APD/GBA (Belgium) - 81/2023
APD/GBA - 81/2023 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 6(1)(e) GDPR Article 30(2)(a) GDPR Article 38(6) GDPR Article 1 Koninklijk besluit tot vaststelling van de wijze waarop wordt aangegeven dat er camerabewaking plaatsvindt Article 4 Koninklijk besluit tot vaststelling van de wijze waarop wordt aangegeven dat er camerabewaking plaatsvindt Article 5 Camerawet |
Type: | Complaint |
Outcome: | Rejected |
Started: | 01.02.2021 |
Decided: | 22.06.2023 |
Published: | |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 81/2023 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Dutch |
Original Source: | Gegevensbeschermingsautoriteit (in NL) |
Initial Contributor: | Enzo Marquet |
The Belgian DPA confirmed that CCTV images made to protect against littering and illegal dumping can be used to fine a data subject doing the littering, based on public interest under Article 6(1)(e) GDPR.
The DPA also noted that person combining the roles of DPO and safety consultant could pose a breach of Article 38(6) GDPR.
English Summary
Facts
An area was plagued by illegal dumping. To combat this, a CCTV camera was placed. A data subject received a letter stating that he could receive a fine for leaving bottles next to the designated deposit area.
The data subject asked the DPA whether the CCTV images could be used to impose a fine.
Holding
The DPA started by clarifying that there are two parties involved in the CCTV data processing. The controller of the images itself (a municipality), and a processor who used these images to impose fines.
The DPA held that the controller can rely on public interest under Article 6(1)(e) GDPR to prevent illegal dumping, littering, and protecting public cleanliness. On top of that, the controller followed all the requirements as set out by article 5 Camerawet and articles 1 and 4 of KB 10 februari 2008.
The DPA did find several shortcomings in the Record of Processing Activities of the processor: incomplete contact details of the processor and the controller, incomplete & unclear categories of data subjects. As such, the DPA concluded a breach of article 30(2)(a) GDPR. The DPA noted that the DPO of the processor is also a safety consultant. This could result in a breach of Article 38(6) GDPR when the DPO has tasks that enable him to decide the purpose and means of processing.
The DPA reprimanded the processor for not having a complete Record of Processing Activities. The DPA dismissed all other grievances.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/11 Litigation room Decision on the substance 81/2023 of 22 June 2023 File number : DOS-2021-00731 Subject: Complaint about camera surveillance (illegal dumping) The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans, chairman, and Messrs. Christophe Boeraeve and Frank De Smet, members; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and revocation of Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR; Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereafter WOG; Having regard to the rules of internal order, as approved by the Chamber of Representatives on 20 December 2018 and published in the Belgian Official Gazette on January 15, 2019; Having regard to the documents in the file; Made the following decision regarding: The complainant: Mr X, hereinafter referred to as “the complainant”; The Defendants: Y1, hereinafter “first Defendant”; and Y2, hereinafter “second defendant”. Decision on the substance 81/2023 – 2/11 I. Factual Procedure 1. On 1 February 2021, the complainant submits a complaint to the Data Protection Authority against the second defendant. The complaint concerns the placement of a security camera by the first defendant at a bottle bank. The complainant received a letter from the second defendant stating that he probably committed a violation because after placing his empty bottles in the bottle bank has left one or more bottles next to the container. This allowed him one fine be imposed. 2. On February 16, 2021, the complaint will be declared admissible by the First Line Service on pursuant to Articles 58 and 60 WOG and the complaint is dismissed pursuant to Article 62, § 1 WOG submitted to the Disputes Chamber. 3. On March 18, 2021, in accordance with Article 96, § 1 WOG, the request of the Disputes Chamber to carry out an investigation submitted to the Inspection Service, together with the complaint and the inventory of the documents. 4. The investigation by the Inspection Service will be completed on 13 April 2021, according to the report appended to the file and the file is transferred by the Inspector General to the Chairman of the Litigation Chamber (Article 91, § 1 and § 2 WOG). The report contains findings regarding the subject of the complaint and decision that: 1. there is no infringement of Article 5 (1) (a) and (2), Article 6 (1) GDPR and Article 24 GDPR 2. there is no infringement of Article 5 of the Act of 21 March 2007 until 1 regulation of the installation and use of surveillance cameras (hereinafter: Camera Act) and articles 1 and 4 of the Royal Decree of 10 February 2008 to establishing the manner in which it is indicated that there is camera surveillance takes place (hereinafter: Royal Decree of 10 February 2008). The report also contains findings that go beyond the subject of the complaint. The Inspectorate has established, broadly speaking, that: 3. there is a violation of Article 30, paragraph 1, paragraph 2 and paragraph 3 GDPR. 5. On October 27, 2022, the Litigation Chamber will decide on the basis of Article 95, § 1, 1° and Article 98 WOG that the file is ready for treatment on the merits. 