The rudderless Belgian Data Protection Authority
Following the entry into force of the GDPR, the privacy and data protection watchdog known as the Privacy Commission was replaced by a new entity, the Data Protection Authority (the "DPA").
Expectations are high, as the DPA has wide-reaching powers. However, to date, the members of the DPA's executive committee have yet to be appointed by the House of Representatives. Members are selected based on skill, experience in the field of data protection, independence and moral authority.
The executive committee must be composed of an equal number of French and Dutch-speaking members, excluding the head of the dispute resolution body. In addition, each member must possess a working knowledge of English and other official language of Belgium. However, the real stumbling block is that no candidate is sufficiently proficient in German and at least one candidate is required to have a working knowledge of this language.
The GDPR has given rise to many questions and uncertainties and the DPA plays an important role in providing advice on how it should be interpreted. The DPA cannot be fully effective as long as the members of the executive committee are not appointed. Business organisations are in favour of a swift appointment given the legal uncertainty that accompanies the delay in the appointment process.
The Belgian privacy landscape after 25 May 2018
The Belgian framework law
Although the GDPR is directly applicable in the national legal order, the Belgian legislator adopted a framework law in July 2018 to complete the implementation of the regulation and to fill in the last open clauses of the GDPR.
Belgian Data Protection Authority (DPA)
In accordance with the law of 3 December 2017, the Belgian DPA was created which, as of 25 May 2018, replaced the Privacy Commission as the authoritative institution for data protection. Although the DPA has received many complaints and notifications and commenced a number of inspections, there are no records thus far of any files having been transferred for treatment on their merits. This does not mean that the complaints currently reported to the DPA will not be followed up or sanctioned in the future, upon full installation of the DPA. However, at that moment, the workload is likely to be substantial and a selection will probably have to be made between complaints according to their degree of severity.
Statistics
According to the statistics of the DPA, in six months’ time, a lot has changed since the GDPR came into force.
2017
May – November 2018
Notified data breaches to the DPA
13
317
Informative questions asked to the DPA
2.145
3599
Complaints and requests to the DPA
76
148
Number of “core” files
5000
7000 expected in 2018
Number of advisory files
44
137
The growing number of notifications indicates that more and more companies are complying with their obligations under the GDPR. The five sectors where most data leaks were reported concerned healthcare, insurance, public governance, telecommunication and finance.
Every company needs to maintain records of data processing activities in Belgium
Article 30,5 GDPR exempts companies with less than 250 employees from having to maintain records of processing activities. This exemption does not apply if the processing carried out by such company is not occasional, is likely to result in a risk to the rights and freedoms of data subjects, includes special categories of personal data or includes data related to criminal convictions or offences.
The Belgian Privacy Commission (the predecessor of the Belgian Data Protection Authority) expressed the opinion that (Recommendation 06/2017 of 14 June 2017, n° 14-19):
- every company has processing activities that are not occasional; and
- every company needs to establish records of processing activities to be able to organise the way it manages its personal data.
Consequently, the Privacy Commission "recommends" all companies with less than 250 employees to maintain records of processing activities, but "accepts" that these companies only mention the processing activities that are not occasional in these records.
Although this recommendation does not create a strict obligation for the concerned companies to effectively maintain records of processing activities, it is strongly recommended that it be complied with.
Belgian rules on the processing of health, biometric and genetic data
The Belgian Data Protection Act of 30 July 2018 imposes additional obligations on the processing of health, biometric or genetic data (both for processors and controllers).
Specifically:
- a list must be maintained containing:
o the categories of persons having access to such personal data; and
o a description of the role/function of these persons in relation to the processing of such data.
- this list must be made available to the data protection authority on request;
- the persons with access to such data must be bound by statutory or legal confidentiality obligations, or equivalent contractual confidentiality obligations; and
- if this data is processed for public interest, scientific or historical research or statistical purposes, the personal data should be processed in an anonymized or pseudonymized form.
We strongly recommend imposing these obligations on processors who process health, biometric or genetic data and make sure that they inform you of the categories of persons who will have access to such data.
