APD/GBA (Belgium) - 60/2023

From GDPRhub
Revision as of 08:17, 6 June 2023 by FeestHoed (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Belgium |DPA-BG-Color= |DPAlogo=LogoBE.png |DPA_Abbrevation=APD/GBA |DPA_With_Country=APD/GBA (Belgium) |Case_Number_Name=60/2023 |ECLI= |Original_Source_Name_1=Gegevensbeschermingsautoriteit |Original_Source_Link_1=https://www.gegevensbeschermingsautoriteit.be/publications/beslissing-ten-gronde-nr.-60-2023.pdf |Original_Source_Language_1=Dutch |Original_Source_Language__Code_1=NL |Original_Source_Name_2= |Original_Source_Link_2= |Origin...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
APD/GBA - 60/2023
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(a) GDPR
Article 5(2) GDPR
Article 6(1) GDPR
Article 6(1)(a) GDPR
Article 6(1)(f) GDPR
Article 12 GDPR
Article 12(1) GDPR
Article 12(2) GDPR
Article 13 GDPR
Article 13(1) GDPR
Article 13(2) GDPR
Article 14 GDPR
Article 24(1) GDPR
Article 24(2) GDPR
Article 25(1) GDPR
Article 25(2) GDPR
Type: Complaint
Outcome: Upheld
Started: 31.05.2022
Decided: 24.05.2023
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: 60/2023
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Dutch
Original Source: Gegevensbeschermingsautoriteit (in NL)
Initial Contributor: Enzo Marquet

The Belgian DPA reprimands a supermarket for lack of legal basis to check CCTV images to resolve a customer complaint. The DPA stated that the employees accessing the CCTV also should have received more in-depth training.

English Summary[edit | edit source]

Facts[edit | edit source]

The controller is a supermarket, and the data subject a customer. After receiving an unsatisfactory customer satisfaction score from a customer satisfaction survey, the controller contacted the data subject to see how it could improve its service. The data subject complained about an unfriendly cashier. The controller then informed the data subject that they would start an investigation, without providing more information on how this would happen.

To check which cashier was meant by the data subject, the controller checked the CCTV footage, which did not show any unpleasant behaviour. The controller informed the data subject about this, and also included a picture of the data subject laughing together with the cashier. This picture was taken from the CCTV. The data subject was not pleased with this and submitted a complaint with the DPA.

In their defense, the controller stated that this was a one time mistake done by an employee without the intent to infringe the privacy of the data subject. In hindsight, the controller and its employees found the processing to be unlawful and contradictory to internal practices. The controller suspended the processing of all surveys while waiting for the decision of the DPA. On top of that, the controller reached out to the data subject to apologise and to search an amicable solution.

Holding[edit | edit source]

The Belgian DPA began by assessing if they CCTV images were accessed lawfully in light of the customer satisfaction survey follow-up based on Article 5. The controller did not dispute the fact that there was no legal basis for this processing and that it should not have happened. Never the less, the DPA assessed whether Article 6(1)(f) could be applicable. The DPA found that the balancing test conducted for the legitimate interest basis was in favour of the data data subject as there was no way to know, nor reasonably expect that the CCTV images would be used for the surveys. As such, the DPA concluded a lack of legal basis for processing and a breach of Article 5(1)(a) and Article 6(1)(a).

The Belgian DPA continued by checking the taken technical and organizational measures to prevent abuse of CCTV images in light of Article 5(2), Article 24(1) and Article 24(2). The DPA verified that the controller took the following measures: access was limited to a limited number of employees, these employees had received elaborate instructions and the access was protected with passwords. The DPA concluded that the selected employees should have received a more in-depth training about the processing of personal data. The DPA concluded a breach of Article 5(2), Article 24(1) and Article 25(1).

Lastly, the DPA assessed whether the data subject was sufficiently informed about the usage of the CCTV images for the purpose of the customer satisfaction survey. The DPA reconfirmed that Article 12(1) obligates the controller to take adequate measures to inform the data subject about the processing as stated in Article 13 and Article 14. The DPA concluded that the data subject was not informed about the usage of the CCTV images specifically for the survey, namely that an employee would check them. As such, the DPA concluded a breach of Article 12(1), Article12(2), Article 13(1) and Article 13(2).

