World Data Privacy Day – What can we expect from the Belgian Data Protection Authority in 2020?
28 January is World Data Privacy Day in the US, in Canada and in 47 European countries. Since 2007, this day has been dedicated to raising awareness about the importance of protecting the privacy of personal information and to creating a dialogue between international stakeholders.
We would like to take this occasion to briefly reflect on the 2019 case law of the Belgian Data Protection Authority (BDPA) and to highlight the BDPA’s enforcement priorities for 2020-2025.
Case law of the BDPA: 13 decisions on the merits in 2019, including 6 fines
The table below provides an overview of the 2019 case law of the BDPA.
| Decision No. | Date | Complaint or own initiative inspection | Subject matter | Sanction |
|---|---|---|---|---|
| 01/2019 | 2 April 2019 | Complaint | Reuse of personal data for incompatible (direct marketing) purposes (elections) | Reprimand |
| 02/2019 | 2 April 2019 | Complaint | Accidental Cc instead of Bcc (purpose limitation principle) | Reprimand |
| 03/2019 | 2 April 2019 | Complaint | CCTV in common kitchen of student home | Prohibition + order to delete data |
| 04/2019 | 28 May 2019 | 2 complaints | Reuse of personal data for incompatible (direct marketing) purposes (elections) by mayor | Reprimand + fine of EUR 2,000 |
| 05/2019 | 9 July 2019 | Repeated complaint | Refusal to grant access to personal data (FPS PH) | Reprimand (annulled by Markets Court) |
| 06/2019 | 17 September 2019 | Complaint | Mandatory use of e-ID for customer loyalty card (no free consent) | Fine of EUR 10,000 + binding order |
| 07/2019 | 17 September 2019 | Complaint | Insufficient reply to request for access to personal data | Dismissal + order to comply (within 3 months) |
| 08/2019 | 17 September 2019 | Complaint | Refusal to comply with data deletion request candidate | Reprimand |
| 09/2019 | 17 December 2019 | Complaint | Refusal to comply with data deletion request | Dismissal |
| 10/2019 | 25 November 2019 | Complaint | Reuse of personal data for incompatible (direct marketing) purposes (elections) | Reprimand + fine of EUR 5,000 |
| 11/2019 | 25 November 2019 | Complaint | Reuse of personal data for incompatible (direct marketing) purposes (elections) | Reprimand + fine of EUR 5,000 |
| 12/2019 | 17 December 2019 | Own initiative inspection | Cookies: insufficient transparency + inadequate consent (pre-ticked boxes) | Fine of EUR 15,000 |
| 13/2019 | 17 December 2019 | Complaint | Absence of response to data access and deletion request involving sensitive data (nursing home) | Order to comply + fine of EUR 2,000 |
In all cases but one (the “cookies” decision, see our article on this topic), an investigation was conducted following a complaint by a data subject.
In almost half of the decisions, an administrative fine was imposed (ranging from EUR 2,000 to EUR 15,000). Out of the six administrative fines that were imposed in 2019, three were imposed for reuse of personal data for incompatible (direct marketing) purposes in the context of the municipal elections.
In the cases based on a complaint, the BDPA almost always requested a formal inspection to be carried out, examining not only the complaint but the GDPR-compliance of the alleged infringer’s data processing activities as a whole.
Almost all decisions were published after full anonymization (except for case 05/2019).
‘Other’ decisions and the real cost of (non-)compliance
In 2019, the BDPA also published six ‘other’ decisions. These are preliminary decisions (e.g. warnings or orders to comply with a data subject access or rectification request) taken prior to an examination on the merits of the case.
The most noteworthy decision relates to the refusal of a bank to comply with a data rectification request. The BDPA stated very clearly in this case that the technical incapacity to comply with a well-founded data subject request (in this case, the bank’s IT system was technically unable to correctly register the complainant’s name in its database) is not an acceptable justification to refuse to comply with such a request. The infringement was deemed to be proven and the bank was ordered to update its database within a period of one month. This case clearly shows that the ‘cost of (non-)compliance’ should not just be linked to the risk of administrative fines. Alternative sanctions (such as binding orders to comply or to cease a certain data processing activity) can have far-reaching consequences as well.
This decision was appealed before the Brussels Markets Court, but the appeal was dismissed.
Priorities for 2020-2025: “Guiding towards a digital world where privacy is a reality for everyone”
In its strategic plan for 2020-2025, the BDPA has identified the following priority sectors:
- Telecommunication and media
- Direct marketing
The BDPA also emphasised its focus on the following important GDPR instruments:
- The role of the Data Protection Officer
- Legitimacy of processing
- Data subject rights
Finally, the BDPA will also proactively address the following key social issues in the coming five years:
- Photos and cameras
- Online data protection
- Sensitive data
Next year, on World Data Privacy Day, we will have a look at how these priorities have been addressed after one year. In the meantime, do not hesitate to reach out to the Loyens & Loeff Privacy and Data Protection Team for data protection guidance in the Benelux and Switzerland.
Stéphanie De Smedt, Senior associate, Attorney at Law
Stéphanie De Smedt is senior associate within the Litigation & Risk Management Practice Group of our Brussels office.
She is head of the IP/IT & Data Protection Team in Belgium and is team leader of the firm-wide Healthcare and Life Sciences Team.