The Belgian law of 19 November 2017 reforming the Belgian data protection authority (the “DPA”) was published in today’s State Gazette (Wet tot oprichting van de Gegevensbeschermingsautoriteit / Loi portant création de l’Autorité de protection des données) (the “DPA Law”).
The main purpose of the DPA Law is to equip the DPA for its new responsibilities under the General Data Protection Regulation (2016/679), which will become applicable as of 25 May 2018.
1) New Name, New Structure
The most visible change brought by the DPA Law is the rebranding of the Privacy Commission as the “Data Protection Authority” (Autorité de protection des données / Gegevensbeschermingsautoriteit). Much more has changed, however. The DPA Law sets up an entirely new structure and way of working for the DPA.
The DPA is subdivided into six divisions, each with a specific role defined by the DPA Law:
- Executive Committee (comité de direction/directiecomité) – The executive committee is composed of five members, being the heads of the five other divisions. The chair of the DPA will alternate between the head of the general secretariat and the head of the knowledge centre.
Among other things, the executive committee is in charge of deciding on the strategy, management and budget of the DPA as well as setting out the DPA’s internal rules.
- General Secretariat (algemeen secretariaat/secrétariat général) – The general secretariat is in charge of both internal tasks (such as managing human resources, IT, budget, internal and external communications, etc.) and legal tasks (such as developing a list of processing activities requiring a data protection impact assessment and approving codes of conduct, standard contractual clauses, binding corporate rules, etc.).
- First Line Service (service de première ligne/eerstelijnsdienst) – The mission of the first line service is to receive the claims and requests addressed to the DPA, launch mediation procedures and raise public awareness about data protection.
- Knowledge Centre (kenniscentrum/centre de connaissances) – The knowledge centre issues opinions and recommendations on questions regarding personal data processing as well as social, economic and technological developments having an impact on it.
- Inspection Service (service d’inspection/inspectiedienst) – This is the division of the DPA in charge of investigations. Its members have specific legal powers to exercise their tasks (see below).
- Dispute Chamber (geschillenkamer/chambre contentieuse) – The dispute chamber is the body of the DPA in charge of rendering decisions in the specific cases submitted to it (e.g. following a claim). It functions as an administrative judicial body with its own secretariat.
The DPA is also assisted by an independent reflection committee, which provides non-binding opinions to the DPA on data protection-related matters.
2) Investigation and Enforcement Powers
Under the previous law, the Privacy Commission had certain investigation powers, but no enforcement powers. Violations of the data protection law had to be referred to courts to obtain sanctions. One of the key changes brought about by the DPA Law is that it now grants the DPA specific enforcement
The investigation power enables the DPA to impose temporary measures (such as the suspension or the limitation of a data processing), obtain information (through investigations, audits and hearings, in writing or on site), consult IT systems and obtain copies of personal data, as well as seize and seal objects, documents and IT systems for a maximum period of 72 hours (which can be extended by an investigating magistrate).
Moreover, the DPA, through the dispute chamber, has, among other things, the power to propose settlements, dismiss cases, issue warnings, suspend, limit or prohibit data processing activities, impose rectifications, restrictions or erasures of personal data and impose the penalties or fines provided for under the GDPR (i.e. up to the greater of EUR 20,000,000 and 4% of the annual worldwide turnover of a group of companies).
3) Entry into Force
The new law will enter into force at the same time as the GDPR becomes applicable, i.e. on 25 May 2018, with one exception. The chapter in relation to the recruitment of the future members of the DPA entered into force upon publication to enable their recruitment ahead of this entry into force.