Beware of the upcoming inspections of the Belgian Privacy Commission

The establishment of an inspection service within the Belgian Privacy Commission. The Belgian Privacy Commission has recently announced that it will take a more forensic stance in its fight against privacy infringements. A special task force (inspection service) will be created within the Privacy Commission to search actively for organisations and companies infringing the Belgian Data Protection Act. The task force will mainly focus on organisations and companies processing sensitive (and health-related) data such as hospitals and insurance companies. It is possible, however, that other sectors will be targeted as well in due course (as is already the case in other EU countries).

Background. This recent initiative of the Belgian Privacy Commission does not come as a complete surprise. Several data breaches occurred in Belgium in 2012 and 2013 (SNCB Europe, the Ministry of Defense, Jobat, Belgacom). The setting up of a special inspection service seems to be a logical first step towards a more preventive data protection approach. This can only be applauded. This new approach is also perfectly in line with the new proposal for a General Data Protection Regulation. This proposal expressly reinforces the role of the national supervisory authorities and gives them the power to conduct investigations either on their own initiative or on the basis of a complaint or request.

Sanctions? The new proposal for a General Data Protection Regulation provides that supervisory authorities can impose (administrative) fines, which may run up to 1.000.000 EUR, or in the case of an enterprise even up to 2% of its annual worldwide turnover. Although such a sanction mechanism does not yet exist in Belgian data protection legislation, one can infer from recent press communications of the Belgian Privacy Commission that it has additional plans to impose alternative sanctions in the future, such as the prohibition of the further use of infringing databases. This would, however, require an amendment of the Belgian Data Protection Act.

Implications. While at present companies and organisations mainly focus on their notification obligation vis-à-vis the Belgian Privacy Commission, they will need to be prepared to have their data protection policies (and other underlying documents) ready for inspection and review in the future. If they want to avoid possible sanctions further to such inspections, they will need to make sure their policies are compliant with applicable legislation. This also fits in with the proposal for the new Data Protection Regulation, which abandons the notification obligation and replaces it with mandatory data protection impact assessments, the obligatory appointment of data protection officers and other new data protection measures that are to guarantee the security and confidentiality of the processed data.

Recommendations. Any company or organisation established in Belgium should therefore conduct a data protection compliance audit to identify and remediate any possible loopholes in their data protection strategy. The main action points while conducting such an audit are the following:

- compile per category of data subjects (i.e. employees, customers, etc.) an inventory of all personal data flows (including all categories of processed data, the purposes of the data processing and all data communications);
- check whether the company has a legal basis to process these data (such as the consent of the data subjects) and whether all related conditions are met (e.g. did the company obtain the required consent in a correct way?);
- review whether the prior notices given to the data subjects contain all legally required information about the processing of their data;
- check whether all required notifications are filed with the Belgian Privacy Commission (and are up-to-date);
- verify whether the company has taken all appropriate technical and organisational security measures (by reviewing the employment contracts of the employees having access to the personal data and checking all documentation related to information security, etc.);
- review the contractual relationship with all third-party service providers processing personal data under the authority and on behalf of the company;
- check whether all adequate safeguards are taken when transferring personal data outside the European Economic Area.

These action points will serve as a basis for drafting a complete data protection strategy in order not only to ensure compliance with the current data protection legislation, but also to be prepared for the upcoming initiatives of both the Belgian Privacy Commission and the European legislator.

Sources: N. VANHECKE, "Commissie maakt werk van privacy-politie", press article published in De Standaard, Monday 21 October 2013, available on www.standaard.be; Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data (General Data Protection Regulation), COM (2012) 11 final - 2012/0011 (COD); www.privacycommission.be (see in particular the section "Prevent data breaches").