APD/GBA (Belgium) - 81/2023
From GDPRhub
| APD/GBA - 81/2023 | |
|---|---|
 | |
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 6(1)(e) GDPR Article 30(2)(a) GDPR Article 38(6) GDPR Article 1 Koninklijk besluit tot vaststelling van de wijze waarop wordt aangegeven dat er camerabewaking plaatsvindt Article 4 Koninklijk besluit tot vaststelling van de wijze waarop wordt aangegeven dat er camerabewaking plaatsvindt Article 5 Camerawet |
| Type: | Complaint |
| Outcome: | Rejected |
| Started: | 01.02.2021 |
| Decided: | 22.06.2023 |
| Published: | |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | 81/2023 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Dutch |
| Original Source: | Gegevensbeschermingsautoriteit (in NL) |
| Initial Contributor: | Enzo Marquet |
The Belgian DPA confirmed that CCTV images made to protect against littering and illegal dumping can be used to fine a data subject doing the littering, based on public interest under Article 6(1)(e) GDPR.
The DPA also noted that person combining the roles of DPO and safety consultant could pose a breach of Article 38(6) GDPR.
English Summary
Facts
An area was plagued by illegal dumping. To combat this, a CCTV camera was placed. A data subject received a letter stating that he could receive a fine for leaving bottles next to the designated deposit area.
The data subject asked the DPA whether the CCTV images could be used to impose a fine.
Holding
The DPA started by clarifying that there are two parties involved in the CCTV data processing. The controller of the images itself (a municipality), and a processor who used these images to impose fines.
The DPA held that the controller can rely on public interest under Article 6(1)(e) GDPR to prevent illegal dumping, littering, and protecting public cleanliness. On top of that, the controller followed all the requirements as set out by article 5 Camerawet and articles 1 and 4 of KB 10 februari 2008.
The DPA did find several shortcomings in the Record of Processing Activities of the processor: incomplete contact details of the processor and the controller, incomplete & unclear categories of data subjects. As such, the DPA concluded a breach of article 30(2)(a) GDPR. The DPA noted that the DPO of the processor is also a safety consultant. This could result in a breach of Article 38(6) GDPR when the DPO has tasks that enable him to decide the purpose and means of processing.
The DPA reprimanded the processor for not having a complete Record of Processing Activities. The DPA dismissed all other grievances.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/11
Litigation room
Decision on the substance 81/2023 of 22 June 2023
File number : DOS-2021-00731
Subject: Complaint about camera surveillance (illegal dumping)
The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke
Hijmans, chairman, and Messrs. Christophe Boeraeve and Frank De Smet, members;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
on the protection of natural persons with regard to the processing of
personal data and on the free movement of such data and revocation of
Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR;
Having regard to the law of 3 December 2017 establishing the Data Protection Authority,
hereafter WOG;
Having regard to the rules of internal order, as approved by the Chamber of
Representatives on 20 December 2018 and published in the Belgian Official Gazette on
January 15, 2019;
Having regard to the documents in the file;
Made the following decision regarding:
The complainant: Mr X, hereinafter referred to as “the complainant”;
The Defendants: Y1, hereinafter “first Defendant”; and
Y2, hereinafter “second defendant”. Decision on the substance 81/2023 – 2/11
I. Factual Procedure
1. On 1 February 2021, the complainant submits a complaint to the Data Protection Authority
against the second defendant.
The complaint concerns the placement of a security camera by the first defendant at a
bottle bank. The complainant received a letter from the second defendant stating that he
probably committed a violation because after placing his empty bottles
in the bottle bank has left one or more bottles next to the container. This allowed him one
fine be imposed.
2. On February 16, 2021, the complaint will be declared admissible by the First Line Service on
pursuant to Articles 58 and 60 WOG and the complaint is dismissed pursuant to Article 62, § 1 WOG
submitted to the Disputes Chamber.
3. On March 18, 2021, in accordance with Article 96, § 1 WOG, the request of the
Disputes Chamber to carry out an investigation submitted to the Inspection Service,
together with the complaint and the inventory of the documents.
4. The investigation by the Inspection Service will be completed on 13 April 2021, according to the report
appended to the file and the file is transferred by the Inspector General to
the Chairman of the Litigation Chamber (Article 91, § 1 and § 2 WOG).
