On 25 April 2019, the Data Protection Authority (DPA) published its Annual Activity Report for 2018, highlighting the main developments and accomplishments of the past year.
2018 in numbers
The Annual Report notes that the number of cases the DPA received in 2018 increased significantly. In total, 7,182 cases were processed by the Belgian DPA (an increase of 46% compared to 2017), among which 6,224 requests for information, 295 requests for mediation (of which 65% were settled amicably), 218 requests for investigation and 445 personal data breach notifications. The Belgian DPA also processed 215 requests for opinion in 2018, compared with 90 requests in 2017. The most common topics treated by the DPA relate to data subjects’ rights, CCTV, and direct marketing.
The Annual Report moreover mentions that, for the first time, 70 cases were submitted to the Inspection Service. Of these 70 cases, 67 originate from incoming complaints that were submitted to the Inspection Service by the Disputes Chamber. The Annual Report states that the first analyses of these cases, relating generally to the topics of the municipal elections, camera surveillance and data processing by public authorities, have started and the first contacts are being made with the parties involved (complainants, controllers and processors).
In 2018, also the Dispute Chamber received about 100 complaints, relating – in general terms – to the topics of the municipal elections, camera surveillance, direct marketing (right to unsubscribe from newsletters) and the general principles of lawfulness and proportionality.
Finally, the Annual Report states that 3 draft Codes of Conduct under the GDPR are currently being reviewed by the DPA.
Data breach notifications
In 2018, the Authority received 445 data breach notifications (compared to 17 notifications in 2017).
The data breaches reported to the DPA were caused by human error (28.09%), hacking, phishing and malware (22.70%), theft of materials (12.81%), system failures (10.56%) and improper use of access rights (5.17%).
DPO notifications
The Annual Report states that the DPA was notified of 3,666 DPO’s in 2018.
Other relevant developments and accomplishments in 2018
In 2018, the DPA focused, among other things, on the following topics:
-
Opinions: The DPA issued opinions on different topics such as the registration of fingerprints on eID card chips, the creation of an e-Box network and an e-Deposit system for lawyers and the creation of an electronic health data exchange platform (eHealth). The DPA also issued a recommendation on its own initiative on data protection impact assessments and prior consultation.
-
Template documents. A new online notification form to notify data breaches under the GDPR to the DPA was created and made available on the DPA’s website. A template ID for the members of the Inspection Service (which will allow them to properly identify themselves when conducting a dawn raid) was also published.
-
Cooperation within the EDPB: The DPA cooperated closely with the European Data Protection Board (EDPB) to contribute to a coherent and harmonised application of the GDPR, and more in particular to coordinate efforts on accreditation and certification at European level.
-
Facebook case: On 16 February 2018, the Brussels Court of First Instance followed the argumentation of the DPA and ordered Facebook to delete personal data that had been unlawfully collected via the use of cookies, social plug-ins and pixels. Facebook was also prohibited from collecting personal data via the use of certain cookies. Facebook immediately lodged an appeal with the Brussels Court of Appeal. The decision is expected in the coming days/weeks.
- “Je décide/Ik beslis”: The DPA developed a new project to make children and young adults aware of their data protection rights. The DPA created, for example, an educational curriculum, a privacy policy aimed at children/adolescents and an information campaign on how best to deal with smart toys.