Category: Belgium

Belgian DPA releases Guidance and FAQs on Cookies and Trackers

23. April 2020

On Thursday, April 9th 2020, the Belgian Data Protection Authority (Belgian DPA) has issued a guidance along with frequently asked question on the subject of cookies and other tracking technologies.

The key points presented by the guidance revolve around the definitions of cookies, what needs to be presented in a cookie policy, how the consent of data subjects needs to be obtained and which requirements it needs to fulfill, as well as the storage period of a cookie on a user’s device.

The Belgian DPA made it clear that of the utmost importance is the transparency of the cookie usage. That entails that the users need to be informed about the scope of each individual cookie used. This should be done through a cookie policy on the website. The cookie policy needs to be written in a language the targeted users of the website can understand, as well as be easily accessible, e.g. through a hyperlink.

Specifically, these cookie policies need to include and inform about:

  • identification of the cookies used;
  • their purposes and duration;
  • whether third-parties have access to such cookies;
  • information about how to delete cookies;
  • the legal basis relied upon for the use of cookies;
  • information about individuals’ data protection rights and the ability to lodge a complaint to the competent data protection authority;
  • information about any automated decision making, including profiling.

In order to be able to use cookies, the consent of the user needs to be obtained. The Belgian DPA stated in their guidance that the consent has to be obtained for the use of all non-essential cookies, which means all cookies that are not necessary for a user requested function of the website. A necessary cookie would be, for example, the cookie to remember the item in a user’s cart, or cookies that enable booking communication with a user.

The consent especially needs to be:

  • obtained for the use of all non-essential cookies, as well as all social media plugins;
  • informed, specifically, prior to giving their consent to the use of cookies, users must be provided with information regarding the use of cookies: The information that needs to be given to the data subjects are the entity responsible for the use of cookies, the cookies’ purposes,  the data collected through the use of cookies, and their expiration. Users must also be informed about their rights with respect to cookies, including the right to withdraw their consent;
  • granulated, whereas in a first instance, users need to decide between what types of cookies they want to give consent to, and in a second instance, users can decide exactly which cookies they want to give consent to;
  • unambiguous and provided through a clear affirmative action.

Further, it is also important to keep in mind that the Belgian DPA has confirmed that cookie walls are unlawful, and that companies must show proof of obtained consent through keeping logs.

The Belgian DPA has also given guidance on the lifespan of cookies. Cookies should not have unlimited lifespans, but rather follow basic data protection rules: once a cookie is no longer necessary for the purpose or it has fulfilled its determined purpose, it needs to be removed. If the cookie cannot be deleted from the controller’s side, it is important to give the users the information on how to do it themselves.

Overall, the Belgian DPA’s guidance has given controllers a clear way to maneuvering their cookie usage, and has provided a new list of FAQs in case of further questions. In this regard, the Belgian DPA has made sure that cookies and their use are easy to comprehend and handle, hopefully helping data protection compliance within the subject.

Belgian DPA releases Direct Marketing Recommendation

4. March 2020

On February 10, 2020, Belgium’s Data Protection Authority (the Belgian DPA) has released their first recommendation of 2020 in relation to data processing activities for direct marketing purposes.

In the recommendation the Belgian DPA addressed issues and action proposals in regards to the handling of direct marketing and the personal data which is used in the process. It emphasized the importance of direct marketing subjects in the upcoming years, and stated that the DPA will have a special priority in regards to issues on the matter.

In particular, the recommendation elaborates on the following points, in order to help controllers navigate through the different processes:

  • The processing purposes must be specific and detailed. A simple mention of “marketing purposes” is not deemed sufficient in light of Art. 13 GDPR.
  • It is important to guarantee data minimization, as the profiling that accompanies direct marketing purposes calls for a careful handling of personal data.
  • The right to object does not only affect the direct marketing activities, but also the profiling which takes places through them. Furthermore, a simple “Unsubscribe” button at the end of a marketing E-Mail is not sufficient to withdraw consent, it is rather recommended to give the data subject the opportunity to a granular selection of which direct marketing activities they object to.
  • Consent cannot be given singularly for all channels of direct marketing. A declaration for each channel has to be obtained to ensure specification towards content and means used for direct marketing.

The Belgian DPA also stated that there are direct marketing activities which require special attention in the future, namely purchasing, renting and enriching personal data, e.g. via data brokers. In such cases, it is necessary to directly provide appropriate information to the data subject in regards to the handling of their data.

Further topics have been brought forth in the recommendation, which overall represents a thorough proposal on the handling of direct marketing activities for controller entities.

Belgian DPA announces GDPR fine

7. October 2019

The Belgian data protection authority (Gegevensbeschermingsautoriteit) has recently imposed a fine of €10,000 for violating the General Data Protection Regulation (GDPR). The case concerns a Belgian shop that provided the data subject with only one opportunity to get a customer card, namely the  electronic identity card (eID). The eID is a national identification card, which contains several information about the cardholder, so the authority considers that the use of this information without the valid consent of the customer is disproportionate to the service offered.

