the images cannot be used, in an incompatible manner, for purposes other than those for which the data were collected (for example making the data accessible to third parties, such as the law enforcement agencies), which would be contrary to the purpose limitation principle contained in Article 5.1 b) GDPR.

103. On the basis of the above, the Disputes Chamber concludes that the defendant, in accordance with its duty of accountability under Article 5.2 in conjunction with Article 24 GDPR, shows that it already took, at an early stage in the design of the processing operations by means of the system of intelligent cameras, the appropriate technical and organizational measures necessary in order to comply with the principles of privacy and to ensure data protection from the outset.
The system implemented by the defendant thus forms a good example of “data protection by design” within the meaning of Article 25 GDPR.

104. In particular, the defendant demonstrates that, from the moment the public contract regarding the passer-by counting system was issued, it took compliance with the aforementioned principles into account by considering technologies that comply with the requirements of DPbDD. It opted for a stand-alone system, not connected to any network, whereby the processing of personal data by means of video equipment is kept to a minimum and no other personal data are collected.

105. The defendant provided an appropriate management framework and took technical measures regarding the (intended) processing, in particular with regard to:

i. anonymization, in accordance with Article 25.1 GDPR and recital 78 GDPR, by the automatic and irreversible “blurring” of the camera images after a few milliseconds by replacing passers-by with “blobs”;

ii. minimal data processing (Art. 5.1 c) GDPR), due to the short retention period as well as the limitation of the measure in time and space;

iii. storage limitation, by not storing the camera images for longer than strictly necessary for the realization of the intended purposes (local storage for just a few milliseconds) and by preserving the acquired data in a form that makes it impossible to re-identify the data subjects, in accordance with Article 5.1 e) GDPR;

iv. security of data and limitation of access, by limiting access to the blurred live images to a limited number of authorized employees of the processor (even though the persons in these live images cannot in principle be re-identified), by securing access to the system with multiple passwords and access tracking, as well as by limiting that access in time;

v.
deactivation of the unnecessary functionalities in the firmware of the system, in such a way that no unblurred live images can be obtained from the cameras which would allow identification of the data subjects, as well as by making it technically impossible to disable the automatic “blurring” of the images.

106. The defendant has thus complied with the requirements of Article 25 GDPR. The Disputes Chamber takes into account that the current health crisis requires exceptional measures, which make it necessary to be able to process personal data in the public interest, such as, for example, by filming flows of movements of people. It is essential that a controller makes the utmost effort to reduce to a minimum the potential adverse consequences for the data subjects whose data are processed.

107. On the basis of the above, the Disputes Chamber also concludes that the defendant has not infringed Articles 5.1 a), 5.1 b) and 5.1 c) GDPR and that it has sufficiently demonstrated compliance with data protection principles in the implementation of the passer-by counting system.

2.3.2. Transparent information, communication and further rules for the exercise of the rights of the data subject (Articles 12 and 13 GDPR)

108. In its investigation report, the Inspectorate establishes that the privacy statement of the respondent on the website www.westtoer.be/nl/datagegevens2.3 does not comply with the transparency obligations of Articles 12.1, 12.6, 13.1 and 13.2 GDPR.

23 Of which screenshots were taken by the Inspection Service on July 13, 2020 as well as on July 18, 2020.

109. The Inspection Service first establishes an infringement of Articles 12.1 and 12.6 GDPR, in particular in view of the fact that:
1) the information provided to data subjects through the privacy statement is not completely correct and therefore not transparent, as it is not stated which changes were made to this privacy statement and when this happened;

2) it is not stated in a transparent manner on which grounds the personal data of data subjects are processed by the defendant;

3) the privacy statement incorrectly states that personal data processed for statistical research are pseudonymised, which according to the defendant would mean that the data cannot be linked to an individual;

4) the defendant's privacy statement incorrectly states that a data subject who wishes to exercise his rights must first contact the controller and must await its response before addressing his request to the data protection officer;

5) the privacy statement states that, for the exercise of the rights of data subjects, a copy of the identity card is requested by the defendant, which would be disproportionate; and

6) with regard to the possibility for data subjects to lodge a complaint with a supervisory authority, the privacy statement only refers to the Belgian Data Protection Authority, although in accordance with Article 77.1 GDPR a complaint can be lodged with each European supervisory authority.

