APD/GBA - 16/2020
|APD/GBA - 16/2020|
|Relevant Law:||Article 5(2) GDPR|
Article 24 GDPR
Article 30(1) GDPR
Article 30(5) GDPR
Article 6 §2 (1) of the videosurveillance law
Article 6 §2 (4) of the videosurveillance law
|National Case Number/Name:||16/2020|
|European Case Law Identifier:||n/a|
|Original Source:||Official Belgian DPA website (in FR)|
The Belgian DPA finds that videosurveillance is a processing likely to result in a risk to the rights and freedoms and that a data controller that employs fewer than 250 persons is therefore still subject to Article 30(1) GDPR in this regard, having to establish a record of processing activities for videosurveillance.
English Summary[edit | edit source]
Facts[edit | edit source]
The plaintiff, a data subject which had seen themself being filmed on the street outside of the data controller's store, lodged a complaint with the Belgian DPA. They presumed the footage to be recorded and therefore reported the absence of a formal information as required by data protection law. After formal inquiry, it was found that the CCTV system had not been declared to the data privacy commission (commission pour la protection de la vie privée, CPVP) as required by article 6 §2(1) of the national videosurveillance law and that the record of processing activities was lacking information.
Dispute[edit | edit source]
Is the data controller subject to Article 30(1) GDPR despite employing fewer than 250 employees?
Holding[edit | edit source]
After stating the conditions for a CCTV system filming spaces open to the public to be legal (declaration to the national data privacy commission (CPVP), article 6 §2(1) of the national videosurveillance law), the Belgian DPA holds that not only the absence of declaration but also the lack of information about the data processing in the record of processing activities results in a breach of the GDPR and the national videosurveillance law. The data controller had to both declare the CCTV system and establish a detailed record of the videosurveillance activities in accordance with Article 30(1) GDPR, despite employing fewer than 250 persons, because of the risk to the rights and freedoms of the data subject (article 30(5) GDPR).
Comment[edit | edit source]
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the French original. Please refer to the French original for more details.