Senior Associate

Thomas Dubuisson

Languages

French
English
Dutch
Spanish

Social media

Thomas specialises in data protection (GDPR), intellectual property, artificial intelligence (AI), technology, and cybersecurity. His experience, for multinational corporations, innovative startups, and public sector entities, includes both contentious and non-contentious work in these areas. He is also acting as external Data Protection Officer (DPO) for various clients across multiple sectors.

He also holds an LL.M. degree in the Netherlands (Maastricht University) and in the United States (The George Washington University), giving him a thorough understanding of the civil and common law in this area.

He then developed his knowledge and practical skills through traineeships at the major intellectual property institutions, namely the European Union Intellectual Property Office (EUIPO), the European Patent Office (EPO) and the World Intellectual Property Organisation (WIPO).

First-class Tech&Data team is recognized for its excellence in Tier 1 in the "Privacy and Data protection" category of Legal500’s shortlist and is also ranked in Band 1 in the International Chambers

Directory. Thomas is also recommended in the Legal500 as key lawyer in the EU Privacy and Data Protection category, more specifically on data-related litigation.

Thomas is also a Certified Information Privacy Professional/Europe (CIPP/E) by the IAPP. IAPP certified professionals are recognised worldwide as members of an elite group of competent and dedicated data protection professionals. This CIPP/E certification attests to a high level of knowledge of data protection issues.

He is also a member of the Incubator of the Brussels Bar and CMS Belgium AI Group.

Moreover, he writes numerous articles in the press (e.g. Echo, Trends, Financier Worldwide Magazine, La Libre Belgique) and legal journals (e.g. European Data Protection Law Review).

Thomas has an extensive knowledge in the following areas, among others

Privacy and data protection
Artificial intelligence (AI)
Intellectual property
Cybersecurity (e.g. NIS2 Directive, Cyber Resilience Act (CRA))
Data-related legislation (e.g. GDPR, Data Act (DA))
Personal data breaches
IT and data-related litigation
Technology law
Technology, Media and Telecommunications

Publications

Thomas has contributed to prestigious publications.

In January 2025, Thomas Dubuisson published an article in the journal European Data Protection Law Review (EDPL) on the interaction between the GDPR and the EU regulation on artificial intelligence, based on the guidelines of the Belgian Data Protection Authority.

In December2024, Thomas Dubuisson authored an article in the “Revue Expertises des systèmes d’information – Droit, technologies et prospectives” Law Review, providing crucial insights into ensuring compliance with data protection laws in the evolving landscape of AI technologies.

In October 2023, Thomas Dubuisson and Tom De Cordier authored an article in the “Revue Expertises des systèmes d’information – Droit, technologies et prospectives” Law Review, exploring the implications of the Data Act. Their article delves into the legal, technical, and financial challenges that this regulatory framework is poised to present to a wide spectrum of economic stakeholders.

In August 2021, Thomas contributed, together with other lawyers, to the Belgian chapter of the book "Law of Raw Data", published by Wolters Kluwer. This book gives an overview of the legislation on raw data around the world. For more information click here.

In October 2021, Thomas published an article in the European Data Protection Law Review (EDPL) on new policies on GDPR infringement aspects and litigation before the Belgian Data Protection Authority.

Thomas also publishes numerous articles in the press and on our CMS.law website:

DE CORDIER (T.), DUBUISSON (T.), “CMS GDPR Enforcement Tracker Report”, 23 May 2025, available here
DE CORDIER (T.), DUBUISSON (T.), “Avec moins de 50 amendes en sept ans, le raz-de-marée de sanctions en lien avec le RGPD n'a pas eu lieu”, Interview in l’Echo, 22 May 2025, available here
DE CORDIER (T.), DUBUISSON (T.), et al., “The comeback is on: how the EU plans to reclaim digital sovereignty”, 29 April 2025, available here
DUBUISSON (T.), “Rançongiciel : un hôpital sanctionné pour manquement à la sécurité de ses données”, Revue Expertises des systèmes d'information – Droit, technologies et prospectives, n° 510, March 2025, available here
DUBUISSON (T.), “Deepseek AI - What is it and what do legal teams need to know about it?”, 25 February 2025, LexisNexis, available here
DE CORDIER (T.), DUBUISSON (T.), et al., “Should privacy professionals take on AI governance roles?”, 11 February 2025, available here
DE CORDIER (T.), DUBUISSON (T.), “Is the EU-U.S. Data Privacy Framework in danger”, 28 Jan. 2025, available here
DUBUISSON (T.), “Belgium – AI under the microscope of the GDPR: the Belgian Data Protection Authority deciphers the challenges of data protection in the development and use of AI”, European Data Protection Law Review, Volume 10 (2024), Issue 4, Jan. 2025, available here
DE CORDIER (T.), DUBUISSON (T.), “Compulsory or optional? AI literacy a central component of compliance with AI Act”, 18 December 2024, available here
DUBUISSON (T.), “L’IA sous la loupe du RGPD”, Revue Expertises des systèmes d'information – Droit, technologies et prospectives, n° 507, December 2024, available here
DE CORDIER (T.), DUBUISSON (T.), “EU Cyber Resilience Act comes into effect on 10 December”, 03/12/2024, available here
DE CORDIER (T.), DUBUISSON (T.), “EU’s NIS 2 enters into force: compliance is now mandatory”, 22/10/2024, available here
DE CORDIER (T.), DUBUISSON (T.), “The Belgian Data Protection Authority publishes an informative brochure on artificial intelligence systems and the GDPR”, 25/09/2024, available here
DE CORDIER (T.), DUBUISSON (T.), DOBBELAERE (D.) and DE PAUW (V.), and Co., “News from the CJEU on GDPR compensation”, 02/02/2024, available here
DUBUISSON (T.), “Corporate Disputes - Ransomware and data privacy: class action litigation”, Financier Worldwide Magazine, Jan-Mar 2024 issue, 01/2024, available here
DE CORDIER (T.), DUBUISSON (T.), DOBBELAERE (D.) and DE PAUW (V.), « With EU Cyber Resilience Act, EU gets tough on IoT supply chain cybersecurity », 13/12/23, available here
DE CORDIER (T.), DUBUISSON (T.), “How to draft an AI policy?” 23/10/2023, available here
DUBUISSON (T.), “Phishing : Votre employé est-il responsable ?”, Trends-Tendances, 19/10/2023, available here
DUBUISSON (T.), “Un cybercriminel m’a contacté par e-mail, SMS, téléphone et j’ai malheureusement partagé mes informations personnelles. Que puis-je faire ?”, La Libre Belgique, 16/10/2023, available here
DUBUISSON (T.), “EU Cybersecurity Month: The looming threat of a single phishing click to your business”, 09/10/2023, available here
DE CORDIER (T.), DUBUISSON (T.), “Règlement sur les données (Data Act) : Un pas décisif vers une société fondée sur les données”, Revue Expertises des systèmes d'information – Droit, technologies et prospectives, n° 494, October 2023, available here
DE CORDIER (T.), DUBUISSON (T.), “Summer Snapshot: Tech and Data Highlights You Might Have Missed”, 11/09/2023, available here
DUBUISSON (T.), "Data Protection and Privacy" (Belgium), InDepth Features, Financier Worldwide, 13/07/2023, available here
DE CORDIER (T.), DUBUISSON (T.), “Adequacy decision on EU-US Data Privacy Framework adopted”, 10/07/2023, available here;
DE CORDIER (T.), DUBUISSON (T.), “The GDPR turns 5 | Europe-wide analysis reveals data protection fines totaling EUR 2.7 billion in over 1,500 cases”, 23/05/2023, available here
DE CORDIER (T.), DUBUISSON (T.), “The Belgian Whistleblowing Act enters into force. What do you need to know regarding data protection?”, 15/02/2023, available here
DE CORDIER (T.), DUBUISSON (T.), “Happy Data Protection Day! What’s on the horizon for 2023?”, 27/01/2023, available here
DE CORDIER (T.), DUBUISSON (T.), « Les cybercriminels vont-ils profiter du succès de ChatGPT pour tromper votre entreprise? », l’Echo, 23/01/2023, available here
DE CORDIER (T.), DUBUISSON (T.), « Quelle stratégie adopter face aux attaques par rançongiciel? », l’Echo, 11/01/2023, available here
DUBUISSON (T.), FONTEYN (B.), “Belgian DPA again clarifies the right of access to medical records”, 20/12/2022, available here
DUBUISSON (T.), HEREMANS (T.), “The Digital Services Act has entered into force: Here's a quick recap”, 25/11/2022, available here
DE CORDIER (T.), DUBUISSON (T.), “EU Cybersecurity Month: mobile devices can pose a risk to your business”, 20/10/2022, available here
