APD/GBA (Belgium) - 98/2024
APD/GBA - 98/2024 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 12(3) GDPR Article 15 GDPR Article 31 GDPR |
Type: | Complaint |
Outcome: | Rejected |
Started: | |
Decided: | 24.07.2024 |
Published: | |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 98/2024 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | French |
Original Source: | APD/GBA (Belgium) (in FR) |
Initial Contributor: | wp |
The DPA issued a warning to the operator of a video surveillance system for ignoring an access request by a data subject and failing to cooperate with the DPA. Thus, the controller violated Article 12(1), Article 12(3) and Article 31 GDPR
English Summary
Facts
A resident (controller) installed five cameras (CCTV) within their premises (a house). The controller obtained the consent of their neighbour (data subject) to process the CCTV data.
A data subject claimed two cameras covered their garden, which was contrary to what they agreed to. Then, the data subject asked the controller to move the cameras adequately and give the data subject access to the recordings to verify their content. Despite multiple tries by the data subject, the controller did not respond to the request.
In the meantime, the controller installed an additional camera – a doorbell camera facing the data subject’s driveway and private entrance.
The data subject consulted the Belgian DPA (APD/GBA) on what further actions they should take. The DPA suggested to contact the local police or to start proceedings before the DPA.
Following the DPA's advice, the data subject contacted the Police who found that the setting of two cameras was changed, so they did not cover the data subject’s premises. Nevertheless, the doorbell camera was programmed to send a notification every time someone showed up within its range. The data subject, requested the controller to change the setting of the doorbell camera as well, but the controller did not reply.
Later, the controller replaced two cameras with new, advanced models (vide-angle lenses) and changed the location of the doorbell, which covered not only the data subject’s premises but also a pavement and a street.
As the mediation before the DPA was unsuccessful (the controller did not respond to official letter of DPA), the data subject decided to lodge a complaint with the DPA.
Holding
The DPA decided to close the case due to the expediency.
First, the DPA noted the controller was obliged to answer data subject’s access request under Article 15 GDPR, which they obviously failed to do. Hence, the controller violated Article 12(3) GDPR.
Second, the DPA noted that the controller violated Article 31 GDPR, because they did not respond to any official mails sent by the DPA.
For both violations, the DPA issued a warning against the controller.
Nevertheless, the DPA found the subject matter of the case at hand was a broader dispute and should be heard by a court. Furthermore, the complainant did not provide enough evidence to confirm the CCTV violated the GDPR. Also, there was a parallel proceeding before the Police, making a potential investigation of the DPA pointless.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
Contentious Chamber Decision 98/2024 of July 24, 2024 File number: DOS-2023-00957 Subject: Complaint regarding the installation of surveillance cameras in the context of a neighborly dispute The Contentious Chamber of the Data Protection Authority, constituted by Mr. Hielke Hijmans, President, sitting alone; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR; Having regard to the Law of December 3, 2017, establishing the Data Protection Authority (hereinafter LCA); Having regard to the Law of July 30, 2018, on the protection of natural persons with regard to the processing of personal data (hereinafter LTD); Having regard to the Rules of Procedure as approved by the House of Representatives on December 20, 2018, and published in the Belgian Official Gazette on January 15, 2019; Having regard to the documents in the file; Has made the following decision regarding: The complainants: X1 and X2, hereinafter "the complainants"; The defendants: Mr. and Mrs. Y, hereinafter "the defendant party"; # I. Facts and Procedure 1. On August 29, 2023, the complainants filed a complaint with the Data Protection Authority (hereinafter "the DPA") against the defendant party, a neighboring couple who installed a video surveillance system around their house. 2. The subject of the complaint concerns unlawful data processing and an intrusion into the complainants' privacy caused by the installation of exterior cameras by the defendant party, which, according to the complainants, film their home. 3. In July 2022, the defendant party installed surveillance cameras: one at the front of the house and three at the back. Among the latter, two cameras were allegedly directed toward the complainants' garden, prompting them to request that the defendant party adjust the cameras to stop filming their garden and to allow them to verify the recorded images. 4. On August 2, 2022, the complainants sent a registered letter to the defendant party, reminding them that they had allegedly given their consent for the installation of surveillance cameras on the condition that they would not record images of their property. Therefore, they again requested that the cameras be adjusted and that they be allowed to verify the recorded images. 5. On February 24, 2023, the defendant party installed an additional camera, according to the complainants, which appeared on the doorbell of the front entrance and was directed toward their driveway and private entrance. 6. On February 25, 2023, the complainants requested information from the DPA to understand their options for action. 