You are here

GDPR: Implementing Rules Are Becoming Clearer and Clearer

Gregory Sorreaux's picture
Published: 09/01/18 - Country: Belgium
Economic:

Co-authors

The deadline for the entry into force of the General Regulation on Data Protection ("GDPR") on 25 May 2018 is fast approaching and it is becoming increasingly urgent to adopt the necessary measures to comply with it.

New texts specify how fines will have to be precisely calculated, on the one hand, and how infringements will be prosecuted, on the other.

I. Draft law establishing the Belgian Data Protection Authority

On 23 August 2017, a bill creating the Belgian Data Protection Authority was introduced before the Parliament. Once adopted, the law will transform the current Commission for the Protection of Privacy into a national reference authority for the protection of personal data within the meaning of Article 51 of the GDPR. Its new structure has been designed in particular on the basis of the operating model of other independent administrative authorities, such as the Belgian Competition Authority. 

In concrete terms, the bill amends the structure of the Commission by establishing six main bodies: a steering committee, a general secretariat, a front-line service, a knowledge centre, an inspection service and a litigation chamber. The steering committee will be composed of the executives of the other five bodies, who will be appointed by the Parliament. In addition, a reflection council, independent of the authority, will also be set up and will issue non-binding opinions on all subjects relating to the protection of personal data. 

The Authority's objectives will be to inform and advise data subjects and controllers, to assist them and their subcontractors in the performance of their tasks, to monitor them via an inspection service and to punish them for non-compliance with the provisions of the GDPR.

This power of sanction is probably the most important new feature of the bill. As the Commission currently has only a power of opinion and recommendation, it will soon be given the power to impose sanctions, which until now had been entirely devolved to the judicial authorities. The litigation chamber will be able to pronounce various sanctions, ranging from a decision to close the case to the transfer of the case to the Public Prosecutor's Office, warnings, reprimands, penalties, administrative fines and multiple and varied injunctions. An appeal against the decisions of the litigation chamber will also be possible before a specialised chamber of the Brussels Court of Appeal called "Cour des marchés".

II. Guidelines on the application and setting of administrative fines 

The "Article 29 Data Protection Working Party", considered to be the European Data Protection Committee ("EDPB"), aims to communicate guidelines in order to ensure a uniform and equivalent understanding between Member States of the provisions of the GDPR. Since the adoption of the Regulation in April 2016, Article 29 WP has issued a series of guidelines on certain articles of the GDPR. Those already published relate to the right to data portability, the appointment of a Data Protection Officer and the lead supervisory authority.

On 3 October, new guidelines on the application and setting of administrative fines that may be imposed on a data controller or data processor in the event of a breach of a provision of the GDPR were published. As a reminder, Article 83 of the Regulation provides that these fines may amount to up to EUR 10 million (if it is a company, up to 2% of its annual worldwide turnover) or EUR 20 million (if it is a company, up to 4% of its annual worldwide turnover) depending on the type of infringement.

In these guidelines, Article 29 WP recalls the general principles for setting the administrative fines, namely that it must be adequate, proportionate and dissuasive and that it must be determined on a case-by-case basis. In making this assessment, the supervisory authority will have to take into account several criteria, including the nature, duration and seriousness of the offence, the number of persons who are the subject of the offence, the purpose of the processing of their data, the possible damage suffered by those persons, the manner in which the offence was revealed, the degree of cooperation of the controller with the supervisory authority, the possible situation of "recidivism", the categories of data, etc., and the nature, duration and severity of the offence.In making this assessment, the supervisory authority will have to take into account several criteria, including the nature, duration and seriousness of the offence, the number of persons who are the subject of the offence, the purpose of the processing of their data, the possible damage suffered by those persons, the manner in which the offence was revealed, the degree of cooperation of the controller with the supervisory authority, the possible situation of "recidivism", the categories of data, the measures taken by the data controller to minimize the negative consequences for the data subject, etc.

In the event of a breach of one of the provisions of the GDPR, it is recommended that controllers and their processors keep evidence of concrete measures taken to comply with the obligations arising from the GDPR. Since the level of liability of the controller or processor can also be taken into account in determining the amount of the fine, the latter must, in the event of an infringement, provide proof that all measures which might have prevented the infringement had been taken internally.

We are a global services company with local knowledge.
We meet You wherever You are and lead You wherever You want.
Ask us how

Article Rating: 
Average: 4 (7 votes)
Total reads: 781
Gregory Sorreaux's picture

Grégory provides strategic, business-oriented advice and has litigation skills under IP law, food law, market practices, product regulation and commercial disputes.

Grégory regularly advises and represents clients before national and EU courts in these matters. This practice includes administrative negotiations and procedures. He has gained experience in advising clients in a range of business sectors including food, pharma, cosmetics, fast-moving consumer goods, telecommunications and media.

Grégory has written numerous articles on Belgian and EU food law and IP law, including an authoritative book in 2016 on advertising and labelling of foodstuffs under Belgian and EU law. He is general reporter of the International League of Competition Law and the Belgian Association on competition law and gives regularly lectures at conferences and universities.

Co-authors

Catherine Thiry is a member of the Brussels Bar since January 2017. She obtained her Master’s Degree in Law at the Catholic University of Louvain-la-Neuve (UCL 2015). She also studied a semester at The Universität Wien under the Erasmus program. Catherine also holds a Master of Laws (L.L.M.) in Intellectual Property from the Queen Mary University of London (QMUL 2016).

She specializes in IP law, food law, market practices, product regulation and commercial disputes.