The DPA added that the controller showed honest intent and good will when dealing with the DPA. Additionally, the processing did not happen systematically nor at great scale as it was outside the main activity of the controller. Coupled with the fact that this was a human error, not a technical incident, the DPA reprimanded the controller for breach of transparency and information obligations under Article 5(1)(a), Article 6(1), Article 12, Article 13, Article 24(1), Article 25(1) and Article 25(2).

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

1/13




                                                                       Litigation room


                                      Decision on the substance 60/2023 of 24 May 2023


File number : DOS-2022-02378


Subject: Consulting camera images in the context of a

satisfaction survey



The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke

Hijmans, chairman, and Messrs. Frank De Smet and Christophe Boeraeve, members;


Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
on the protection of natural persons with regard to the processing of

personal data and on the free movement of such data and revocation of

Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR;

Having regard to the law of 3 December 2017 establishing the Data Protection Authority,

hereafter WOG;


Having regard to the rules of internal order, as approved by the Chamber of

Representatives on 20 December 2018 and published in the Belgian Official Gazette on
January 15, 2019;


Having regard to the documents in the file;


Made the following decision regarding:



The complainant: Mrs X, hereinafter referred to as “the complainant”;


The Defendant: Y as Counsel Mr. Erik Greeve, with office at 2600 Berchem,
                  Koninklijkelaan 60, hereinafter referred to as “the defendant. Decision on the substance 60/2023 – 2/13


I. Factual Procedure


 1. On 31 May 2022, the complainant submits a complaint to the Data Protection Authority

       against the defendant.

   2. The Defendant operates a[…]supermarket as a franchisee.For the purpose of customer satisfaction

       franchisor […] conducts its own satisfaction surveys. Every customer who has

       about a loyalty card, including the complainant, is invited through the application (…)

       to give a score from 1 to 10 on the satisfaction with the store visit. At a score
       of 6 or lower, […] forwards it to the affected retailer/franchisee who then deems it

       is contacted with the customer to see what is the cause of the low score and

       therefore low satisfaction, which has happened in the present case. At the request of the defendant

       informed the complainant that the low score was due to the fact that the

       (checkout) employees would not always be friendly. In order to good

       services left the responsible employee of the defendant to the complainant
       know they will conduct an investigation, without providing more information about the

       how this investigation would proceed. To find out where or by whom the complainant

       would have been treated unfriendly during her visit, the

       controller consulted the camera images. From these CCTV footage

       According to the employee concerned, it could not be concluded that the complainant had been killed by one
       whether several members of staff had been treated unkindly. The

       The responsible employee also informed the complainant of this and sent her a

       image showing both the cashier and the complainant herself smiling

       goods. The complainant then sent a complaint to the customer service of […] and has

       she also filed a complaint with the GBA.

 3. On 29 June 2022, the complaint will be declared admissible by the First Line Service on the grounds

       of Articles 58 and 60 WOG and the complaint is dismissed pursuant to Article 62, § 1 WOG

       submitted to the Disputes Chamber.

 4. On 30 June 2022, in accordance with Article 96, § 1 WOG, the request of the

       Disputes Chamber to carry out an investigation submitted to the Inspection Service,

       together with the complaint and the inventory of the documents.

 5. The investigation by the Inspectorate will be completed on August 16, 2022, it will be

       report is appended to the file and the file is reviewed by the Inspector General

       sent to the Chairman of the Litigation Chamber (Article 91, § 1 and § 2 WOG).

       The report contains findings regarding the subject of the complaint and decision

       that there is:

          1. a breach of Article 5(1)(a) and Article 6(1) of the GDPR; Decision on the substance 60/2023 – 3/13


         2. a breach of Article 5(2), Article 24(1) and Article 25(1) and (2) of the GDPR; and


         3. an infringement of Article 12(1) and (2), Article 13(1) and (2), Article 5(2), Article 24,
            paragraph 1 and Article 25 paragraph 1 of the GDPR.


6. On 17 August 2022, the Litigation Chamber will decide on the basis of Article 95, § 1, 1° and Article 98

     WOG that the file is ready for treatment on the merits.

