The Act of 31 March 2007 governing the installation and use of surveillance cameras (hereinafter the "Video Surveillance Act") has been revised due to the entry into force of the General Data Protection Regulation (hereinafter the "GDPR") on 25 May of this year.
This newsflash focuses on (1) the obligation to register the use of surveillance cameras, (2) the obligation to keep a record of processing activities, and (3) new notification requirements.
It should be noted that the Video Surveillance Act is applicable to video surveillance of an enclosed area regardless of whether the area is accessible to the public, if the cameras are installed for the sole purpose of preventing, identifying or detecting crimes against persons and property or a nuisance.
The Video Surveillance Act does not apply if:
- the installation and use of the surveillance cameras are governed by other specific legislation;
- the cameras are installed for the sole purpose of guaranteeing health and safety in the workplace, protecting the employer’s property, or monitoring the production process or the performance of employees; or
- the installation and use of surveillance cameras by public inspection or audit services is expressly permitted by law.
If the cameras are installed and used for multiple purposes, including any of those mentioned above, both the Video Surveillance Act and the other specific legislation will apply. In the event of an inconsistency, however, the Video Surveillance Act will prevail.
1. Obligation to register the use of surveillance cameras
With the entry into force of the GDPR, the obligation to notify the data protection authority of video surveillance and the existence of a public register has been abolished. It is now sufficient to notify the police authorities. This registration should be done no later than the day preceding that on which the cameras are put in use. The police should also be informed of any changes to the installation and use of the surveillance cameras.
To this end, a new online electronic registration system has been developed (www.aangiftecamera.be).
The registration must include certain items of information, including the identity of the data controller and the declarant, the type of area to be placed under surveillance (accessible or not accessible to the public), the type of camera (fixed or mobile, temporary or permanent) and the exact location of the cameras. The declarant can consult, adapt and delete this information at any time. On an annual basis, the declarant must verify the accuracy of the registration, validate it and, if necessary, adapt it. If the declarant fails to validate the registration annually, the registration can be deleted or declared invalid.
Persons that registered video surveillance prior to revision of the Video Surveillance Act have until 25 May 2020 to comply with the new registration requirements.
2. Obligation to keep a record of processing activities
The GDPR imposes an obligation to keep a record of processing activities, including the use of surveillance cameras. In addition to the information required by the GDPR, in the case of video surveillance the record must contain the following information:
- the legal basis for the processing;
- an indication of the type of place under surveillance;
- a technical description of the surveillance cameras as well as, for fixed cameras, their location, where applicable indicated on a map;
- for temporary or mobile surveillance cameras, a description of the areas under surveillance and the time periods during which the cameras are in operation;
- the means of providing information about the processing;
- the place where the images are processed; and
- whether viewing in real time is organised or not and, where applicable, the manner in which it is organised.
For video surveillance of an open (public) space or when surveillance cameras are directed at the perimeter of closed premises, in accordance with Article 8(2) of the Video Surveillance Act, the record shall also contain, where applicable, a positive opinion from the competent municipal council.
The data controller must keep the record as long as images are processed and verify the accuracy of the information contained therein on a regular basis.
3. New notification requirements
As already was the case prior to the revision of the Video Surveillance Act, the pictogram indicating video surveillance must meet certain requirements in terms of its size, shape and colour. However, the GDPR introduced a number of new notification requirements as well.
With the entry into force of the GDPR, the pictogram must mention the contact details of data protection officer, if any, and where applicable reference should be made to the data controller's website where more information about the video surveillance can be found. Thus, if the data controller has a website, it must post a notice on its site concerning the video surveillance.
Pictograms indicating video surveillance prior to the Royal Decree of 28 May 2018 must be brought into line with the new notification requirements before 11 December 2018.
Legislation
Video Surveillance Act of 31 March 2007
Royal Decree of 10 February 2008 on the notification of video surveillance
Royal Decree of 8 May 2018 on the registration of the installation and use of surveillance cameras and the record of video surveillance processing activities