Privacy & Information Security Law Blog

On June 11, 2021, the Belgian Data Protection Authority (“Belgian DPA”) released its 2020 Annual Report (the “Report”). Notably in 2020, the Belgian DPA focused on the supervision of initiatives to fight the COVID-19 pandemic involving data processing, while not losing sight of its other priorities, as identified in its Strategic Plan 2020-2025.

Due to the increased awareness of the importance of the protection of personal data, 2020 had a significant increase in the number of complaints, which were up 290.64%, and data breach notifications, which were up 25.09%, received by the Belgian DPA.

The Biggest Privacy Challenge: COVID-19

2020 was marked by an unprecedented health crisis that had a significant impact on data protection and the work of the Belgian DPA:

• The Belgian DPA created a dedicated COVID-19 page on its website (in Dutch and French), which is regularly updated with new guidelines and frequently asked questions for citizens and organizations alike.
• The Belgian DPA issued opinions on the collection, recording and use of health data in the context of contact tracing, vaccination, monitoring compliance with respect to testing and quarantines, a mobility index considered by the Government and the COVID-19 app (“Coronalert”).
• The Belgian DPA also addressed numerous initiatives, such as conducting temperature checks at Brussels Airport and a municipal initiative to require COVID-19 tests. Several COVID-19-related files were opened and currently are being examined by the Inspection Service or the Litigation Chamber of the Belgian DPA.
• The Litigation Chamber published its first COVID-19 decision specifically related to the use of cameras on the Belgian coast to monitor tourism (available in French or Dutch).

Major Themes in 2020

In addition to the work done in the context of the COVID-19 health crisis, the Belgian DPA continued working on its 2020-2025 priorities:

• Direct Marketing: The Belgian DPA published a comprehensive recommendation on the processing of personal data for direct marketing purposes.
• Online Privacy: The Belgian DPA launched a large-scale “pilot” investigation on the use of cookies by several popular Belgian media websites. The largest fine ever levied by the Belgian DPA (i.e., EUR 600,000) was imposed on Google Belgium for failing to respect a citizen’s right to be forgotten (this decision is currently under appeal).
• Awareness: The Belgian DPA worked on various initiatives and developed various tools for children and young people (i.e., www.jedecide.be or www.ikbeslis.be), as well as for data protection officers (“DPOs”) and small and medium enterprises (“SMEs”). It also has redesigned its website and reworked the communication of its First Line Service, which is in direct contact with citizens and data controllers.
• DPO: A toolbox was set up to assist and coach DPOs. The Belgian DPA also is working on a collaboration platform for DPOs (in the context of the European Commission DPO-Connect project).
• Public Authorities: In 2020, the Belgian DPA also focused on various data processing activities of public authorities, as it received and handled numerous complaints on the subject, for example, regarding the use of the National Register of natural persons.

2020 by the Numbers

The press release also highlighted the following figures:

• The number of complaints increased sharply in 2020 with 668 This represents a growth of 290.64% in comparison to the number of complaints filed in 2019. Additionally, the Belgian DPA opened 89 mediation cases and processed 4,123 requests for information.
• The Belgian DPA received 1,097 data breach notifications (in comparison to 877 in 2019) and received 146 requests for opinions.
• The Inspection Service launched 149 investigations in 2020, up from 85 in 2019. Investigations mainly related to direct marketing, COVID-19, the functioning of cities and municipalities, and the use of cameras.
• In 2020, the Belgian DPA’s Litigation Chamber dealt with 533 incoming cases and issued 83 decisions, 34 of these were decisions on the merits. Overall, 78 sanctions were imposed, including 19 fines collectively totaling EUR 885,000.

Read the press release (available in English) and the full Report (available in Dutch and in French).