Belgian DPA planning to suspend websites that infringe GDPR
The Belgian Data Protection Authority (DPA) signed a Cooperation Agreement on November 26, 2020, with DNS Belgium, the organization behind the management of the “.be” country-code domain name. The background is to allow DNS Belgium to suspend “.be” websites that are infringing the GDPR. The Agreement builds up a two-tier cooperation system, which aims at identifying infringements and suspending the websites if no action is taken.
The first step is a cooperative investigation, for which DNS Belgium has to support the Belgian DPA by providing all information necessary for the investigation.
The second step is the “Notice and Action” procedure, during which, if the Belgian DPA’s Investigation Service considers a data processing activity conducted via a website with a “.be” domain name to infringe one of the data protection principles under the GDPR, and the responsible data controller or data processor does not comply with the DPA’s order to suspend, limit, freeze or end the data processing activity, the Investigation Service is authorized to send a “Notice and Action” notification to DNS Belgium. Once DNS Belgium receives the “Notice and Action” notification, they will proceed to inform the website owner about the infringement and re-direct the relevant domain name to a warning page of the Belgian DPA.
The website owner can take remedial measures within 14 days to remedy the infringement, upon which he can indicate it to the Belgian DPA. If the Belgian DPA does not contest the measures taken, the relevant domain name will be restored. However, if the infringement is not remediated during the 14-day period, the website will continuously to be re-directed to the Belgian DPA’s warning page for a period of six months. After this time the website will be cancelled and placed in quarantine for 40 days before becoming available for registration once again.
Due to the heavy penalty in cases of a controller not taking any action to remedy the infringement, this action by the Belgian DPA is only possible in cases of infringements that cause very serious harm and are committed by natural or legal persons who deliberately infringe the law, or continue a data processing activity despite a prior order by the Investigation Service of the Belgian DPA to suspend, limit, freeze or end the processing activity.
It is to note that the Inspector General of the Belgian DPA can provide extra time to a website owner to comply with the relevant data protection requirements at the Inspector General’s discretion. However, this will depend on a case by case basis and on the cooperation of the website owner.