Category: Belgium
11. June 2019
On 28 May 2019, the Belgian Data Protection Authority (DPA) imposed the first fine since the General Data Protection Regulation (GDPR) came into force. The Belgian DPA fined a Belgian mayor 2.000 EUR for abusing use of personal data.
The Belgian DPA received a complaint from the data subjects alleging that their personal data collected for local administrative purposes had been further used by the mayor for election campaign purposes. The parties were then heard by the Litigation Chamber of the Belgian DPA. Finally, the Belgian DPA ruled that the mayor’s use of the plaintiff’s personal data violated the purpose limitation principle of the GDPR, since the personal data was originally collected for a different purpose and was incompatible with the purpose for which the mayor used the data.
In deciding on the amount of the fine, the Belgian DPA took into account the limited number of data subjects, the nature, gravity and duration of the infringement, resulting in a moderate sum of 2.000 EUR. Nevertheless, the decision conveys the message that compliance with the GDPR is the responsibility of each data controller, including public officials.
12. September 2018
On September 5 2018, the new data protection law (“Law of 30 July”) was published in the Belgian Official Gazette (“Belgisch Staatsblad”) and entered into force with this publication.
After the “Law of 3 December 2017”, which replaced the Belgian Privacy Commission with the Belgian Data Protection Authority (“Gegevensbeschermingsautoriteit”), the Law of 30 July is the second law that implements the General Data Protection Regulation (GDPR).
The laws regulate various essential areas of data protection. New regulations are for instance, the reducing of the age of consent from 16 (as regulated in GDPR) to 13 years old for information society services or the requirement to list persons who have access to genetic, biometric and health-related data. Therewith, Belgium has also made use of the possibility to deviate from the GDPR in different scopes.
With the law of 30 July, Belgium has thus completed the incorporation of the GDPR into national law. The Law is available in French and Dutch.
9. May 2018
Pursuant to Art. 35 of the General Data Protection Regulation (GDPR) the controller of personal data shall carry out an assessment of the impact of the data processing that takes place in the controller’s responsibility. That means mostly, to anticipate the possible data breaches and to fulfil the requirements of the GDPR before the personal data is processed.
Even if the date of enforcement of the GDPR (25th May 2018) comes closer and closer, just a few of the EU member states are well-prepared. Only Austria, Belgium, Germany, Slovakia and Sweden have enact laws for the implementation of the new data protection rules. Additional to this legislation the national data protection authorities have to publish some advises on how to rule a DPIA. Pursuant to Art. 35 (4) sent. 2 GDPR these handbooks on DPIA’s should be gathered by the European Data Protection Board for an equal European-wide data protection level. The Board as well seems not to work yet, as the Article 29 Working Part (WP29) is still the official authority.
But at least, Belgium and Germany have published their DPIA recommendations and listed processes for which a DPIA is required, pursuant to Art. 35 (4) GDPR, and in which cases a DPIA is not required, see Art. 35 (5) GDPR.
For example, in the following cases the Belgian authority requires a DPIA:
- Processing, that involves biometric data uniquely identifying in a space—public or private—which is publicly open,
- Personal data from a third party that determines whether an applicant is hired or fired,
- Personal data collected without given consent by the data subject (e.g. electronic devices like smart phones, auditory, and/or video devices),
- Processing done by medical implant. This data may be an infringement of rights and freedoms.
- Personal data that affects the vulnerable members of society (e.g., children, mentally challenged, physically challenged individuals),
- Highly personal data such as financial statement; employability; social service involvement; private activities; domestic situation.
26. September 2016
Last week, the Belgian Data Protection Authority “Privacy Commission”, published Guidelines containing 13 Steps that will help organizations in order to prepare for the EU General Data Protection Regulation. The Guidelines were published in French and in Dutch.
The Belgian Data Protection Authority recommended to follow the steps shown below in order to be compliant with the GDPR:
- Awareness: Instruct the relevant persons about the upcoming changes.
- Internal Records: Document the stored data, where it came from and to whom it is transfered.
- Privacy Notice: Review and update the Privacy Notice.
- Individuals’ Rights: Check existing procedures in order to comply with individuals’ rights.
- Access Requests: Review current procedures about access requests. Consider how these requests will be handled in accordance with the new GDPR time limits.
- Legal Basis: Document all data processing procedures. Demonstrate the respective legal basis for each data processing procedure.
- Consent: Review how consent is collected and recorded.
- Children’s Personal Data: Plan procedures in order to verify the ages of individuals. Determine how to gather parental or legal guardian consent for processing procedures that involve children’s data.
- Data Breach: Guarantee that procedures are implemented on how to handle data breaches.
- Data Protection by Design and Data Protection Impact Assessments: Check these concepts. Consider how to implement them.
- Data Protection Officer: Appoint and review the Data Protection Officer.
- International: Check which Data Protection Authority will be responsible for you.
- Existing Contracts: Review the current contracts.
25. August 2016
A Belgian Minister of European Parliament wants that the European Commission investigates the App “Pokemon Go” in order to determine whether the App is compliant with European data protection law and furthermore, to warn European citizens of the dangers caused by the App.
Therefore, the respective Minister of European Parliament, Marc Tarabella, commented that the App violates not only the General Data Protection Regulation but furthermore, that it might violate the Europeans E-Privacy Directive due to the fact that the App stores cookies and trackers on users’ smartphones. He added “In their eyes, tracking personal data of people is clearly considered a game and a source of research or revenue” and concluded “In Europe, the protection of privacy remains a fundamental right. We have to react, warn and strongly condemn these massive scams.”
30. June 2016
The Belgian DPA sued Facebook about a year ago for tracking the online activities of non-users who visit the Facebook´s sites in Belgium without their consent.
In the first instance, the Court ruled that Facebook should stop tracking non-users without their consent or to face a fine of 250,000 euros per day. Facebook appealed this sentence to the Brussels Court of Appeal. The Court of Appeal has now stated that the Belgian DPA has no jurisdiction over Facebook Inc. The Belgian DPA will appeal to the Court of Cassation, which cannot deliver new sentences but throw out previous judgements.
In the meanwhile, Facebook has confirmed that it will not track non-users without their consent when they visit Facebook sites or click the “like” button.
Moreover, Facebook stated that only the Irish DPA has jurisdiction regarding data protection issues that involve Facebook´s use of EU citizens’ personal data, as this is where the European Headquarters are located.
After the decision of the Court of Appeal, the Belgian DPA said that the decision “simply and purely means that the Belgian citizen cannot obtain the protection of his private life through the courts and tribunals when it concerns foreign actors”.
