AP (The Netherlands) - mobiele camera-auto's Rotterdam - besluit tot boeteoplegging
From GDPRhub
| AP - mobiele camera-auto's Rotterdam - besluit tot boeteoplegging | |
|---|---|
 | |
| Authority: | AP (The Netherlands) |
| Jurisdiction: | Netherlands |
| Relevant Law: | Article 4c(1) of the Dutch Police Data Act |
| Type: | Complaint |
| Outcome: | Partly Upheld |
| Started: | |
| Decided: | 17.11.2022 |
| Published: | |
| Fine: | 50,000 EUR |
| Parties: | n/a |
| National Case Number/Name: | mobiele camera-auto's Rotterdam - besluit tot boeteoplegging |
| European Case Law Identifier: | n/a |
| Appeal: | Appealed - Partly Confirmed Rb. Den Haag (Netherlands) 23_8425 |
| Original Language(s): | Dutch |
| Original Source: | Dutch DPA (in NL) |
| Initial Contributor: | CBMPN |
The Dutch police were fined €50,000 for failing to conduct a DPIA before deploying mobile camera cars to monitor public spaces during the COVID-19 pandemic. After appeal, the fine was reduced to €30,000 by the District Court of The Hague.
English Summary
Facts
The Dutch police, under the responsibility of the Chief of Police, deployed two mobile camera cars (MCAs) in Rotterdam during the COVID-19 pandemic to monitor and enforce public health measures, such as social distancing. The MCAs captured 360-degree video footage of public spaces, including streets, parks, and residential areas, where individuals (including children) were identifiable. The footage was transmitted to a central monitoring room and could be forwarded to other police units. The police failed to conduct a Data Protection Impact Assessment (DPIA) before deploying the MCAs, despite the high-risk nature of the data processing. A DPIA was only conducted after the processing had already begun.
Holding
The Dutch Data Protection Authority (AP) held that the Chief of Police violated Article 4c(1) of the Dutch Police Data Act (Wpg), which requires a DPIA for processing activities likely to result in a high risk to individuals' rights and freedoms. The AP emphasized that the use of MCAs, which involved innovative technology for monitoring public spaces and capturing identifiable individuals, posed a high risk. The failure to conduct a DPIA before deploying the MCAs constituted a breach of the law, regardless of the police's subsequent efforts to conduct a DPIA during the processing.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Authority for Personal Data
PO Box 93374, 2509AJ The Hague
HogeNieuwstraat 8, 2514EL The Hague
T0708888500-F0708888501
PolitieNederland autoriteitpersoonsgegevens.nl
t.a.v.depolitiechief,deheermr.H.P.vanEssen
PO Box 17107
2502CC THE HAGUE
Date Our reference
17 November 2022 z2021-17798
Contact person
[CONFIDENTIAL]
Subject
mobile camera cars Rotterdam-decision to impose a fine
Dear Mr. VanEssen,
The Authority for Personal Data (hereinafter: AP) has decided to an administrative fine of €50,000 for violation of article 4c, first paragraph, of the Police Data Act (hereinafter: Wpg). This is because the chief of police failed to carry out a data protection impact assessment prior to the intended processing of police data – namely the recording of camera images using two so-called mobile camera cars in Rotterdam – while the processing of police data probably entailed a high risk for the rights and freedoms of individuals.
This decision explains the administrative fine. To this end, (1) the reasons for the course of the proceedings, (2) the facts established, (3) the violation and (4) the amount of the fine are discussed in succession. Finally, (5) the dictum and legal remedies clause follow.
Public version Date Our reference
17 November 2022 z2021-17798
1 Reasons for the process
1 In the spring of 2020, the Netherlands was confronted with the COVID-19 pandemic. The cabinet then announced
measures to combat the spread of the virus. These measures were laid down at local
level in emergency regulations. An emergency regulation with corona measures also
came into force in the municipality of Rotterdam (hereinafter: "emergency
regulation"). These measures included, among other things,
the ban on gatherings and the obligation for people to keep a distance of
1.5 metres (in public spaces). In order to monitor and enforce
compliance with the corona measures, two cars with a camera mounted on the roof,
also known as mobile camera cars (hereinafter: "MCAs"), were deployed
in the municipality of Rotterdam from 10 April 2020.
2 Following media reports, the AP contacted the municipality of Rotterdam.
It turned out that two MCAs were indeed deployed between 10 April 2020 and 17 April 2020,
but this deployment was stopped again after a week at the request of the police. When the AP
received signals that the MCAs were being deployed again from 26 April 2020, the AP
decided to launch an investigation. Among other things, the AP investigated whether the chief of police
acted in breach of the obligation to carry out a timely data protection impact assessment (hereinafter
also: "DPIA") as referred to in Article 4c of the Wpg. Since the AP has no authority to
sanction violations of Article 3 of the Wpg with a fine, the AP does not, in this decision,
comment on the answer to the question of whether the chief of police
acted in accordance with Article 3 of the Wpg.
This also leads to the AP not commenting in this decision on the answer
to the question of whether Article 3 of the Police Act 2012 (hereinafter: the Police Act) can
serve as a basis for deploying the MCAs.
