Each week in July and August, our focus will be on a different topic that has been scrutinized by the Belgian Data Protection Authority. With a few simple tips, your summer cocktail of data protection news will be complete.
This week’s topic: Processing of photographs and (surveillance) video’s
In several decisions in cases initiated upon complaints of data subjects, the Litigation Chamber of the Belgian Data Protection Authority (“DPA”) has shed some light on GDPR compliance when processing photographs and/or video’s. The majority of the decisions relates to the (un)lawful use of video surveillance camera’s (CCTV), which are also governed by the Belgian Camera Act of 2007 (as updated to ensure alignment with the GDPR).
Below, we have summarised the main takeaways in relation to this topic.
1. Processing of photographs
- Use of a Facebook profile picture requires a proper legal basis (art. 6 GDPR) to be available, even if the photograph is publicly accessible, without restrictions. GDPR also applies to publicly available information.
- Information made publicly available on social media / Internet does not fall within “purely personal or household activity”.
- Balance of legitimate interests (art. 6.1.f GDPR) can be an appropriate legal basis under the GDPR (but quid image rights legislation?) for the processing of photographs. Data minimization can be achieved by cropping the photo and removing image of persons other than the data subject who needs to be identified.
- Balance of legitimate interests less likely to be achieved when photo’s of children are involved.
2. Processing of video’s / CCTV
- DPA reiterated the importance of correctly designating the data controller for the operation of any CCTV system (e.g. the Association of Co-Owners in case of CCTV for an entire apartment building).
- Balance of legitimate interests (art. 6.1.f GDPR) can be an appropriate legal basis for CCTV, if balance is in practice indeed respected. Consent is often less appropriate (e.g. not valid if acceptance of CCTV is mandatory element of apartment purchase agreement).
- CCTV implemented in full compliance with Camera Act of 2007 (notification to the police, use of mandatory pictogram, 30 days retention period, internal record, etc.) does not preclude the DPA from establishing an infringement of the GDPR (both types of legislation must be simultaneously applied and cumulatively complied with).
- Internal data processing record (art. 30 GDPR) may include section/tab with specific CCTV processing record (as required by the Camera Act of 2007), or alternatively, two separate records can be kept.
As the processing of personal data included in photographs and camera images has been identified as a key social issue and enforcement priority in the DPA’s Strategic Plan for 2020-2025, this topic certainly warrants prioritisation in any compliance programme. Reach out to us if you wish to receive more detailed guidance.