110. Furthermore, the Inspection Service finds a violation of Articles 13.1 and 13.2 GDPR, since:

1) the precise purposes and legal basis for the processing are not specified in the privacy statement;

2) the retention periods or the criteria for determining those periods are not specified in the privacy statement; and

3) the right of data subjects to withdraw the consent given for cookies is not stated.

111. At the hearing, the defendant acknowledges that the privacy statement was updated late but specifies that it initially concentrated on the data protection impact assessment as well as the legality of the system itself.
The defendant adds that the privacy statement has meanwhile been adjusted, following and in accordance with the findings of the Inspectorate, and points out that a legal counsel has been appointed to further update the privacy documents where necessary.

112. The Disputes Chamber points out that, in accordance with Article 12.1 GDPR, the controller “must take appropriate measures to ensure that the data subject receives the information referred to in Articles 13 and 14 and the communication referred to in Articles 15 to 22 and Article 34 in connection with the processing in a concise, transparent, intelligible and easily accessible form and in clear and plain language (…)”.

113. Recitals 58 and 60 GDPR specify that “in accordance with the principles of proper and transparent processing, the data subject [must] be informed of the fact that processing takes place and of its purposes” and that “in accordance with the transparency principle, information intended for the public or for the data subject [should] be concise, simple, accessible and understandable (…)”.

114.
In the case where the personal data concerned were not collected from the data subject himself, Article 13 of the GDPR determines which information must be provided to the latter: “When personal data concerning a data subject are collected from that person, the controller shall provide the data subject, at the time the personal data are obtained, with all of the following information:

(a) the identity and contact details of the controller and, where applicable, of the controller's representative;

(b) where applicable, the contact details of the data protection officer;

(c) the processing purposes for which the personal data are intended, as well as the legal basis for the processing;

(d) the legitimate interests of the controller or of a third party, if the processing is based on Article 6 (1) (f);

(e) where applicable, the recipients or categories of recipients of the personal data;

(f) where applicable, that the controller intends to transfer the personal data to a third country or an international organization; whether or not an adequacy decision by the Commission exists; or, in the case of the transfers referred to in Article 46, Article 47 or the second subparagraph of Article 49 (1), what the appropriate or suitable safeguards are and how a copy of them can be obtained or where they can be consulted.

2.
In addition to the information referred to in paragraph 1, the controller shall provide the data subject, at the time the personal data are obtained, with the following additional information to ensure fair and transparent processing:

(a) the period for which the personal data will be stored, or if that is not possible, the criteria for determining that period;

(b) that the data subject has the right to request from the controller access to and rectification or erasure of personal data or restriction of the processing concerning him, as well as the right to object to the processing and the right to data portability;

(c) where the processing is based on point (a) of Article 6 (1) or point (a) of Article 9 (2), that the data subject has the right to withdraw consent at any time, without this affecting the lawfulness of the processing based on the consent before its withdrawal;

(d) that the data subject has the right to lodge a complaint with a supervisory authority;

(e) whether the provision of personal data is a legal or contractual obligation or a necessary condition for concluding an agreement, and whether the data subject is obliged to provide the personal data and what the possible consequences are when this information is not provided;

(f) the existence of automated decision-making, including that referred to in Article 22 (1) and (4), and, at least in those cases, useful information about the underlying logic, as well as the importance and expected consequences of that processing for the data subject”.

115. The Disputes Chamber consulted the defendant's privacy statement (last consultation on 05/02/2021) and indeed established that it was updated in such a way as to take into account most of the comments of the Inspectorate, and that the privacy statement was therefore brought almost completely in line with the relevant provisions of the GDPR. The Disputes Chamber takes note of this.

