Privacy Commission becomes Data Protection Authority

10 January 2018

On 10 January 2018, the act of 3 December 2017 on "the creation of the Data Protection Authority" was published in the Belgian Official Gazette. The act aims to bring the current Belgian Privacy Commission in line with the General Data Protection Regulation. 

As of 25 May 2018, companies that process personal data must comply with the General Data Protection Regulation ("GDPR"). The penalties for non-compliance, including significant fines of up to EUR 20,000,000 or 4% of the total worldwide annual turnover of a company, are already well known (Article 83 of the GDPR). The act of 3 December 2017 converts the Privacy Commission into a Data Protection Authority ("DPA") with the necessary powers (among other things) to enforce these sanctions (see the adopted text in Dutch and French).

What does the new Data Protection Authority look like?

In order to be able to carry out these new tasks in an efficient manner, the act provides for a particular structure for the Data Protection Authority. From now on, the DPA will be composed of six internal bodies (Article 7): 

  • The executive committee determines the general policy and the priorities of the DPA.
  • The general secretariat manages the daily support tasks.
  • The first line service receives and deals with complaints and requests, and examines their admissibility.
  • The knowledge centre provides advice and recommendations with regard to technological developments that may have an impact on the processing of personal data. The inspection service is responsible for investigation and has extensive investigative powers (cf. infra).
  • The dispute chamber will act as the administrative body of the DPA and is empowered, among other things, to impose administrative fines. Decisions of the dispute chamber can be appealed before the Market Chamber of the Brussels Court of Appeal.

In addition to these bodies forming the DPA, the act provides for the establishment of an independent reflection council, consisting of representatives of the business world, professional federations, consumer organisations and the academic world. If necessary, the reflection council will be consulted by the DPA and will provide non-binding advice on all issues regarding the protection of personal data (Article 8).

What are the powers of the Data Protection Authority?

While the current Privacy Commission focuses on its advisory role, the new DPA will be a true supervisory authority, with full powers in the field of investigation and prosecution. 

The general task of the DPA is to monitor compliance with the basic principles for the protection of personal data and the provisions on the protection of personal data processing in other legislation (Article 4). In addition, the DPA can report infringements to judicial authorities (Article 6) and even initiate legal action to enforce the legislation relating to the protection of personal data (Article 7).

In particular, the DPA can:

  • Give advice and provide information to individuals, companies and policy makers on how to comply with data protection legislation.
  • Guide companies so that they make maximum use of the preventive instruments provided in the GDPR such as certification, compliance with codes of conduct and the involvement of a data protection officer.
  • Monitor controllers and their processors via the inspection service. The inspection service can impose provisional measures (e.g. suspension of the processing of personal data), has the authority to gather information and identify or hear persons, can carry out on-site investigations (with the permission of the resident or the authorisation of an investigating judge), and can consult and copy computer systems and seize or seal goods (Articles 64–91).
  • Impose a wide range of sanctions, including the notorious administrative fines (Article 100).

The act will enter into force on 25 May 2018 (with the exception of Chapter III on the appointment of members of the DPA, which entered into force upon publication of the act). However, the King may decide that certain parts of the act will enter into force at an earlier stage.

Would you like to know more about the GDPR and how your company can prepare for it?

Consult our website or contact one of our specialists.