7. On 17 August 2022, the parties involved will be notified by registered mail

     of the provisions as stated in Article 95, § 2, as well as of these in Article 98 WOG.

     They are also informed of the terms for their

     to file defenses.

     As regards the findings relating to the subject matter of the complaint, the

     deadline for receipt of the statement of defense from the defendant

     recorded on 12 October 2022, this for the complainant's statement of reply on 2

     November 2022 and finally those for the defendant's reply on 23
     November 2022.


8. On August 18, 2022, the complainant electronically accepts all communication regarding the

     case and informs the Disputes Chamber that it does not wish to add anything to the investigation report

     to add.

9. On October 12, 2022, the Disputes Chamber will receive the statement of defense from the

     defendant. The defendant states that the camera images were consulted with the

     best intentions, namely to remediate the complainant's experience
     as a customer, but that she realizes that she should not have been allowed the camera images

     consult. The defendant maintains that they have taken various security measures

     and that this incident is a one-off human error. As for the

     information obligations regarding the consultation of the images, argues the

     defendant that the complainant was indeed not informed in advance about the –

     unlawful - use of the camera images in the context of the investigation of the
     allegations of the complainant.


10. On October 12, 2022, the Disputes Chamber informs the defendant that the complainant has nothing

     wish to add to the Inspection Report. Decision on the substance 60/2023 – 4/13


II. Motivation


    II.1. Article 5, paragraph 1, a) (lawfulness) j° Article 6, paragraph 1, and Article 5, paragraph 2, Article 24 paragraph 1 and
         Article 25 (1) and (2) GDPR (accountability)


        II.1.1. Article 5, paragraph 1, a) (lawfulness) j° Article 6, paragraph 1 GDPR

            II.1.1.1. Findings in the Inspection Report


 11. The Inspectorate comes to the following conclusions during the inspection:


            a. During the inspection investigation, the defendant argues that it had not done any
               personal data were processed in the context of the satisfaction survey.

               The employee would only have access to the data that becomes him

               delivered by […] Belgium.

            b. The claim that the defendant does not process personal data is incorrect.

               After all, it appears from the file that at the request of the defendant

               personal data of the complainant have been processed in the context of the complaint

               the defendant know during the inspection investigation that the trajectory of the

               the complainant was followed by the defendant's shop and that a screenshot

               of the CCTV footage was taken and provided to the complainant.

            c. In view of the above elements, the defendant does not demonstrate in its answer

               on what legal basis the personal data of the complainant were obtained

               processed in the context of the investigation in response to the aforementioned
               satisfaction survey.


 12. The Inspectorate therefore finds that the defendant has complied with the obligations imposed by

       has not complied with Article 5 (1) (a) and Article 6 (1) GDPR.

            II.1.1.2. Defendant's position


 13. The defendant does not dispute the finding of the Inspectorate per se, but wishes one

       and others to explain. The facts occurred in the context of a
       satisfaction survey via the application (…), which only takes place among persons with a

       loyalty card. Through the privacy conditions of the loyalty card of […], the

       informed of the legal bases on which […] the

       processes personal data in the context of a satisfaction survey, as well as the

       retention period.When a score is given through such a satisfaction survey of

       6 or less out of 10, then the franchisee is asked by[…] to record this and to
       to research.


 14. First, the defendant points out that it is important to make the distinction

       between the data processed in response to the request of[…] – via the (…) Decision on the substance 60/2023 – 5/13


       application – to survey the customer through the satisfaction survey on the one hand and

       on the other hand, the improper use of the camera images for the further follow-up of the

       score of 6 or less out of 10. For the use of the (…) application, the defendant notes

       that […] is the controller who has a contract with (…).

       Consequently, the defendant does not consider itself as a controller for the collection

       of the personal data in the context of the satisfaction surveys

       indicated.

 15. Upon receipt of the report from […] about the complainant's lower satisfaction score,

       the defendant has contacted her for the reasons for the lower score

       to know. During this conversation, the complainant indicated that she was not satisfied with the

       friendliness of the (checkout) employees of the store. Out of genuine concern

       the authorized employee of the defendant initiated an investigation. He did this
       by viewing the camera images, in order to determine whether the complainant is indeed

       were treated unkindly in cases where there could be a remedial action. Althoughde

       involved employee has done this with the best of intentions, realize and acknowledge

       the defendant and the employee that this resulted in incorrect use of the

       camera images.