7. On February 27, 2023, the Frontline Service (hereinafter the "FLS") responded to this request and suggested, based on the Law of March 21, 2007, regulating the installation and use of surveillance cameras (hereinafter "the Camera Law"), that they contact the local police or, based on the GDPR, file a complaint or a mediation request with the DPA. 8. On March 2, 2023, police officers visited the defendant party's residence. They confirmed to the complainants that their garden was not visible in the images filmed by the cameras. However, the camera installer allegedly told the complainants that the cameras could have their settings and caches modified at any time by their users. Additionally, the doorbell camera would send a notification every time the complainants entered or exited their home. They complained about this to the defendant party, to no avail. 9. On March 25, 2023, the complainants filed a mediation request, seeking to change the orientation of the cameras installed at the back of the house so that they would no longer film the complainants' garden, as well as to adjust the installation of the connected doorbell. 10. On April 4, 2023, the FLS declared the mediation request admissible. 11. On April 14, 2023, the FLS sent a letter to the defendant party, asking them to respond to the registered letter the complainants had sent on August 2, 2022. 12. On July 6, 2023, the FLS sent a registered letter to the defendant party, requesting a response to the letter sent on April 14, 2023. 13. On July 19, 2023, the complainants informed the DPA of changes to the installation of the defendant party's cameras. Specifically, the defendant party had replaced two cameras with more advanced models equipped with wide-angle lenses. Furthermore, the connected doorbell had been repositioned facing the street, allowing it to film, in addition to the complainants' driveway, their car, the sidewalk, and the street from left to right over 180°. Additionally, the complainants and the defendant party live in adjoining houses with gardens measuring approximately 5.60 meters in width by 15 meters in length. Given that three cameras are installed at the back of the defendant party's house, with the width of the garden, there would be one camera every 1.80 meters; according to the complainants, it would be impossible for these cameras not to film their garden, and therefore, the number of cameras installed would be disproportionate. 14. On August 18, 2023, the complainants emailed the DPA to inquire about the status of the situation. 15. On August 21, 2023, the DPA informed them that the two letters they had sent to the defendant party remained unanswered, declaring the mediation unsuccessful and informing them of the possibility of converting their mediation request into a complaint, in accordance with Article 62, §2, 1° of the LCA. 16. On August 29, 2023, the complainants converted their mediation request into a complaint. 17. On September 6, 2023, the Frontline Service of the Data Protection Authority declared the complaint admissible based on Articles 58 and 60 of the LCA and forwarded it to the Contentious Chamber in accordance with Article 62, §1 of the LCA. 18. On October 11, 2023, the Contentious Chamber asked the complainants if they had exercised their right of access again and if they had received a response from the defendant party. 19. On October 12, 2023, the complainants informed the Contentious Chamber that they had not reintroduced a request for the right of access and that the defendant party had responded to their exercise of the right of access dated August 2, 2022. The complainants indicated that they were not satisfied. 20. On November 19, 2023, the complainants emailed the Contentious Chamber, indicating that they had again observed on November 16, 2023, around 8:30 p.m., that the camera placed at the front of the defendant party's house was triggered when they moved from their garden driveway to their entrance. Following this, the complainants rang the defendant party's doorbell, to no avail. Approximately 30 minutes later, the police reportedly arrived at the complainants' residence following a call from the defendant party. Attached to the email, the complainants included photos of the front façade of the defendant party's house. 21. On December 1, 2023, the complainants added a new element to the file: they noticed on Thursday, November 30, that the connected doorbell was triggered as soon as they appeared on their private driveway, doing so with each of their entries and exits. The complainants added that they have photos and videos. 22. On January 11, 2024, the complainants added that the defendant party had modified the installation of their cameras by connecting them to the electrical network so that they are now fixed and permanent. One of the three cameras located at the back of the defendant party's house had been moved and reoriented further towards the complainants' property. # II. Motivation ## II.1. Warning 23. Article 4.7 of the GDPR defines the "controller" as "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing." 24. The controller must respond to a request made pursuant to Articles 15 to 22 of the GDPR by the data subject, in accordance with the conditions set out in Article 12 of the GDPR. 25. The European Data Protection Board (hereinafter "EDPB") has specified in its guidelines that the information – or a copy of the personal data – provided to the data subject under Article 15 of the GDPR must be in a permanent and thus durable form. 26. Pursuant to Article 12.1 of the GDPR, it is the responsibility of the controller "to take appropriate measures to provide any information referred to in Articles 13 and 14 as well as any communication under Articles 15 to 22 and 34 regarding processing to the data subject in a concise, transparent, intelligible, and easily accessible form, using clear and plain language [...]." 