116.
However, it is noted that not all of the findings of the Inspection Service have yet been addressed.

117. First of all, the Disputes Chamber establishes in this regard that the privacy statement does not state in sufficient detail the precise legal basis(es) of the processing of the personal data concerned, as required by Article 13.1 c) GDPR. The privacy statement states in this regard:

“We process your personal data on the basis of either:
• Your consent.
• A contract that we conclude among ourselves.
• A legal obligation that we must comply with.
• A public interest.”

118. However, it is not specified which legal obligations or general interest are concerned. For example, for the processing of personal data via the intelligent camera system, it is not specifically stated what the legal basis is for the processing concerned (see above; Article 6.3 GDPR).

119. In accordance with the Guidelines on Transparency prepared by Working Party 29, the information provided pursuant to Articles 13 and / or 14 GDPR must be concrete and definitive and may not contain abstract or ambivalent formulations. Working Party 29 emphasizes that this applies in particular to the purposes of and the legal basis for the processing. 24

120. The Disputes Chamber is of the opinion that this constitutes a violation of Article 13.1 c) GDPR and therefore orders the defendant to further specify this legal basis(es) in accordance with the aforementioned provision.

121. Second, the Disputes Chamber finds that the privacy statement also does not clearly state the retention periods of the personal data concerned or the criteria for determining them, as required by Article 13.2 a) GDPR. The privacy statement states in this respect that “the data will be kept for as long as is necessary to provide our services, because we have an interest in it or to fulfill our legal obligations”.
However, the Guidelines of Working Party 29 show that such a formulation is not sufficient. Working Party 29 points out in this regard that the (mention of the) retention period is related to the principle of data minimization contained in Article 5.1 c) GDPR as well as the storage limitation requirement of Article 5.1 e) GDPR. It specifies that “the storage period (or the criteria for determining it) may be dictated by factors such as legal requirements or sectoral guidelines, but must always be formulated in such a way that the data subject can assess, based on his or her own situation, what the retention period is for specific data / purposes”. 25

122. The Disputes Chamber therefore orders the defendant to further specify in the privacy statement, in accordance with Article 13.2 a) GDPR, the retention periods of the personal data collected.

123. Furthermore, the Disputes Chamber also establishes that the privacy statement states the following with regard to the exercise of the rights of data subjects:

“We may need proof of your identity to be able to answer your question. In that case we will ask for a copy or a scan of your identity card or any other proof of your identity. We will only use the evidence to establish whether you are actually the data subject whose personal data are being processed, or the parent or guardian in the case of under-16s. As soon as we are both satisfied with the answer to your question we will destroy the evidence”.

24 Guidelines on transparency according to Regulation (EU) 2016/679, WP260rev1, adopted on November 29, 2017, p. 9-10.

25 Working Party 29, Guidelines on transparency according to Regulation (EU) 2016/679, WP260rev1, p. 45.

124.
As also stated by the Inspectorate, the Disputes Chamber points out that, in accordance with Article 12.6 GDPR, the controller may only request additional information from the data subject “when he has reasons to doubt the identity of the natural person submitting the request as referred to in Articles 15 to 21”. Systematically requesting a copy or scan of the identity card of the data subject is therefore disproportionate.

125. The Disputes Chamber points out in this regard that only in the specific cases in which the controller can demonstrate, in accordance with Article 5.2 GDPR, that it cannot identify the data subject (Article 11.2 GDPR) and / or that it has reasons to doubt the identity of the natural person submitting the request (Art. 12.6 GDPR) may it request the additional data necessary for the confirmation of the identity of the data subject. This additional data can, for example, consist of a copy of the front of the identity card on which only the personal data strictly necessary for this verification are legible. The other data may be made illegible in advance by the complainant.

126. The Disputes Chamber establishes that the other findings of the Inspection Service have in the meantime been accommodated by the changes made by the defendant to the privacy statement, but establishes that these were established at the time the inspection investigation was carried out.

127. The defendant acknowledges this and points out in its defense, as stated earlier, that it first focused on the GDPR compliance of the intelligent camera system itself, before adjusting the privacy statement.