The Authority had learnt of the case following a complaint from a customer. He was denied a customer card because he did not want to provide his electronic identity card. Instead, he had offered the shop to send his data in writing.

According to the Belgian data protection authority, this action violates the GDPR in several respects. On the one hand, the principle of data minimisation is not respected. This requires that the duration and the quantity of the processed data are limited by the controller to the extent absolutely necessary for the pursued purpose.

In order to create the customer card, the controller has access to all the data stored on the eID, including name, address, a photograph and the barcode associated with the national registration number. The Authority therefore believes that the use of all eID data is disproportionate to the creation of a customer card.

The DPA also considers that there is no valid consent as a legal basis. According to the GDPR, the consent must be freely given, specific and informed. However, there is no voluntary consent in this case, since no other alternative is offered to the customer. If a customer refuses to use his electronic ID card, he will not receive a customer card and will therefore not be able to benefit from the shops’ discounts and advantages.

In view of these violations, the authority has imposed a fine of €10,000.

Category: Belgian DPA · Belgium · GDPR · General
Tags: ,

Google data breach notification sent to IDPC

18. July 2019

Google may face further investigations under the General Data Protection Regulation(GDPR), after unauthorized audio recordings have been forwarded to subcontractors. The Irish Data Protection Commission (IDPC) has confirmed through a spokesperson that they have received a data breach notification concerning the issue last week.

The recordings were exposed by the Belgian broadcast VRT, said to affect 1000 clips of conversations in the region of Belgium and the Netherlands. Being logged by Google Assistant, the recordings were then sent to Google’s subcontractors for review. At least 153 of those recordings were not authorized by Google’s wake phrase “Ok/Hey, Google,” and were never meant to be recorded in the first place. They contained personal data reaching from family conversations over bedroom chatter to business calls with confidential information.

Google has addressed this violation of their data security policies in a blog post. It said that the audio recordings were sent to experts, who understand nuances and accents, in order to refine Home’s linguistic abilities, which is a critical part in the process of building speech technology. Google stresses that the storing of recorded data on its services is turned off by default, and only sends audio data to Google once its wake phrase is said. The recordings in question were most likely initiated by the users saying a phrase that sounded similar to “Ok/Hey, Google,” therefore confusing Google Assistant and turning it on.

According to Google’s statement, Security and Privacy teams are working on the issue and will fully review its safeguards to prevent this sort of misconduct from happening again. If, however, following investigations by the IDPC discover a GDPR violation on the matter, it could result in significant financial penalty for the tech giant.

Belgian DPA imposes first fine since GDPR

11. June 2019

On 28 May 2019, the Belgian Data Protection Authority (DPA) imposed the first fine since the General Data Protection Regulation (GDPR) came into force. The Belgian DPA fined a Belgian mayor 2.000 EUR for abusing use of personal data.

The Belgian DPA received a complaint from the data subjects alleging that their personal data collected for local administrative purposes had been further used by the mayor for election campaign purposes. The parties were then heard by the Litigation Chamber of the Belgian DPA. Finally, the Belgian DPA ruled that the mayor’s use of the plaintiff’s personal data violated the purpose limitation principle of the GDPR, since the personal data was originally collected for a different purpose and was incompatible with the purpose for which the mayor used the data.

In deciding on the amount of the fine, the Belgian DPA took into account the limited number of data subjects, the nature, gravity and duration of the infringement, resulting in a moderate sum of 2.000 EUR. Nevertheless, the decision conveys the message that compliance with the GDPR is the responsibility of each data controller, including public officials.

Belgium publishes new data protection law

12. September 2018

On September 5 2018, the new data protection law (“Law of 30 July”) was published in the Belgian Official Gazette (“Belgisch Staatsblad”) and entered into force with this publication.

After the “Law of 3 December 2017”, which replaced the Belgian Privacy Commission with the Belgian Data Protection Authority (“Gegevensbeschermingsautoriteit”), the Law of 30 July is the second law that implements the General Data Protection Regulation (GDPR).

The laws regulate various essential areas of data protection. New regulations are for instance, the reducing of the age of consent from 16 (as regulated in GDPR) to 13 years old for information society services or the requirement to list persons who have access to genetic, biometric and health-related data. Therewith, Belgium has also made use of the possibility to deviate from the GDPR in different scopes.

With the law of 30 July, Belgium has thus completed the incorporation of the GDPR into national law. The Law is available in French and Dutch.

Category: Belgium · GDPR
Tags: ,

How to rule a Data Protection Impact Assessment (DPIA)?

9. May 2018

Pursuant to Art. 35 of the General Data Protection Regulation (GDPR) the controller of personal data shall carry out an assessment of the impact of the data processing that takes place in the controller’s responsibility. That means mostly, to anticipate the possible data breaches and to fulfil the requirements of the GDPR before the personal data is processed.

