Open navigation
Search
Offices – Belgium
Explore all Offices
Global Reach

Apart from offering expert legal consultancy for local jurisdictions, CMS partners up with you to effectively navigate the complexities of global business and legal environments.

Explore our reach
Insights – Belgium
Explore all insights
Search
Expertise
Insights

CMS lawyers can provide future-facing advice for your business across a variety of specialisms and industries, worldwide.

Explore topics
Offices
Global Reach

Apart from offering expert legal consultancy for local jurisdictions, CMS partners up with you to effectively navigate the complexities of global business and legal environments.

Explore our reach
Insights
About CMS
Contact us

Learn more

Select your region

Thomas Dubuisson
Senior Associate

Thomas Dubuisson

Languages
  • French
  • English
  • Dutch
  • Spanish
Social media

Thomas specialises in data protection (GDPR), intellectual property (IP), artificial intelligence (AI), technology, and cybersecurity. His experience, for multinational corporations, innovative startups, and public sector entities, includes both contentious and non-contentious matters in these areas. He has also conducted various due diligence reviews for M&A transactions involving technology-driven investments. Additionally, Thomas is acting as an external Data Protection Officer (DPO) for various clients across multiple sectors.

He holds an LL.M. degree from Maastricht University in the Netherlands and The George Washington University in the United States. This dual qualification provides him with a comprehensive understanding of both civil and common law systems. He further honed his skills through traineeships at the major IP institutions, namely the EU Intellectual Property Office (EUIPO), the EU Patent Office (EPO) and the World Intellectual Property Organisation (WIPO).

The Tech&Data team, of which Thomas is a key member, is recognised for its excellence, achieving Tier 1 status in the “Privacy and Data Protection” category of Legal500’s shortlist and Band 1 ranking in the International Chambers Directory. Since 2021, Thomas has been consistently recognised by Legal500 as a key lawyer in the EU Privacy and Data Protection category, particularly for data-related litigation.

Thomas is also a Certified Information Privacy Professional/Europe by the IAPP. He is also a member of the EU Incubator of the Brussels Bar and of the CMS Belgium AI Group, positioning him at the forefront of legal innovation in technology and data protection.

He is also a regular speaker at client-related events and international conferences, such as the “AI Legal Summit 2025” in Brussels. Recently, he has been appointed as a professor within the Brussels Bar School program, where he will be teaching 2 courses on AI: “Introduction to Artificial Intelligence” and “Advanced AI for legal professionals”.

Thomas is a prolific writer, contributing numerous articles to the press (e.g. Echo, Trends) and legal journals (e.g. European Data Protection Law Review, Revue Expertises des systèmes d’information – Droit, technologies et prospective).

Thomas has an extensive knowledge in the following areas:

  • Privacy and data protection
  • Artificial intelligence (AI)
  • IT and data-related litigation
  • Intellectual property
  • Cybersecurity (e.g. NIS2 Directive, Cyber Resilience Act (CRA))
  • Data-related legislation (e.g. GDPR, Data Act (DA))
  • Data breaches and cyberattacks
  • Technology law

Publications

Thomas has contributed to prestigious publications.

In January 2025, Thomas Dubuisson published an article in the journal European Data Protection Law Review (EDPL) on the interaction between the GDPR and the EU regulation on artificial intelligence, based on the guidelines of the Belgian Data Protection Authority.

In December2024, Thomas Dubuisson authored an article in the “Revue Expertises des systèmes d’information – Droit, technologies et prospectives” Law Review, providing crucial insights into ensuring compliance with data protection laws in the evolving landscape of AI technologies.

In October 2023, Thomas Dubuisson and Tom De Cordier authored an article in the “Revue Expertises des systèmes d’information – Droit, technologies et prospectives” Law Review, exploring the implications of the Data Act. Their article delves into the legal, technical, and financial challenges that this regulatory framework is poised to present to a wide spectrum of economic stakeholders.

In August 2021, Thomas contributed, together with other lawyers, to the Belgian chapter of the book "Law of Raw Data", published by Wolters Kluwer. This book gives an overview of the legislation on raw data around the world. For more information click here.

In October 2021, Thomas published an article in the European Data Protection Law Review (EDPL) on new policies on GDPR infringement aspects and litigation before the Belgian Data Protection Authority.

