World Data Privacy Day – What can we expect from the Belgian Data Protection Authority in 2020?

News

28-01-2020

28 January is World Data Privacy Day in the US, in Canada and in 47 European countries. Since 2007, this day is dedicated to raising awareness about the importance of protecting the privacy of personal information and to create a dialogue between international stakeholders. We would like to take this occasion to briefly reflect on the 2019 case law of the Belgian Data Protection Authority (BDPA) and to highlight the BDPA’s enforcement priorities for 2020-2025.

Case law of the BDPA: 13 decisions on the merits in 2019, including 6 fines

The table below provides an overview of the 2019 case law of the BDPA.

World Data Privacy Day - Table 1.png

In all cases but one (the "cookies” decision) an investigation was conducted following a complaint by a data subject.

In almost half of the decisions, an administrative fine was imposed (ranging from EUR 2,000 to EUR 15,000). Out of the six administrative fines that were imposed in 2019, three were imposed for reuse of personal data for incompatible (direct marketing) purposes in the context of the municipal elections.

In the cases based on a complaint, the BDPA almost always requested a formal inspection to be carried out, examining not only the complaint but the GDPR-compliance of the alleged infringer’s data processing activities as a whole.

Almost all decisions were published after full anonymization (except for case 05/2019).

‘Other’ decisions and the real cost of (non-)compliance

In 2019, the BDPA also published six ‘other’ decisions. These are preliminary decisions (e.g. warnings or orders to comply with a data subject access or rectification request) taken prior to an examination on the merits of the case.

The most noteworthy decision relates to the refusal of a bank to comply with a data rectification request. The BDPA stated very clearly in this case that the technical incapacity to comply with a well-founded data subject request (in this case, the bank’s IT system was technically unable to correctly register the complainant’s name in its database) is not an acceptable justification to refuse to comply with such request. The infringement was deemed to be proven and the bank was ordered to update its database within a period of one month. This case clearly shows that the ‘cost of (non-)compliance’ should not just be linked to the risk of administrative fines. Alternative sanctions (such as binding orders to comply or to cease a certain data processing activity) can have far-reaching consequences as well.

This decision was appealed before the Brussels Markets Court, but the appeal was dismissed.

Priorities for 2020-2025: “Guiding towards a digital world where privacy is a reality for everyone”

In its strategic plan for 2020-2025, the BDPA has identified the following priority sectors:

Telecommunication and media
Government
Direct marketing
Education
SMEs

The BDPA also emphasised its focus on the following important GDPR instruments:

The role of the Data Protection Officer
Legitimacy of processing
Data subject rights

Finally, also the following key social issues will be proactively addressed by the BDPA in the coming five years:

Photos and cameras
Online data protection
Sensitive data

Next year, on World Data Privacy Day, we will have a look at how these priorities have been addressed after one year. In the meanwhile, do not hesitate to reach out to the Loyens & Loeff Privacy and Data Protection Team for data protection guidance in the Benelux and Switzerland.