On the second anniversary of the EU General Data Protection Regulation (the “GDPR”), the Belgian Data Protection Authority (the “Belgian DPA”) published a Statement with some key GDPR-related numbers (the “Statement”).

Since May 2019, the Belgian DPA has received:

  • 937 data breach notifications;
  • 4,438 information requests;
  • 351 complaints;
  • 128 opinions requests on draft laws, decrees or orders; and
  • 5,416 data protection officer (“DPO”) notifications.

Since May 2019, the Investigation Service of the Belgian DPA has led more than 100 investigations. In the Statement, the Belgian DPA indicated that the Investigation Service had previously adopted a more reactive approach consisting of following up on complaints. From now on, the Investigation Service of the Belgian DPA intends to take a proactive approach and launch large-scale investigations relating to specific sectors or topics. For example, the Belgian DPA indicated it recently closed an investigation on compliance with cookie requirements across popular websites. In addition, in one year, the Litigation Chamber of the Belgian DPA imposed 59 sanctions, including 9 fines totaling €189,000. The Belgian DPA also was involved in several international cases with other European data protection authorities.

In the Statement, the Director of the Litigation Chamber, Hielke Hijmans, explained that the first aim of the Litigation Chamber is to actively and lastingly contribute to the effective protection of personal data and privacy by building case law that will guide organizations in their processing activities. Furthermore, David Stevens, President of the Belgian DPA, also stressed the importance of the Belgian DPA finding the right balance between monitoring the correct implementation of the rules and offering guidance to organizations on how to implement those rules. In light of this, the Belgian DPA has published a recommendation on direct marketing, launched a specific project for small and medium-sized enterprises and organized various events aimed at DPOs.

Read the Statement (in French and Dutch).