Thomas also publishes numerous articles in the press and on our CMS.law website:

  • DUBUISSON (T.), “Un avocat condamné pour avoir remis des conclusions fantaisistes rédigées par l’intelligence artificielle”, Interview in RTBF, 25 December 2025, available here.
  • DE CORDIER (T.), DUBUISSON (T.), et al., “The EU Digital Omnibus: Consolidation, Simplification and Realignment Across the EU’s Digital Rulebook”, 22 December 2025, available here.
  • DUBUISSON (T.), UYTTERS (M.), et al., “Cyber-fraud and banking vigilance: French case law and lessons for Belgium”, 31 October 2025, available here.
  • DE CORDIER (T.), DUBUISSON (T.), et al., “EU Cybersecurity Month: Protecting your business from investment fraud”, 16 October 2025, available here.
  • VAN DEN BRANDE (S.),  DUBUISSON (T.), et al., “AIPPI 2025 – Study Question. Copyright and Artificial Intelligence”, Ing.-Cons., 2025/2, 4 September 2025, p. 274-326, available here.
  • DE CORDIER (T.), DUBUISSON (T.), et al., “Decoding the NIS2 Directive: Practical guidelines from the EU Agency for Cybersecurity on NIS2 risk management and skills”, 21 August 2025, available here.
  • DE CORDIER (T.), DUBUISSON (T.), “Launch of new portal for data breach notification by the Belgian Data Protection Authority”, 17 June 2025, available here.
  • DE CORDIER (T.), DUBUISSON (T.), “CMS GDPR Enforcement Tracker Report”, 23 May 2025, available here
  • DE CORDIER (T.), DUBUISSON (T.), “Avec moins de 50 amendes en sept ans, le raz-de-marée de sanctions en lien avec le RGPD n'a pas eu lieu”, Interview in l’Echo, 22 May 2025, available here
  • DE CORDIER (T.), DUBUISSON (T.), et al., “The comeback is on: how the EU plans to reclaim digital sovereignty”, 29 April 2025, available here
  • DUBUISSON (T.), “Rançongiciel : un hôpital sanctionné pour manquement à la sécurité de ses données”, Revue Expertises des systèmes d'information – Droit, technologies et prospectives, n° 510, March 2025, available here
  • DUBUISSON (T.), “Deepseek AI - What is it and what do legal teams need to know about it?”, 25 February 2025, LexisNexis, available here
  • DE CORDIER (T.), DUBUISSON (T.), et al., “Should privacy professionals take on AI governance roles?”, 11 February 2025, available here
  • DE CORDIER (T.), DUBUISSON (T.), “Is the EU-U.S. Data Privacy Framework in danger”, 28 Jan. 2025, available here
  • DUBUISSON (T.), “Belgium – AI under the microscope of the GDPR: the Belgian Data Protection Authority deciphers the challenges of data protection in the development and use of AI”, European Data Protection Law Review, Volume 10 (2024), Issue 4, Jan. 2025, available here
  • DE CORDIER (T.), DUBUISSON (T.), “Compulsory or optional? AI literacy a central component of compliance with AI Act”, 18 December 2024, available here
  • DUBUISSON (T.), “L’IA sous la loupe du RGPD”, Revue Expertises des systèmes d'information – Droit, technologies et prospectives, n° 507, December 2024, available here
  • DE CORDIER (T.), DUBUISSON (T.), “EU Cyber Resilience Act comes into effect on 10 December”, 03/12/2024, available here
  • DE CORDIER (T.), DUBUISSON (T.), “EU’s NIS 2 enters into force: compliance is now mandatory”, 22/10/2024, available here
  • DE CORDIER (T.), DUBUISSON (T.), “The Belgian Data Protection Authority publishes an informative brochure on artificial intelligence systems and the GDPR”, 25/09/2024, available here
  • DE CORDIER (T.), DUBUISSON (T.), DOBBELAERE (D.) and DE PAUW (V.), and Co., “News from the CJEU on GDPR compensation”, 02/02/2024, available here
  • DUBUISSON (T.), “Corporate Disputes - Ransomware and data privacy: class action litigation”, Financier Worldwide Magazine, Jan-Mar 2024 issue, 01/2024, available here
  • DE CORDIER (T.), DUBUISSON (T.), DOBBELAERE (D.) and DE PAUW (V.), « With EU Cyber Resilience Act, EU gets tough on IoT supply chain cybersecurity », 13/12/23, available here
  • DE CORDIER (T.), DUBUISSON (T.), “How to draft an AI policy?” 23/10/2023, available here
  • DUBUISSON (T.), “Phishing : Votre employé est-il responsable ?”, Trends-Tendances, 19/10/2023, available here
  • DUBUISSON (T.), “Un cybercriminel m’a contacté par e-mail, SMS, téléphone et j’ai malheureusement partagé mes informations personnelles. Que puis-je faire ?”, La Libre Belgique, 16/10/2023, available here
  • DUBUISSON (T.), “EU Cybersecurity Month: The looming threat of a single phishing click to your business”, 09/10/2023, available here
  • DE CORDIER (T.), DUBUISSON (T.), “Règlement sur les données (Data Act) : Un pas décisif vers une société fondée sur les données”, Revue Expertises des systèmes d'information – Droit, technologies et prospectives, n° 494, October 2023, available here
  • DE CORDIER (T.), DUBUISSON (T.), “Summer Snapshot: Tech and Data Highlights You Might Have Missed”, 11/09/2023, available here
  • DUBUISSON (T.), "Data Protection and Privacy" (Belgium), InDepth Features, Financier Worldwide, 13/07/2023, available here
  • DE CORDIER (T.), DUBUISSON (T.), “Adequacy decision on EU-US Data Privacy Framework adopted”, 10/07/2023, available here;
  • DE CORDIER (T.), DUBUISSON (T.), “The GDPR turns 5 | Europe-wide analysis reveals data protection fines totaling EUR 2.7 billion in over 1,500 cases”, 23/05/2023, available here
  • DE CORDIER (T.), DUBUISSON (T.), “The Belgian Whistleblowing Act enters into force. What do you need to know regarding data protection?”, 15/02/2023, available here
  • DE CORDIER (T.), DUBUISSON (T.), “Happy Data Protection Day! What’s on the horizon for 2023?”, 27/01/2023, available here