1BS 31 May 2007. 2BS 21 February 2008. Decision on the merits 81/2023 – 3/11 6. On 27 October 2022, the parties concerned will be notified by registered mail of the provisions as stated in Article 95, § 2, as well as of these in Article 98 WOG. They are also informed of the terms for their to file defenses. As regards the findings relating to the subject matter of the complaint, the deadline for receipt of the statement of defense from the defendants recorded on 7 December 2022, this for the complainant's statement of reply 28 December 2022 and finally those for the defendants' statement of rejoinder on January 18, 2023. With regard to the determinations outside the subject of the complaint, the deadline was set for receipt of the statement of defense of the defendants recorded on December 7, 2022. 7. On October 28, 2022, the second Respondent electronically accepts all communications about the case. 8. On 3 November 2022, the second defendant requests a copy of the file (Article 95, § 2, 3° WOG), which was sent to him on November 21, 2022. 9. On 7 December 2022, the Litigation Chamber will receive an amended version of the register of processing activities of the second defendant. II. Motivation II.1. Identification of the controller and processor 10. The Disputes Chamber finds that both the complaint and the complainant's answer to the questions from the Inspectorate clearly stipulate that the complaint is directed against the second defendant. In his complaint, the complainant asks whether the security camera collected footage of him that was used for the imposition of a GAS fine was validly imposed. However, investigations by the Inspectorate show that the first defendant is the data controller for the surveillance camera described in the complaint and that the second defendant acts as a processor in this context the framework of the writing of the GAS fine based on the camera images. The parties do not dispute this finding. The first defendant must therefore be qualified as controller and the second defendant as processor as regards the processing at issue. II.2. Article 5, paragraph 1, a) (lawfulness) in conjunction with Article 6, paragraph 1 GDPR and Article 5, paragraph 2 in conjunction with Article 24, paragraph 1 GDPR 11. The contested processing in the present case concerns the making of visual material by one or multiple cameras at the bottle bank where this footage was used afterwards in Decision on the substance 81/2023 – 4/11 in the context of imposing a GAS fine. The question arises whether the processing of personal data by these surveillance cameras is done lawfully and or in this framework, appropriate technical and organizational measures have been taken to ensure the to ensure compliance with the GDPR. 12. The Litigation Chamber recalls that pursuant to Article 5(1)(a) GDPR personal data must be lawfully processed. This means that the processing must be done on on the basis of the processing grounds as set out in Article 6(1) GDPR. 13. Based on its investigation, the Inspectorate determines that the processing is necessary for the performance of a task of general interest or of a task within the framework of the exercise of public authority vested in the controller assigned (Article 6(1)(e) GDPR). The public interest task in question is it preventing and combating illegal dumping, litter and protecting the public cleanliness and health. The inspection report also refers to Article 9.3 of this the general police regulation Y1, which stipulates that, when a violation of a determination is committed with a motor vehicle, in the absence of the driver, the administrative fine is imposed on the holder of the registration plate of the vehicle. The holder of the registration plate may prove by any means who is on the was driving the vehicle at the time of the facts. If the license plate holder has the does not rebut or deny the infringement, the administrative fine will be charged to him. In in its privacy statement, the first defendant also informs the data subjects that personal data can be processed in the context of the public interest. Having based on the above, the Inspectorate comes to the conclusion that the processing of the personal data of the complainant takes place in the context of the public interest and that this processing is necessary for the performance of that task of public interest, as a result of which no infringement of Article 5 (1) a) and Article 6 (1) GDPR is established. 