Even if the date of enforcement of the GDPR (25th May 2018) comes closer and closer, just a few of the EU member states are well-prepared. Only Austria, Belgium, Germany, Slovakia and Sweden have enact laws for the implementation of the new data protection rules. Additional to this legislation the national data protection authorities have to publish some advises on how to rule a DPIA. Pursuant to Art. 35 (4) sent. 2 GDPR these handbooks on DPIA’s should be gathered by the European Data Protection Board for an equal European-wide data protection level. The Board as well seems not to work yet, as the Article 29 Working Part (WP29) is still the official authority.

But at least, Belgium and Germany have published their DPIA recommendations and listed processes for which a DPIA is required, pursuant to Art. 35 (4) GDPR, and in which cases a DPIA is not required, see Art. 35 (5) GDPR.

For example, in the following cases the Belgian authority requires a DPIA:

  • Processing, that involves biometric data uniquely identifying in a space—public or private—which is publicly open,
  • Personal data from a third party that determines whether an applicant is hired or fired,
  • Personal data collected without given consent by the data subject (e.g. electronic devices like smart phones, auditory, and/or video devices),
  • Processing done by medical implant. This data may be an infringement of rights and freedoms.
  • Personal data that affects the vulnerable members of society (e.g., children, mentally challenged, physically challenged individuals),
  • Highly personal data such as financial statement; employability; social service involvement; private activities; domestic situation.
Category: Article 29 WP · Belgium · Data breach · EU · GDPR

How to be prepared for the GPDR in 13 Steps

26. September 2016

Last week, the Belgian Data Protection Authority “Privacy Commission”, published Guidelines containing 13 Steps that will help organizations in order to prepare for the EU General Data Protection Regulation. The Guidelines were published in French and in Dutch.

The Belgian Data Protection Authority recommended to follow the steps shown below in order to be compliant with the GDPR:

  • Awareness: Instruct the relevant persons about the upcoming changes.
  • Internal Records: Document the stored data, where it came from and to whom it is transfered.
  • Privacy Notice: Review and update the Privacy Notice.
  • Individuals’ Rights: Check existing procedures in order to comply with individuals’ rights.
  • Access Requests: Review current procedures about access requests. Consider how these requests will be handled in accordance with the new GDPR time limits.
  • Legal Basis: Document all data processing procedures. Demonstrate the respective legal basis for each data processing procedure.
  • Consent: Review how consent is collected and recorded.
  • Children’s Personal Data: Plan procedures in order to verify the ages of individuals. Determine how to gather parental or legal guardian consent for processing procedures that involve children’s data.
  • Data Breach: Guarantee that procedures are implemented on how to handle data breaches.
  • Data Protection by Design and Data Protection Impact Assessments: Check these concepts. Consider how to implement them.
  • Data Protection Officer: Appoint and review the Data Protection Officer.
  • International: Check which Data Protection Authority will be responsible for you.
  • Existing Contracts: Review the current contracts.

Request for European Commission to investigate “Pokemon Go”

25. August 2016

A Belgian Minister of European Parliament wants that the European Commission investigates the App “Pokemon Go” in order to determine whether the App is compliant with European data protection law and furthermore, to warn European citizens of the dangers caused by the App.

Therefore, the respective Minister of European Parliament, Marc Tarabella, commented that the App violates not only the General Data Protection Regulation but furthermore, that it might violate the Europeans E-Privacy Directive due to the fact that the App stores cookies and trackers on users’ smartphones. He added  “In their eyes, tracking personal data of people is clearly considered a game and a source of research or revenue” and concluded “In Europe, the protection of privacy remains a fundamental right. We have to react, warn and strongly condemn these massive scams.”

Belgian DPA against Facebook for tracking of non-users

30. June 2016

The Belgian DPA sued Facebook about a year ago for tracking the online activities of non-users who visit the Facebook´s sites in Belgium without their consent.

In the first instance, the Court ruled that Facebook should stop tracking non-users without their consent or to face a fine of 250,000 euros per day. Facebook appealed this sentence to the Brussels Court of Appeal. The Court of Appeal has now stated that the Belgian DPA has no jurisdiction over Facebook Inc. The Belgian DPA will appeal to the Court of Cassation, which cannot deliver new sentences but throw out previous judgements.

In the meanwhile, Facebook has confirmed that it will not track non-users without their consent when they visit Facebook sites or click the “like” button.

Moreover, Facebook stated that only the Irish DPA has jurisdiction regarding data protection issues that involve Facebook´s use of EU citizens’ personal data, as this is where the European Headquarters are located.

After the decision of the Court of Appeal, the Belgian DPA said that the decision “simply and purely means that the Belgian citizen cannot obtain the protection of his private life through the courts and tribunals when it concerns foreign actors”.