Privacy & Information Security Law Blog

On September 30, 2020, the Belgian Data Protection Authority (the “Belgian DPA”) released its 2019 Annual Report (the “Report”). Notably, 2019 was the year of the Belgian DPA’s first fines under the EU General Data Protection Regulation (the “GDPR”) and the release of the Belgian DPA’s 2019-2025 Strategic Plan.

Relevant Initiatives in 2019

• In May 2019, the Belgian DPA imposed its first fine under the GDPR for abusive use of personal data in violation of the GDPR purpose limitation principle.
• At the end of 2019, the Belgian DPA implemented a system for monitoring technological and societal evolutions in relation to data protection and privacy. This enables the Belgian DPA to rapidly react when learning about processing activities that may result in risks to the rights and freedoms of data subjects. When that is the case, the Belgian DPA typically reaches out to the organization responsible for the processing activity and may start a formal investigation, where needed.
• The Belgian DPA worked on various projects to raise awareness about data protection and privacy. For example, the Belgian DPA launched a special initiative targeted at small and medium-sized enterprises, adopted new direct marketing guidelines, and worked on several websites aimed at raising awareness about the protection of personal data for vulnerable data subjects (such as “be” / “beschermjegegevens.be” and “Je Décide” / “Ik Beslis”).

2019 by the Numbers

• In 2019, the Belgian DPA handled 6,447 cases, including 5,168 information requests and 331 requests for mediation/complaints. This represents a small decrease in comparison to 2018. The types of cases handled by the Belgian DPA were related to: the GDPR (90.34% of the cases), the Belgian Camera Law (4.98%) and the Belgian Data Protection Act, in its pre-GDPR version (0.85%).
• The majority of the information requests received and mediation cases handled by the Belgian DPA were related to the GDPR, data subject rights, CCTV cameras, data protection principles and direct marketing.
• In 2019, 60 new cases were opened following complaints filed with the Investigation Service of the Belgian DPA’s Litigation Chamber. The majority of the cases focused on the functioning of cities and municipalities, the use of CCTV cameras and political elections.
• 869 data breaches were notified to the Belgian DPA in 2019. This represents a 95.28% increase in comparison to 2018, where only 445 breaches were notified to the Belgian DPA. According to the Report, 29.92% of the notified data breaches were due to a human error; 28.08% resulted from hacking, phishing and malware; 7.71% were caused by the theft of a device; 5.75% were due to a security vulnerability; and 4.72% were related to improper use of access rights.
• 4,908 data protection officers were notified to the Belgian DPA since May 25, 2018.

For the remainder of 2020, the Belgian DPA has indicated it will direct its efforts to raising awareness regarding data protection and privacy.

Read the press release (available in Dutch and French) and the full report (available in Dutch and in French).