  • DE CORDIER (T.), DUBUISSON (T.), « Les cybercriminels vont-ils profiter du succès de ChatGPT pour tromper votre entreprise? », l’Echo, 23/01/2023, available here
  • DE CORDIER (T.), DUBUISSON (T.), « Quelle stratégie adopter face aux attaques par rançongiciel? », l’Echo, 11/01/2023, available here
  • DUBUISSON (T.), FONTEYN (B.), “Belgian DPA again clarifies the right of access to medical records”, 20/12/2022, available here
  • DUBUISSON (T.), HEREMANS (T.), “The Digital Services Act has entered into force: Here's a quick recap”, 25/11/2022, available here
  • DE CORDIER (T.), DUBUISSON (T.), “EU Cybersecurity Month: mobile devices can pose a risk to your business”, 20/10/2022, available here
  • DOMOKOS (M.), DUBUISSON (T.), HORVATH (K.), PETRANYI (D.), “European Commission proposes new Cyber Resilience Act”, 12/10/2022, available here
  • DE VISSCHER (F.), DUBUISSON (T.), MARIANO (M.), JANSSENS (M-C.), VAN DE GEHUCHTE (T.), Moral rights in « Les travaux de l’AIPPI », Revue de droit intellectuel - L'ingénieur conseil / Tijdschrift intellectuele eigendom, 2022/2 - 1 septembre 2022, p. 297-324.
  • DE GRAAF (E.), DUBUISSON (T.), “How to handle your (ex)-employees’ health data? The BDPA provides new guidelines regarding manager’s communication”, 08/08/2022, available here
  • DUBUISSON (T.), FONTEYN (B.) “Belgian DPA clarifies the interaction between Belgian Patient's Rights Law and GDPR”, 13/07/2022, available here
  • DE CORDIER (T.), DUBUISSON (T.), “Another cookie enforcement case: Belgian privacy watchdog reconfirms cookie consent rules”, 31/01/2022, available here
  • DE CORDIER (T.), DUBUISSON (T.), “Éradiquer le fléau des ransomware en interdisant le paiement des rançons?”, l’Echo, 23/11/2021, available here
  • DUBUISSON (T.), “Data Protection Authority Provides New Policies on GDPR Infringements and Litigation Proceedings Aspects”, 15/10/2021, European Data Protection Law Review, 2021/3, p. 435-449
  • Van den Brande (S.), Lens (S.), Dubuisson (T.), Lhote (A-N.), Meyer (G.), Law of Raw Data, Belgium chapter, Kluwer Law International, 2021, available here
  • DE CORDIER (T.), DUBUISSON (T.), “EU Cybersecurity Month: Hybrid working makes phishing attacks harder to spot”, 13/10/2021, available here
  • DE CORDIER (T.), DUBUISSON (T.), “Summer legal recap of data protection law”, 3/09/2021, available here
  • DE CORDIER (T.), DUBUISSON (T.), “EU finally adopts new data transfer clauses”, 09/06/2021 available here
  • DE CORDIER (T.), DUBUISSON (T.), “EU Court of Justice clarifies concept of “informed consent” for collection of personal data”, 17/11/2020, available here
  • DUBUISSON (T.), « Télétravail et cybersécurité : vos employés sont-ils bien formés ? »,Trends Tendances, 12/11/2020, available on Linkedin
  • DUBUISSON (T.), “Que faire en cas de chantage à la pornographie ?”, 03/11/2020, available on Linkedin
  • DE CORDIER (T.), DUBUISSON (T.), “EU Cyber Security Month: learn how multi-factor authentication can protect your company's most valuable assets”, 29/10/2020, available in The Wire
  • DUBUISSON (T.), Simonart (B.), “How to handle your ex-employees’ mailboxes? The Belgian Data Protection Authority provides guidelines and a EUR 15,000 fine”, 23/10/2020, available here
  • DUBUISSON (T.), “Le « revenge porn » (vengeance pornographique) est désormais dans le Code pénal !” 25/08/2020, available on Linkedin
  • DE CORDIER (T.), DUBUISSON (T.), VAN DAELE (J.), “Schrems strikes again: EU-US Privacy Shield invalid; Standard Contractual Clauses upheld but due diligence required”, 17/07/2020, available here
  • DUBUISSON (T.), Van den Brande, S., de Visscher, F., Lens, S., Vandewynckel, S., Anne Namalie Lhote and Meyer, G., Rights in Data in « Les travaux de l'AIPPI », 19/05/2020, Revue de droit intellectuel - L'ingénieur conseil / Tijdschrift intellectuele eigendom, 2020/2, p.360-395
  • DE CORDIER (T.), DUBUISSON (T.), “Belgian Data Protection Authority provides new guidance on cookies”, 25/05/2020, available here
  • DE CORDIER (T.), DUBUISSON (T.), “Deadline approaching for notifying CCTV cameras to Belgian police”, 14/05/2020, available here
  • DE CORDIER (T.), DUBUISSON (T.), “Belgian DPA publishes new detailed guidelines on direct marketing”, 14/02/2020, available here
  • DE CORDIER (T.), DUBUISSON (T.), VAN DAELE (J.), “EU Advocate-General opinion hints Europe’s top court is unlikely to disrupt international data flows in pending decision”, 20/12/2019, available in The Wire
  • DUBUISSON (T.), “L'employé est-il responsable lorsqu’il mord au “phishing””, 28/11/2019, Trends Tendances, available on Trends
  • DE CORDIER (T.), DUBUISSON (T.),” EU Cybersecurity Month: When a simple phishing click can severely harm your company”, 10/10/2019, available here
  • DE CORDIER (T.), DUBUISSON (T.), “Time to update your cookie consent and policy! CJEU says preticked checkboxes are not valid”, 02/10/2019, available here
  • DE CORDIER (T.), DUBUISSON (T.), “Using social plug-ins on your website? You and the social network will be jointly liable for the data processing”, 31/07/2019, available here
  • DE CORDIER (T.), DUBUISSON (T.), “First Belgian GDPR sanction: DPA fines mayor EUR 2,000”,31/05/2019, available here
  • DE CORDIER (T.), DUBUISSON (T.), "EU Advocate General gives Internet cookie opinion that could impact data privacy regs”, 02/04/2019, available here
  • DE CORDIER (T.), DUBUISSON (T.), GORIS (A-M), “Belgium's privacy watchdog publishes guidance on the notions of controller and processor”, 17/01/2019, available here