3 The investigation resulted in the Customer Contact Directorate's Control Investigation of the AP establishing a report of findings on 26 November 2021 (hereinafter: the investigation report). In the
investigation report, it was concluded, insofar as relevant, that the chief of police was obliged to
carry out a GE prior to processing the camera images using the MCAs and that
he failed to do so by only carrying out a GE during the processing, whereby the chief of police
acted in violation of Article 4c of the Wpg.
4 By letter dated 16 December 2021, the AP sent the chief of police a notice of intention to enforce. The chief of police submitted a written opinion on this intention and the
research report on which it was based on 21 January 2022. A hearing on the opinion was held on 22 February 2022, at which the chief of police further explained his written opinion orally.
1
Municipal Gazette 2020, 85971. Officially announced on 30 March 2020: https://www.rijnmondveilig.nl/lichameijke-
2oodsituatie/noodverordening-covid-19-30-maart-2020/
The police appeared not to have been formally involved in the decision to deploy the MCAs.
Public version 2/18 Date Our reference
17 November 2022 z2021-17798
2 Factual findings
5 The following is a summary of the relevant facts established in the investigation report. The
chief of police has not disputed the facts laid down in the investigation report.
2.1TheuseofMCAs
6 InMay2020,theEurovisionSongContestwouldhavetakenplaceinRotterdam.Inthecontextofthepreparationsforthesafetymeasuresaroundthisevent,thedesirearosetouseMCAs.TheSupervisionandEnforcementdepartmentoftheMunicipalityofRotterdamsubsequentlyrealisedtherentoftwoMCAsfortheperiod1Aprilto1June2020.ThedayaftertheMunicipalityofRotterdamhadsignedtherentoffer,theEurovisionSongContestwascancelledduetotheCOVID-19pandemic.
7 Subsequently, the plan was made to deploy the two rented MCAs in the context of enforcing the corona measures. In a memo dated 1 April 2020, the mayor of the municipality of Rotterdam was informed in writing by the Safety Directorate of the intention to deploy the MCAs. The relevant memo explained that the corona measures would require a lot of deployment of law enforcement officers and
the police, while capacity was scarce. The MCAs could support these parties in
carrying out their tasks. In addition, the memo explained that the authority to
deploy mobile camera surveillance to maintain public order in the event of a (threatened)
disruption of public order is based on Article 3 of the Police, knowing that the
MCAs would be deployed temporarily for this purpose on these grounds, namely as long as the
emergency ordinance applied in the Rotterdam-Rijnmond Safety Region. 8 Asof10April2020,thetwoMCAswereactuallydeployed.However,attherequestofthepolice,theMCAswerestoppedon17April2020,becausethedeploymenthadtakenplacewithouttheinvolvementofthe
police.
9 Subsequently,thepoliceandthemunicipalityofRotterdamjointlydrawnupadeploymentframeworkforthe
deploymentoftheMCAs.ThedeploymentframeworkcontainsadescriptionofthepurposeforwhichtheMCAsweredeployed,thelegalframeworkandthepracticalmethodthatshouldbefollowed.
10 Accordingtothedeploymentframework,thedeploymentoftheMCAswasintendedtoachieveamultiplepurpose.TheMCAsweredeployedtoobtainanup-to-datepictureofthesituationonsiteandonthatbasistobeabletodeterminethedeploymentofthecapacityofspecial
investigation officersandpolice officers. In addition, the MCAs would have a preventive effect and the presence of camera surveillance could have a de-escalating effect.3
3According to the deployment framework, violent incidents during the enforcement of the rules in the emergency ordinance were partly the reason for the deployment of the two MCAs.
Public version 3/18 Date Our reference
17 November 2022 z2021-17798
11 The deployment framework also states that the MCAs were deployed as flexible camera surveillance on the basis of
article 3 of the Police Act, which places responsibility for the deployment of the two MCAs with the police
and that the deployment of the MCAs would in any case last as long as the emergency ordinance was in force.
12 In addition, the deployment framework states that the two MCAs were managed by an employee of the Municipality of Rotterdam's Supervision and Enforcement Department with a BOA certification from 26 April 2020. The
4
driver received a list of pre-designated areas and locations at the start of the service. The
camera could only be turned on at the designated location if there was a group formation or
another observable violation of the emergency ordinance. The camera could not be turned on during the
journey from location A to location B. In exceptional cases, the MCAs could continue to
record camera images of the deployment of units due to the escalating operation. 13 On 25 April 2020, the members of the Rotterdam triangle approved the deployment framework, on condition
that a few more adjustments were made. The two MCAs were deployed again the following day, i.e. from
26 April 2020, between 12:00 and 23:00. The evaluation of the police, among other things, shows
that the MCAs drove daily until 31 May 2020.
2.2Collecting, receiving, viewing and forwarding camera images
14 The rental offer for the MCAs shows that both cars were equipped with a so-called ‘Rooftop Unit’
with which camera images could be taken by means of a so-called ‘Panorama Video
Subsystem’. The system specifications show that the image format was HD megapixels and that the
panoramic cameras contained 2 megapixel colour sensors and could provide a good image with sufficient
detail. It also follows from the rental offer that each of the MCAs could take camera images from one to
ten metres around the vehicle. The further explanation of the ‘Panorama Video Subsystem’ shows that
camera images could be taken on both sides of the vehicle with a large opening
angle.
According to the rental offer, the MCAs could take sharp camera images at a speed of fifty kilometres
per hour.
