
The legal framework for the establishment of a new Data Protection Authority (“DPA”) in Belgium: what you need to know


The General Data Protection Regulation (hereinafter “GDPR”) shall be applicable as from 25 May 2018. In this respect the GDPR requires Member States to “provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation”. In order to meet this requirement, the Belgian Chamber of Representatives introduced a proposal for a new law: the draft law of 23 August 2017 for the establishment of a Data Protection Authority, the text of which was amended and voted on in the Belgian Chamber of Representatives and finally adopted as the draft law of 16 November 2017 for the establishment of a Data Protection Authority. The draft law will become an actual statutory law after ratification by the King.

This draft law is mainly an instrument to modernize the existing Belgian Privacy Commission and to align it with the provisions of the GDPR. To achieve this goal, several changes to the existing framework were necessary.

1. Change of the nature of the authority

The first fundamental modification is a shift of mentality and nature. The Belgian Privacy Commission will transform from a mere advisory body into a full-fledged controlling and sanctioning authority: the Data Protection Authority (hereinafter “DPA”). The previous dual supervisory system, with data controllers in the private sector on the one hand and data controllers in the governmental sector on the other hand, will be replaced by this single supervisory body, which will monitor the processing of data concerning civilians and customers with the same rigor.

2. Change of structure

The draft law must be considered more as the forerunner of the organic law to reform an institution than as a law governing data protection. This is reflected in the second innovation of the new structure of the DPA. The DPA will consist of six committees: a management committee, a general secretariat, a first line service, a knowledge center, an inspection service and a dispute chamber.

The management committee is formed by the executives of the other five committees, who are each appointed by the Belgian Chamber of Representatives. They will hold a full-time position for a period of six years (which can be renewed once). The DPA will be granted means and personnel by the Belgian Chamber of Representatives in order to perform its tasks in an efficient way. Finally, the DPA can consult a reflection board which shall be “representative for the entire society for supporting its orientations”. (The DPA will of course need to respect its independence when doing so.)

This new structure differs from the current structure of the Belgian Privacy Commission, which currently comprises sixteen representatives, of whom only two have a full-time position.

3. Restructuring of functions

In addition to the change of mentality and the new structure, the competences and powers of the DPA are restructured and updated as well. Some of these functions already exist for the Belgian Privacy Commission but are broadened or accompanied by new functions and instruments.

In short, the functions of the DPA can be divided into the following four categories, in order of priority:

  1. Providing information and advice to private individuals, data controllers (and their processors) and policy makers with regard to compliance with the laws concerning data protection;
  2. Assisting data controllers (and their processors) to maximize the use of preventive instruments (for example certification, data protection officers, …) as provided for in the GDPR;
  3. Supervision and control of the data controllers (and their processors) by a specially trained inspection department;
  4. A broad spectrum of sanctions that allows a case-by-case judgement depending on the seriousness of the situation and enables a balanced and proportionate treatment.

The replacement of the current Belgian Privacy Commission with the DPA aims at creating a modern data protection authority that can effectively control the use of personal data while taking into account the legal, economic, technological and ethical features of the rapidly changing and growing digital society.
