On May 2, 2018, the Belgian Privacy Commission (the “Belgian DPA”) published its Annual Activity Report for 2017 (the “Annual Report”), highlighting its main accomplishments for the past year.

In 2017, the Belgian DPA focused on the following topics:

EU General Data Protection Regulation (“GDPR”). The Belgian DPA issued a number of  documents to help companies and organizations with their GDPR compliance efforts, including a Recommendation on internal register of processing activities and a template register, FAQs on Codes of Conduct, and a Recommendation on the appointment and role of a Data Protection Officer.

Facebook case. Despite the changes Facebook made on its cookies policy and practices following the 2015 Recommendation, the Belgian DPA considered that the social networking site did not obtain valid consent from the individuals concerned. In April 2017, the Belgian DPA issued a new set of Recommendations that provides additional guidelines for external website operators that use Facebook technologies and services, as well as several recommendations for Internet users that wish to protect themselves against Facebook’s tracking practices.

Other issues. Among others, the Belgian DPA also worked on the following issues:

  • The Belgian DPA expressed an unfavorable Opinion to the long-term retention of fingerprints and recalled that data minimization must remain the norm.
  • The Belgian DPA criticized the mass screening of festival visitors and the screening of asylum-seekers using data available on social media platforms, highlighting the lack of free consent and insufficient privacy safeguards.
  • In addition, the Belgian DPA published a Report on Big Data with recommendations to assess projects in practice in light of the GDPR.

Finally, the Annual Report states that the Belgian DPA processed 4,934 requests or complaints (an increase of 443 from 2016), including requests for information, mediation and control. Most requests for information were related to the use of CCTV, applicable privacy principles, data subjects rights, the right to one’s image and notifications via the public register.