25/12/18

GDPR, Six Months On: The First Analysis Of The Belgian Data Protection Authority

Following the release by several foreign data protection authorities of their statistics, the Belgian data protection authority (“DPA”) has now also made its first analysis.

In a press release “Zes maanden AVG: een eerste balans” (available via the link), the DPA has published some interesting figures (see 1 below), has explained what progress has been made in the transformation of the Privacy Commission into the DPA (see 2) and in the exercise of its control and sanction powers (see 3).

The conclusion is that the DPA has made a start, also in terms of inspections, but that it is not yet as far advanced as some of the foreign data protection authorities (see 4).

1. The first figures of the DPA

The first figures of the DPA cover the period from the entry into force of the GDPR on 25 May 2018 to 21 November 2018. During this period:

  • 317 data breaches were reported, as against 13 in 2017 (when notification was mandatory only in the telecommunications sector). The five sectors from which the DPA received the most reports are:
  1. Health care;
  2. Insurance;
  3. Public administration and defence;
  4. Telecommunication & BIPT (“Belgian Institute for Postal services and Telecommunications”);
  5. Financial services

Since September, the DPA has modified its breach notification form (available in Dutch and French) to bring it into line with the GDPR.

  • 3,599 requests for information were made as against 2,145 in 2017; 
  • 148 complaints/requests were made as against 76 in 2017; 
  • 137 advice dossiers were opened as against 44 in 2017; 
  • 2,551 notifications from DPOs (“data protection officers”) have been received. If we add the notifications received before 25 May 2018, we reach a total of 3,540 notifications.

The DPA also reports that the number of cases has increased sharply under the GDPR: it dealt with almost 5,000 cases in 2017 (information requests, mediation/complaints and controls), while the number of cases in 2018 will exceed 7,000.

2. The transformation of the Privacy Commission into the DPA

The DPA explains in its press release that the transformation of the Privacy Commission is not yet completed.

Compared with the former Privacy Commission, the management committee has been extended and an inspection service and dispute chamber have been added to the organisation chart.

Even though the members of the management committee, the knowledge centre and the dispute chamber have still to be appointed by the House of Representatives, it was decided that the members of the Privacy Commission will execute the tasks of the DPA for now.

After its appointment, the management committee will decide on a strategic plan and a management plan and will determine the yearly priorities of the DPA. After drawing up the strategic plan, the DPA will subsequently publish its vision and mission.

3. The exercise of its control and sanction powers

The DPA did not wait for the appointment of the new management committee to exercise its inspection tasks. According to the press release, the first inspections are under way.

However, so far, no cases have been transferred to the dispute chamber for a procedure on the substance and no administrative sanctions have been imposed.

4. Control and sanctions by foreign data protection authorities

It is not surprising that some foreign data protection authorities are a step ahead. Unlike the Belgian supervisory authority, many of them already had far-reaching powers before the GDPR. Administrative sanctions have already been imposed in several countries. In France, an administrative sanction of €10,000 was imposed on a company that did not have an adequate information security system, and an employer was fined €30,000 for using a biometric system to verify the working hours of its employees without having informed them. In Austria, four administrative sanctions ranging from €300 to €4,800 have been imposed, in each case for video surveillance that was not correctly implemented. In a recent case in Germany, an administrative sanction of €20,000 was imposed on a social media company because no adequate information security measures were in place, which left the way open for the hacking of user data; as the company cooperated well with the supervisory authority, the amount of the sanction was kept low. The highest GDPR sanction so far has been imposed in Portugal: a hospital received an administrative sanction of €400,000 because staff could easily access patient data and the hospital had no system to guarantee the confidentiality and integrity of that data.