128. However, the Disputes Chamber emphasizes the importance of compliance with the transparency obligations from the start of the processing activity, having regard to its impact on the exercise of the rights of data subjects contained in Articles 15 to 22 GDPR, as illustrated by the case law of the Court of Justice. 26

26 CJEU October 1, 2015, Bara, C-201/14, ECLI:EU:C:2015:638.

129. In addition, the Disputes Chamber points out that the defendant, as an autonomous provincial company charged with a task of general interest, has an exemplary function in terms of compliance with legislation on the protection of personal data and that it must therefore, in accordance with the principle of “lead by example”, act at all times in accordance with this legislation and in particular with the above-mentioned essential provisions of the GDPR regarding transparency. 27

130. In view of the cooperation of the defendant and the amendment of the privacy statement in the course of the proceedings, the Disputes Chamber does not consider it necessary to attach a sanction to the aforementioned findings, but does recommend that the defendant bring this privacy statement into full compliance.

2.3.3. The data protection impact assessment (Articles 35.2 and 35.7 GDPR)

131. According to the Inspectorate, the defendant has infringed Articles 35.2 and 35.7 GDPR. The Inspectorate is of the opinion that the defendant did not obtain, or in any case did not obtain in time, the advice of the data protection officer on a DPIA (Article 35.2). Moreover, according to the Inspectorate, Article 35.7 GDPR has not been complied with, which stipulates that the DPIA must contain the following elements:

(a) a systematic description of the intended processing operations and the processing purposes, including, where applicable, the legitimate interests pursued by the controller;

(b) an assessment of the necessity and proportionality of the processing operations with regard to the purposes;

(c) an assessment of the risks to the rights and freedoms of data subjects;

(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data.

132.
The respondent indicated in the answers to the questions of the Inspectorate that the data protection officer has been involved in the implementation of the DPIA regarding the intelligent cameras. According to the defendant, the first consultation regarding the DPIA took place on 11 June 2020. In the statement of defense, the defendant reiterated that both the data protection officer and the defendant explicitly indicate that the officer has been present and involved in the implementation of the DPIA from the start on 11 June 2020. The Inspectorate, on the other hand, is of the opinion that it has not been proven that the aforementioned consultation actually took place and that the data protection officer was present. In the advice of the data protection officer, the DPIA is referred to with the wording “The drafted DPIA”. [28] The above indicates, according to the Inspectorate, that the DPIA (at least in part) was drawn up even before the officer gave his advice. According to the Inspectorate, an assessment of the risks to the rights and freedoms of data subjects referred to in Article 35.1 GDPR (cf. Article 35.7, c) and the envisaged measures to address the risks, including safeguards, security measures and mechanisms to guarantee the protection of personal data (Article 35.7, d).

[27] Data Protection Authority, “Strategic Plan 2020-2025”, https://www.dataprotectionautoriteit.be/sites/privacycommission/files/documents/GBA_Strategisch_Plan_28012020.pdf, p. 22.

133. According to the Disputes Chamber, it is indeed impossible to establish from the documents submitted that a consultation on drafting a DPIA took place on June 11, 2020 in the presence of the data protection officer. In the absence of evidence, the Disputes Chamber cannot say anything further about the presence or absence of the officer.

134.
However, it appears from the documents before us that the data protection officer of Westtoer sent his written advice (dated June 17, 2020) to Westtoer on June 18, 2020. Comments were formulated in the advice and the officer approved the DPIA. According to Working Group 29, the controller should obtain the advice of the data protection officer on a DPIA on matters such as the following:
- which methodology to follow in a DPIA;
- whether the DPIA should be carried out internally or outsourced;
- which safeguards (including technical and organizational measures) should be applied to mitigate any risks to the rights and interests of data subjects;
- whether or not the DPIA has been carried out correctly and whether or not the conclusions (whether or not to carry out the processing and which safeguards apply) comply with the General Data Protection Regulation. [29]

[28] Advice on DPIA from data protection officer, Annex 5, by email of 28 July 2020 from defendant.
[29] Working Group 29, WP243 rev. 01.