15 From the camera images viewed by AP supervisors, it follows that they show a lot of detail and the cameras also took sharp camera images while driving. The cameras took images from four
angles: front left, front right, rear left and rear right. Together, this gives a 360-degree
total image of the situation around the vehicle. From the advanced and viewed camera images, it follows that camera images were taken far outside the vehicle. The camera images show parks,
4 These areas and locations were determined by the Large-scale and Special Corona Action Staff. The Chief Officer of the Police Service
could provide additions to this, with the intervention of the Police Operational Center.
5Thetriangleofacertainareaistheconsultationbodybetweenthemayor,the(chief)public prosecutorandpolicechieforteamchiefofpoliceoftheteamwhichthemunicipalityinquestioncomesunder–inthiscasethemunicipalityofRotterdam.
6CitymanagementSupervision,PoliceandSafetydirection,EvaluationPilotdeploymentmobilecameracardated15July2020,p.5(filedocument43).
Publicversion 4/18 Date Ourreference
17November2022 z2021-17798
publicroads,residentialareas,shoppingareas,beaches,boulevardsandparkinglotssee,where
adultsandchildrenarerecognizablyintheimage.
16 EachofthetwoMCAswasmountedwithanimageprocessingsystem,theso-calledScanGenius
SLIMsystem.Theinvestigationreportestablishedthatfrom26April2020–thestartdateofthedeploymentofMCAs–thecameraimagestakenbythetwoMCAsweresentdirectlytotheso-called‘Enforcementcontrolroom’:thecentralcontrolroomoftheEnforcement
departmentofRotterdam,locatedattheKleinpolderpleinlocation. 7
17 ThesecameraimagesthathadbeenreceivedintheEnforcementcontrolroomwerethenforwardedviaadatalinetotheso-called‘camerasurveillanceviewroom’,whichislocatedatthesamelocation.The
cameraimageswereenteredhereinthe‘Genetec’programandthenviewedlivewiththe‘Coppweb’programbyauthorizedoperatorsofthemunicipalityofRotterdamunderthesupervision
ofthepolice.8
18 Thecameraimagescould–alsowiththehelpofthe‘Coppweb’program–beforwardedtoseveralotherpartsofthepolice.Theinvestigationreportestablishedthat
thecameraimageswerealsoinfactsenttootherpolicelocationsonce. 10
2.3Storinganddestroyingcameraimages
19 ThecameraimagesofMCAsthatdidnotcontainanyincidentswerestoredforsevendays
andthendestroyed.Intheevents,thecameraimageswerestoredinaccordancewiththeWpgatthecamerasurveillanceviewingroom.IntheGEBadoptedon26May2020,itwasrecommendedtoreducethestorageperiodforcameraimagesofMCAswithoutincidentsfromsevendaystozerodays.Intheevaluation,thisrecommendationwasrepeatedanditwasalsonotedthatthecameraimageswereunnecessarily
stored.
20 Furthermore,theGEBstatedthatthestoredcameraimagesweredestructedviaanautomatedprocessinlinewithArticle14oftheWpg,includingbackups.
7
8A4GSIMcardintheprocessingunitoftheimageprocessingsystemensuredtheconnection. Atthecamerasurveillanceviewingcenter,cameraimagesareautomaticallyrecordedinthebasicprogramGenetec.The
programCoppwebenablesimagestobeviewedlivefromGenetec.
9ThesupervisorcoulddecidetoswitchthecameraimagestothePoliceOperationalCenterifnecessary.
ThecameraimagesfromtheOperationalCentercouldthenbetransmittedtothePolice
CoordinationCenteratapolicestationortothescreensdesignatedforthispurposeinthepoliceDistrictApproachTeamroom.
1TheinvestigationreportestablishedthatfindingsmadewiththehelpofMCAs–afteranassessmentbyasupervisorintheKleinpolderpleinviewingroomandthePoliceOperationalCenter–haveseveraltimesledtopolicedeployment.
Public version 5/18 Date Our reference
17 November 2022 z2021-17798
2.4 Carrying out a data protection impact assessment
21 The investigation report established that [CONFIDENTIAL] the police had drawn up a so-called pre-GEB, which was
adopted on 10 May 2020. According to the pre-GEB, this document is intended to
assess whether carrying out a GEB is required. The pre-GEB concluded that this
was not necessary for the deployment of MCAs.
22 Accordingtothepre-GEB,theuseofMCAswouldnotinvolvesystematicandlarge-scalemonitoringinpublicspace,amongotherthings,becauseitconcernedalimitednumberoflocationswherecameraimagescouldberecordedandwherethecamerawouldonlybeturnedoniftherewasreasontodoso.Accordingtothepre-GEB,therewasalsonolarge-scaleprocessing,becausenocameraimagesoflargegroupsofpeoplewouldberecorded.Accordingtothepre-GEB,thesizeofthegroupofpeopledependedontheextenttowhichthepermittednumberofpeoplebasedontheemergencyordinancewasexceeded.Furthermore,accordingtothepre-GEB,therewasnonewtechnology,becausecamerasthatareinstalledbasedonArticle151coftheMunicipalActcanalsorecordcameraimagesfrommultipleangles. 23 The evaluation shows that, following questions from the Rotterdam municipal council and questions from the AP, the police and the municipality of Rotterdam have still jointly drawn up a GEB. The GEB shows that the GEB was definitively established and approved by [CONFIDENTIAL] the municipality of Rotterdam and the police on 26 May 2020.