The report contains findings regarding the subject of the complaint and decision
that:
1. there is no infringement of Article 5 (1) (a) and (2), Article 6 (1) GDPR and
Article 24 GDPR
2. there is no infringement of Article 5 of the Act of 21 March 2007 until
1
regulation of the installation and use of surveillance cameras (hereinafter:
Camera Act) and articles 1 and 4 of the Royal Decree of 10 February 2008 to
establishing the manner in which it is indicated that there is camera surveillance
takes place (hereinafter: Royal Decree of 10 February 2008).
The report also contains findings that go beyond the subject of the complaint.
The Inspectorate has established, broadly speaking, that:
3. there is a violation of Article 30, paragraph 1, paragraph 2 and paragraph 3 GDPR.
5. On October 27, 2022, the Litigation Chamber will decide on the basis of Article 95, § 1, 1° and Article 98
WOG that the file is ready for treatment on the merits.
1BS 31 May 2007.
2BS 21 February 2008. Decision on the merits 81/2023 – 3/11
6. On 27 October 2022, the parties concerned will be notified by registered mail
of the provisions as stated in Article 95, § 2, as well as of these in Article 98 WOG.
They are also informed of the terms for their
to file defenses.
As regards the findings relating to the subject matter of the complaint, the
deadline for receipt of the statement of defense from the defendants
recorded on 7 December 2022, this for the complainant's statement of reply
28 December 2022 and finally those for the defendants' statement of rejoinder on
January 18, 2023.
With regard to the determinations outside the subject of the complaint, the deadline was set
for receipt of the statement of defense of the defendants recorded on
December 7, 2022.
7. On October 28, 2022, the second Respondent electronically accepts all communications
about the case.
8. On 3 November 2022, the second defendant requests a copy of the file (Article 95,
§ 2, 3° WOG), which was sent to him on November 21, 2022.
9. On 7 December 2022, the Litigation Chamber will receive an amended version of the register
of processing activities of the second defendant.
II. Motivation
II.1. Identification of the controller and processor
10. The Disputes Chamber finds that both the complaint and the complainant's answer to the
questions from the Inspectorate clearly stipulate that the complaint is directed against the second
defendant. In his complaint, the complainant asks whether the security camera
collected footage of him that was used for the imposition of a GAS
fine was validly imposed. However, investigations by the Inspectorate show that the
first defendant is the data controller for the surveillance camera
described in the complaint and that the second defendant acts as a processor in this context
the framework of the writing of the GAS fine based on the camera images. The parties
do not dispute this finding. The first defendant must therefore be qualified
as controller and the second defendant as processor as regards
the processing at issue.
II.2. Article 5, paragraph 1, a) (lawfulness) in conjunction with Article 6, paragraph 1 GDPR and Article 5, paragraph 2 in conjunction with Article 24,
paragraph 1 GDPR
11. The contested processing in the present case concerns the making of visual material by one
or multiple cameras at the bottle bank where this footage was used afterwards in Decision on the substance 81/2023 – 4/11
in the context of imposing a GAS fine. The question arises whether the processing of
personal data by these surveillance cameras is done lawfully and or in this
framework, appropriate technical and organizational measures have been taken to ensure the
to ensure compliance with the GDPR.
12. The Litigation Chamber recalls that pursuant to Article 5(1)(a) GDPR personal data
must be lawfully processed. This means that the processing must be done on
on the basis of the processing grounds as set out in Article 6(1) GDPR.
13. Based on its investigation, the Inspectorate determines that the processing is necessary
for the performance of a task of general interest or of a task within the framework of the
exercise of public authority vested in the controller
assigned (Article 6(1)(e) GDPR). The public interest task in question is it
preventing and combating illegal dumping, litter and protecting the public
cleanliness and health. The inspection report also refers to Article 9.3 of this
the general police regulation Y1, which stipulates that, when a violation of a
determination is committed with a motor vehicle, in the absence of the driver, the
administrative fine is imposed on the holder of the registration plate of
the vehicle. The holder of the registration plate may prove by any means who is on the
was driving the vehicle at the time of the facts. If the license plate holder has the
does not rebut or deny the infringement, the administrative fine will be charged to him. In
in its privacy statement, the first defendant also informs the data subjects that
personal data can be processed in the context of the public interest. Having
based on the above, the Inspectorate comes to the conclusion that the processing of the
personal data of the complainant takes place in the context of the public interest and that
this processing is necessary for the performance of that task of public interest,
as a result of which no infringement of Article 5 (1) a) and Article 6 (1) GDPR is established.