14. Article 24(1) of the GDPR obliges the controller to, account taking into account the nature, scope, context and purpose of the processing, as well as the risks of varying likelihood and severity to the rights and freedoms of natural persons, take appropriate technical and organizational measures to to ensure and be able to demonstrate that the processing is in accordance with GDPR is carried out. These measures should also be evaluated and if necessary updated. This article reflects the principle laid down in Article 5(2) of the GDPR of "accountability", according to which "the controller responsible for compliance with paragraph 1 and must be able to demonstrate this". Article 24(2). of the GDPR stipulates that, when proportionate to the processing activities, the measures referred to in Article 24(1) of the GDPR, an appropriate include data protection policies to be adopted by the controller Substantive decision 81/2023 – 5/11 executed. Since no infringement of Article 5 (1) (a) and Article 6 (1) GDPR was made established, the Inspectorate concludes that there is no infringement of Article 5 (2) and Article 24 (1) GDPR. 15. Based on the inspection report and considering that the complainant has no arguments arguments to the contrary, the Disputes Chamber sees no reason to do so to take a different position in this regard. Consequently, the Litigation Chamber that there is no violation of Article 5(1)(a) and (2), Article 6(1) and Article 24(1) of the GDPR in respect of the first defendant. II.3. Article 5 Camera Act and Articles 1 and 4 Royal Decree of 10 February 2008 16. Based on article 5 of the Camera, articles 1 and 4 of the KB of 10 February 2008. it is necessary for the controller to comply with certain rules if he wants to proceed to the installation and use of one or more permanent surveillance cameras an unenclosed place. The obligations from the aforementioned articles, the compliance of which is examined in the context of the inspection investigation can be summarized as follows: a. the decision to place is made by a public authority that is the controller; b. even before the placement, the controller must receive a positive advice from the relevant municipal council, which consults the chief of police for this purpose; c. access to the data is not decided by the controller place an icon indicating that camera surveillance is taking place. That pictogram must be in accordance with Articles 1 and 4 of the Royal Decree of February 10, 2008 are applied to an aluminum plate of at least 1.5 mm thickness with dimensions of 0.60 x 0.40 m and determined in a visible and legible manner contain entries. 17. During the inspection investigation, the first defendant alleges the following: “ a. This concerns a temporary fixed surveillance camera in a non-enclosed place, throughout the territory of the municipality. The municipality uses permanent temporary surveillance cameras. That is why there are on all approach roads of the municipality icons applied. You can find photos and examples of these icons can be found in appendix 2, as well as the work order to place the pictograms (attachment 3). The pictograms are drawn up in accordance with the Royal Decree of February 10, 2008 about reporting camera surveillance. An example of one inscription under the pictogram can be found in appendix 4. Decision on the substance 81/2023 – 6/11 b. The camera is said to have been in use since March 2019 to the present as the municipality regarded this location as a fly-tipping sensitive location and still do case would be. c. An advice was obtained from the chief constable for the placement of this camera and you can find this advice in appendix 5, in particular in point 2.1 on portable ones (temporarily fixed) cameras. d. The chief of police was consulted before the camera was placed as well as the social security service, environment service, community guards and other members of the local police force. e. A decision was taken by the Y1 City Council in this regard. It an extract can be found in appendix 6.” 18. After examining these answers and the appendices, the Inspectorate concludes that article 5 of the Camera Act and articles 1 and 4 of the Royal Decree of 10 February 2008 were complied. 19. In view of the inspection report and the fact that the complainant does not put forward any counterarguments, sees the Disputes Chamber has no reason to take a different position in this regard. The Disputes Chamber therefore concludes that there is no question of a violation of Article 5 of the Camera Know Articles 1 and 4 of the Royal Decree of 10 February 2008 of the first defendant. II.4. Article 30, paragraph 1, paragraph 2 and paragraph 3 GDPR 20. Based on the register of processing activities, the Inspectorate determines that the second defendant carries out processing of personal data, both as processor and in the capacity of controller. The Inspectorate will therefore also check the assess compliance of the second defendant with the requirements regarding this register in the light of the applicable capacity and respective obligations. 21. Pursuant to Article 30(1) GDPR, each controller must maintain a register keep track of the processing activities that come under its responsibility executed. Article 30(1)(a) to (g) GDPR stipulates that, with regard to the processing operations carried out in the capacity of controller, the following information must be available: a) the name and contact details of the controller and any joint controllers and, where applicable, of the representative of the controller and of the officer for data protection; b) the processing purposes; Decision on the substance 81/2023 – 7/11 c) a description of the categories of data subjects and of the categories of personal data; d) the categories of recipients to whom the personal data have been or will be provided, including recipients in third countries or international organisations; e) where applicable, transfers