CCTV operator fined for illegally installing cameras Summary Decision of the Belgian DPA An individual filed a complaint to the Belgian Data A fine of 50,000 EUR was imposed on the operator for Protection Authority (DPA) regarding the installation processing personal data without a valid legal basis of surveillance cameras in an apartment building by (GDPR, Article 6(1)). one of the owners. The complaint was filed against Mr. Z, the delegated manager of the company overseeing Our remarks the apartment building. Mr. Z was also responsible for • The case highlights the complexities of data privacy determining the placement and usage of the cameras and protection in the context of shared living during the initial construction and development phase spaces. In these circumstances, understanding of the apartment complex. the roles of various parties connected to the The complaint was not concerned with the use of administration of a living complex is crucial. The cameras but rather the fact that only Mr. Z had access identity and responsibilities of the data controller to the recorded camera footage. As a homeowner must be clearly defined. This is essential in order association was being established for the apartment for the rights of individuals under the GDPR to be complex, arguments were made that the role of data respected, for example in relation to the processing controller should belong to this association rather of personal data through the installment and than Mr. Z. Additionally, it was disputed whether Mr. Z monitoring of video surveillance systems. had carried out the surveillance activities in a lawful manner, particularly whether a legal basis could be identified. Mr. Z contended that the installation of surveillance cameras was in the best interest of the homeowners, claiming that their consent had been obtained through the signing of the purchase contracts which incorporated clauses related to security and home safety regulations. Despite Mr. Z’s claim that neglecting to provide such surveillance cameras would constitute a breach of his contractual obligations, the DPA determined that the necessary consent was not actually given, making the data processing unlawful. Published: 09-07-2020 Journal number: DOS-2019-02649 Tags: 01 Legal basis and principles of processing 89
Complycloud EU GDPR Report Page 88 Page 90