The New Belgian Data Protection Authority under the GDPR
This new entity is called the Data Protection Authority (in Dutch: 'Gegevensbeschermingsautoriteit', in French: 'L'Autorité de protection des données'). The law will enter into force on 25 May 2018, apart from the nomination of its new members, which is possible since the publication of this law on 10 January 2018.
The new Data Protection Authority (DPA) has received new competences, and is expected to take a more active role than the old Privacy Commission, which mainly had an advisory function. The DPA is charged with, amongst others, the following responsibilities: provision of information and general awareness, following up developments that can impact data protection and provide advice on impact assessments, receipt of requests and complaints, mediation procedures, investigation and imposition of sanctions. It consists of six main bodies to take care of its main tasks and daily organization, and a separate advisory board. This advisory board is composed to reflect society, and has as its core task the advising of the DPA's Executive Committee regarding the needs and challenges for various actors in society.
First and perhaps foremost, the DPA is tasked to provide information and assistance. It is intended that the DPA can be reached by any person, including physical and legal persons but also public institutions through the First-line Service. This Service works on general awareness and information, receives requests and complaints and starts mediation procedures. Data subjects can acquire advice with regard to their rights and the exercise thereof. The DPA is also charged with the task to assist data controllers and processors with preventative measures, including assistance with the conducting of data protection risk-assessments. Specific advice regarding impact assessments is provided by the General Secretariat. Public institutions specifically are also advised by the Knowledge Center, which consists of technical experts.
The DPA further also has the task of reviewing and investigating alleged breaches of data protection law. It will review measures taken by data controllers and processors, whether or not this is based on a complaint, through its Inspection Service which has investigative competences. These competences include the interrogation of people, investigation on the premises, searches through IT systems and the creation of copies of the information they contain, the seizure of property or IT systems and the identification of users of electronic communications services. The persons subject to an investigation are required to cooperate. In order to identify persons related to an investigation, the Inspection Service can demand the assistance of providers of electronic communications services. The Inspection Service can also take temporary measures, such as the prohibition, limitation or freezing of the processing of data that is subjected to an investigation. To assist them with the investigation, the Inspection Service can request assistance from law enforcement.
Finally, the DPA can impose sanctions, which include warnings, the obligatory taking of specific measures, and fines up until four percent of worldwide turnover. The body that takes care of these sanctions is the Litigation Chamber. The DPA can also bring a case before the Belgian courts, despite the fact that its core focus is conciliation (through, for instance, mediation), and not litigation.
The new DPA's competences are much broader than those of its predecessor, the Privacy Commission. It now has the possibilities to take a far more active role. Initially, it was reported that no additional budget was foreseen to take on these additional responsibilities, but the cabinet of state secretary De Backer has reassured that extra budgetary means will be provided so the DPA can effectively fulfil its new role.
Article provided by: Steven De Schrijver (Astrea Law, Belgium)