 16. For the sake of completeness, the defendant adds that it processes the camera images

       for the purpose of monitoring the store, in principle on the basis of consent, by

       through the placement of the required pictogram with symbol as provided by the

       Camera Act and the Royal Decree of 10 February 2008 establishing the manner in which

       indicated that camera surveillance is taking place .1


           II.1.1.3. Review by the Litigation Chamber

 17. First of all, the Disputes Chamber notes that the defendant has argued in its conclusions

      objection to the lawfulness of the processing of personal data via the app (…)

      and the placement of the surveillance cameras. Since the object of the complaint is no

      relates to the lawfulness of these processing operations, and in the absence of a

      dispute, the Litigation Chamber will not investigate these aspects.

 18. In this case, the Disputes Chamber will have to assess whether the camera images of the complainant have already been

      were not lawfully consulted.


 19. The Litigation Chamber recalls that pursuant to Article 5(1)(a) GDPR personal data

      must be lawfully processed.

 20. As already mentioned above, the object of the complaint concerns the consultation of the

      camera images in the context of the investigation in response to the lower score on the


1In full: Act of 21 March 2007 regulating the installation and use of surveillance cameras and Royal Decree of
10/02/2008 establishing the way in which it is indicated that camera surveillance takes place, BS 21 February 2008. Decision on the substance 60/2023 – 6/13


      satisfaction survey. The defendant acknowledges that this processing is not based on a legal basis

      was based on Article 6 (1) GDPR and that this contested processing should therefore not have been allowed

      take place.


 21. According to Article 6.1.f) of the GDPR and the case law of the Court of Justice of the European
      Union (hereinafter "the Court"), three cumulative conditions must be met for a

      controller can validly rely on this lawful basis

      professions. 2


 22. In order to be able to rely on the legal basis in accordance with Article 6(1)(f) of the GDPR

      of the "legitimate interest", the controller must indicate
      show that:

      a) the interests he pursues with the processing can be considered legitimate

      recognized (the “goal test”);

      b) the envisaged processing is necessary for the pursuit of these interests (de

      “necessity test”); and

      c) the balancing of these interests against interests, fundamental rights and the

      fundamental freedoms of the data subjects in favor of the

      controller (the “balancing test”).

 23. The Litigation Chamber is of the opinion that the controller in the context of the

      exercise of its commercial activities meets the first condition a priori

      fulfilled, namely to pursue customer satisfaction.

 24. The second condition also appears to be met, as the camera images

      are necessary to get a clear picture of the nature of the interactions of the

      complainant with the (checkout) staff.


 25. However, the third condition is not met. The complainant's footage was

      consulted without its knowledge (contrary to
      Article 13 of the GDPR, as indicated below) and without the data subject

      processing could be expected. At least for these reasons, the trade-off between the

      interests, freedoms and fundamental rights of the complainant and the defendant in favor of

      the complainer.


 26. In view of the above, the Litigation Chamber determines that there has been a violation
      to Article 5 (1) (a), Article 6 (1) GDPR.









22See in particular Court of Justice of the European Union (CJEU), judgment of 11 November 2019 (C - 708/18) TK v.
Asociatia de Porpietari bloc MA-ScaraA, rulings and regarding Article 7 f) of Directive 95/46/EC. Decision on the substance 60/2023 – 7/13


  II.2. Article 5, paragraph 2 Article 24 paragraph 1 and Article 25, paragraph 1 and paragraph 2 GDPR (accountability)


      II.2.1. Findings in the Inspection Report


27. In the context of the inspection investigation, the Inspectorate asked the

    defendant which technical and organizational measures have been taken
    to ensure that the complainant complies with the processing principles

    to safeguard personal data. In its answer to this question, the defendant states

    briefly which personal data of the complainant have been processed in the context of the investigation

    in response to the aforementioned satisfaction survey with a score of 6/10. The Inspection Service

    notes, however, that this question covers all the basics of the GDPR

    which must be applied by each data controller since 25 May 2018
    (that is the date on which the GDPR became applicable based on Article 99(2) of the GDPR

    GDPR), which makes the answer given incomplete, according to the Inspection Report. The

    The Inspectorate therefore finds that the defendant has committed an infringement of Article

    5, Article 24 (1) and Article 25 (1) and (2) of the GDPR.