135. The Disputes Chamber is of the opinion that the written advice of the data protection officer dated 17 June 2020 contains a description of the possible risks that the data processing could entail and a description of the guarantees that can be applied against them. The data protection officer has also indicated in the advice that the DPIA complies with the requirements of Article 35.7 GDPR and emphasizes that the DPIA also takes into account the points for attention described by the officer in his advice. On June 25, 2020, more than a week after the officer's written advice, the DPIA was approved and signed by the CEO and the Chairman of the Board of Directors of the defendant. In view of the above and the arguments and evidence submitted, the Disputes Chamber is therefore, unlike the Inspectorate, of the opinion that the data protection officer has issued an opinion on the DPIA.
No infringement of Article 35.2 GDPR can be established.

136. According to the Inspectorate, there are further violations of Article 35.7, c and d GDPR. According to the Inspection Service, the DPIA contains too brief a description of the risks for the rights and freedoms of data subjects. The DPIA would not show how the risk estimate came into being. The envisaged measures to address the risks, including safeguards, security measures and mechanisms to guarantee the protection of personal data and to demonstrate compliance with this Regulation, are described too briefly and inadequately, according to the Inspectorate.

137. The Disputes Chamber is of the opinion that the risks that the processing could entail are sufficiently accurately described and assessed in the drafted DPIA. As the Disputes Chamber has already established in this decision, the defendant has, on the basis of a range of both organizational and technical measures, such as limiting, protecting and securing the processing of personal data, taken the necessary measures against any risks. Therefore, according to the Disputes Chamber, no infringement of Article 35.7 GDPR has been committed.

2.4. With regard to the findings of the Inspectorate outside the scope of the serious evidence

2.4.1. Consent to the placement of cookies (Articles 4.11, 6.1 a), 7.1 and 7.3 GDPR)

138. The Inspectorate comes to the conclusion that the defendant does not request permission for the placement of cookies on the website https://www.westtoer.be/. The Inspectorate has established a violation of Articles 4.11, 6.1 a), 7.1 and 7.3 GDPR. From the screenshots of the above website taken by the Inspection Service on 13 July 2019 [30], it appears that those involved who visit the Westtoer website were deemed to have given their consent at the time of continued use of the website.

[30] Document 8 to the Inspection Report of 25 August 2019.
Therefore, the data subjects are not asked for their consent to the use of cookies on the websites. Nor is permission asked to place cookies that are not necessary. This is evident from the sentence “By using this site, or by clicking agree, you give your consent for the use of cookies”.

139. The concept of “consent” consists of a number of elements that must be cumulatively satisfied. Article 4.11 GDPR defines consent as: “any free, specific, informed and unambiguous expression of will by which the data subject, by means of a statement or an unambiguous active act, accepts the processing of personal data concerning him.” The element “free” should be interpreted as actually offering a choice and leaving the control to the data subject. When a data subject did not actually have a choice and feels forced to agree because the consequences of not agreeing would be detrimental, consent is deemed not to have been freely given. When consent is a non-negotiable part of the terms, it is presumed not to have been freely given. This means that consent is not considered freely given if the data subject cannot refuse or withdraw his or her consent without consequences. [31]

140. The Disputes Chamber refers in this context [32] to the Planet49 judgment of the European Court of Justice. [33] In that judgment, the consent requirement for placing cookies following the entry into force of the GDPR was clarified as follows, in the sense that an explicit active consent is now required: “Regulation 2016/679 now explicitly prescribes active consent. In this regard, it should be noted that according to recital 32 of this Regulation, consent can be expressed in particular by clicking on a box when visiting a website. On the other hand, this recital expressly excludes that 'silence, use of pre-ticked boxes or inactivity' may count as consent.
It follows that the consent referred to in Article 2(f) and Article 5(3) of Directive 2002/58, read in conjunction with Article 4(11) and Article 6(1)(a) of Regulation 2016/679, is not validly granted when the storage of information, or access to information already stored in the terminal equipment of the user of a website, is allowed by means of a pre-checked box that the user must uncheck in case he refuses to grant his consent.” (underlining by the Disputes Chamber)

[31] See in more detail Guidelines 5/2020 of the EDPB on consent.
[32] See in more detail Decision 12/2019 of the Disputes Chamber.
[33] CJEU, 1 October 2019, C-673/17, Planet49, ECLI:EU:C:2019:801.