DOMOKOS (M.), DUBUISSON (T.), HORVATH (K.), PETRANYI (D.), “European Commission proposes new Cyber Resilience Act”, 12/10/2022, available here
DE VISSCHER (F.), DUBUISSON (T.), MARIANO (M.), JANSSENS (M-C.), VAN DE GEHUCHTE (T.), Moral rights in « Les travaux de l’AIPPI », Revue de droit intellectuel - L'ingénieur conseil / Tijdschrift intellectuele eigendom, 2022/2 - 1 septembre 2022, p. 297-324.
DE GRAAF (E.), DUBUISSON (T.), “How to handle your (ex)-employees’ health data? The BDPA provides new guidelines regarding manager’s communication”, 08/08/2022, available here
DUBUISSON (T.), FONTEYN (B.) “Belgian DPA clarifies the interaction between Belgian Patient's Rights Law and GDPR”, 13/07/2022, available here
DE CORDIER (T.), DUBUISSON (T.), “Another cookie enforcement case: Belgian privacy watchdog reconfirms cookie consent rules”, 31/01/2022, available here
DE CORDIER (T.), DUBUISSON (T.), “Éradiquer le fléau des ransomware en interdisant le paiement des rançons?”, l’Echo, 23/11/2021, available here
DUBUISSON (T.), “Data Protection Authority Provides New Policies on GDPR Infringements and Litigation Proceedings Aspects”, 15/10/2021, European Data Protection Law Review, 2021/3, p. 435-449
Van den Brande (S.), Lens (S.), Dubuisson (T.), Lhote (A-N.), Meyer (G.), Law of Raw Data, Belgium chapter, Kluwer Law International, 2021, available here
DE CORDIER (T.), DUBUISSON (T.), “EU Cybersecurity Month: Hybrid working makes phishing attacks harder to spot”, 13/10/2021, available here
DE CORDIER (T.), DUBUISSON (T.), “Summer legal recap of data protection law”, 3/09/2021, available here
DE CORDIER (T.), DUBUISSON (T.), “EU finally adopts new data transfer clauses”, 09/06/2021 available here
DE CORDIER (T.), DUBUISSON (T.), “EU Court of Justice clarifies concept of “informed consent” for collection of personal data”, 17/11/2020, available here
DUBUISSON (T.), « Télétravail et cybersécurité : vos employés sont-ils bien formés ? »,Trends Tendances, 12/11/2020, available on Linkedin
DUBUISSON (T.), “Que faire en cas de chantage à la pornographie ?”, 03/11/2020, available on Linkedin
DE CORDIER (T.), DUBUISSON (T.), “EU Cyber Security Month: learn how multi-factor authentication can protect your company's most valuable assets”, 29/10/2020, available in The Wire
DUBUISSON (T.), Simonart (B.), “How to handle your ex-employees’ mailboxes? The Belgian Data Protection Authority provides guidelines and a EUR 15,000 fine”, 23/10/2020, available here
DUBUISSON (T.), “Le « revenge porn » (vengeance pornographique) est désormais dans le Code pénal !” 25/08/2020, available on Linkedin
DE CORDIER (T.), DUBUISSON (T.), VAN DAELE (J.), “Schrems strikes again: EU-US Privacy Shield invalid; Standard Contractual Clauses upheld but due diligence required”, 17/07/2020, available here
DUBUISSON (T.), Van den Brande, S., de Visscher, F., Lens, S., Vandewynckel, S., Anne Namalie Lhote and Meyer, G., Rights in Data in « Les travaux de l'AIPPI », 19/05/2020, Revue de droit intellectuel - L'ingénieur conseil / Tijdschrift intellectuele eigendom, 2020/2, p.360-395
DE CORDIER (T.), DUBUISSON (T.), “Belgian Data Protection Authority provides new guidance on cookies”, 25/05/2020, available here
DE CORDIER (T.), DUBUISSON (T.), “Deadline approaching for notifying CCTV cameras to Belgian police”, 14/05/2020, available here
DE CORDIER (T.), DUBUISSON (T.), “Belgian DPA publishes new detailed guidelines on direct marketing”, 14/02/2020, available here
DE CORDIER (T.), DUBUISSON (T.), VAN DAELE (J.), “EU Advocate-General opinion hints Europe’s top court is unlikely to disrupt international data flows in pending decision”, 20/12/2019, available in The Wire
DUBUISSON (T.), “L'employé est-il responsable lorsqu’il mord au “phishing””, 28/11/2019, Trends Tendances, available on Trends
DE CORDIER (T.), DUBUISSON (T.),” EU Cybersecurity Month: When a simple phishing click can severely harm your company”, 10/10/2019, available here
DE CORDIER (T.), DUBUISSON (T.), “Time to update your cookie consent and policy! CJEU says preticked checkboxes are not valid”, 02/10/2019, available here
DE CORDIER (T.), DUBUISSON (T.), “Using social plug-ins on your website? You and the social network will be jointly liable for the data processing”, 31/07/2019, available here
DE CORDIER (T.), DUBUISSON (T.), “First Belgian GDPR sanction: DPA fines mayor EUR 2,000”,31/05/2019, available here
DE CORDIER (T.), DUBUISSON (T.), "EU Advocate General gives Internet cookie opinion that could impact data privacy regs”, 02/04/2019, available here
DE CORDIER (T.), DUBUISSON (T.), GORIS (A-M), “Belgium's privacy watchdog publishes guidance on the notions of controller and processor”, 17/01/2019, available here