of personal data to a third country or a international organisation, including the reference to that third country or countries international organization and, in the case of the organizations referred to in Article 49(1) second subparagraph GDPR, such transfers, the documents concerning the appropriate safeguards; f) if possible, the envisaged time limits within which the different categories of data must be erased; g) if possible, a general description of the technical and organizational security measures as referred to in Article 32 (1) GDPR. 22. Pursuant to Article 30(2) GDPR, the processor shall keep a record of all categories of processing activities they perform for a controller have done. This register contains the following information: a) the name and contact details of the processors and of each controller on behalf of which the processor is acting, and, in where applicable, of the representative of the controller or the processor and of the data protection officer; b) the categories of processing operations carried out on behalf of each controller have been carried out; c) where applicable, transfers of personal data to a third country or a international organisation, specifying that third country or international organisation organization and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documents on the appropriate safeguards; d) if possible, a general description of the technical and organizational security measures as referred to in Article 32(1). 23. The Inspection Service deals with the register of processing activities of the second the following findings, as summarized below. 24. The record of the processing activities of the second defendant that was provided to the Inspection Service does not meet the aforementioned minimum requirements. Specifically, the Inspectorate established the following infringements in that regard: Decision on the substance 81/2023 – 8/11 a) the contact details of the second defendant are not complete (cf. Article 30(1)(a)) and paragraph 2, a) of the GDPR) since the e-mail addresses […] and […] from the website and the privacy statement of the second defendant (documents 13 and 14) are not mentioned; b) the description of the categories of data subjects is incomplete (cf. Article 30(1)(c)) of the GDPR) since in the columns “Category data subject” the words are used several times become “employees”, “politicians” and “contact persons of affiliated partners”. mentionwhile it is not clear through a description what those words concretely mean c) the description of the categories of personal data is incomplete (cf. Article 30, paragraph 1, c) of the GDPR) since in the columns “Category of personal data” repeatedly the words “personal identification data”, “criminal data”, “medical data”, and “financial data” are mentioned while not it is clear through a description what those words mean concretely; d) the name and contact details of each controller responsible for processing of which the second defendant acts as a processor are not listed (cf. Article 30, paragraph 2, a) AVG) and are therefore missing in the tabs "Administrative enforcement" and, among other things “Neighborhood works”. 25. The Litigation Chamber points out that in order to effectively fulfill the obligations contained in the GDPR can apply, it is essential that the controller and the processors have an overview of the processing of personal data they carry out to carry out. This register is therefore primarily an instrument for assist controller or processor in GDPR compliance for the various data processing operations that it performs because the registry is the most important reveal its features. The Disputes Chamber is of the opinion that this processing register is an essential tool in the context of the already mentioned accountability (article 5, paragraph 2, and article 24 GDPR) and that this register is the basis to all obligations that the GDPR imposes on the controller and processor imposes. It is therefore important that it is complete and correct. 26. On December 7, 2022, the Disputes Chamber has an amended register of processing activities from the second defendant. The Disputes Chamber states established that this register of processing activities meets various requirements findings of the Inspectorate. 27. With regard to the last determination of the Inspectorate, namely the statement of the name and contact details of each data controller of which the second defendant is acting, the Disputes Chamber notes that this is not yet the case was met. The Disputes Chamber finds that the second defendant for various processing operations as a processor, without clarifying for which Decision on the substance 81/2023 – 9/11 controller it acts. Thus, the Disputes Chamber rules that there is is an infringement of Art. 30(2)(a) GDPR. 28. For the sake of completeness, the Disputes Chamber points out that from the register of processing activities shows that the functions of data protection officer and the safety consultant are carried out by the same person. In this regard, the Litigation Chamber notes that the Court of Justice has recently ruled that there may be of a conflict of interest within the meaning of Article 38(6) GDPR when to an officer for data protection other tasks or duties are entrusted to him would convey the purposes of and means of the processing establish personal data with the controller or its processor. This has to be done on a case by case basis based on an assessment of all relevant circumstances, in particular the organizational structure of the controller or its processor, and in the light of the applicable regulation in its entirety, including any policy of the 3 controller or its processor. 