      II.2.2. Defendant's position


28. The defendant points out that it does indeed have organizational and technical measures

    has taken with regard to the processing of the camera images.Only a very limited number

    persons, including the employee in question, can consult these camera images.

    The persons who have access to the images, including this employee

    instructed when and how these images may or may not be consulted. The
    access to the images is protected by means of passwords, and the necessary backups

    be present.


      II.2.3. Review by the Litigation Chamber


29. Article 24(1) of the GDPR obliges the controller to, account
    taking into account the nature, scope, context and purpose of the processing, as well as the

    risks of varying likelihood and severity to the rights and freedoms of

    natural persons, take appropriate technical and organizational measures to

    to ensure and be able to demonstrate that the processing is in accordance with GDPR

    is carried out. These measures should also be evaluated and if necessary

    updated. This article reflects the principle laid down in Article 5(2) of the GDPR
    of "accountability", according to which "the controller

    is responsible for compliance with paragraph 1 (accountability) and must be able to do so

    demonstrate". Article 24(2) of the GDPR states that, when this is proportionate to the

    processing activities, the measures listed in Article 24(1) of the GDPR, a

    include appropriate data protection policies issued by the

    controller is carried out. Decision on the substance 60/2023 – 8/13


30. It is also the controller's responsibility to,

     in accordance with Articles 24 (responsibility) and 25 of the GDPR

     (data protection by design and by default), the necessary compliance with the
     effectively integrate the rules of the GDPR into the design of its

     processing activities and in its procedures.


31. With regard to the measures that were taken before the questionable processing, the

     defendant that access to the camera images was limited to a few well-defined ones
     persons who had received the necessary instructions, and that access to the images

     was protected with passwords.


32. The incident involving the unlawful consultation of the camera images by an employee
     of the defendant, points out that there are technical and

     organizational measures had been taken by the defendant, but that these

     were insufficient. An example of a preliminary technical and

     organizational measure that should have been taken is more thorough information

     regarding the processing of personal data to employees.

33. In view of the above, and the established infringement of Article 5(1)(a) (lawfulness)

     j° Article 6, paragraph 1 GDPR, the Disputes Chamber determines that there has been a violation of

     Article 5 (2) Article 24 (1) and Article 25 (1) and (2) GDPR with regard to the
     legality.


34. With regard to the other fundamental principles of Article 5(1)(b) to inclusive. f) sets the

     Litigation Chamber finds that the Inspection Report contains insufficient indications or evidence

     demonstrating a breach of these principles.

   II.3. Article 12 (1) and (2) GDPR, Article 13 (1) and (2) GDPR


      II.3.1. Findings in the Inspection Report


35. In the context of the Inspectorate investigation, the defendant was asked how the law
     transparency and information of the complainant was guaranteed by it. The

     The defendant replied that the sticker of the camera surveillance at the entrance

     of the store is visible.

36. The Inspectorate argues that this answer from the defendant does not demonstrate that it has the

     the complainant effectively transparently and when obtaining her personal data

     informed of the information to be provided in accordance with Articles 12

     and 13 GDPR. After all, this information had to be provided to the complainant in the context of

     following the investigation carried out by an employee of the defendant
     of a satisfaction survey in which the complainant gave a score of 6 out of 10. Substantive decision 60/2023 – 9/13


 37. According to the Inspectorate, the defendant does not demonstrate which technical and

       organizational measures have been taken to exercise the rights of

       the data subjects (such as the right of access of the complainant) to facilitate and adequately

       can follow up in accordance with Article 12 of the GDPR. The Inspectorate refers in that

       related to:

           a. the finding 1 from the Inspection Report showing that the defendants

               falsely claims that no personal data has been processed;


           b. the fact that the defendant does not mention anything in its answer and copy

               provides documents that in practice:

                    i. inform and inform the management and employees of the defendant

                       raising awareness about the facilitation and adequate follow-up of the rights of

                       the data subjects, and;

                   ii. contribute to preventing infringements and (human) errors regarding the rights of

                       those involved are followed up effectively and efficiently and where necessary

                       be sanctioned.


