In this decision, the Belgian Data Protection Authority assesses processing carried out by an autonomous agency active in the tourism sector, which has placed smart cameras to count passers-by at specific places in order to limit gatherings during the Covid-19 epidemic.
Here the Authority examines in particular whether this processing is justified by a sufficient and adequate legal basis and whether the principles of data protection by design and by default are respected. The authority also examines whether sufficiently transparent information concerning this processing is provided to the data subjects.
1 / The defendant is an autonomous agency created by the province of West Flanders which is active in the tourism sector.
2 / This entity has decided to place smart cameras in order to provide a count of passers-by at specific locations (on the dike) as part of the measures taken to combat the Covid-19 epidemic.
3 / To achieve this goal, the defendant launched a public contract on behalf of the coastal municipalities, which was awarded on June 9, 2020 to company X, which acts as a subcontractor (in terms of personal data protection).
4 / An investigation has been opened by the Data Protection Authority because there are serious risks that the use of smart cameras by the defendant could give rise to a violation of the fundamental principles of the protection of personal data.
The inspection service concludes as follows:
1) The inspectorate finds a violation by the defendant of the principles of legality, proportionality and transparency as well as of the principle of data minimization. The Inspectorate first declares that the responding party does not adequately demonstrate that the data subjects are correctly (and transparently) informed about the processing and that it is not sufficiently demonstrated by the responding party that the processing is proportional, relevant and adequate.
2) The inspection service also finds a violation of article 6.1 GDPR and is of the opinion that the defendant does not demonstrate why it is necessary for the performance of its public interest mission to process personal data via smart cameras.
3) The inspection service determines that the information provided by the defendant through its privacy statement published on the site www.westtoer.be/nl/data treatment is not complete, correct and transparent.
4) The Inspectorate determines that the impact assessment carried out by the defending party does not comply with the requirements of the GDPR and that the data protection officer has not been sufficiently involved in this process.
5) The Inspectorate also makes a number of additional observations, outside the scope of serious violations, in particular:
- the register of the processing activities of the defendant is not complete.
- the data protection officer is not employed full time and does not report directly to the highest official of the defendant.
- What requirements must be met (by the controller) regarding the lawfulness of the processing of personal data via a smart camera system within the meaning of Article 6 of the GDPR?
- Does an intelligent camera system that involves a passer-by counting system, and in which passers-by are blurred after one second before data transfer, respect the principles of data protection by default and by design (Article 25 of the GDPR)?
- What obligations must a data controller fulfill (in this context) in terms of transparency and information to data subjects?
Findings of the Litigation Chamber:
1) The legal basis is sufficient for the intended processing.
A full review of the legal basis is not carried out by the Litigation Chamber which concludes that the defendant plausibly argues that the processing is necessary for the performance of a task of public interest.
The Litigation Chamber specifies that it is mainly the task of the authorities at whose request the processing is carried out - in this case, the province of West Flanders and the coastal municipalities concerned - to ensure that a legal basis in force meets the requirements of article 6.3 of the GDPR.
On the other hand, the Litigation Chamber recalls that it is the responsibility of the controller, here the defendant, to verify to what extent an adequate legal basis is provided to justify the processing. In this decision, the Litigation Chamber limits itself to these general considerations regarding the legal basis for processing.
2) The processing is proportional and necessary to fulfill the purpose
The defendant proves that the processing meets the principles of necessity and proportionality with regard to its implementation and its purpose, in that the defendant succeeds in demonstrating the absence of a less intrusive alternative system which would achieve the same goals.
3) Data protection by default and by design:
The Litigation Chamber concludes that the defendant built data protection by default and by design into the processing operations at an early stage, in particular through the inclusion of appropriate technical and organizational measures from the launch of the public contract.
In practice, the defendant (via the subcontractor who won the public contract) has opted for an autonomous system, not connected to a network, in which the processing of personal data by means of video equipment is reduced to a minimum and no other personal data is processed.
4) Transparency of processing:
5) Other remarks:
The Litigation Chamber considers that the way in which the defendant justifies the processing of personal data on its website is not sufficient and that the data protection officer does not report to the highest level of management.
The Data Protection Authority:
- notes that the smart camera system implemented by the defendant does not violate Article 5.1 a), b) and c) and complies with Article 25 of the GDPR;
- orders the defending party to complete the information it provides on its processing in its privacy statement in accordance with Articles 12 and 13 of the GDPR, in particular with regard to the additional information requested from the data subject in the context of a request on the basis of Articles 15 to 21 of the GDPR.
- orders the defendant to align its register of processing activities with the requirements of Article 30 of the GDPR and in particular to specify to which third countries the transfer of personal data takes place within one month after notification of this decision.
- issues a reprimand against the defendant for violation of articles 6.1 a), 7.1, 7.3 (validity of consent at the level of cookies) and 38.3 of the GDPR (the data protection officer must give his opinions directly to the highest level of management of the controller).
If you have questions relating to this subject, do not hesitate to contact me by email at the address indicated in the “contact” section.