2.5 Conclusion
24 The above shows that the MCAs have been deployed since 26 April 2020 and that the police and the municipality of Rotterdam established a definitive GEB on 26 May 2020.
3Assessment
3.1ApplicabilityPoliceDataLawandAuthorityPersonalData
3.1.1LegalFramework
25 TheGeneralDataProtectionRegulation(hereinafter:GDPR)containsageneralregulationfortheprotectionofpersonaldatathatisdirectlyapplicableinallMemberStatesoftheEU.Directive2016/680wasestablishedfortheprotectionofpersonaldataprocessedbythepoliceandjudicialauthoritiesinthecontextoftheirtasks(hereinafter:theDirective).MemberStatesmustimplementthis
1Directive2016/680ontheprotectionofnaturalpersonswithregardtotheprocessingofpersonaldatabycompetentauthoritiesforthepurposesoftheprevention,investigation,detectionandprosecutionofcriminaloffencesortheexecutionofpenalties,andonthefreemovementofsuchdata,andrepealingFrameworkDecision2008/977/JHA.
Public version 6/18 Date Our reference
17 November 2022 z2021-17798
Implement the Directive in their national law. The Netherlands has implemented the Directive in the
12
Wpg.
26 It follows from Article 2, paragraph 2, opening words and under, of the GDPR that the GDPR does not apply to
processing that falls within the scope of the Directive. The GDPR and the Directive – as
implemented in the Netherlands in the Wpg – are therefore mutually exclusive.
27 Article 2, paragraph 1, of the Wpg stipulates that the Wpg applies to the
processing of police data by a competent authority that are included in a file or
intended to be included in it.
28 Article 1, opening paragraph, of the Wpg defines a competent authority as any government body
which is competent for the tasks referred to in part a, or any other body that or any other entity that
is authorized to exercise public authority and public powers in view of the tasks referred to
inparta.
29 Pursuant to Article 1, opening paragraphs, of the Wpgi, a police data “any person data that
is processed in the context of the execution of the police task referred to in Articles 3 and 4 of the
Police Act 2012”.
30 According to article 3 of the Police Act, the police are tasked with ensuring the effective enforcement of the legal order and providing assistance to those who need it. The effective enforcement of the legal order is divided into criminal enforcement of the legal order and enforcement of public order.3
31 Article 35 of the Wpg states that the AP is authorised to supervise the processing of personal data in accordance with the provisions of the Wpg.
3.1.2 Assessment
32 The established facts show that the camera surveillance with the use of MCAs in the investigation period
was carried out by a competent authority, namely the police. The deployment framework determined that the
police were responsible for the deployment of the MCAs. It also appears from the established facts that the
police had control over the viewing and, if necessary, forwarding of the camera images. In addition, the
MCAs were deployed with a view to maintaining public order, as part of the police task. As
explained above, the deployment framework determined that the deployment of the MCAs took place on the basis of
12
13tb.2018,401.
Articles 11 and 12 of the Police Act.
Public version 7/18 Date Our reference
17 November 2022 z2021-17798
Article 3 of the Police Act, namely to be able to enforce the corona measures more efficiently and
in a more targeted manner.
33 Furthermore, it follows from the established facts that the camera images were recorded in a file. The
camera images entered the program 'Genetec' and could be viewed and possibly
forwarded using the program 'Coppweb'. It also appears from the established facts that
camera images were stored for seven days.
3.1.3Conclusion
34 The APconcludesthatthecamerasurveillancewiththeuseofMCAsduringtheinvestigationperiodwasperformedbyacompetentauthorityinthecontextoftheexecutionofthepolicetaskandthatthecameraimageswererecordedinafile.Totheextentthatthisinvolvedtheprocessingofpolicedata(seeparagraph3.2ofthisdecree),thisprocessingfallsunderthescopeoftheWpgen
theAPisauthorisedtosupervisethisandenforcethis.
3.2 Processingofpolicedataandprocessingresponsibility
3.2.1Legalframework
35 PursuanttoArticle1,introductionandsubparagrapha,oftheWp,policedatais“anypersonaldatathatisprocessedinthecontextoftheexecutionofthepolicetask,asreferredtoinArticles3and4ofthePoliceAct2012”.
36 Article 1, introductory paragraph (b), of the Wpg defines personal data as “all information about an identified or identifiable natural person”.
37 Article 1, introductory paragraph (c), of the Wpg stipulates that the processing of police data is
understood to mean “any operation or set of operations which is performed on police data or a set of
police data, whether or not carried out by automated means, such as collecting, recording,
organising, structuring, storing, updating or modifying, retrieving, consulting, using,
providing by means of transmission, dissemination or otherwise making available,
combining, linking, shielding or destroying police data.
38 Article 1, introductory paragraph and subsection 1, of the Wpg stipulates that the controller for the
processing of personal data at the police is the chief of police, as referred to in
Article 27 of the Police Act 2012.
Public version 8/18 Date Our reference
17 November 2022 z2021-17798
3.2.2 Assessment
Personal data
39 The established facts show that camera images were made with the MCAs on which
identified or identifiable natural persons were observable. The technical
specifications show that camera images could be made with a ‘Rooftop Unit’. In addition,
the facts established in the investigation report show that camera images were made with the two
MCAs on which persons were recognisably depicted that it was also intended to be able to
identify. For this reason, for example, no ‘blurring’ was applied.
