In line with its 2020 priorities (see the previous article ‘Two years of the GDPR’), the Belgian Data Protection Authority (APD/GBA) recently published Decision 16/2020 (Decision) clarifying the regulatory requirements for the use of surveillance cameras (CCTV) and the keeping of compliant records.
Plaintiff (“P”) complained that his image was captured without his consent while walking on the pavement outside the defendant’s shop in violation of the applicable law. P stated that he could see his image displayed on a screen at the rear of the shop. He assumed the images had been recorded. The APD/GBA Litigation Chamber formally reprimanded the defendant (D) for D’s failure to declare the use of CCTV as well as failure to establish a Register of its personal data processing activities. It also required D to establish a record of all processing activities within 3 months.
Rules on the installation and use of CCTV
Article 6 § 2 of the “Camera Law” (Law of 21 March 2007 on the installation and use of surveillance cameras, as amended and updated) requires a data controller who intends to install surveillance cameras in an “enclosed place accessible to the public”, such as a shop or supermarket, to notify the APD/GBA and police authorities using the mandatory electronic form before the surveillance cameras are put into operation. The controller must also display signs showing that CCTV is in use.
Register of CCTV image processing
A Royal Decree of 8 May 2018 (Royal Decree) defines the record of the image processing activities that must be kept. In addition to the data controller’s record of personal data processing (required by article 30(1) General Data Protection Regulation (GDPR) – see below) the image processing register must include information such as:
- The legal basis for the processing;
- What type of premises are concerned;
- A technical description of the surveillance cameras and, in the case of fixed cameras, a plan of the premises showing where they are installed;
- Whether or not viewing in real-time is organized and, if so, how it is organized.
The image processing register must be made available to the APD/GBA or to the police on request.
Record of personal data processing under GDPR
According to article 30(1) GDPR, any controller of personal data must keep a record of data processing activities carried out under his/her responsibility including, amongst other things:
- Name and contact details of the controller and the purpose(s) of the processing;
- Description of the categories of data subjects and the categories of personal data processed.
The article 30 GDPR register of processing activities is a living document which needs to evolve as the data controller’s activities change. It must be kept up to date.
Clarifications and confirmations made by the APD/GBA Decision
The APD/GBA Decision clarifies that it is not necessary to maintain two separate registers. A single Register can be kept, provided that it contains all the mandatory entries – including those specifically required by the Royal Decree for surveillance cameras.
The Decision also confirms that keeping an article 30(1) GDPR register will be mandatory for most small and medium-sized businesses. The four exceptions for enterprises with fewer than 250 employees set out in article 30(5) GDPR will be considered separately and interpreted narrowly.
In particular, the exception for ‘occasional’ processing of personal data is unlikely to apply in the majority of cases, because data processing related to customer management, personnel management (human resources) or supplier management is routine (in practice often monthly) and therefore not occasional.
Disclaimer: This general memorandum may not deal with every important topic or cover all important aspects of the subject matter. It is not intended, and should not be used, as a substitute for seeking appropriate legal advice on specific questions. FLINN stands ready to provide any further information that you may require.