BELGIUM: Belgian DPA provides first status update after six months of GDPR

The Belgian DPA has released a first status update six months after the GDPR became applicable. Some interesting statistics relate to the number of data breach notifications and complaints received.

In the six months ‪since May 25th, the Belgian Data Protection Authority was notified of 317 data breaches (compared to last year when only 13 breaches were notified). The Authority also received 148 complaints during the past six months. That comes down to almost one complaint a day.

According to the Belgian DPA, the spectacular increase in the number of notified breaches can be explained by the mandatory notification that was expanded in the GDPR. Previously, only telecommunication companies were obliged to notify a data breach, while since the GDPR is in effect, every data controller has to fulfill this obligation to notify.

The top five industry sectors notifying data breaches are: 1) health care, 2) insurance, 3) public administrations and defense, 4) telecoms and 5) financial services.

The other released figures are also remarkable. In six months only, the DPA received:

  • 3599 information requests (compared to 2145 information requests in 2017)
  • 137 requests for advice (compared to 44 information requests in 2017)
  • 2551 notifications of the appointment of a DPO (compared to 989 before May 2018)

In addition, the Authority announced that it has initiated the first inspections, but that it is yet to forward the first case to the litigation chamber. Unlike in Portugal and Austria, no GDPR fines have been issued.

In that regard, it is worth mentioning that the members of the new Belgian DPA still need to be appointed by the Belgian Parliament. Once the Belgian DPA is fully operational it may be expected it will further increase its advisory, inspection and sanctioning activities.

For further information, please contact Patrick Van Eecke (Partner, Brussels) and Laetitia Mouton (Associate, Brussels).