Police data
40 The established facts show that these personal data are processed in the context of the execution
of the police task. As explained above, maintaining public order is part of the
police task as referred to in Article 3 of the Police Act. The camera images that were
made with the MCAs were used to maintain public order, more specifically
for maintaining corona measures.
Processing
41 It has been explained above how the camera images were collected, sent, received, viewed,
forwarded, stored and destroyed. It has also been established that the two MCAs actually
collected camera images during the deployment. The camera images were sent directly from the MCAs
to the Enforcement control room. The received camera images were then
forwarded via a data line to the camera surveillance viewing room and viewed there under the
supervision of the police. It has also been established that the camera images could be
forwarded to other police locations, which also happened on a few occasions. It has also been
established that the camera images were stored and destroyed after seven days. Controller
42 It has been explained above that the members of the Rotterdam triangle agreed to the deployment framework on 25 April 2020, subject to a number of adjustments, after which the MCAs were deployed under the responsibility of the police on 26 April 2020, based on Article 3 of the Police Act. It follows from the legal framework that the chief of police has been designated by law as controller for the processing of police data at the police. The AP therefore concludes that the chief of police qualifies as the controller for the processing of camera images using the MCAs.
Chief of Police’s Opinion
43 The Chief of Police notes that the implementation of both the GEB and the pre-GEB has been a joint process
of the municipality and the police. After all, decision-making on the deployment of the MCA
was a battle between the Rotterdam triangle and camera surveillance – both on the basis of Article 151c of the Municipal Act
and on the basis of Article 3 of the Police Act – the municipality had the impression that there was
a joint processing responsibility. This was partly prompted by the text on the AP’s website at
that time. ResponseAP
44 TheAPseestheadministrativecontextwithintheRotterdamtriangleandsituationinwhichthepoliceandthemunicipalityofRotterdamfoundthemselves,aswellasthecircumstancethatatthetimeoftheintendedprocessingatthemunicipalityofRotterdamtherecouldbeunclearastowhowouldbethecontrollerintheprocessingofcameraimagesonthebasisofArticle151coftheMunicipalAct.InthiscontextitisconceivablethatboththepoliceandthemunicipalityofRotterdamfeltresponsibletostriveforajointlysupportedanalysisofpossibleeffectsofthe(intended)processingofcameraimagesontheprotectionofpersonal
data. 45 However, it appears from, among other things, the memo of 1 April 2020 from the Directorate of Safety to the mayor and the deployment framework established by the Rotterdam triangle on 25 April 2020 that the MCAs were not deployed as flexible camera surveillance on the basis of Article 151c of the Municipal Act, but on the basis of Article 3 of the Police Act. The deployment framework also shows that the responsibility for the deployment of the MCAs lies with the police. There was therefore no uncertainty about the basis and responsibility for the deployment of this tool at the municipality of Rotterdam. From the legal framework set out above, it follows irrefutably that the police data for which the chief of police is the controller was processed. The fact that the municipality may have had doubts about this does not alter this. In any case, the text on the AP website at that time could not have provided any concrete reason for this, since that text only related to Article 151c of the Municipal Act and not to Article 3 of the Police Act. 3.2.3Conclusion
46 Based on the above, the AP concludes that the camera images contain information about
identified or identifiable natural persons and that this constituted
personal data within the meaning of Article 1, opening paragraph and under b, of the Wpg. These
personal data were processed in the context of the execution of the police task and
this constituted police data as referred to in Article 1, opening paragraph and under a, of the
Wpg. The collection, sending, receiving, viewing, forwarding, storing and destroying
police data constituted processing of police data as referred to in Article 1, opening paragraph and
under c, of the Wpg. The chief of police qualifies as the
controller for the processing of camera images with the MCAs, as referred to in
Article 1, opening paragraph and under f, section 1, of the Wpg.
Public version 10/18 Date Our reference
17 November 2022 z2021-17798
3.3 Carrying out a data protection impact assessment
3.3. 1 Legal framework
47 Article 4c, first paragraph, of the Data Protection Act stipulates that in the event that a type of processing, in particular a processing involving the use of new technologies, is likely to result in a high risk to the rights and freedoms of individuals, taking into account its nature, scope, context or
purposes, the controller must carry out an assessment of the impact of the intended processing activities on the protection of personal data prior to the processing.
3.3. 2 Assessment
48 Article 4c of the Data Protection Act provides for the obligation to carry out a GEB on processing of police data that is
likely to result in a high risk to the rights and freedoms of individuals. This applies in particular to processing where new technologies are used.
Article 35, first paragraph, first sentence of the GDPR contains an identically formulated obligation for processing personal data that falls within the scope of the GDPR.
Probably high risk
49 The established facts show that there is an innovative application of new technology or
organizational solutions. Given the nature, scope, contexts and purposes of the processing of camera images
using the two MCAs, the processing probably resulted in a high risk to the rights and freedoms of individuals.
The AP explains this below.