141. As described above, the Inspectorate established on July 13, 2019 that the visitors of the website are deemed to have given their consent for the use of the cookies when they decide to make further use of the website. No prior permission is requested. However, Article 6.1 GDPR shows that consent must be obtained prior to the processing. By not obtaining prior consent from those involved, the defendant acted in violation of Articles 6.1 a) and 7.1 GDPR.

142. In its statement of defense dated 1 October 2020, the respondent acknowledged that the cookie policy could be improved. During the hearing, the defendant announced that the cookie policy has now been brought into line with the prevailing privacy legislation and that from now on cookies will only be placed when active consent has been obtained. The Inspectorate also establishes that the defendant does not comply with Article 7.3 GDPR, which states that the data subject must have the right to withdraw his consent at any time. In the first version of the cookie policy, which was examined by the Inspectorate on July 13, 2020, data subjects were, according to the Inspection Service, given no information about their right to withdraw the consent that they give for the use of cookies.
The message concerning the cookies that was used [34] read: “By using this site, or by clicking agree, you consent to the use of cookies”. In addition, there was an option with “OK, I agree”. Except for the agree button, no other options were offered, nor the possibility to withdraw the agreement given.

143. In its statement of defense, the respondent states the following with regard to the possibility to withdraw consent for cookies [35]: “Finally, the Inspectorate states that those involved are not sufficiently informed about their right to withdraw their consent to the use of cookies. This is not right. First of all, the privacy statement generally states that "For certain As a data subject, you always have the right to withdraw your consent free of charge." This right can of course also be exercised where consent was granted for cookies. In addition, the privacy statement mentions specifically for cookies how such cookies can be deleted by the users: "You can, via the settings of your browser, prevent cookies from being used or ensure that you receive certain warnings when installing or removing cookies. [...]" Clicking on the links for the aforementioned browsers explains in detail how cookies can be removed (the link to Google Chrome, for example, prominently mentions "Allow or block cookies"). In practice, the user can therefore decide at any time that cookies may no longer be processed.”

[34] Screenshot of the website taken by the Inspection Service.
[35] Conclusion of the respondent's answer, p. 19.

144. The Disputes Chamber does not share the defendant's position and follows the determination of the Inspection Service that the defendant, in the first version (of 13 July 2020) of the cookie policy, has not complied with the requirements of Article 7.3 GDPR, which reads as follows: “The data subject has the right to withdraw his consent at any time.
Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. Before the data subject gives his consent, he is informed thereof. Withdrawing consent is as easy as giving it.” [36] According to the Disputes Chamber, withdrawing consent was evidently not as simple as giving it. Next to the button to agree to the cookie policy, no option was given to withdraw the consent given. As described under marginal number 8, the person concerned had to go through various steps via the settings of the browser before the consent could be withdrawn. The Disputes Chamber therefore finds an infringement of Article 7.3 GDPR.

145. On December 6, 2020, the website https://www.westtoer.be was studied by the Disputes Chamber in order to determine whether any changes had been made to the cookie policy of the defendant since the investigation by the Inspection Service as indicated above. This turned out to be the case. The Disputes Chamber notes that in the window for the management of cookies, a distinction is now made between the following cookies: required, functional, analysis, advertising. The “required” cookie is pre-checked and there is no possibility to uncheck it. The other, non-required, cookies can be checked but are in principle unchecked.

146. The cookie policy in its current form does give data subjects the option to withdraw the consent given as easily as giving it. After all, the window for managing the cookies states as follows: “Do you want to enjoy an optimal experience? Click “agree” below if you agree to the use of cookies for all above purposes. You can also set your own preferences. You can choose again at any moment.” Next to the “agree” button is a button with “Adjust preferences”, which makes it easy to withdraw the consent given.

[36] Underlining by the Disputes Chamber.

147. The Disputes Chamber takes note of the above.
Given that the cookie policy has since been amended, the Disputes Chamber limits itself to imposing a reprimand for the violations of Article 6.1 a) and Articles 7.1 and 7.3 GDPR established by the Inspection Service.

