05/02/18

Belgian Data Protection Authority Act published

On 10 January 2018, the Act from 3 December 2017 on the creation of the Belgian Data Protection Authority (DPA) was published in the Belgian Official Gazette.

On 10 January 2018, the Act establishing the Data Protection Authority (DPA) was published.

This Act will enter into force on 25 May 2018.

The provisions concerning the appointment of the members of the Executive Committee, the Knowledge Center and the Disputes Resolution Body already entered into force on the publication date.

This law regulates the creation and functioning of the Belgian authority supervising the processing of personal data, ie the Data Protection Authority (replacing the former Privacy Commission).

The Data Protection Authority or DPA is competent for the territory of Belgium, regardless of the national law that applies to the processing concerned.

The Data Protection Authority will consist of six bodies:

  1. The Executive Committee + Chairman of the Data Protection Authority
  2. The General Secretariat
  3. The Frontline Service Center,
  4. The Knowledge Center,
  5. The Inspection Service,
  6. The Dispute Resolution Chamber.

The DPA can also be assisted by external experts and will be supported by an independent Reflection Council.

The Executive Committee is chaired by the Chair of the Data Protection Authority and is composed of the directors of the General Secretariat, the Frontline Service Center, the Knowledge Center, the Inspector-General and the chair of the Dispute Resolution Chamber.

The General Secretariat supports the functioning of the DPA in a horizontal way (HR, IT, finance, legal).

The Knowledge Center provides recommendations and written and reasoned advice at its own initiative or further to a request.

The Frontline Service Center receives and examines the complaints that are sent to the DPA.

The Inspection Service is the investigative body of the Data Protection Authority. It is headed by an Inspector-General and is composed of inspectors.

The Inspection Service investigates:

  • based on determined serious indications of a practice which may give rise to an infringement of the principles related to the  personal data protection, or
  • when the Disputes Resolution Body decides on the basis of a complaint that investigation by the Inspection Service is necessary, or
  • in the context of an international investigation, or
  • if it itself has serious indications of the existence of an offending practice.

The competence of the Inspection Service is very broad.
They may, for example, hear persons, gather information, identify persons, conduct on-site inspections, access information by electronic means, take provisional measures (including suspending, freezing and limiting the processing operation if deemed necessary to prevent a serious, immediate and difficult to recover issue) as well as seizing or placing under seal objects, documents or computer systems.

The means used by inspectors of the Inspection Service must be "appropriate and necessary", but this leaves room for interpretation and contradictory opinions.
Infringing facts will expire at the end of five years.

An appeal against decisions of the Disputes Chamber must be filed with the Market Court, which will deal with the case as in summary proceedings.

These provisions will apply from 25 May 2018.

Griet Verfaillie
griet.verfaillie@peeters-law.be

dotted_texture