On 11 February 2020
By Patrick Van Eecke, Frederik Ringoot and Thomas Gils.
The Belgian Data Protection Authority published its strategic plan setting out its policy priorities and strategic objectives for the next five years. It will focus its attention on specific industry sectors as well as on specific GDPR topics and societal themes. Companies active in these sectors and/or having business activities close to these societal themes should realize they may be on the radar screen.
5 INDUSTRY SECTORS ON THE RADAR SCREEN
The DPA will be especially focussing on enhancing GDPR compliance in the following industry sectors:
- Telecom and media sector, due to the large amount of data they process. Adequate security and the re-use of data are of special importance to the BDPA;
- Public authorities, due to the large amount of (sensitive) data they process. Data minimisation and purpose limitation are mentioned specifically;
- Direct marketing sector, due to the possibly highly intrusive nature of the underlying processing activities;
- Education sector, due to the presence of minors who need greater protection and the increased usage of digital technologies;
- Small & Medium Enterprises (SMEs), due to their limited capacity or expertise to assess the impact of the GDPR on their activities.
3 GDPR TOPICS OF PARTICULAR ATTENTION
The DPA considers the following GDPR-topics to be of great importance to achieve an increased level of data protection:
- The role of the DPO, whereby the BDPA hints at investigating organisations which appointed a DPO, but which do not allow the DPO to act in accordance with the applicable rules;
- The lawfulness of processing, citing the goal to limit the inappropriate use of the ‘legitimate interests’-legal ground;
- Data subject rights, explaining that it will try to ensure that data subjects are able to exercise their rights, while also aiming to clarify the extent of such rights.
3 SOCIETAL THEMES IN THE PICTURE
The DPA lists three topics of high social significance and wishes to ensure compliance by data controllers and processors.
- Pictures and cameras, focussing on the capturing of images of citizens (children, employees, police forces, etc.) and distribution of these images.
- Online data protection, with a special role for cookies and the related transparency and lawfulness obligations.
- Sensitive data (including biometric data), whereby the DPA intends to further clarify the applicable rules.
INFORMATION BUT ALSO ENFORCEMENT
The DPA intends to keep informing data subjects and data controllers in order to raise GDPR-awareness and stimulate a privacy reflex. At the same time, it also pledges to become an alert DPA effectively enforcing the rules. In this regard, it furthermore stipulates that it intends to act in a consistent and proportionate manner, taking into account the various interests at stake.
Based on these “Resolutions”, we can identify some action points that should be taken as a priority, also for companies that are not active in one of the 5 “priority sectors” identified by the DPA:
- Investigate the role of the DPO inside your organisation;
- Validate the legal grounds for processing personal data (as listed in your records of processing activities and/or your privacy statements); perform “balancing tests” when invoking the “legitimate interest” legal ground;
- Make sure an appropriate procedure is in place for data subjects to exercise their rights;
- Make sure you comply with the direct marketing recommendations as issued by the Belgian DPA;
- Comply with “CCTV legislation”, e.g. by drafting a record of CCTV processing activities, updating the “icons” used to inform on CCTV and notifying the police;
- Review your privacy and cookie statements and cookie consent mechanism (we refer to our earlier blogpost on this topic);
- Reassess whether you process “special categories of personal data” (e.g. health data, biometric data, …) and, if so, make sure it is processed lawfully.
David Stevens, the President of the Belgian DPA, emphasizes that it has already taken some first steps to abide by its ambitious “new year’s resolutions”:
- In January 2020, Project Boost was kicked off, which intends to further assist SMEs in achieving GDPR compliance;
- The new direct marketing recommendation has been published on the day of this publication (available in Dutch and French only);
- A dedicated website was launched in 2019 to better inform the public on their rights related to data protection.
Another important step was taken by the Belgian DPA at the end of 2019, i.e. imposing the largest fine yet for non-compliance with cookie legislation (we refer to our earlier blogpost). Other fines may follow and it is very likely they will relate to the abovementioned priorities/action points.
Please contact the authors or your usual DLA Piper contact person if you would like further assistance on any of these action points.