
  CMS Belgium | The Wire - Your Technology, Media & Communications Update | 14 May 2020  
  Deadline approaching for notifying CCTV cameras to Belgian police

The transition period for notifying your surveillance closed-circuit television cameras (“CCTV cameras”) to the Belgian police ends on 25 May 2020. Meanwhile, the European Data Protection Board (“EDPB”) has published its final guidelines on processing personal data (including facial images) through video devices. This is the perfect time to review your compliance obligations.

The Law on the installation and use of surveillance closed-circuit television cameras (“CCTV cameras”) was modified and modernised in 2018. This revised Belgian Surveillance Camera Act (“Act”) entered into force on 25 May 2018, at the same time as the General Data Protection Regulation (“GDPR”). The transition period for notifying your CCTV cameras to the Belgian police expires on 25 May 2020. There could be sanctions for non-compliance with the Act and the GDPR.

Does the Act apply to all CCTV cameras?

Yes and no. The Act applies only to cameras installed and used for the purpose of control and surveillance of premises, in particular cameras for preventing, proving or identifying offences/anti-social behaviour against persons or property; for instance, CCTV cameras installed by a store manager to monitor store shelves; or CCTV cameras installed by a company to prevent theft or damage.

The Act does not apply to workplace CCTV cameras that are used for health and safety purposes, to protect the company’s property, to control the production process or to supervise employees. Such CCTV cameras are regulated by the Collective Bargaining Agreement No. 68 (“CBA No. 68”). If the CCTV cameras fall within the scope of both the Act and the CBA No. 68 (e.g. cameras that film both employees and third parties), the two regulations will apply simultaneously, with the Act taking precedence in the event of a conflict between the two. Finally, the Act does not apply to CCTV cameras regulated by specific legislation (e.g. the Law on safety at football matches).

Who must notify, when, and how?

Companies installing CCTV cameras must notify the Belgian police via an online platform at (in French)/ (in Dutch). Access to this platform requires an identity check using an electronic identity card, a citizen token or a unique security code via a mobile application.

CCTV cameras must be notified to the Belgian police no later than the day before the cameras are put into service. CCTV cameras that were already notified under the previous regime to the Commission de la Protection de la vie privée/Privacycommissie must be notified under the new regime by 25 May 2020. The notification must be validated annually and updated if necessary.

Do controllers have to notify fake cameras?

No. The Act and the GDPR do not apply to fake cameras (i.e. cameras that do not function as a camera and thereby do not process any personal data).

Do companies have other obligations?

Yes. Companies using CCTV cameras must also comply with the GDPR, as further detailed in the EDPB Guidelines 3/2019 on processing of personal data through video devices. Such obligations include:

  • Transparency: In addition to providing pictograms (a warning symbol), companies must also provide a (separate) privacy policy setting out all relevant information regarding their CCTV cameras.
  • Legal basis under GDPR: Companies must determine a legal basis for processing personal data via CCTV cameras. For special category data (see below), companies must identify both an exception for such data (such as consent, in Article 9 GDPR) and a legal basis (in Article 6 GDPR). The purposes for using CCTV cameras should be documented in writing and specified for every camera in use.
  • Proportionality: CCTV cameras should only monitor areas that are useful for the intended purpose(s). Companies should therefore avoid monitoring irrelevant areas, taking into account people’s reasonable expectations (e.g. avoid monitoring toilets, changing rooms and fitness facilities). The camera footage should only be made available to authorised individuals (e.g. security staff, lawyers, CCTV providers and police authorities).
  • Security measures: Companies must adequately protect all CCTV systems and the data collected by implementing both organisational and technical security measures.
  • Data protection impact assessment: This is particularly necessary if the CCTV cameras perform systematic monitoring (i.e. observing or monitoring individuals) and process personal data on a large scale (i.e. based on the number of individuals or the geographical area that is monitored, or whether the cameras operate on a 24/7 basis).

Are there specific considerations when processing special categories of data (e.g. biometric data, people’s facial images)?

Yes, but only if the video footage is processed to deduce special category data or to contribute to the unique identification of an individual (i.e. facial recognition technology).

It is important to remember that such processing is in principle illegal, unless the processing falls within an exception under the GDPR. Otherwise, companies cannot process biometric data.

If one of the GDPR exceptions applies, companies should take additional steps to minimise the risks, such as:
  • building data protection and privacy safeguards into both the design specifications of the technology and organisational practices;
  • offering an alternative solution that does not involve biometric processing (e.g. a separate entrance to a building, concert hall, etc.);
  • implementing measures to preserve the availability, integrity and confidentiality of the data processed; and
  • implementing data retention limitation measures.

Finally, according to the Belgian Data Protection Authority’s strategic plan 2020–2025, the Authority intends to focus on privacy compliance for cameras and applications using biometric data. Better safe than sorry.

For more information, please contact your usual CMS advisor, or local Tier 1 Chambers and Legal 500 experts: Thomas Dubuisson or Tom De Cordier.