29. The Disputes Chamber is of the opinion that the second defendant, the processing register, she it incomplete, has it transferred in electronic form by mail at the first request ? of the Inspectorate. Consequently, the Litigation Chamber rules that there is no infringement of Article 30 (3) GDPR. III. Sanctions 30. On the basis of the documents in the file, the Disputes Chamber establishes that there is a violation of Article 30 paragraph 2, a) GDPR. 31. Pursuant to Article 100 of the WOG, the Disputes Chamber has the authority to: "1° to dismiss a complaint; 2° to order the exclusion of prosecution; 3° order the suspension of the judgment; 4° propose a settlement; 5° formulate warnings and reprimands; 6° to order that the data subject's requests to exercise his rights be complied with to practice; 7° order that the data subject be informed of the security problem; 8° order that the processing be temporarily or permanently frozen, restricted or prohibited; 9° order that the processing be brought into compliance; 10° rectification, restriction or deletion of data and notification 3 ECJ 9 February 2023, X-FAB Dresden GmbH & Co. KG t. FC, C-453/21, ECLI:EU:C:2023:79. Decision on the substance 81/2023 – 10/11 to recommend it to the recipients of the data; 11° to order the withdrawal of the accreditation of certification bodies; 12° to impose penalty payments; 13° to impose administrative fines; 14° the suspension of cross-border data flows to another State or to recommend an international institution; 15° transfer the file to the prosecutor's office of the public prosecutor in Brussels, who informs it of the follow-up given to the file; 16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority." III.1. Infringement of Article 30 (2) (a) GDPR 32. The Disputes Chamber is of the opinion that a reprimand based on Article 100, §1, 5 WOG in this case is designated for the infringement of Article 30(2)(a) GDPR. The Dispute Room ruled that the register of processing activities provided by the second defendant is incomplete, as established in the inspection report. In this context the Litigation Chamber notes that, although the second defendant is admittedly currently steps to rectify these breaches, too little effort has been made are to finalize the register of processing activities as provided for in Article 30 AVG.Again in this regard, the Litigation Chamber once again points out that the AVG is already almost applicable for five years and entered into force seven years ago. III.2. Other grievances 33. The Litigation Chamber proceeds to a deposit of the other grievances and findings of the Inspectorate because, based on the facts and the documents in the file, they do not belong to the conclude that there has been a breach of the GDPR. These grievances and findings of the Inspectorate are therefore regarded as manifestly unfounded within the meaning of Art. 57(4) GDPR. IV. Publication of the decision 34. Given the importance of transparency with regard to decision-making by the Litigation Chamber, this decision will be published on the website of the Data Protection Authority. However, it is not necessary for the identification data of the parties are disclosed directly. 4 See point 3.A.2 of the Litigation Chamber's Dismissal Policydd. June 18, 2021, available at https://www.dataprotectionauthority.be/publications/sepotbeleid-van-de-geschillenkamer.pdf. Decision on the substance 81/2023 – 11/11 FOR THESE REASONS, the Disputes Chamber of the Data Protection Authority decides, after deliberation, to: - formulate a reprimand based on article 100, §1, 5° WOG with regard to the infringement of Article 30(2)(a) GDPR by the second defendant; and - to dismiss the other grievances pursuant to Article 100, §1, 1° WOG. Pursuant to Article 108, § 1 of the WOG, within a period of thirty days from the notification against this decision may be appealed to the Marktenhof (court of Brussels appeal), with the Data Protection Authority as defendant. Such an appeal may be made by means of an inter partes petition 5 must contain the information listed in Article 1034ter of the Judicial Code . The inter partes petition must be submitted to the Registry of the Market Court in accordance with article 1034quinquies of the Ger.W. , 6 or via the e-Deposit IT system of Justice (Article 32ter of the Ger.W.). (get). Hielke IJMANS Chairman of the Litigation Chamber 5"The petition states under penalty of nullity: 1° the day, month and year; 2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or enterprise number; 3° the surname, first name, place of residence and, if applicable, the capacity of the person to be summoned; 4° the object and brief summary of the means of the claim; 5° the court before which the action is brought; 6° the signature of the applicant or his lawyer." 6 The petition with its annex shall be sent, in as many copies as there are parties involved, by registered letter sent to the clerk of the court or deposited with the clerk of the court."