The transition period for notifying your surveillance closed-circuit television cameras (“CCTV cameras”) to the Belgian police ends on 25 May 2020. Meanwhile, the European Data Protection Board (“EDPB”) has published its final guidelines on processing personal data (including facial images) through video devices. This is the perfect time to review your compliance obligations.
The Law on the installation and use of surveillance closed-circuit television cameras (“CCTV cameras”) was modified and modernised in 2018. This revised Belgian Surveillance Camera Act (“Act”) entered into force on 25 May 2018, at the same time as the General Data Protection Regulation (“GDPR”). The transition period for notifying your CCTV cameras to the Belgian police expires on 25 May 2020. There could be sanctions for non-compliance with the Act and the GDPR.
Does the Act apply to all CCTV cameras?
Yes and no. The Act applies only to cameras installed and used for the purpose of control and surveillance of premises, in particular cameras for preventing, proving or identifying offences/anti-social behaviour against persons or property; for instance, CCTV cameras installed by a store manager to monitor store shelves; or CCTV cameras installed by a company to prevent theft or damage.
The Act does not apply to workplace CCTV cameras that are used for health and safety purposes to protect the company’s property, control the production process or supervise employees. Such CCTV cameras are regulated by the Collective Bargaining Agreement No. 68 (“CBA No. 68”). If the CCTV cameras fall within the scope of both the Act and the CBA No. 68 (e.g. employees and third parties), the two regulations will apply simultaneously, with the Act taking precedence in the event of a conflict between the two. Finally, the Act does not apply to CCTV cameras regulated by specific legislation (e.g. the Law on safety at football matches).
Who must notify, when, and how?
Companies installing CCTV cameras must notify the Belgian police via an online platform at www.declarationcamera.be (in French)/www.aangiftecamera.be (in Dutch). Access to this platform requires an identity check using an electronic identity card, a citizen token or a unique security code via a mobile application.
CCTV cameras must be notified to the Belgian police no later than the day before the cameras are put into service. CCTV cameras that were already notified under the previous regime to the Commission de la Protection de la vie privée/Privacycommissie must be notified under the new regime by 25 May 2020. The notification must be validated annually and updated if necessary.
Do controllers have to notify fake cameras?
No. The Act and the GDPR do not apply to fake cameras (i.e. cameras that do not function as a camera and thereby do not process any personal data).
Do companies have other obligations?
Yes. Companies using CCTV cameras must also comply with the GDPR, also detailed in the EDPB 3/2019 guidelines on processing of personal data through video devices. Such obligations include:
- Legal basis under GDPR: Companies must determine a legal basis for processing personal data via CCTV cameras. For special category data (see below), companies must identify both an exception for such data (such as consent; in Article 9 GDPR) and a legal basis (in Article 6 GDPR). The purposes for using CCTV cameras should be documented in writing and specified for every camera in use.
- Proportionality: CCTV cameras should only monitor areas that are useful for the intended purpose(s). Companies should therefore avoid monitoring irrelevant areas, taking into account people’s reasonable expectations (e.g. avoid monitoring toilets, changing rooms and fitness facilities). The camera footage should only be made available to authorised individuals (e.g. security staff, lawyers, CCTV providers and police authorities).
- Security measures: Companies must adequately protect all CCTV systems and the data collected by implementing both organisational and technical security measures.
- Data protection impact assessment: This is particularly necessary if the CCTV cameras perform systematic monitoring (i.e. observing or monitoring individuals) and process personal data on a large scale (i.e. based on the number of individuals or the geographical area that is monitored, or whether the cameras operate on a 24/7 basis).
Are there specific considerations when processing special categories of data (e.g. biometric data, people’s facial images)?
Yes, but only if the video footage is processed to deduce special category data or to contribute to the unique identification of an individual (i.e. facial recognition technology).
It is important to remember that such processing is in principle illegal, unless the processing falls within an exception under the GDPR. Otherwise, companies cannot process biometric data.
If one of the GDPR exceptions applies, companies should take additional steps to minimise the risks, such as:
- building data protection and privacy safeguards into both the design specifications of the technology and organisational practices;
- offering an alternative solution that does not involve biometric processing (e.g. a separate entrance to a building, concert hall, etc.);
- implementing measures to preserve the availability, integrity and confidentiality of the data processed; and
- implementing data retention limitation measures.
Finally, according to the Belgian Data Protection Authority’s strategic plan 2020–2025, the Authority intends to focus on privacy compliance for cameras and applications using biometric data. Better safe than sorry.
For more information, please contact your usual CMS advisor or local CMS experts: Thomas Dubuisson or Tom De Cordier.