Bastiaan Bruyndonckx
Information Communication Technology
Information Governance & Data Protection
Telecommunications, Media & Technology
Commercial law
Dispute Resolution
Intellectual Property (IP)
bastiaan.bruyndonckx@lydian.be
On 16 November 2022, the Belgian Data Protection Authority (the DPA) released its long-awaited Annual Report of 2021. It is a voluminous report of more than 55 pages. Below we summarise the main points of this Annual Report.
The report highlights the DPA’s major activities from last year, naming 2021 as the year the number of cases burst at the seams. It was a true record year in terms of workload for the DPA. The number of incoming files increased dramatically, with 279 requests for advice (+87.25% over 2020) and almost triple the number of complaints compared to 2020. The large difference from previous years is largely explained by a flood of complaints about one specific data breach at the social network Facebook (1,120 complaints). The DPA also received 142 mediation requests (+67.06% over 2020) and processed 4,207 information requests (+2.43%).
“Look before you leap”: with these wise words, the new President, Cédrine Morlière, began the introduction to the report, in which she emphasised the importance of the data protection impact assessment (DPIA).
The DPA's focus in 2021 was on several key themes, which were also included in the DPA's 5-year strategic plan, including:
Dealing with data breaches continued to be a major focus for the DPA in 2021. The DPA opened 1,435 data breach files, up from 1,054 in 2020 (+36.15%). It also opened 35 monitoring files, compared to 30 in 2020 (+16.67%). Almost half of the data breach notifications concerned human errors, and almost a quarter involved phishing, hacking or malware. Moreover, the DPA also acted more proactively, in part by identifying potentially unreported data breaches. Concerning awareness, the DPA contributed to the new EU practical guidelines with examples of data breaches.
In 2021, several important developments occurred in the area of international data transfers. To help controllers and processors in the EU determine whether a processing operation constitutes an international transfer and to achieve a common understanding of the concept of international transfer, the DPA within the EDPB contributed to the publication of Guidance 05/2021 and Recommendations 01/2020. Following the European Commission's decisions on the adequacy of the level of data protection in the United Kingdom and the Republic of Korea and the publication of new standard contractual clauses (SCCs), the DPA has regularly updated its website to provide data controllers and processors with comprehensive and up-to-date information on this topic. The DPA has also assisted controllers and processors in the application and approval of instruments for transfers, with the General Secretariat approving six binding corporate rules in accordance with the consistency mechanism provided for in Article 63 of the GDPR, and took a decision approving an administrative arrangement between the Public Company Accounting Oversight Board (PCAOB) and the College of Supervision of Company Auditors / Collège de Supervision des Réviseurs d'Entreprise (CTR-CSR) in accordance with Article 4(3)(b) of the GDPR.
The Knowledge Centre received nearly 50% more requests for advice in 2021 than in 2020. In addition to opinions on measures related to the fight against COVID-19, the Knowledge Centre had to express its opinion on various topics such as the retention of metadata on telecommunications, public statistics or the expanded access to the banking data of Belgians. The key pieces of advice are included and further explained in the Annual Report.
Nor did the Inspection Service stand still in 2021. However, the ongoing Covid-19 situation threw a spanner in the works and caused regular adjustments to the objectives set by the Inspection Service. Investigative actions in the form of a site visit and/or interrogation proved to have particular potential in terms of efficiency and speed of investigation compared to the traditional way of questioning by sending out letters and emails. In total, the Inspection Service conducted 142 investigations in 2021 compared to 152 in 2020 (-6.58%), most of them on the initiative of the Litigation Chamber.
Finally, the DPA carried out a lot of work in the field of enforcement in 2021. The Litigation Chamber paid great attention to the consistent performance of its duties and further developed its methodology. The Litigation Chamber's mission was threefold:
However, due to the large volume of complaints, the Litigation Chamber was forced to prioritise, in part by issuing a dismissal policy. The Litigation Chamber was also confronted with a number of "mass complaints" (thematic files involving a large number of data controllers) and files that are urgent because of the public interest, such as Covid-related complaints. In total, the Litigation Chamber issued 143 decisions in 2021 compared to 83 in 2020 (+72.29%). The total amount of fines imposed through these decisions was EUR 301,000.
Ten new appeals were filed in 2021 against decisions of the Litigation Chamber. In 2021, the Market Court ruled in 15 ongoing appeals, in which 12 final decisions and 3 interlocutory decisions were rendered and in which 9 decisions were overruled, in whole or in part. In its case law, the Market Court sets high procedural requirements for the functioning of the Litigation Chamber. In the majority of cases, annulment decisions were also issued in 2021 on procedural grounds, but in some cases the Market Court substituted its own substantive assessment for that of the Litigation Chamber.
On the occasion of its budget request for the year 2023, the newly appointed Executive Committee of the DPA communicated to the House of Representatives the major priorities for the coming year.
In carrying out its duties, the DPA tries to strike a balance between, on the one hand, good information on the applicable rules (prevention/awareness-raising) and, on the other hand, enforcement (supervision/sanctions). Accordingly, the DPA has chosen to list priorities for all its bodies together. Subject to sufficient resources - a criticism also addressed in the Annual Report of 2021 - the following will be the DPA's main priorities in 2023:
In addition to these common points for all DPA bodies, priorities specific to certain bodies may also be identified in the coming year, especially based on recurring requests for information or complaints. For example, the Inspection Service and the Litigation Chamber will continue to investigate and, if necessary, sanction data brokers who often process personal data on a very large scale.
It is therefore our expectation that many companies will face this active regulator, be it in proceedings before the Litigation Chamber, investigations by the Inspection Service, or questions posed to or by the DPA. In any case, Lydian closely follows the developments of the DPA so that it can assist its clients in case they come into contact with the DPA.
Commercial law
Dispute Resolution
Information Communication Technology
Information Governance & Data Protection
Intellectual Property (IP)
Telecommunications, Media & Technology
liese.kuyken@lydian.be