        II.3.2. Defendant's position


 38. The defendant reiterates the importance of making a distinction between the
       data processed in response to the request of […] – via the (…)

       application – to question the customer in response to a lesser score on it

       satisfaction survey on the one hand and the improper use of the

       camera images for further follow-up.


 39. For the use of the (…) application, the defendant remarks once again that […] the
       controller who has an agreement with (…).


 40. With regard to the camera images, the customer is normally informed of the processing by
                                3
       by means of the pictogram as provided for in the Camera Act that is located at the entrance of the store

       was placed. However, the defendant notes that this is less relevant in this case

       since the camera images should not have been used here. So that's it
       correct that the complainant was not informed about the - unlawful - use of the

       CCTV footage for the investigation of the complainant's allegations. The Defendant

       emphasizes that camera images will no longer be used under any circumstances

       for investigating customer complaints or concerns.


 41. Furthermore, the defendant wishes to emphasize that as soon as the complainant's complaint – via
       […]– became known to her, she immediately took the necessary steps to



3Law of 21 March 2007 regulating the installation and use of surveillance cameras and Royal Decree of
10/02/2008 establishing the way in which it is indicated that camera surveillance takes place, BS 21 February 2008. Decision on the substance 60/2023 – 10/13


       handle this complaint and search for a solution that satisfies the complainant, which

       was also found. In this context, the defendant refers to an email from the complainant

       in which she thanks the defendant for the mediation and states that the file may be
       closed.


        II.3.3. Review by the Litigation Chamber


 42. The Disputes Chamber notes that the defendant raises arguments with regard to
       the transparency and information obligations regarding the placement of the camera and the

       processing via the (…) app. Since the object of the complaint does not concern

       on the information obligations regarding surveillance cameras by way of the aforementioned

       icon, nor on the processing via the (…) app, and in the absence of a dispute, the

       Litigation Chamber does not investigate these aspects.

 43. The Litigation Chamber must judge whether the complainant has been adequately informed about the

       disputed processing, being the consultation of the images in the context of the

       satisfaction survey, to meet the requirements of articles 12, paragraph 1, paragraph 2, and 13, paragraph 1 and paragraph 2 GDPR

       comply.

 44. Article 12(1) GDPR requires the controller to “use appropriate

       measures” to ensure that the data subject receives the information referred to in Articles 13 and 14

       [...] related to processing in a concise, transparent, understandable and easy way
       accessible forms in a clear, simple language, especially when the

       information is specifically intended for a child”. Article 12(2) prescribes that the

       controller must exercise the rights of the data subject

       facilitate. According to recital 39 of the GDPR, the obligation of transparency means

       that persons must be informed in an accessible and understandable way,

       among other things about the way in which their rights are exercised
       could be.


 45. On the basis of the complaint, the Inspection Report and the conclusions of the defendant, the

       Litigation Chamber, the employee concerned informed the complainant that a
       investigation would be conducted based on the satisfaction survey, but that the complainant was not

       informed about the method of this research. After all, the complainant was not

       informed that the camera images would be consulted by the employee

       for this investigation, as a result of which the information as stipulated in Article 13, paragraphs 1 and 2 also does not meet

       the complainant was notified. In view of the above, the Disputes Chamber proposes a
       violation of Articles 12 (1) and (2) and Article 13 (1) and (2) GDPR.


III. Corrective Actions and Sanctions


 46. Pursuant to Article 100 of the WOG, the Disputes Chamber has the authority to: Decision on the substance 60/2023 – 11/13


     1° to dismiss a complaint;

     2° to order the exclusion of prosecution;

     3° to order a suspension of the judgment;

     4° propose a settlement;
     5° formulate warnings and reprimands;

     6° to order that the data subject's requests to exercise his rights be complied with

     to practice;

     7° order that the data subject be informed of the security problem;

     8° order that the processing be temporarily or permanently frozen, restricted or prohibited;

     9° order that the processing be brought into compliance;
     10° rectification, restriction or deletion of data and notification

     of it

     order the recipients of the data;

     11° to order the withdrawal of the accreditation of certification bodies;

     12° to impose penalty payments;

     13° to impose administrative fines;
     14° the suspension of cross-border data flows to another State or

     to recommend an international institution;

     15° transfer the file to the prosecutor's office of the public prosecutor in Brussels, who

     informs it of the follow-up given to the file;

     16° decide on a case-by-case basis to publish its decisions on the website of

     the Data Protection Authority.