50 Marginalnumbers47and48ofthisdecreefollowthattheobligationtoimplementaGEparticularlycomesinsightinprocessinginwhichnewtechnologiesareused.Theuseofsuchtechnologiesmayincludenewformsofdatacollectionanduse,possiblywithahighrisktotherightsandfreedomsofnaturalpersons. 14
51 It was established that cameras were mounted on the roof of the two MCAs, which could produce 360-degree camera images. These cameras were intended to provide a good image with sufficient detail up to ten metres around the vehicle. Even at a speed of fifty kilometres per hour, these cameras produce sharp images. It was also established that the cameras were able to capture recognisable images of people, including children. Although the technique of producing 360-degree camera images is not new in itself, the use of such cameras on (fast) moving cars is. Taking sharp images of people with these cameras under these circumstances is, in the opinion of the AP, an innovative use of this technology. Unlike, for example, the
1 Compare recitals 89 and 90 of the GDPR, as well as the Guidelines for data protection impact assessments and the determination of whether
a processing operation is “likely to involve a high risk” within the meaning of Regulation 2016/679 (WP248rev.01), p.12.
Public version 11/18 Date Our reference
17 November 2022 z2021-17798
use of 360-degree cameras in fixed camera surveillance or on a mobile mast, the use of
such cameras on a moving car, for example, makes it possible to follow people and
take camera images of them. 52 There was also monitoring of publicly accessible spaces, in which personal data are collected from both adults and children, in circumstances in which they may not know that data is being collected or how it is being used. Furthermore, it may be impossible for individuals to prevent being subjected to such processing in a public (or publicly accessible) space. The MCAs also actually recorded camera images during the deployment period in, among other places, residential areas, shopping areas, parks, recreational areas and beaches. 53 In addition, one of the purposes of deploying mobile cameras was to obtain an up-to-date image during the emergency ordinance in areas “where it was known that during certain periods more people came together per day than was permitted”. In view of this, the police should have taken into account – unlike what happened in the pre-GEBis – the possibility that camera images would also be made of large groups and that this could go beyond the nature of incidental monitoring.
54 In view of the above and the sensitive nature of the monitoring of the public space, the
processing of the camera images using the MCAs probably resulted in a high risk to the
rights and freedoms of individuals.
55 Furthermore, the context in which the purpose for which the camera images were
made resulted in an increased risk to the rights and freedoms of individuals.
The purpose of making the camera images
was, after all, to ensure more efficient and targeted enforcement of the
corona measures in the emergency ordinance by enforcement officers and the
police. It has been established that the intention was also to identify individuals
and that a violation of the emergency ordinance could result in the imposition of a fine.
In addition, the camera images were not only viewed live but also further processed,
now that the camera images could and, in appropriate cases, were actually
forwarded to other police locations.
Furthermore, it was intended to store the camera images taken with the MCAs for a standard period of seven days - a period for which attention was drawn up in the final GE Book. In the event of an incident, the camera images could be stored by the police (even) for longer.
Conclusion
56 Based on the above, the AP concludes that the intended processing of the camera images
using the MCAs is likely to pose a high risk to the rights and freedoms of individuals
15
Compare Article 35, third paragraph, of the GDPR and Guidelines for data protection impact assessments and the determination of whether an
16 effect is “likely to pose a major risk” within the meaning of Regulation 2016/679 (WP248 rev. 01), p. 11.
See file document 42, ‘Deployment framework for mobile cameras for cars (MCAs)’, p. 1.
Public version 12/18 Date Our reference
17 November 2022 z2021-17798
resulted. The above means that the chief of police was obliged to carry out an assessment of the effect on the protection of
personal data prior to the intended processing of camera images.
57 The AP also notes that this conclusion of the AP is in line with the decision of the AP in which
the AP established a list of processing operations for which no DPIA is required under the GDPR.
It also follows from that decision that a DPIA is required for permanent and flexible camera surveillance.7
Prior to processing
58 It follows from the above that the chief of police was obliged to carry out an assessment of the effect on the protection of
personal data prior to the intended processing of camera images.
TheAPhasestablishedthatthepoliceandthemunicipalityofRotterdamhavedecidedtojointly
carryoutaGEBoutafterallandthatthemunicipalityofRotterdamandthepolicecompletedthisassessmenton26May2020.However,processingwasalreadystartedon26April2020.Indoingso,thechiefofpolice
failedtocarryoutaGEBoutpriortoprocessingthecameraimagesusingtheMCAs.
Opinionofthechiefofpolice
59 Thechiefofpolicewishedtoemphasizethatatnotimewasthereignoringaspects
regardingcompliancewiththeWpg.Accordingtothechiefofpolice,thisisalsoevidentfromthefactthatthepre-GEBwascarriedout
andwiththeoutcomeofthepre-GEBitwasassumedthatprocessingcouldbestarted.
ResponseAP
60 TheAPhasfoundthatprocessingwasstartedon26April2020,whilethepre-GEBwasonlyestablishedfourteendayslater,namelyon10May2020.Forthatreason,therecanbenospeakofoutcomesthatwerealreadyestablishedinthepre-GEB.Moreover,inthepre-GEB,thepoliceinsufficientlyrecognisedthefactorssetoutinparagraph3.3.2.ofthisdecision,withtheresultthatatthattimeitdecidednottoexecuteaGEB.TheAPthereforeestablishesthatalthoughattentionwaspaidtoaspectsregardingcompliancewiththeWp,sincethepolicedraftedapre-GEB,thatattentionwasinadequate. 3.3.3Conclusion
61 The processing of camera images made with the help of the MCAs involved the processing of
police data with a probable high risk to the rights and freedoms of individuals.
