New obligations for the protection of personal data: an overview of developments in the last quarter

Spotlight
15 June 2018

The General Data Protection Regulation ("GDPR") finally came into force on 25 May 2018, but that is not the only new development with an impact on the processing of personal data. Here is a selection of some other developments that have occurred during the last quarter.


Changes to legislation on surveillance cameras: new notification requirements, new mandatory record of image processing activities, and new details to be added to pictograms

Along with GDPR, the new act on surveillance cameras came into force on 25 May 2018. The Act of 21 March 2018 and its implementing decrees of 8 May 2018 and 28 May 2018 reform the existing act on surveillance cameras of 21 March 2007 (all documents in French). This new act stipulates, among other things, that the controller must keep a record of image processing activities and that, from now on, the installation of a surveillance camera must be declared in a register maintained by the police authorities (and no longer a register maintained by the data protection authority). In addition, a number of new details must be added to the pictogram indicating that camera surveillance is taking place.

What do you need to do? 

  • First of all, you will have to keep a record of image processing activities. This record must contain the following information in addition to the information which is mandatory for a record of processing activities (on the basis of Article 30 GDPR):
    • the legal basis for the processing; 
    • an indication of the type of location of surveillance cameras; 
    • a technical description of the surveillance cameras and, in the case of fixed surveillance cameras, their location, where appropriate indicated on a plan; 
    • in the case of temporary or mobile surveillance cameras, a description of the zones monitored by these surveillance cameras and the periods of use; 
    • information with regard to the method of processing;
    • the location where the images are processed; and
    • whether or not viewing is organised in real time, and, where appropriate, the way in which it is organised. 
  • You will also need to replace your existing notifications to the data protection authority and file new notifications with the central e-counter via the website www.declarationcamera.be. In order to allow regularisation of existing notifications, there is a grace period of two years until 25 May 2020.
  • Finally, you will also have to adapt the pictograms which inform people that camera surveillance is taking place. In addition to the details that were already required, from now on you will also have to include your telephone number and, where appropriate, the details of the data protection officer and the website where data subjects can consult all information about the processing activities (e.g. via a privacy policy). You have until 11 December 2018 to add the missing information to your pictograms. 

The Privacy Commission is now the Data Protection Authority: new contact details and website

In one of our previous contributions, we already reported on the new Data Protection Authority ("DPA"). Now that the Act of 3 December 2017 (in French) has actually entered into force, the Privacy Commission has been replaced by the new DPA with effect from 25 May 2018. The DPA is accessible via a new website and the contact details have also been changed (contact@apd-gba.be). So be sure to check whether your information documents need to be updated in this respect.

Portal for registration of data protection officers: notify the contact details of your data protection officer to the Data Protection Authority

On the new website of the DPA you will also find an e-form portal (in French), where you can notify the contact details of your data protection officer using the data protection officer reporting form (in French).


The Article 29 Working Party ("WP 29") is now the European Data Protection Board ("EDPB")

It was not only the Belgian Privacy Commission that was significantly reformed. The Article 29 Working Party, an independent European body composed of representatives of the national data protection authorities, has also undergone major change and has become the European Data Protection Board ("EDPB"). From now on, the EDPB will contribute to the consistent application of GDPR throughout all EU member states. As was the case for its predecessor, the EDPB will regularly publish guidelines and working documents explaining the application of GDPR. During its first plenary meeting of 25 May 2018, the EDPB already took a number of steps, including:

  • endorsement of the GDPR-related WP 29 Guidelines; 
  • adoption of a draft version of the Guidelines on certification; and 
  • calling for swift adoption of the new ePrivacy Regulation. 


Administrators of Facebook fan pages are (jointly) responsible with Facebook for the processing of data of visitors to the page

Administrators of Facebook fan pages are jointly responsible with Facebook for the processing of personal data. This was established by the European Court of Justice in a remarkable judgment dated 5 June 2018. According to the Court, this is the case because administrators contribute to the determination of the purposes and means of processing of the personal data of visitors to the fan page (i.e. compiling statistics) by defining the parameters thereof, even if administrators only receive anonymous data. As a result of this judgment, administrators of a fan page have an obligation to inform their visitors about what happens to their data when they visit the fan page.

More legislation expected

On 11 June 2018, a draft act (in French and Dutch) on the protection of natural persons in relation to the processing of personal data was submitted to the Chamber of Representatives. The draft act, which further implements certain aspects of GDPR, is currently being examined by the Chamber of Representatives. The (former) Privacy Commission issued an unfavourable opinion with regard to an earlier draft of the text (in French). The extent to which the final act will take into account the observations of the Privacy Commission, and the date when the new act will actually take effect, are not yet known.

GDPR after 25 May 2018: the work continues 

Although companies have made considerable efforts in their final sprint towards the entry into force of GDPR, this should not be seen as an end but rather as a beginning. Going forward, companies will need to ensure that they handle personal data carefully, taking into account the constantly evolving case law of the Court of Justice and the approach that the new (European) authorities will take in interpreting and applying the legislation.