Belgium: Belgian Data Protection Authority issued 59 sanctions past 12 months

By Frederik Ringoot

The Belgian Data Protection Authority (BDPA) used the GDPR second anniversary as a milestone to issue a news alert with statistics on the actions it has taken since May 2019 (figures from 25/05/2019 to 20/05/2020).

Some statistics:

Topic Statistics
Reported data breaches 937
Information requests 4,438
Complaints (incl. mediation requests) 351
Requests for advice on draft laws, decrees and decisions 128
Registered DPO’s (currently active) 5,416
Inspections > 100
Sanctions 59
Administrative fines imposed 9 (for 189,000 EUR in total)

The BDPA emphasizes that, in the last year, it has heavily invested in awareness-raising and providing guidance (e.g. the direct marketing guidelines) and that it intends to keep doing so in the future (e.g. by organising DPO trainings, publishing guidance for SME’s,…). That being said, the news alert reads as a warning that the BDPA will enhance its inspections efforts (the BDPA also explicitly refers to its earlier request for additional funding for the Inspection Service):

Up to now, our inspection policy has mainly been reactive: we have followed up the many complaints received. From now on, we also want to be more proactive with, for example, sectoral or thematic large-scale investigations on our own initiative. (…) We are also in the process of completing a major study on how a range of popular websites manage their cookies” (free translation of the quote by the president of the Inspection Service).

The update by the BDPA also includes the following quote by the President of the Dispute Chamber: “It is important that we choose our priorities carefully in order to work effectively and to draw attention to issues that have a major impact on citizens. Through our decisions, we aim to develop case law that will guide organisations processing personal data.” (free translation).

For some, the risk of getting fined by the Dispute Chamber always felt like playing a game of “Russian roulette” (correction: without any bullet in the gun 99% of the time). Now the Dispute Chamber seems to indicate that it is executing on its Strategic Plan 2020-2025, i.e. by imposing fines relating to the priorities in the Strategic Plan. We therefore refer to the action points listed in our earlier blogpost.

A short list of topics for which sanctions were already imposed: CCTV legislation, political advertising, data subject rights, appointment of DPO’s, legal grounds and social media (direct marketing), use of cookies,… The decisions of the Dispute Chamber can be found here (in French and/or Dutch only). As many of these convictions are later on challenged before the Market Court, it will be key to take those decisions into account as well (in French or Dutch only).

If you have any further questions, please contact the author or your usual DLA Piper contact person.