27. The Contentious Chamber adds that it is the controller's responsibility to provide the data subject with information on the measures taken in response to a request made pursuant to Articles 15 to 22 of the GDPR as soon as possible and, in any case, within one month of receiving the request. Article 12.3 of the GDPR states that this period may be extended by two months if necessary, taking into account the complexity and number of requests. In such a case, the controller must inform the data subject of the extension and the reasons for the delay within one month of receiving the request. 28. In this case, the complainants exercised their right of access on August 2, 2022, by means of a registered letter. However, the defendant party did not satisfy this access request before – at the very least – March 2, 2023. 29. The Contentious Chamber thus finds that the defendant party may have violated Article 12.3 of the GDPR. 30. In addition to this potential violation, it also appears that the FLS, in the context of a mediation procedure, contacted the defendant party twice, including once via registered email (see points 11 and 12). However, these two contacts proved unsuccessful, as they received no response, leading the FLS to conclude the failure of the said procedure on August 21, 2023. Furthermore, the Contentious Chamber notes that this decision was adopted precisely because the complainants decided to convert their mediation request into a complaint in accordance with Article 62, §2, 1° of the LCA following this failure. 31. Article 31 of the GDPR provides that "The controller and the processor, and, where applicable, their representatives, shall cooperate, on request, with the supervisory authority in the performance of its tasks." 32. The GDPR, including its recitals, does not define what is meant by "cooperation." However, the Contentious Chamber has previously decided that failing, among other things, "to comply with the exercise of the complainant's rights and to inform the Contentious Chamber of the follow-up to this decision," failing "to present arguments against the injunction given as permitted by Article 99 LCA," and failing to respond to an email from the Contentious Chamber informing them of the proposed administrative fine amount constitutes an attitude displaying "a manifest lack of consideration and cooperation contrary to what is expected of a controller, particularly under Article 31 of the GDPR." 33. Article 3 of the LCA indeed establishes a supervisory authority within the meaning of Article 51 of the GDPR. 34. Article 4 of the LCA states that the Data Protection Authority (DPA) thus created ensures the enforcement of the fundamental principles of personal data protection. 35. This oversight by an independent authority is an essential element of the fundamental right to data protection specifically enshrined in Article 8, §3 of the Charter of Fundamental Rights of the European Union. 36. Furthermore, Article 22, §1, 2° of the LCA states that the FLS "may initiate a mediation procedure," establishing this mechanism as a tool for carrying out its tasks. 37. The Contentious Chamber does not overlook the voluntary nature of mediation, which can lead to an amicable agreement. Indeed, the Contentious Chamber in no way considers that a party can be forced to conclude an amicable agreement. This falls under the strictest discretion of each party. Moreover, expressing the refusal to engage in a mediation procedure could in no way be held against a controller or their processor. 38. However, this is not the case for exchanges with the DPA's bodies. Under Article 31 of the GDPR, it is expected of a controller to respond to one of the DPA's bodies when they receive two letters from one of them – including one by registered mail – asking them to communicate their position on an invitation to a mediation procedure (the content of this response being entirely free in itself). 39. Consequently, the Contentious Chamber finds that the defendant party may have violated Article 31 of the GDPR. 40. Based on the aforementioned facts, the Contentious Chamber concludes that the defendant party may have committed a violation of the GDPR provisions, justifying, in this case, the adoption of a decision in accordance with Article 95, §1, 4° of the LCA, specifically the adoption of a warning decision. ## II.2. Dismissal of the case 41. Based on the facts described in the complaint file as summarized above, and based on the powers assigned to it by the legislator under Article 95, §1 of the LCA, the Contentious Chamber decides on the further course of the case; in this case, the Contentious Chamber decides to dismiss the rest of the complaint, in accordance with Article 95, §1, 3° of the LCA, for the reasons stated below. 42. In matters of case dismissal, the Contentious Chamber is required to justify its decision in stages and to: - Pronounce a technical dismissal if the file does not contain or contains insufficient elements likely to lead to a sanction or if it contains a technical obstacle preventing it from rendering a decision; - Or pronounce an opportunity dismissal if, despite the presence of elements likely to lead to a sanction, it does not seem appropriate to pursue the examination of the file given the priorities of the Data Protection Authority as specified and illustrated in the Contentious Chamber’s Dismissal Policy. 43. In the case of a dismissal based on multiple reasons for dismissal, these (respectively, technical dismissal and opportunity dismissal) must be addressed in order of importance. 44. In this case, the Contentious Chamber decides to proceed with an opportunity dismissal. The Contentious Chamber's decision is based more specifically on three reasons why it considers it inappropriate to continue monitoring the case, and consequently decides not to conduct, among other things, a substantive examination of the matter. 