For that reason, the chief of police should have carried out a DPIA prior to the intended processing of those camera images.
1 Decision on the list of processing of personal data for which a data protection impact assessment (DPIA) is
mandatory, Stcrt.2019,64418, points 9 and 10.
Public version 13/18 Date Our reference
17 November 2022 z2021-17798
The processing started on 26 April 2020, while at that time no DPIA had
yet been carried out. Consequently, the chief of police acted in violation of Article 4c, first paragraph, of the Wpg.
4Fine
4.1Introduction
62 The chief of police failed to carry out a GE prior to the intended processing of police data –
namely the production of camera images using two MCAs – while that
processing probably entailed a high risk to the rights and freedoms of individuals.
In doing so, the chief of police violated article 4c, first paragraph, of the Wpg. The AP sees this as a reason to
impose an administrative fine on the chief of police. The AP motivates this in the following.
4.2 Fine policy rules Dutch Data Protection Authority2019
63 Based on article 35c, opening and under c, of the Wpg, read in conjunction with article 23, fourth paragraph,
of the Criminal Code, the AP is authorised, in the event of a violation of article 4c, first paragraph,
of the Wp, not to impose an administrative fine of at most the amount of the fine of the fifth
category, which at the time of the violation established amounts to an administrative fine of
18
at most €87,000.
64 In order to implement the aforementioned fine authority under the Wbp, the AP has established fine policy rules 19
(hereinafter: the Fine Policy Rules). In these Fine Policy Rules, a category classification and
bandwidth system has been chosen. Violation of article 4c of the Wp is classified in category III. Category III
has a fine bandwidth between €30,000 and €83,000 and a basic fine of €56,500. This follows from
article 5, under 5.1 and 5.2 of the Fine Policy Rules.
65 The AP adjusts the amount of the fine based on the factors mentioned in article 7 of the
Fine Policy Rules, by reducing or increasing the basic amount. This involves an assessment of the
seriousness of the violation in the specific case, the extent to which the violation can be
attributed to the offender and, if there is reason to do so, other circumstances.
18
See article I of the Decree of 31 October 2019 amending the amounts of the categories referred to in
article 23, fourth paragraph, of the Criminal Code (Stb2019, no. 399). Fine policy rules of the Dutch Data Protection Authority of 19 February 2019 with regard to determining the amount of administrative fines (Fine policy rules Dutch Data Protection Authority 2019), Stcrt. 2019, 14586, 14 March 2019.
Publicversion 14/18 Date Our reference
17November2022 z2021-17798
4.3 Fine amount
66 AGEBisaprocessintendedtodescribetheprocessingofpersonaldata,assessthenecessityandproportionalityofitandhelpmanageassociatedriskstotherightsandfreedomsofnaturalpersonsbyassessingtheserisksanddeterminingmeasurestoaddressthem.Itisanimportantaccountabilityinstrumentbecauseitnotonlyhelpsacontrollertomeettherequirementsof–inthiscase–theWpg,butalsotodemonstratethatappropriatemeasureshavebeentakentoensurethattheend
Wpglaysdowntheregulationsregardingdataprotectionarecompliedwith.Thepolicehas– contrarytothelegalprovision–onlyduringtheprocessingitwasdecidedtocarryoutaGE,andnotpriortotheintendedprocessing.AndalsoduringtheexecutionofthatGEBbeing
continued.Inviewofthis,theAPdeemstheviolationserioussothattheimpositionofafineisappropriate.
67 Asexplainedabove,violationofArticle4coftheWpintheFinePolicyRulesisclassifiedincategoryIII,withafinerangeofbetweenaminimumof€30,000andamaximumof€83,000andabasicfineof€56,500.
68 TheAPseesnoreasontoreduceorincreasethebasicamountofthefinebasedonthecircumstancesmentionedinArticle7oftheFinePolicyRules.
4.3.1cooperationinAPinvestigation
Opinionofthechiefofthepolice
69 Thechiefofthepolice
requeststheAPtotakeintoaccountintheassessmentthatboththemunicipalityandthepolicehavefullycooperatedwiththeAPinvestigation.
APresponse
70 IthasbeenestablishedthatboththemunicipalityofRotterdamandthepolicehavefullycooperatedwiththeAPinvestigation.However,theAPisoftheconsiderationthatthiscooperationdidnotgobeyondthelegalobligationunderArticle5:20oftheGeneralAdministrativeLaw(hereinafter:Awb).Therearethereforenogroundsforafinereduction.
4.4 Blameworthiness and proportionality
71 From the above it follows that the AP sets the fine at the basic fine of €56,500. Finally, the AP assesses, in accordance with articles 3:4 and 5:46 of the General Administrative Law Act, whether the application of its policy for determining the amount of the fine, given the circumstances of the specific case, does not lead to a disproportionate outcome.
Public version 15/18 Date Our reference
17 November 2022 z2021-17798
4.4.1 Blameworthiness
Opinion of the chief of police
72 The chief of police states, insofar as relevant here, that it must be recognised that a pre-GEB was
carried out from which it was concluded that a GEB was not necessary. In response to questions,
a GEB was subsequently carried out. Insofar as there was therefore no question of guilt or negligence, according to
the chief of police.
