APD/GBA (Belgium) - 16/2020: Difference between revisions
No edit summary |
m (Ar moved page APD/GBA - 16/2020 to APD/GBA (Belgium) - 16/2020) |
Latest revision as of 16:55, 12 December 2023
APD/GBA - 16/2020 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 5(2) GDPR Article 24 GDPR Article 30(1) GDPR Article 30(5) GDPR Article 6 §2 (1) of the videosurveillance law Article 6 §2 (4) of the videosurveillance law |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 20.04.2020 |
Published: | |
Fine: | None |
Parties: | n/a |
National Case Number/Name: | 16/2020 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | French |
Original Source: | Official Belgian DPA website (in FR) |
Initial Contributor: | n/a |
The Belgian DPA finds that videosurveillance is a processing likely to result in a risk to the rights and freedoms and that a data controller that employs fewer than 250 persons is therefore still subject to Article 30(1) GDPR in this regard, having to establish a record of processing activities for videosurveillance.
English Summary
Facts
The plaintiff, a data subject which had seen themself being filmed on the street outside of the data controller's store, lodged a complaint with the Belgian DPA. They presumed the footage to be recorded and therefore reported the absence of a formal information as required by data protection law. After formal inquiry, it was found that the CCTV system had not been declared to the data privacy commission (commission pour la protection de la vie privée, CPVP) as required by article 6 §2(1) of the national videosurveillance law and that the record of processing activities was lacking information.
Dispute
Is the data controller subject to Article 30(1) GDPR despite employing fewer than 250 employees?
Holding
After stating the conditions for a CCTV system filming spaces open to the public to be legal (declaration to the national data privacy commission (CPVP), article 6 §2(1) of the national videosurveillance law), the Belgian DPA holds that not only the absence of declaration but also the lack of information about the data processing in the record of processing activities results in a breach of the GDPR and the national videosurveillance law. The data controller had to both declare the CCTV system and establish a detailed record of the videosurveillance activities in accordance with Article 30(1) GDPR, despite employing fewer than 250 persons, because of the risk to the rights and freedoms of the data subject (article 30(5) GDPR).
Comment
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.