14. Article 24(1) of the GDPR obliges the controller to, account
taking into account the nature, scope, context and purpose of the processing, as well as the
risks of varying likelihood and severity to the rights and freedoms of
natural persons, take appropriate technical and organizational measures to
to ensure and be able to demonstrate that the processing is in accordance with GDPR
is carried out. These measures should also be evaluated and if necessary
updated. This article reflects the principle laid down in Article 5(2) of the GDPR
of "accountability", according to which "the controller
responsible for compliance with paragraph 1 and must be able to demonstrate this". Article 24(2).
of the GDPR stipulates that, when proportionate to the processing activities,
the measures referred to in Article 24(1) of the GDPR, an appropriate
include data protection policies to be adopted by the controller Substantive decision 81/2023 – 5/11
executed. Since no infringement of Article 5 (1) (a) and Article 6 (1) GDPR was made
established, the Inspectorate concludes that there is no infringement of
Article 5 (2) and Article 24 (1) GDPR.
15. Based on the inspection report and considering that the complainant has no arguments
arguments to the contrary, the Disputes Chamber sees no reason to do so
to take a different position in this regard. Consequently, the
Litigation Chamber that there is no violation of Article 5(1)(a) and (2),
Article 6(1) and Article 24(1) of the GDPR in respect of the first defendant.
II.3. Article 5 Camera Act and Articles 1 and 4 Royal Decree of 10 February 2008
16. Based on article 5 of the Camera, articles 1 and 4 of the KB of 10 February 2008.
it is necessary for the controller to comply with certain rules if he wants to
proceed to the installation and use of one or more permanent surveillance cameras
an unenclosed place. The obligations from the aforementioned articles, the compliance of which
is examined in the context of the inspection investigation can be summarized as
follows:
a. the decision to place is made by a public authority that
is the controller;
b. even before the placement, the controller must receive a positive advice
from the relevant municipal council, which consults the chief of police for this purpose;
c. access to the data is not decided by the controller
place an icon indicating that camera surveillance is taking place.
That pictogram must be in accordance with Articles 1 and 4 of the Royal Decree of
February 10, 2008 are applied to an aluminum plate of at least 1.5 mm
thickness with dimensions of 0.60 x 0.40 m and determined in a visible and legible manner
contain entries.
17. During the inspection investigation, the first defendant alleges the following:
“
a. This concerns a temporary fixed surveillance camera in a non-enclosed place,
throughout the territory of the municipality. The municipality uses permanent
temporary surveillance cameras. That is why there are on all approach roads of the municipality
icons applied. You can find photos and examples of these icons
can be found in appendix 2, as well as the work order to place the pictograms
(attachment 3). The pictograms are drawn up in accordance with the Royal Decree of
February 10, 2008 about reporting camera surveillance. An example of one
inscription under the pictogram can be found in appendix 4. Decision on the substance 81/2023 – 6/11
b. The camera is said to have been in use since March 2019 to the present as the municipality
regarded this location as a fly-tipping sensitive location and still do
case would be.
c. An advice was obtained from the chief constable for the placement of this camera
and you can find this advice in appendix 5, in particular in point 2.1 on portable ones
(temporarily fixed) cameras.
d. The chief of police was consulted before the camera was placed as well as the
social security service, environment service, community guards
and other members of the local police force.
e. A decision was taken by the Y1 City Council in this regard. It
an extract can be found in appendix 6.”
18. After examining these answers and the appendices, the Inspectorate concludes that
article 5 of the Camera Act and articles 1 and 4 of the Royal Decree of 10 February 2008 were
complied.
19. In view of the inspection report and the fact that the complainant does not put forward any counterarguments, sees
the Disputes Chamber has no reason to take a different position in this regard.
The Disputes Chamber therefore concludes that there is no question of a violation of
Article 5 of the Camera Know Articles 1 and 4 of the Royal Decree of 10 February 2008
of the first defendant.
II.4. Article 30, paragraph 1, paragraph 2 and paragraph 3 GDPR
20. Based on the register of processing activities, the Inspectorate determines that the
second defendant carries out processing of personal data, both as processor and
in the capacity of controller. The Inspectorate will therefore also check the
assess compliance of the second defendant with the requirements regarding this register in the
light of the applicable capacity and respective obligations.
