APD/GBA - 16/2020

From GDPRhub
Revision as of 16:36, 28 April 2020 by Maïlys Lemaître (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Belgium |DPA-BG-Color= |DPAlogo=LogoBE.png |DPA_Abbrevation=APD/GBA |DPA_With_Country=APD/GBA (Belgium) |Case_Number_Name=16/2020 |ECLI= |Ori...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
APD/GBA - 16/2020
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(2) GDPR
Article 24 GDPR
Article 30(1) GDPR
Article 30(5) GDPR
Article 6 §2 (1) of the videosurveillance law
Article 6 §2 (4) of the videosurveillance law
Type: Investigation
Outcome: Violation Found
Decided: 20.04.2020
Fine: None
Parties: n/a
National Case Number/Name: 16/2020
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: Official Belgian DPA website (in FR)
Initial Contributor: n/a

The Belgian DPA finds that videosurveillance is a processing likely to result in a risk to the rights and freedoms and that a data controller that employs fewer than 250 persons is therefore still subject to article 30(1) GDPR in this regard, having to establish a record of processing activities for videosurveillance.

English Summary


The plaintiff, a data subject which had seen themself being filmed on the street outside of the data controller's store, lodged a complaint with the Belgian DPA. They presumed the footage to be recorded and therefore reported the absence of a formal information as required by data protection law. After formal inquiry, it was found that the CCTV system had not been declared to the data privacy commission (commission pour la protection de la vie privée, CPVP) as required by article 6 §2(1) of the national videosurveillance law and that the record of processing activities was lacking information.


Is the data controller subject to article 30(1) despite employing fewer than 250 employees?


After reminding the conditions for a valid CCTV system filming spaces open to the public (declaration to the national data privacy commission (CPVP), article 6 §2(1) of the national videosurveillance law), the Belgian DPA holds that not only the absence of declaration but also the lack of information about the data processing in the record of processing activities results in a breach of the GDPR and the national videosurveillance law. The data controller had indeed both to declare the CCTV system and to establish a detailed record of the videosurveillance activities in accordance with article 30(1) GDPR, despite employing fewer than 250 persons and because of the risk to the rights and freedoms of the data subject (article 30(5) GDPR).


Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.