Offices – Belgium
Explore all Offices
Global Reach
Global Reach

Apart from offering expert legal consultancy for local jurisdictions, CMS partners up with you to effectively navigate the complexities of global business and legal environments.

Explore our reach
Insights – Belgium
Explore all insights
Expertise
Insights
Insights

CMS lawyers can provide future-facing advice for your business across a variety of specialisms and industries, worldwide.

Explore topics
Offices
Global Reach
Global Reach

Apart from offering expert legal consultancy for local jurisdictions, CMS partners up with you to effectively navigate the complexities of global business and legal environments.

Explore our reach
Insights
About CMS
Contact us
Contact us

Learn more

Select your region

Thomas Dubuisson
Senior Associate

Thomas Dubuisson

Languages
  • French
  • English
  • Dutch
  • Spanish
Social media

Thomas specialises in data protection (GDPR), intellectual property, artificial intelligence (AI), technology, and cybersecurity. His experience, for multinational corporations, innovative startups, and public sector entities, includes both contentious and non-contentious work in these areas. He is also acting as external Data Protection Officer (DPO) for various clients across multiple sectors.

He also holds an LL.M. degree in the Netherlands (Maastricht University) and in the United States (The George Washington University), giving him a thorough understanding of the civil and common law in this area.

He then developed his knowledge and practical skills through traineeships at the major intellectual property institutions, namely the European Union Intellectual Property Office (EUIPO), the European Patent Office (EPO) and the World Intellectual Property Organisation (WIPO).

First-class Tech&Data team is recognized for its excellence in Tier 1 in the "Privacy and Data protection" category of Legal500’s shortlist and is also ranked in Band 1 in the International Chambers

Directory. Thomas is also recommended in the Legal500 as key lawyer in the EU Privacy and Data Protection category, more specifically on data-related litigation.

Thomas is also a Certified Information Privacy Professional/Europe (CIPP/E) by the IAPP. IAPP certified professionals are recognised worldwide as members of an elite group of competent and dedicated data protection professionals. This CIPP/E certification attests to a high level of knowledge of data protection issues.

He is also a member of the Incubator of the Brussels Bar and CMS Belgium AI Group.

Moreover, he writes numerous articles in the press (e.g. Echo, Trends, Financier Worldwide Magazine, La Libre Belgique) and legal journals (e.g. European Data Protection Law Review).

Thomas has an extensive knowledge in the following areas, among others

  • Privacy and data protection
  • Artificial intelligence (AI)
  • Intellectual property
  • Cybersecurity (e.g. NIS2 Directive, Cyber Resilience Act (CRA))
  • Data-related legislation (e.g. GDPR, Data Act (DA))
  • Personal data breaches
  • IT and data-related litigation
  • Technology law
  • Technology, Media and Telecommunications

Publications

Thomas has contributed to prestigious publications.

In January 2025, Thomas Dubuisson published an article in the journal European Data Protection Law Review (EDPL) on the interaction between the GDPR and the EU regulation on artificial intelligence, based on the guidelines of the Belgian Data Protection Authority.

In December2024, Thomas Dubuisson authored an article in the “Revue Expertises des systèmes d’information – Droit, technologies et prospectives” Law Review, providing crucial insights into ensuring compliance with data protection laws in the evolving landscape of AI technologies.

In October 2023, Thomas Dubuisson and Tom De Cordier authored an article in the “Revue Expertises des systèmes d’information – Droit, technologies et prospectives” Law Review, exploring the implications of the Data Act. Their article delves into the legal, technical, and financial challenges that this regulatory framework is poised to present to a wide spectrum of economic stakeholders.

In August 2021, Thomas contributed, together with other lawyers, to the Belgian chapter of the book "Law of Raw Data", published by Wolters Kluwer. This book gives an overview of the legislation on raw data around the world. For more information click here.

In October 2021, Thomas published an article in the European Data Protection Law Review (EDPL) on new policies on GDPR infringement aspects and litigation before the Belgian Data Protection Authority.