2.4.2. Register of processing activities (Article 30 GDPR)

148. Pursuant to Article 30.1 GDPR, the controller, and where applicable his representative, must keep a record of the processing activities that take place under his responsibility. The Inspection Service has come to the conclusion that the defendant does not comply with Article 30.1. According to the Inspection Service:
- the contact details of the controller are not complete and therefore not in conformity with Article 30.1, a) (this because the e-mail address data processing@westtoer.be is not mentioned);
- the description of the categories of data subjects is incomplete (Article 30.1, c), because in the column “categories of natural persons” the word “other” is mentioned in several places;
- the third countries to which personal data is transferred are not disclosed (Article 30.1, e) and there are several mentions of “(email addresses to Mailchimp)” without it being clear which countries are concerned;
- nowhere in the register is there any mention of the processing of personal data of website visitors through the use of cookies.

149. The defendant argues in its conclusion that there can be no question of incompleteness of Westtoer's contact details merely because of the absence of the e-mail address data processing@westtoer.be. According to the defendant, Article 30.1 a) GDPR does not require every e-mail address of the controller to be indicated. After all, the register contains the contact details of both Westtoer and the data protection officer. According to the respondent, this complies with Article 30.1 a). That the description of the categories of data subjects is incomplete because of the use of the word “other” is also incorrect according to the defendant.
The respondent indicates that: “the following categories are chosen via a "dropdown menu": (i) white-collar workers, (ii) customers, (iii) suppliers, (iv) other, (v) applicants, (vi) website visitors. The "other" category therefore refers to data subjects who are not employees, customers, suppliers, applicants or website visitors, such as the passers-by in the passer-by counting system. In view of the comments of the Inspection Service, Westtoer will adjust the register to refer more precisely to the "Other" category.”

150. The Disputes Chamber has taken cognizance of the register of processing activities and establishes that the contact details of both the controller and the data protection officer are included (as also indicated by the respondent). The e-mail address data processing@westtoer.be is indeed not listed among the data of the controller. However, the contact details of both the controller and the data protection officer are in the register. For the sake of completeness and good accessibility, the Disputes Chamber considers it advisable to include the above e-mail address in the register as well. The finding of the Inspectorate that the description of the categories of data subjects is incomplete because of the use of the word “other” is factually correct. However, as stated by the defendant in its conclusion, several categories are included in the register, of which “other” is one, and it is mentioned a number of times. By clicking on “detail processing activity” in the register of processing activities, it can be determined which category is meant by “other”. The Disputes Chamber does not consider the register to be inconsistent with the GDPR on this point of categories (Article 30.1, c), but recommends that the defendant also make the “other” category explicit from now on.

151.
The Disputes Chamber finds that the description of the third countries to which the personal data is passed on is insufficiently clear. After all, in the register of processing activities, under the tab on transfer of personal data to third countries, “yes (email addresses to Mailchimp)” is listed with a link next to it. Clicking on the given link takes the reader to the privacy policy of Mailchimp, from which it appears in which country this organization is located. The defendant has stated in its conclusion that the inclusion of the link to Mailchimp's privacy policy indicates that transfer of personal data to the United States can take place. The Disputes Chamber considers it important that the register of processing activities from now on states explicitly and unambiguously to which countries personal data is transferred.

152. In view of the above, the Disputes Chamber is of the opinion that the register of processing activities is not in conformity on this point, so that a breach of Article 30 GDPR can be established. This infringement is not of such a nature that a sanction must be imposed for it.

2.4.3. The data protection officer (Articles 37 and 38 GDPR)

153. According to Article 37.5 GDPR, the data protection officer is designated on the basis of his professional qualities and in particular his expertise in the field of data protection law and practice. From the documents that the defendant provided to the Inspectorate, it appears, according to the Disputes Chamber, to a sufficient degree that the level of education and practical experience of the data protection officer complies with the requirement in the aforementioned article. [37] The defendant also satisfies Article 37.7 GDPR, since the personal data of the data protection officer have been communicated by the defendant to the Data Protection Authority.