21. Pursuant to Article 30(1) GDPR, each controller must maintain a register
keep track of the processing activities that come under its responsibility
executed. Article 30(1)(a) to (g) GDPR stipulates that, with regard to the
processing operations carried out in the capacity of controller, the following
information must be available:
a) the name and contact details of the controller and any
joint controllers and, where applicable, of the
representative of the controller and of the officer for
data protection;
b) the processing purposes; Decision on the substance 81/2023 – 7/11
c) a description of the categories of data subjects and of the categories of
personal data;
d) the categories of recipients to whom the personal data have been or will be
provided, including recipients in third countries or international organisations;
e) where applicable, transfers of personal data to a third country or a
international organisation, including the reference to that third country or countries
international organization and, in the case of the organizations referred to in Article 49(1) second subparagraph GDPR,
such transfers, the documents concerning the appropriate safeguards;
f) if possible, the envisaged time limits within which the different categories of
data must be erased;
g) if possible, a general description of the technical and organizational
security measures as referred to in Article 32 (1) GDPR.
22. Pursuant to Article 30(2) GDPR, the processor shall keep a record of all
categories of processing activities they perform for a
controller have done. This register contains the following information:
a) the name and contact details of the processors and of each
controller on behalf of which the processor is acting, and, in
where applicable, of the representative of the controller or
the processor and of the data protection officer;
b) the categories of processing operations carried out on behalf of each
controller have been carried out;
c) where applicable, transfers of personal data to a third country or a
international organisation, specifying that third country or international organisation
organization and, in the case of transfers referred to in the second subparagraph of Article 49(1), the
documents on the appropriate safeguards;
d) if possible, a general description of the technical and organizational
security measures as referred to in Article 32(1).
23. The Inspection Service deals with the register of processing activities of the second
the following findings, as summarized below.
24. The record of the processing activities of the second defendant that was provided
to the Inspection Service does not meet the aforementioned minimum requirements. Specifically, the
Inspectorate established the following infringements in that regard: Decision on the substance 81/2023 – 8/11
a) the contact details of the second defendant are not complete (cf. Article 30(1)(a))
and paragraph 2, a) of the GDPR) since the e-mail addresses […] and […] from the website and the
privacy statement of the second defendant (documents 13 and 14) are not mentioned;
b) the description of the categories of data subjects is incomplete (cf. Article 30(1)(c))
of the GDPR) since in the columns “Category data subject” the words are used several times
become “employees”, “politicians” and “contact persons of affiliated partners”.
mentionwhile it is not clear through a description what those words concretely mean
c) the description of the categories of personal data is incomplete (cf. Article 30,
paragraph 1, c) of the GDPR) since in the columns “Category of personal data”
repeatedly the words “personal identification data”, “criminal
data”, “medical data”, and “financial data” are mentioned while not
it is clear through a description what those words mean concretely;
d) the name and contact details of each controller responsible for processing
of which the second defendant acts as a processor are not listed (cf. Article 30,
paragraph 2, a) AVG) and are therefore missing in the tabs "Administrative enforcement" and, among other things
“Neighborhood works”.
25. The Litigation Chamber points out that in order to effectively fulfill the obligations contained in the GDPR
can apply, it is essential that the controller and the
processors have an overview of the processing of personal data they carry out
to carry out. This register is therefore primarily an instrument for
assist controller or processor in GDPR compliance for the
various data processing operations that it performs because the registry is the most important
reveal its features. The Disputes Chamber is of the opinion that this
processing register is an essential tool in the context of the already mentioned
accountability (article 5, paragraph 2, and article 24 GDPR) and that this register is the basis
to all obligations that the GDPR imposes on the controller and processor
imposes. It is therefore important that it is complete and correct.
26. On December 7, 2022, the Disputes Chamber has an amended register of
processing activities from the second defendant. The Disputes Chamber states
established that this register of processing activities meets various requirements
findings of the Inspectorate.
27. With regard to the last determination of the Inspectorate, namely the statement of
the name and contact details of each data controller
of which the second defendant is acting, the Disputes Chamber notes that this is not yet the case
was met. The Disputes Chamber finds that the second defendant for
various processing operations as a processor, without clarifying for which Decision on the substance 81/2023 – 9/11
controller it acts. Thus, the Disputes Chamber rules that there is
is an infringement of Art. 30(2)(a) GDPR.
28. For the sake of completeness, the Disputes Chamber points out that from the register of
processing activities shows that the functions of data protection officer
and the safety consultant are carried out by the same person. In this regard, the
Litigation Chamber notes that the Court of Justice has recently ruled that there may be
of a conflict of interest within the meaning of Article 38(6) GDPR when to an officer
for data protection other tasks or duties are entrusted to him
would convey the purposes of and means of the processing
establish personal data with the controller or its processor.
This has to be done on a case by case basis based on an assessment of all
relevant circumstances, in particular the organizational structure of the
controller or its processor, and in the light of the applicable regulation
in its entirety, including any policy of the
3
controller or its processor.