Thomas also publishes numerous articles in the press and on our CMS.law website:

  • DE CORDIER (T.), DUBUISSON (T.), “CMS GDPR Enforcement Tracker Report”, 23 May 2025, available here
  • DE CORDIER (T.), DUBUISSON (T.), “Avec moins de 50 amendes en sept ans, le raz-de-marée de sanctions en lien avec le RGPD n'a pas eu lieu”, Interview in l’Echo, 22 May 2025, available here
  • DE CORDIER (T.), DUBUISSON (T.), et al., “The comeback is on: how the EU plans to reclaim digital sovereignty”, 29 April 2025, available here
  • DUBUISSON (T.), “Rançongiciel : un hôpital sanctionné pour manquement à la sécurité de ses données”, Revue Expertises des systèmes d'information – Droit, technologies et prospectives, n° 510, March 2025, available here
  • DUBUISSON (T.), “Deepseek AI - What is it and what do legal teams need to know about it?”, 25 February 2025, LexisNexis, available here
  • DE CORDIER (T.), DUBUISSON (T.), et al., “Should privacy professionals take on AI governance roles?”, 11 February 2025, available here
  • DE CORDIER (T.), DUBUISSON (T.), “Is the EU-U.S. Data Privacy Framework in danger”, 28 Jan. 2025, available here
  • DUBUISSON (T.), “Belgium – AI under the microscope of the GDPR: the Belgian Data Protection Authority deciphers the challenges of data protection in the development and use of AI”, European Data Protection Law Review, Volume 10 (2024), Issue 4, Jan. 2025, available here
  • DE CORDIER (T.), DUBUISSON (T.), “Compulsory or optional? AI literacy a central component of compliance with AI Act”, 18 December 2024, available here
  • DUBUISSON (T.), “L’IA sous la loupe du RGPD”, Revue Expertises des systèmes d'information – Droit, technologies et prospectives, n° 507, December 2024, available here
  • DE CORDIER (T.), DUBUISSON (T.), “EU Cyber Resilience Act comes into effect on 10 December”, 03/12/2024, available here
  • DE CORDIER (T.), DUBUISSON (T.), “EU’s NIS 2 enters into force: compliance is now mandatory”, 22/10/2024, available here
  • DE CORDIER (T.), DUBUISSON (T.), “The Belgian Data Protection Authority publishes an informative brochure on artificial intelligence systems and the GDPR”, 25/09/2024, available here
  • DE CORDIER (T.), DUBUISSON (T.), DOBBELAERE (D.) and DE PAUW (V.), and Co., “News from the CJEU on GDPR compensation”, 02/02/2024, available here
  • DUBUISSON (T.), “Corporate Disputes - Ransomware and data privacy: class action litigation”, Financier Worldwide Magazine, Jan-Mar 2024 issue, 01/2024, available here
  • DE CORDIER (T.), DUBUISSON (T.), DOBBELAERE (D.) and DE PAUW (V.), « With EU Cyber Resilience Act, EU gets tough on IoT supply chain cybersecurity », 13/12/23, available here
  • DE CORDIER (T.), DUBUISSON (T.), “How to draft an AI policy?” 23/10/2023, available here
  • DUBUISSON (T.), “Phishing : Votre employé est-il responsable ?”, Trends-Tendances, 19/10/2023, available here
  • DUBUISSON (T.), “Un cybercriminel m’a contacté par e-mail, SMS, téléphone et j’ai malheureusement partagé mes informations personnelles. Que puis-je faire ?”, La Libre Belgique, 16/10/2023, available here
  • DUBUISSON (T.), “EU Cybersecurity Month: The looming threat of a single phishing click to your business”, 09/10/2023, available here
  • DE CORDIER (T.), DUBUISSON (T.), “Règlement sur les données (Data Act) : Un pas décisif vers une société fondée sur les données”, Revue Expertises des systèmes d'information – Droit, technologies et prospectives, n° 494, October 2023, available here
  • DE CORDIER (T.), DUBUISSON (T.), “Summer Snapshot: Tech and Data Highlights You Might Have Missed”, 11/09/2023, available here
  • DUBUISSON (T.), "Data Protection and Privacy" (Belgium), InDepth Features, Financier Worldwide, 13/07/2023, available here
  • DE CORDIER (T.), DUBUISSON (T.), “Adequacy decision on EU-US Data Privacy Framework adopted”, 10/07/2023, available here;
  • DE CORDIER (T.), DUBUISSON (T.), “The GDPR turns 5 | Europe-wide analysis reveals data protection fines totaling EUR 2.7 billion in over 1,500 cases”, 23/05/2023, available here
  • DE CORDIER (T.), DUBUISSON (T.), “The Belgian Whistleblowing Act enters into force. What do you need to know regarding data protection?”, 15/02/2023, available here
  • DE CORDIER (T.), DUBUISSON (T.), “Happy Data Protection Day! What’s on the horizon for 2023?”, 27/01/2023, available here
  • DE CORDIER (T.), DUBUISSON (T.), « Les cybercriminels vont-ils profiter du succès de ChatGPT pour tromper votre entreprise? », l’Echo, 23/01/2023, available here
  • DE CORDIER (T.), DUBUISSON (T.), « Quelle stratégie adopter face aux attaques par rançongiciel? », l’Echo, 11/01/2023, available here
  • DUBUISSON (T.), FONTEYN (B.), “Belgian DPA again clarifies the right of access to medical records”, 20/12/2022, available here
  • DUBUISSON (T.), HEREMANS (T.), “The Digital Services Act has entered into force: Here's a quick recap”, 25/11/2022, available here