154.
Article 38.2 GDPR stipulates that the controller supports the data protection officer in performing his tasks by providing access to personal data and by making available the resources necessary to carry out those tasks. According to the Inspectorate, an infringement of Article 38.2 GDPR has been established, now that the respondent's replies do not reveal how many and which agencies the data protection officer advises. The respondent responds as follows to the determination of the Inspectorate: “It is not clear what exactly the Inspectorate accuses Westtoer of, but it seems that the Inspectorate states that the officer would not have enough time to perform his duties now that he only works in a 4/5 system.”

155. The defendant denies that the officer would have insufficient time, also in view of the opinion issued in the file that is the subject of these proceedings. The Disputes Chamber notes that the GDPR does not require a data protection officer to work full-time. [38] The advice of the officer is also drawn up in detail. The Disputes Chamber is of the opinion that it cannot be deduced from the present documents that there has been a violation of Article 38.2 GDPR.

[37] Appendices 11 and 12 to an e-mail message from the defendant to the Inspection Service of 18 August 2020.
[38] See also Working Group 29, Guidelines for Data Protection Officers (DPO), WP 243 rev. 01.

156. Under Article 38.3, the officer may not receive instructions regarding the performance of his duties and reports directly to the highest management level of the controller. In reply to questions from the Inspectorate, the defendant stated the following: “An employee was appointed within Westtoer who acts as contact person for the officer. The officer is, through this contact person, on an ad hoc basis (by phone or e-mail) involved in the implementation of
the GDPR within Westtoer and gives advice to this contact person in function of Art. 38 paragraph 3.” Working Group 29 already pointed out the importance of being able to report to the highest management level with the following wording: “Such direct reporting ensures that senior management (e.g. the board of directors) is aware of the advice and recommendations provided by the data protection officer as part of his mission to inform and advise the controller or processor.” It appears from the answer of the respondent that the officer gives advice to a contact person within the defendant's organization. The Disputes Chamber accordingly establishes a violation of Article 38.3. No infringement of Article 38.6 was found, as the data protection officer does not exercise any other duties and powers for the defendant.

Publication of the decision

157. Considering the importance of transparency with regard to the decision-making of the Disputes Chamber, this decision is published in accordance with Article 95, §1, 8° WOG on the website of the Data Protection Authority, stating the identification data of the defendant [39], because of the specificity of the present decision, which makes re-identification inevitable, as well as the public interest of this decision.

[39] However, with the omission of the name of the defendant's data protection officer.

FOR THESE REASONS, the Disputes Chamber of the Data Protection Authority decides, after deliberation:

- that the system of intelligent cameras implemented by the defendant does not violate Article 5.1 a), b) and c) and is in accordance with Article 25 GDPR;
- pursuant to Article 58.2, d) GDPR and Article 100, §1, 9° WOG, to order the defendant to bring the information that it provides about its processing operations in its privacy statement into accordance with Articles 12 and 13 GDPR, in particular with regard to the additional information requested from the data subject in the context of a request on the basis of Articles 15 to 21 GDPR (Article 12.6 GDPR), the legal bases of the processing (Article 13.1 c) GDPR) as well as the retention periods of the collected personal data (Article 13.2 a) GDPR), within one month after the notification of this decision, and to inform the Disputes Chamber of this within the same period;
- on the basis of Article 58.2, d) GDPR and Article 100, §1, 9° WOG, to order the defendant to align its register of processing activities with the requirements of Article 30 GDPR and in particular to specify to which third countries transfer of personal data takes place, within the period of one month after the notification of this decision, and to inform the Disputes Chamber of this within the same period; and
- on the basis of Article 100, §1, 5° WOG, to formulate a reprimand with regard to the defendant for violation of Articles 6.1 a), 7.1, 7.3 (consent cookies) and 38.3 GDPR (report directly to the highest management level of the controller).

On the basis of Article 108, §1 WOG, an appeal can be lodged against this decision with the Market Court (Marktenhof) within a period of thirty days from the notification, with the Data Protection Authority as defendant.

Hielke Hijmans (sgd.)
Chairman of the Disputes Chamber