News
Private club and GDPR
Guestbook, video surveillance, privacy policy: when a company underestimates the GDPR (way too much).
The Belgian Data Protection Authority (GBA/APD) sanctioned a private club!
Source: 53/2025
Initial context and complaint
• Complaint from a neighbor regarding two surveillance cameras filming the public street without any signage.
• GBA inspectors discovered that the issues went far beyond video surveillance:
→ non-compliant website privacy policy,
→ absence of a processing register,
→ a guestbook containing sensitive data without legal basis.
Key violations
1. Surveillance cameras
• Cameras were properly registered, but:
o No mandatory signage.
o Processing purpose not clearly defined (Article 8 of the Camera Act).
• Cameras were later disabled and disconnected → no further action on this point.
2. No processing register (Article 30 GDPR)
• No processing register was maintained (only for image recordings).
• Wrong justification: the data controller claimed no personal data was being processed!
He failed to realize that the guestbook entries (first names, initials, nicknames, cities, comments) were personal data.
3. Incomplete privacy policy (Article 13 GDPR)
• Initially:
o No identification of the data controller.
o No mention of legal basis, retention period, or data subject rights.
o Ambiguous legal language.
• Partial update, but still no explicit mention of the legal basis → continued non-compliance.
4. Guestbook on the website
• No legal basis for data collection (Articles 6 and 9 GDPR).
• No sufficient anonymization or moderation safeguards.
• The controller was unable to demonstrate compliance (Article 5.2 GDPR).
Article 5.2 clearly states that the controller must demonstrate compliance with Article 5.1, particularly the lawfulness of processing.
Measures and sanction
Corrective measures imposed:
• Clarify the legal basis for processing (Articles 6.1 and 9.2 GDPR).
• Make the legal basis visible and understandable to users (Article 13 GDPR).
• Maintain an up-to-date processing register accessible during inspections (Article 30 GDPR).
Sanction:
• Formal warning (no fine), justified by:
o Voluntary improvements made by the controller,
o Good faith efforts to minimize data,
o And the time elapsed (4 years of proceedings).
Key takeaways
• Even private clubs must comply with transparency and security obligations.
• Online guestbook entries may contain sensitive data: their collection requires a legal basis and a clear privacy policy.
• A vague or incomplete privacy policy is enough to be non-compliant.
What about you?
Have you set up a guestbook, contact form, or do you collect sensitive data?
Time to review your data processing and compliance documentation!