  • DE CORDIER (T.), DUBUISSON (T.), “EU Cybersecurity Month: mobile devices can pose a risk to your business”, 20/10/2022, available here
  • DOMOKOS (M.), DUBUISSON (T.), HORVATH (K.), PETRANYI (D.), “European Commission proposes new Cyber Resilience Act”, 12/10/2022, available here
  • DE VISSCHER (F.), DUBUISSON (T.), MARIANO (M.), JANSSENS (M-C.), VAN DE GEHUCHTE (T.), Moral rights in « Les travaux de l’AIPPI », Revue de droit intellectuel - L'ingénieur conseil / Tijdschrift intellectuele eigendom, 2022/2 - 1 septembre 2022, p. 297-324.
  • DE GRAAF (E.), DUBUISSON (T.), “How to handle your (ex)-employees’ health data? The BDPA provides new guidelines regarding manager’s communication”, 08/08/2022, available here
  • DUBUISSON (T.), FONTEYN (B.) “Belgian DPA clarifies the interaction between Belgian Patient's Rights Law and GDPR”, 13/07/2022, available here
  • DE CORDIER (T.), DUBUISSON (T.), “Another cookie enforcement case: Belgian privacy watchdog reconfirms cookie consent rules”, 31/01/2022, available here
  • DE CORDIER (T.), DUBUISSON (T.), “Éradiquer le fléau des ransomware en interdisant le paiement des rançons?”, l’Echo, 23/11/2021, available here
  • DUBUISSON (T.), “Data Protection Authority Provides New Policies on GDPR Infringements and Litigation Proceedings Aspects”, 15/10/2021, European Data Protection Law Review, 2021/3, p. 435-449
  • Van den Brande (S.), Lens (S.), Dubuisson (T.), Lhote (A-N.), Meyer (G.), Law of Raw Data, Belgium chapter, Kluwer Law International, 2021, available here
  • DE CORDIER (T.), DUBUISSON (T.), “EU Cybersecurity Month: Hybrid working makes phishing attacks harder to spot”, 13/10/2021, available here
  • DE CORDIER (T.), DUBUISSON (T.), “Summer legal recap of data protection law”, 3/09/2021, available here
  • DE CORDIER (T.), DUBUISSON (T.), “EU finally adopts new data transfer clauses”, 09/06/2021 available here
  • DE CORDIER (T.), DUBUISSON (T.), “EU Court of Justice clarifies concept of “informed consent” for collection of personal data”, 17/11/2020, available here
  • DUBUISSON (T.), « Télétravail et cybersécurité : vos employés sont-ils bien formés ? »,Trends Tendances, 12/11/2020, available on Linkedin
  • DUBUISSON (T.), “Que faire en cas de chantage à la pornographie ?”, 03/11/2020, available on Linkedin
  • DE CORDIER (T.), DUBUISSON (T.), “EU Cyber Security Month: learn how multi-factor authentication can protect your company's most valuable assets”, 29/10/2020, available in The Wire
  • DUBUISSON (T.), Simonart (B.), “How to handle your ex-employees’ mailboxes? The Belgian Data Protection Authority provides guidelines and a EUR 15,000 fine”, 23/10/2020, available here
  • DUBUISSON (T.), “Le « revenge porn » (vengeance pornographique) est désormais dans le Code pénal !” 25/08/2020, available on Linkedin
  • DE CORDIER (T.), DUBUISSON (T.), VAN DAELE (J.), “Schrems strikes again: EU-US Privacy Shield invalid; Standard Contractual Clauses upheld but due diligence required”, 17/07/2020, available here
  • DUBUISSON (T.), Van den Brande, S., de Visscher, F., Lens, S., Vandewynckel, S., Anne Namalie Lhote and Meyer, G., Rights in Data in « Les travaux de l'AIPPI », 19/05/2020, Revue de droit intellectuel - L'ingénieur conseil / Tijdschrift intellectuele eigendom, 2020/2, p.360-395
  • DE CORDIER (T.), DUBUISSON (T.), “Belgian Data Protection Authority provides new guidance on cookies”, 25/05/2020, available here
  • DE CORDIER (T.), DUBUISSON (T.), “Deadline approaching for notifying CCTV cameras to Belgian police”, 14/05/2020, available here
  • DE CORDIER (T.), DUBUISSON (T.), “Belgian DPA publishes new detailed guidelines on direct marketing”, 14/02/2020, available here
  • DE CORDIER (T.), DUBUISSON (T.), VAN DAELE (J.), “EU Advocate-General opinion hints Europe’s top court is unlikely to disrupt international data flows in pending decision”, 20/12/2019, available in The Wire
  • DUBUISSON (T.), “L'employé est-il responsable lorsqu’il mord au “phishing””, 28/11/2019, Trends Tendances, available on Trends
  • DE CORDIER (T.), DUBUISSON (T.),” EU Cybersecurity Month: When a simple phishing click can severely harm your company”, 10/10/2019, available here
  • DE CORDIER (T.), DUBUISSON (T.), “Time to update your cookie consent and policy! CJEU says preticked checkboxes are not valid”, 02/10/2019, available here
  • DE CORDIER (T.), DUBUISSON (T.), “Using social plug-ins on your website? You and the social network will be jointly liable for the data processing”, 31/07/2019, available here
  • DE CORDIER (T.), DUBUISSON (T.), “First Belgian GDPR sanction: DPA fines mayor EUR 2,000”,31/05/2019, available here
  • DE CORDIER (T.), DUBUISSON (T.), "EU Advocate General gives Internet cookie opinion that could impact data privacy regs”, 02/04/2019, available here
  • DE CORDIER (T.), DUBUISSON (T.), GORIS (A-M), “Belgium's privacy watchdog publishes guidance on the notions of controller and processor”, 17/01/2019, available here