29. The Disputes Chamber is of the opinion that the second defendant, the processing register, she
it incomplete, has it transferred in electronic form by mail at the first request ?
of the Inspectorate. Consequently, the Litigation Chamber rules that there is no infringement of
Article 30 (3) GDPR.
III. Sanctions
30. On the basis of the documents in the file, the Disputes Chamber establishes that there is
a violation of Article 30 paragraph 2, a) GDPR.
31. Pursuant to Article 100 of the WOG, the Disputes Chamber has the authority to:
"1° to dismiss a complaint;
2° to order the exclusion of prosecution;
3° order the suspension of the judgment;
4° propose a settlement;
5° formulate warnings and reprimands;
6° to order that the data subject's requests to exercise his rights be complied with
to practice;
7° order that the data subject be informed of the security problem;
8° order that the processing be temporarily or permanently frozen, restricted or prohibited;
9° order that the processing be brought into compliance;
10° rectification, restriction or deletion of data and notification
3
ECJ 9 February 2023, X-FAB Dresden GmbH & Co. KG t. FC, C-453/21, ECLI:EU:C:2023:79. Decision on the substance 81/2023 – 10/11
to recommend it to the recipients of the data;
11° to order the withdrawal of the accreditation of certification bodies;
12° to impose penalty payments;
13° to impose administrative fines;
14° the suspension of cross-border data flows to another State or
to recommend an international institution;
15° transfer the file to the prosecutor's office of the public prosecutor in Brussels, who
informs it of the follow-up given to the file;
16° decide on a case-by-case basis to publish its decisions on the website of
the Data Protection Authority."
III.1. Infringement of Article 30 (2) (a) GDPR
32. The Disputes Chamber is of the opinion that a reprimand based on Article 100, §1, 5 WOG in
this case is designated for the infringement of Article 30(2)(a) GDPR. The Dispute Room
ruled that the register of processing activities provided by the
second defendant is incomplete, as established in the inspection report. In this context
the Litigation Chamber notes that, although the second defendant is admittedly currently
steps to rectify these breaches, too little effort has been made
are to finalize the register of processing activities as provided for in Article 30
AVG.Again in this regard, the Litigation Chamber once again points out that the AVG is already almost
applicable for five years and entered into force seven years ago.
III.2. Other grievances
33. The Litigation Chamber proceeds to a deposit of the other grievances and findings of the
Inspectorate because, based on the facts and the documents in the file, they do not belong to the
conclude that there has been a breach of the GDPR. These grievances and
findings of the Inspectorate are therefore regarded as manifestly unfounded
within the meaning of Art. 57(4) GDPR.
IV. Publication of the decision
34. Given the importance of transparency with regard to decision-making by the
Litigation Chamber, this decision will be published on the website of the
Data Protection Authority. However, it is not necessary for the
identification data of the parties are disclosed directly.
4 See point 3.A.2 of the Litigation Chamber's Dismissal Policydd. June 18, 2021, available at
https://www.dataprotectionauthority.be/publications/sepotbeleid-van-de-geschillenkamer.pdf. Decision on the substance 81/2023 – 11/11
FOR THESE REASONS,
the Disputes Chamber of the Data Protection Authority decides, after deliberation, to:
- formulate a reprimand based on article 100, §1, 5° WOG with regard to the
infringement of Article 30(2)(a) GDPR by the second defendant; and
- to dismiss the other grievances pursuant to Article 100, §1, 1° WOG.
Pursuant to Article 108, § 1 of the WOG, within a period of thirty days from the
notification against this decision may be appealed to the Marktenhof (court of
Brussels appeal), with the Data Protection Authority as defendant.
Such an appeal may be made by means of an inter partes petition
5
must contain the information listed in Article 1034ter of the Judicial Code .
The inter partes petition must be submitted to the Registry of the Market Court
in accordance with article 1034quinquies of the Ger.W. , 6 or via the e-Deposit
IT system of Justice (Article 32ter of the Ger.W.).
(get). Hielke IJMANS
Chairman of the Litigation Chamber
5"The petition states under penalty of nullity:
1° the day, month and year;
2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or
enterprise number;
3° the surname, first name, place of residence and, if applicable, the capacity of the person to be
summoned;
4° the object and brief summary of the means of the claim;
5° the court before which the action is brought;
6° the signature of the applicant or his lawyer."
6
The petition with its annex shall be sent, in as many copies as there are parties involved, by registered letter
sent to the clerk of the court or deposited with the clerk of the court."