Memberships & Roles

  • Member of the International Association of Privacy Professionals (IAPP)
  • Member of the Belgian National Association for the Protection of Industrial Property (ANBPPI / BNVBIE)
  • Member of the International Association for the Protection of Intellectual Property (AIPPI)

Lectures list

Thomas is a frequent speaker at conferences in his fields of interest, such as:

  • EU Commission LITEL project: “How to draft an AI policy?” (4 and 5 December 2025)
  • Brussels Bar School program: “Introduction to Artificial Intelligence” and “Advanced AI for legal professionals” (September 2025 - June 2026)
  • CMS webinar: “Decoding the definition of AI system under the AI Act” (10 June 2025)
  • European Company Lawyers Association (ECLA), “AI systems in the context of the AI Act” (30 April 2025)
  • AI Legal Summit 2025, “What are the biggest known and unknown risks associated with integrating AI into our law practice and operations? How can we proactively address and mitigate these potential threats?” (27-28 February, 2025)
  • Luxembourg House of Cybersecurity – « Retour de 12 mois de réponse à incident par le team CSIRT d’Excellium – Panorama des types d’incidents et principaux enseignements à retenir » (18th October 2022)
  • New York University (NYU) « Cybersecurity, An International & Commercial Perspective » (14th July 2022)
  • « Lutte contre le blanchiment / Les défis du Compliance Officer : Le RGPD souffle ses 6 bougies. Tant de choses à accomplir (encore) ? » (31st May 2022)

Education

  • 2015 - Bar admission (Brussels, Belgium)
  • 2012 - George Washington University Law School - United States of America (LL.M in Intellectual Property Law)
  • 2011 - Maastricht University - Netherlands (LL.M in Intellectual Property Law and Knowledge Management) 
  • 2010 - University of Louvain, UCLouvain - Belgium (Law Degree)

Further reading

  • Summer Snapshot: Tech and Data Highlights You Might Have Missed

  • The Belgian Whistleblowing Act enters into force. What do you need to know regarding data protection?

Back to top Back to top