🧠 Private club and GDPR

Biometrics & Video Surveillance, Tools & Documentation, Legal basis | 30/03/2025

🔍 Guestbook, video surveillance, privacy policy: when a company underestimates the GDPR (way too much).

📌 The Belgian Data Protection Authority (GBA/APD) sanctioned a private club!

Source: 53/2025

🕵️ Initial context and complaint

Complaint from a neighbor regarding two surveillance cameras filming the public street without any signage.
GBA inspectors discovered that the issues went far beyond video surveillance:
→ non-compliant website privacy policy,
→ absence of a processing register,
→ a guestbook containing sensitive data without legal basis.

⚖️ Key violations

🎥 1. Surveillance cameras

• Cameras were properly registered, but:
  o No mandatory signage.
  o Processing purpose not clearly defined (Article 8 of the Camera Act).
Cameras were later disabled and disconnected → no further action on this point.

📄 2. No processing register (Article 30 GDPR)

• No processing register was maintained (one existed only for image recordings).
• Wrong justification: the data controller claimed no personal data was being processed!
The controller failed to realize that the guestbook entries (first names, initials, nicknames, cities, comments) were personal data.

🌐 3. Incomplete privacy policy (Article 13 GDPR)

• Initially:
  o No identification of the data controller.
  o No mention of legal basis, retention period, or data subject rights.
  o Ambiguous legal language.
Partial update, but still no explicit mention of the legal basis → continued non-compliance.

📘 4. Guestbook on the website

No legal basis for data collection (Articles 6 and 9 GDPR).
Insufficient anonymization and moderation safeguards.
⚠️ The controller was unable to demonstrate compliance (Article 5.2 GDPR).
Article 5.2 clearly states that the controller must demonstrate compliance with Article 5.1, particularly the lawfulness of processing.

🛠️ Measures and sanction

Corrective measures imposed:
• Clarify the legal basis for processing (Articles 6.1 and 9.2 GDPR).
• Make the legal basis visible and understandable to users (Article 13 GDPR).
• Maintain an up-to-date processing register accessible during inspections (Article 30 GDPR).

⚠️ Sanction:
📌 Formal warning (no fine), justified by:
  o Voluntary improvements made by the controller,
  o Good-faith efforts to minimize data,
  o And the time elapsed (4 years of proceedings).

💡 Key takeaways

• Even private clubs must comply with transparency and security obligations.
• Online guestbook entries may contain sensitive data: their collection requires a legal basis and a clear privacy policy.
• A vague or incomplete privacy policy is enough to be non-compliant.

🔍 What about you?

🧠 Have you set up a guestbook or contact form, or do you collect sensitive data?
➡️ Time to review your data processing and compliance documentation!