47. As regards the penalty, the defendant argues that it realizes that consulting and

     using the CCTV footage when examining the complainant's comments to

     as a result of the satisfaction survey is inappropriate and in violation of the GDPR. The

     The defendant wishes to emphasize that it was a one-off error on the part of one of her
     employees who acted without any intention to invade the complainant's privacy

     harm. In retrospect, the employee also realizes that viewing the images

     was inappropriate and contrary to internal agreements. The defendant requests the

     Litigation Chamber in its assessment and possible sanctions

     to take into account.

48. When assessing the appropriate sanction and/or corrective action, the

     Litigation Chamber takes into account the admission by the defendant of a human error that

     caused the disputed processing. The Disputes Chamber also has an account

     taken into account with the measures taken by the defendant before and after the disputed

     fact has taken, namely the limited access to the camera images, both restricted
     in terms of the number of people, or limited through the use of passwords, and the instructions of

     the defendant to the employee regarding the use of the Substantive Decision 60/2023 – 12/13


      camera images. The Disputes Chamber also notes that discussions have taken place with the

      involved employee afterwards. The defendant also demonstrates good will by

      state that it refuses to use the aforementioned application for the
      satisfaction surveys pending the decision of the Litigation Chamber. The

      the defendant also contacted the complainant to apologize

      and to find an amicable solution, and that it was found. The

      Litigation Chamber also takes into account the mitigating circumstances of the

      processing involved. In this context, the defendant cites mitigating circumstances

      first, the fact that it was a one-off human and not a technical incident,
      and that there was no malicious intent. Finally, the Disputes Chamber notes that the

      contested processing is not carried out systematically and on a large scale and that it does not

      forms part of the main activities of the defendant.

 49. In these circumstances, the Litigation Chamber decides to award the defendant accordingly

      Article 100, §1,5 ° of the WOG to reprimand for consulting camera images on

      unlawfully, and without complying with applicable transparency and

      information obligations constitutes a breach of the GDPR.

IV. Publication of the decision


 50. Given the importance of transparency with regard to decision-making by the

      Litigation Chamber, this decision will be published on the website of the

      Data Protection Authority. However, it is not necessary for the

      identification data of the parties are disclosed directly.




    FOR THESE REASONS,

    the Disputes Chamber of the Data Protection Authority decides, after deliberation, to:


    - formulate a reprimand based on article 100, §1, 5° WOG with regard to the

       consulting camera images in an unlawful manner, without complying with the

       applicable information obligations, which constitutes a breach of Articles 5, paragraph 1, a), paragraph
       2, article 6, paragraph 1, article 12, article 13, article 24, paragraph 1 and article 25, paragraph 1 and paragraph 2 GDPR.






Pursuant to Article 108, § 1 of the WOG, within a period of thirty days from the
notification against this decision may be appealed to the Marktenhof (court of

Brussels appeal), with the Data Protection Authority as defendant. Decision on the substance 60/2023 – 13/13


Such an appeal may be made by means of an inter partes petition

                                                                                                        4
must contain the information listed in Article 1034ter of the Judicial Code . It

a contradictory petition must be submitted to the Registry of the Market Court
                                                                       5
in accordance with article 1034quinquies of the Ger.W. , or via the e-Deposit

IT system of Justice (Article 32ter of the Ger.W.).







(get). Hielke HIJMANS

Chairman of the Litigation Chamber

















































4 The petition states under penalty of nullity:

 1° the day, month and year;
 2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or
     enterprise number;
 3° the surname, first name, place of residence and, if applicable, the capacity of the person to be
     summoned;
 4° the object and brief summary of the means of the claim;

 5° the court before which the action is brought;
 6° the signature of the applicant or his lawyer.
5 The petition with its appendix, in as many copies as there are parties involved, will be sent by registered letter
sent to the clerk of the court or deposited at the clerk's office.