Response from the AP
73 Since this concerns an offence, in order to impose an administrative fine, in accordance
with established case law, the AP is not required to demonstrate that there is intent, and the
AP may assume blameworthiness if the perpetrator has been established.
74 As explained above, the chief of police was legally obliged to carry out a GEB prior to processing in the context of the deployment of the MCAs. In the opinion of the AP, the police wrongly failed to recognise that there was a high risk to the rights and freedoms of individuals when carrying out the pre-GEB. This could have been expected of the police. The chief of police – as the controller – is therefore to blame for not having complied with the obligation laid down in Article 4c of the Wpg.
75 It is not disputed that the police (together with the municipality of Rotterdam) drew up a pre-GEB with the
aim of determining whether a GEB must be implemented for the processing of police data in the context of the deployment of the MCAs. However, this pre-GEB was not established until 10 May 2020, i.e. fourteen
days after the start of the deployment of the MCAs and (therefore after the start of) the processing of the
personal data. It was up to the police to wait with the deployment of the MCAs until
at least the moment that the pre-GEB had been established. The fact that the police and
the municipality of Rotterdam were already busy implementing the pre-GEB before 10 May 2020 – as the
the chief of police stated during the hearing –, does not alter this. Furthermore, the police also continued the processing during the preparation of the GEB, whereby the chief of police disregards the significance of a GEB.
4.4.2 Proportionality
20
76 The AP is of the opinion that (the amount of) the total fine amount is not disproportionate in itself.
In this opinion, the AP has taken into account the seriousness of the infringement and the extent to which the chief of police can be held responsible for it. The fine is also in line with the significance and role of a GEB in the processing of
personal data, namely improving data protection in processing that is likely to involve high risks in connection with the rights and freedoms of natural persons.
2 For the reasoning, see also marginal numbers 66 to 75.
Public version 16/18 Date Our reference
17 November 2022 z2021-17798
77 In this specific case, the AP nevertheless takes into account that the deployment of the MCAs took place at the beginning of the
COVID-19 outbreak in the Netherlands, namely in April and May 2020. At that time, there was a
national crisis situation with many uncertainties, in which the authorities were faced with the task
of establishing rapid measures and implementing them immediately to combat the COVID-19 outbreak. In
Rotterdam, where infections increased rapidly, this led, among other things, to the declaration of the
so-called GRIP4 situation. Giventheimpactthatthe(fightingthe)pandemicatthattimehadonmaintainingpublicorderinacitylikeRotterdam,themunicipalityofRotterdamandthepolicewerejointlyregardedasaimtoimmediatelystartactivemonitoringofthemeasuresincludedintheemergencyordinanceand,wherenecessary,todirectenforcementofthem.This
specialcircumstancemakesitexplainablefortheAPthatthechiefofpolicehadlessprecautionintheirrelevantreasonfortheexecutionofa(complete)GEBpriortoprocessingthecameraimages,oratleastthatthechiefofpolicecouldhavefeltforcedtomakeaconsiderationgiventhesecircumstances.
78 Basedonthesecircumstances,theAPseesreasontoreducethefine.Inthiscase,theAPconsidersafineof€50,000appropriate.
4.5Conclusion
79 TheAPsetsthetotalfineamountat€50,000.--.
21
GRIPstandsforCoordinatedRegionalIncidentControlProcedure.GRIPrelatestotheorganisationofdisastercontrolandcrisismanagementbytheemergencyservicesofthesafetyregion.TheGRIPstructurewascreatedtoorganisetheupscalingoftheemergencyservicesinanorderly manner. Therearefiveescalationlevels,withGRIPI
beingthelowestlevelandGRIPVthehighestlevel.
Public version 17/18 Date Our reference
17 November 2022 z2021-17798
5Opinion
TheAPdoesnotimposeanadministrativefineonthechiefofpoliceforviolationofarticle4c,firstparagraph,oftheWp,intheamountof:€50,000.--(inwords:fiftythousandeuros). 22
Yours sincerely,
DutchDataPrivacyAuthority,
w.g.
Mr.A.Wolfsen
chairman
Legalremediesclause
Ifyoudonotagreewiththisdecision,youcansubmitanobjectiontotheDutchDataPrivacyAuthoritywithinsixweeksafterthedateofsendingthedecision. In accordance with
article38 of the GDPR, submitting an objection suspends the effect of the decision
to impose an administrative fine. For submitting a digital objection, see
www.autoriteitpersoonsgegevens.nl, under the heading Objectingtoadecision, at the bottom of the
page under the heading ContactingtheDutchDataPersonalDataAuthority. Theaddressforsubmittingonpaper
is: DutchDataPersonalDataAuthority, postbus93374,2509AJTheHague.
State‘Awb objection’ontheenvelopeandput‘objection’inthetitleofyourletter.
In your objection, please include at least:
- yournameandaddress;
- thedateofyourobjection;
- thereference(casenumber)mentionedinthisletter;orattachacopyofthisdecision;
- thereason(s)whyyoudisagreewiththisdecision;
- yoursignature.
22
TheAPwilloutsourcetheaforementionedclaimtotheCentralJusticeCollectionAgency(CJIB).Thefinemustbepaidwithinsixweeksinaccordancewitharticle4:87,firstparagraph,oftheGeneralAdministrativeLawb.Forinformationand/orinstructionsaboutpayment,pleasecontacttheabovementionedcontactpersonattheAP.
Publicversion 18/18
