APD/GBA (Belgium) - 16/2020

From GDPRhub
Revision as of 12:57, 7 May 2020 by AD (talk | contribs)
APD/GBA - 16/2020
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(2) GDPR
Article 24 GDPR
Article 30(1) GDPR
Article 30(5) GDPR
Article 6 §2 (1) of the videosurveillance law
Article 6 §2 (4) of the videosurveillance law
Type: Investigation
Outcome: Violation Found
Started:
Decided: 20.04.2020
Published:
Fine: None
Parties: n/a
National Case Number/Name: 16/2020
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: Official Belgian DPA website (in FR)
Initial Contributor: n/a

The Belgian DPA finds that videosurveillance is a processing likely to result in a risk to the rights and freedoms and that a data controller that employs fewer than 250 persons is therefore still subject to Article 30(1) GDPR in this regard, having to establish a record of processing activities for videosurveillance.

English Summary

Facts

The plaintiff, a data subject which had seen themself being filmed on the street outside of the data controller's store, lodged a complaint with the Belgian DPA. They presumed the footage to be recorded and therefore reported the absence of a formal information as required by data protection law. After formal inquiry, it was found that the CCTV system had not been declared to the data privacy commission (commission pour la protection de la vie privée, CPVP) as required by article 6 §2(1) of the national videosurveillance law and that the record of processing activities was lacking information.

Dispute

Is the data controller subject to Article 30(1) GDPR despite employing fewer than 250 employees?

Holding

After stating the conditions for a CCTV system filming spaces open to the public to be legal (declaration to the national data privacy commission (CPVP), article 6 §2(1) of the national videosurveillance law), the Belgian DPA holds that not only the absence of declaration but also the lack of information about the data processing in the record of processing activities results in a breach of the GDPR and the national videosurveillance law. The data controller had to both declare the CCTV system and establish a detailed record of the videosurveillance activities in accordance with Article 30(1) GDPR, despite employing fewer than 250 persons, because of the risk to the rights and freedoms of the data subject (article 30(5) GDPR).

Comment

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.