Processing of personal data: New Act to create the Data Protection Authority

The European Regulation of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (GDPR) provides for the setting up of independent supervisory authorities in each Member State to monitor the application of this Regulation. These independent supervisory authorities have to be set up at the national level. The Act of 3 December 2017, published today in the Belgian Official Gazette, creates such a Data Protection Authority in Belgium, which succeeds the current Privacy Commission. This Act will enter into force on the date the GDPR becomes applicable, 25 May 2018.

The legislator has given important competences and powers to the new Data Protection Authority in order to ensure compliance with the provisions of the GDPR and the applicable national provisions in this area. This new institution will consist of several bodies, including an inspection service and a dispute chamber.

An investigation can be initiated by a simple complaint from an individual, at the request of a supervisory authority from another state, or at the request of Belgian judicial or administrative bodies. An investigation can also be initiated by the Belgian Data Protection Authority if it suspects that an offence has been committed of the GDPR, which it is responsible to monitor.

The inspection service has extensive powers to carry out its investigations. In particular, it can hold hearings, conduct an on-the-spot examination, identify the persons where the checks are conducted or identify the users of the communications services, investigate the way of consulting or copying information systems where the data are held. The investigators may also test the security systems and even seize property. Permission must be obtained from the investigating judge for the conducting of investigative actions that most encroach on the freedom of the person being investigated.

After completion of the investigation, a procedure could be initiated before the dispute chamber, which will also examine complaints and appeals against certain inspection measures. Cases can also be sent to the national jurisdiction.

If the dispute chamber decides to judge a case on the merits, a proper quasi-judicial procedure must be set up, so that the parties can be heard and can exchange their arguments.

The dispute chamber can dismiss or propose an amicable settlement. Equally, it can impose the following penalties: order that the processing of data be brought into conformity, impose a definitive ban on processing, or even impose penalties and administrative fines. These can amount to EUR 20,000,000 or 4% of the total worldwide annual turnover (this can be doubled in case of multiple offences).

In order to help you be in compliance with the GDPR, our firm has developed a data mapping tool to map your processing of personal data. Our data protection team will be glad to help you in this process and to answer all your questions. You can also visit our GDPR website: www.gdprbelgium.be.

> Action point

Prepare for the entry into force of the GDPR on 25 May 2018 and keep in mind the important powers of the Data Protection Authority, as well as the robust sanctions.