1. Meet with BE DPA
OESO 21 September 2023
21/09/2023
Cédrine Morlière Chairwomen

2. I. General presentation of the Belgian DPA
Previously, “Privacy Commission” established in 1992
In 2023, 5th year since the entry into application of the GDPR:
► 66 collaborators across all directorates -> 83 collaborators in 2023
► Annual budget of 9.993.740,56 EUR (2022)/ 13.269.000 EUR (2023)
► Significant number of tasks (prevention/complaint handling)
► 2985 requests for information
► 177 mediation requests
► 279 advices on legislative proposals, decrees and acts
► 1426 notification of data incidents
► NEW since 2018 :
► 1902 complaints
► 189 decisions leading to a sanction in 2022 (738.600 EUR)
Source: hhttps://www.gegevensbeschermingsautoriteit.be/publications/jaarverslag-2022.pdf

3. I. General presentation of the Belgian DPA
Structure – Act of 13 December 2017
establishing the BE DPA (entry into force 25 May 2028)
Board of Directors – Chairwomen (Dir. Knowledge Center) [
Articles 3 – 7 of the Act establishing the Data Protection Authority ]
First Line Service
Awareness raising,
information, mediation,
and complaint handling
[ Art. 22 ]
General
Secretariat
Horizontal Supporting
Tasks (HR, finances) -
Executive Tasks (BCRs)
[ Art. 19 – 21 ]
Knowledge
Centre
Advice on draft legislation
and recommendations
[ Art. 23 – 27 ]
Inspection
Service
Investigations
[ Art. 28 – 31 ]
Litigation
Chamber
Administrative litigation –
Enforcement (sanctions,
fines)
[ Art. 32 – 34 ]
Director Director
Previous Chairman of the
BDPA (3y)
Director
Chairwomen of
the BDPA (3y)
+ 6 Members
Inspector-General Chairman
+ 6 Members

4. I. General presentation of BE DPA
First Line Office
New: receives the complaints and submissions sent to the DPA
can initiate a mediation procedure
promotes data protection among the public, with a specific focus on minors
promotes awareness among controllers and processors with regard to their
obligations
provides the data subject with information regarding the exercising of their rights

5. I. General presentation of BE DPA
First Line Office /Best off

6. The Knowledge Centre shall issue, either on its own initiative or upon request:
Advice concerning any matter relating to the processing of personal data
Recommendations relating to social, economical and technological developments that
can impact on the processing of personal data
I. General presentation of BE DPA
Knowledge Centre - missions

7. I. General presentation of BE DPA
Knowledge Centre / Best-off

8. I. General presentation of BE DPA
General Secretariat
Manages questions relating to human resources, the budget and the IT of the DPA
Manages any legal matter relating to the management and operation of the DPA
Manages internal and external communication
Monitors the social, economic and technological developments that have an impact on the protection of
personal data
Gives advice as part of the consultation by the controller responsible for the processing conducted by the DPA
Approves codes of conduct
Promotes the introduction of certification mechanisms and approve certification criteria

9. I. General presentation of BE DPA
General Secretariat/Best off

10. I. General presentation of BE DPA
Inspection
Identification of persons
Hearing
Written investigation
On-site inspection
Consult computer systems and copy of data
Seizure and sealing order

11. I. General presentation of BE DPA
Litigation Chamber
The Litigation Chamber is the administrative dispute body of the Data
Protection Authority
Disputes based on complaints and on own initative InvestigationsNational cases and Cross Border Cases
Build Consistent Jurisprudence
Warnings, Reprimands and Orders based on GDPR
Impose penalties, administrative fines
Litigation before the national court
EU and International Enforcement Cooperation

12. I. General presentation of BE DPA
Litigation Chamber/Inspection – Best off
Cooperation with EDPB: one stop shop decisions as a lead
Decisions upheld by the ECJ
…
Cf. next presentation!

13. II. Some challenges
How to combine the various roles (new
sanctioning powers /prevention)
NEW SANCTIONING ROLE (2018) – advisor role to be
framed (no lobbying)
Focus on prevention or mild sanctions first – appeal
court inclined to reduce fines (foreseeability/mitigating
circumstances)
Defining transverse priorities (DPO – cookies – smart
cities) and working on a good balance between
prevention/sanction

14. II. Some challenges – workload
Since 25th May 2018,
the Belgian DPA has received :
21581
requests for
information
3749
queries or
complaints
535 decisions by
the Litigation
Chamber by 2022
5815
data breach
notifications
1249 requests for
legislative advice
-
205 pieces of advice
delivered in 2022
Most complaints in 2022: direct marketing, surveillance camera’s, cookies

15. II. Some challenges
Workload - dealing with complaints
20 new agents in 2023 with a focus on the First Line Service:
more mediations/non contentious solutions to complaints
New processes in order to select the best complaints before
handing them over to the Litigation Body
• Cease and desist letters by the Inspectorate
• Contacting the company before the DPA and favouring mediation
Quid impact of the role of the claimant in the BE procedure
and in international EDPB cooperation (cf. draft Regulation
on procedural rules)?

16. II. Some challenges - Recent EU legislative
initiatives (Digital package and AI)
Citizen’s expectations towards DPA’s in the context of AI >
complaints re. generative AI filed with BE DPA
AI
BE DPA investigates complaints under the GDPR (a.o. art. 22 – right not
to be subject to automatic decisions…)
BE DPA provides legislative advice on draft legislation organizing data
mining/ processing of data by AI (DPIA, no use of mere test data,
appropriate legal framing in case of self learning algorithms – refers to
control measures in the future AI ACT)
Future?
Intricate relationship between GDPR and the AI Act to be clarified
BE one stop shop mechanism still to be defined
Importance of cooperation with EDPB (support pool of experts)

17. Questions ?