Memberships & Roles

Member of the International Association of Privacy Professionals (IAPP)
Member of the Belgian National Association for the Protection of Industrial Property (ANBPPI / BNVBIE)
Member of the International Association for the Protection of Intellectual Property (AIPPI)

Lectures list

Thomas is a frequent speaker at conferences in his fields of interest, such as:

AI Legal Summit 2025, “What are the biggest known and unknown risks associated with integrating AI into our law practice and operations? How can we proactively address and mitigate these potential threats?” (27-28 February, 2025)
Luxembourg House of Cybersecurity – « Retour de 12 mois de réponse à incident par le team CSIRT d’Excellium – Panorama des types d’incidents et principaux enseignements à retenir » (18th October 2022)
New York University (NYU) « Cybersecurity, An International & Commercial Perspective » (14th July 2022)
« Lutte contre le blanchiment / Les défis du Compliance Officer : Le RGPD souffle ses 6 bougies. Tant de choses à accomplir (encore) ? » (31st May 2022)

Education

2015 - Bar admission (Brussels, Belgium)
2012 - George Washington University Law School - United States of America (LL.M in Intellectual Property Law)
2011 - Maastricht University - Netherlands (LL.M in Intellectual Property Law and Knowledge Management)
2010 - University of Louvain, UCLouvain - Belgium (Law Degree)

Practice Areas

Intellectual Property Commercial Law

sectors

TMC - Technology, Media & Communications

Insights

Global Reach

Contact us

Insights

Global Reach

Contact us

Select your region

Thomas Dubuisson

Languages

Social media

Publications

Memberships & Roles

Lectures list

Education

Practice Areas

sectors

Insights by Thomas

Launch of new portal for data breach notification by the Belgian Data Protection...

The comeback is on: how the EU plans to reclaim digital sovereignty

NIS2 registration deadline is here. Have you made your assessment?

Should privacy professionals take on AI governance roles?