45. More precisely, the Contentious Chamber's decision is based on the fact that the remainder of the complaint is accessory to a broader dispute that needs to be addressed before judicial and administrative courts or another competent authority and that the complaint is not sufficiently supported by evidence that would allow the Contentious Chamber to rule on the existence or absence of a GDPR violation, and that it does not entail a high societal and/or personal impact (criteria B.3 and B.5 of the dismissal policy). 46. The Contentious Chamber recalls that the Law of March 21, 2007, regulating the installation and use of surveillance cameras (hereinafter: the Camera Law) designates the police as the primary authority responsible for monitoring compliance with the provisions of the Camera Law. Indeed, the installation of a surveillance camera must be notified to the local police. The local police are also empowered to make decisions under penal provisions sanctioning non-compliance with the Camera Law. In this case, it is precisely in this capacity that the complainants contacted their local police, who indeed visited the defendant party's residence on March 2, 2023 (see point 8). Consequently, the Contentious Chamber wishes to avoid a double investigation, where the police and the Contentious Chamber would act based on the same facts. 47. Furthermore, the Contentious Chamber notes that the complainants claim to have accessed images filmed by the defendant party's cameras. However, the complainants indicate that they are not satisfied with the images they accessed, as the cameras' technical settings would have been modified so that they did not film the images usually recorded. However, given that the complainants acknowledge not having proof of the access they were granted, the Contentious Chamber is unable to determine whether the follow-up given to their exercise of the right of access is satisfactory. 48. Since the complaint is not sufficiently supported by evidence that would allow the Contentious Chamber to rule on the existence or absence of a GDPR violation, it examines the criteria for high general or personal impact, as defined by the DPA in its Dismissal Policy Note of June 18, 2021. The Contentious Chamber first examines whether the criteria for high general or personal impact, as defined by the DPA in their dismissal policy, apply to the present case. Finally, if the criteria for high general or personal impact do not apply, the Contentious Chamber balances the personal impact of the circumstances of the complaint on the fundamental rights and freedoms of the data subject, and the efficiency of the Contentious Chamber’s intervention. 49. After evaluating the criteria for high general or personal impact, the Contentious Chamber concludes that none of the criteria apply to the present case. Consequently, the Contentious Chamber assesses the personal impact of the circumstances of the complaint on the fundamental rights and freedoms of the complainant against the efficiency of its intervention to decide on the appropriateness of a thorough investigation of the complaint. Without minimizing the facts alleged by the complainants, the Contentious Chamber notes that, in addition to the elements mentioned in points 40 to 42 of this decision, the alleged facts primarily concern the complainants. Consequently, the Contentious Chamber does not deem it appropriate to initiate an investigation by the Inspection Service to corroborate the complainants' allegations and, therefore, decides not to conduct, among other things, a substantive examination of the matter. # III. Publication and communication of the decision 50. Given the importance of transparency regarding the decision-making process and the decisions of the Contentious Chamber, this decision will be published on the Data Protection Authority's website. However, it is not necessary for this purpose to directly communicate the identifying data of the parties. FOR THESE REASONS, the Contentious Chamber of the Data Protection Authority decides, subject to the submission of a request by the defendant party for substantive treatment in accordance with Articles 98 et seq. of the LCA: Pursuant to Article 58.2.a) of the GDPR and Article 95, §1, 4° of the LCA, to warn the defendant party for the future that they must cooperate with the DPA under Article 31 of the GDPR and must respond to the exercise of rights under Articles 15 to 22 of the GDPR within the timeframe provided by Articles 12.3 and 12.4 of the GDPR; Pursuant to Article 95, §1, 3° of the LCA, to dismiss the grievances formulated by the complainant. The Contentious Chamber reminds that if the defendant party disagrees with the content of this prima facie decision and believes that they can present factual and/or legal arguments that could lead to a different decision, they may, on the one hand, address a request for substantive treatment of the matter to the Contentious Chamber via the email address litigationchamber@apd-gba.be within 30 days after the notification of this decision. If applicable, the execution of this decision is suspended during the aforementioned period. And, on the other hand, the defendant party may file an appeal against this decision in accordance with Article 108, §1 of the LCA, within 30 days from its notification, with the Market Court (Court of Appeal of Brussels), with the Data Protection Authority as the defendant. Such an appeal may be filed by means of an interlocutory petition that must contain the information listed in Article 1034ter of the Judicial Code. The interlocutory petition must be filed with the registry of the Market Court in accordance with Article 1034quinquies of the Judicial Code, or via the e-Deposit information system of the Ministry of Justice (Article 32ter of the Judicial Code). (sgd.) Hielke HIJMANS President of the Contentious Chamber