Memberships & Roles

  • Member of the International Association of Privacy Professionals (IAPP)
  • Member of the Belgian National Association for the Protection of Industrial Property (ANBPPI / BNVBIE)
  • Member of the International Association for the Protection of Intellectual Property (AIPPI)

Lectures list

Thomas is a frequent speaker at conferences in his fields of interest, such as:

  • AI Legal Summit 2025, “What are the biggest known and unknown risks associated with integrating AI into our law practice and operations? How can we proactively address and mitigate these potential threats?” (27-28 February, 2025)
  • Luxembourg House of Cybersecurity – « Retour de 12 mois de réponse à incident par le team CSIRT d’Excellium – Panorama des types d’incidents et principaux enseignements à retenir » (18th October 2022)
  • New York University (NYU) « Cybersecurity, An International & Commercial Perspective » (14th July 2022)
  • « Lutte contre le blanchiment / Les défis du Compliance Officer : Le RGPD souffle ses 6 bougies. Tant de choses à accomplir (encore) ? » (31st May 2022)

Education

  • 2015 - Bar admission (Brussels, Belgium)
  • 2012 - George Washington University Law School - United States of America (LL.M in Intellectual Property Law)
  • 2011 - Maastricht University - Netherlands (LL.M in Intellectual Property Law and Knowledge Management) 
  • 2010 - University of Louvain, UCLouvain - Belgium (Law Degree)