Home / People / Thomas Dubuisson
Portrait ofThomas Dubuisson

Thomas Dubuisson

Senior Associate

CMS DeBacker
Chaussée de La Hulpe 178
1170 Brussels
Belgium
Languages French, English, Dutch, Spanish

Thomas specialises in data protection (GDPR), intellectual property, digital law and advanced technologies, e-commerce and marketplaces, and computer crime. His experience, for private and public law entities, includes both contentious and non-contentious work in these areas.

He also holds an LL.M. degree in the Netherlands (Maastricht University) and in the United States (The George Washington University), giving him a thorough understanding of the civil and common law in this area.

He then developed his knowledge and practical skills through traineeships at the major intellectual property institutions, namely the European Union Intellectual Property Office (EUIPO), the European Patent Office (EPO) and the World Intellectual Property Organisation (WIPO).

First-class Tech&Data team is recognized for its excellence in Tier 1 in the  "Privacy and Data protection" category of LEGAL500’s shortlist and is also ranked in Band 1 in the International Chambers Directory. Thomas is also recommended in the Legal500’s 2023 edition as key lawyer in the EU Privacy and Data Protection category, more specifically on data-related litigation.

Thomas is also a Certified Information Privacy Professional/Europe (CIPP/E) by the IAPP. IAPP certified professionals are recognised worldwide as members of an elite group of competent and dedicated data protection professionals. This CIPP/E certification attests to a high level of knowledge of data protection issues.

He is also a member of the Incubator of the Brussels Bar.

Moreover, he writes numerous articles in the press (e.g. Echo, Trends) and legal journals (e.g. European Data Protection Law Review).

Thomas has an extensive knowledge in the following areas, among others

  • Privacy and data protection
  • Intellectual property
  • Cybercrime (fraud, hacking, computer fraud, phishing, ransomware, cyberbullying)
  • Cookies and other tracking technology
  • Security breaches and personal data breaches
  • New technologies used in commerce and marketing
  • IT litigation
  • Digital and advanced technology law
  • Technology, Media and Telecommunications
more less

Relevant experience

  • September 2012 - March 2013 - European Union Intellectual Property Office (EUIPO) - Trademark Law Division, Alicante, Spain
  • April - August 2013 - European Patent Office (EPO) - Patent Law Directorate, Munich, Germany
  • November 2013 - November 2014 - World Intellectual Property Organization (WIPO) - IP Enforcement Division, Geneva, Switzerland
more less

Memberships & Roles

  • Member of the International Association of Privacy Professionals (IAPP)
  • Member of the Belgian National Association for the Protection of Industrial Property (ANBPPI / BNVBIE)
  • Member of the International Association for the Protection of Intellectual Property (AIPPI)
  • Member of the Robotics Law Association (ADDR)
more less

Publications

Thomas has contributed to prestigious publications.

In October 2023, Thomas Dubuisson and Tom De Cordier authored an article in the “Revue Expertises des systèmes d’information – Droit, technologies et prospectives” Law Review, exploring the implications of the Data Act. Their article delves into the legal, technical, and financial challenges that this regulatory framework is poised to present to a wide spectrum of economic stakeholders.

In August 2021, Thomas contributed, together with other lawyers, to the Belgian chapter of the book "Law of Raw Data", published by Wolters Kluwer. This book gives an overview of the legislation on raw data around the world. For more information click here.

In October 2021, Thomas published an article in the European Data Protection Law Review (EDPL) on new policies on GDPR infringement aspects and litigation before the Belgian Data Protection Authority.

Thomas also publishes numerous articles in the press and on our CMS.law website:

  • DUBUISSON (T.), “Corporate Disputes - Ransomware and data privacy: class action litigation”, Financier Worldwide Magazine, Jan-Mar 2024 issue, 01/2024, available here
  • DE CORDIER (T.), DUBUISSON (T.), DOBBELAERE (D.) and DE PAUW (V.), « With EU Cyber Resilience Act, EU gets tough on IoT supply chain cybersecurity », 13/12/23, available here
  • DE CORDIER (T.), DUBUISSON (T.), “How to draft an AI policy?” 23/10/2023, available here
  • DUBUISSON (T.), “Phishing : Votre employé est-il responsable ?”, Trends-Tendances, 19/10/2023, available here
  • DUBUISSON (T.), “Un cybercriminel m’a contacté par e-mail, SMS, téléphone et j’ai malheureusement partagé mes informations personnelles. Que puis-je faire ?”, La Libre Belgique, 16/10/2023, available here
  • DUBUISSON (T.), “EU Cybersecurity Month: The looming threat of a single phishing click to your business”, 09/10/2023, available here
  • DE CORDIER (T.), DUBUISSON (T.), “Règlement sur les données (Data Act) : Un pas décisif vers une société fondée sur les données”, Revue Expertises des systèmes d'information – Droit, technologies et prospectives, n° 494, October 2023, available here
  • DE CORDIER (T.), DUBUISSON (T.), “Summer Snapshot: Tech and Data Highlights You Might Have Missed”, 11/09/2023, available here
  • DUBUISSON (T.), "Data Protection and Privacy" (Belgium), InDepth Features, Financier Worldwide, 13/07/2023, available here
  • DE CORDIER (T.), DUBUISSON (T.), “Adequacy decision on EU-US Data Privacy Framework adopted”, 10/07/2023, available here;
  • DE CORDIER (T.), DUBUISSON (T.), “The GDPR turns 5 | Europe-wide analysis reveals data protection fines totaling EUR 2.7 billion in over 1,500 cases”, 23/05/2023, available here
  • DE CORDIER (T.), DUBUISSON (T.), “The Belgian Whistleblowing Act enters into force. What do you need to know regarding data protection?”, 15/02/2023, available here
  • DE CORDIER (T.), DUBUISSON (T.), “Happy Data Protection Day! What’s on the horizon for 2023?”, 27/01/2023, available here
  • DE CORDIER (T.), DUBUISSON (T.), « Les cybercriminels vont-ils profiter du succès de ChatGPT pour tromper votre entreprise? », l’Echo, 23/01/2023, available here
  • DE CORDIER (T.), DUBUISSON (T.), « Quelle stratégie adopter face aux attaques par rançongiciel? », l’Echo, 11/01/2023, available here
  • DUBUISSON (T.), FONTEYN (B.), “Belgian DPA again clarifies the right of access to medical records”, 20/12/2022, available here
  • DUBUISSON (T.), HEREMANS (T.), “The Digital Services Act has entered into force: Here's a quick recap”, 25/11/2022, available here
  • DE CORDIER (T.), DUBUISSON (T.), “EU Cybersecurity Month: mobile devices can pose a risk to your business”, 20/10/2022, available here
  • DOMOKOS (M.), DUBUISSON (T.), HORVATH (K.), PETRANYI (D.), “European Commission proposes new Cyber Resilience Act”, 12/10/2022, available here
  • DE VISSCHER (F.), DUBUISSON (T.), MARIANO (M.), JANSSENS (M-C.), VAN DE GEHUCHTE (T.), Moral rights in « Les travaux de l’AIPPI », Revue de droit intellectuel - L'ingénieur conseil / Tijdschrift intellectuele eigendom, 2022/2 - 1 septembre 2022, p. 297-324.
  • DE GRAAF (E.), DUBUISSON (T.), “How to handle your (ex)-employees’ health data? The BDPA provides new guidelines regarding manager’s communication”, 08/08/2022, available here
  • DUBUISSON (T.), FONTEYN (B.) “Belgian DPA clarifies the interaction between Belgian Patient's Rights Law and GDPR”, 13/07/2022, available here
  • DE CORDIER (T.), DUBUISSON (T.), “Another cookie enforcement case: Belgian privacy watchdog reconfirms cookie consent rules”, 31/01/2022, available here
  • DE CORDIER (T.), DUBUISSON (T.), “Éradiquer le fléau des ransomware en interdisant le paiement des rançons?”, l’Echo, 23/11/2021, available here
  • DUBUISSON (T.), “Data Protection Authority Provides New Policies on GDPR Infringements and Litigation Proceedings Aspects”, 15/10/2021, European Data Protection Law Review, 2021/3, p. 435-449
  • Van den Brande (S.), Lens (S.), Dubuisson (T.), Lhote (A-N.), Meyer (G.), Law of Raw Data, Belgium chapter, Kluwer Law International, 2021, available here
  • DE CORDIER (T.), DUBUISSON (T.), “EU Cybersecurity Month: Hybrid working makes phishing attacks harder to spot”, 13/10/2021, available here
  • DE CORDIER (T.), DUBUISSON (T.), “Summer legal recap of data protection law”, 3/09/2021, available here
  • DE CORDIER (T.), DUBUISSON (T.), “EU finally adopts new data transfer clauses”, 09/06/2021 available here
  • DE CORDIER (T.), DUBUISSON (T.), “EU Court of Justice clarifies concept of “informed consent” for collection of personal data”, 17/11/2020, available here
  • DUBUISSON (T.), « Télétravail et cybersécurité : vos employés sont-ils bien formés ? »,Trends Tendances, 12/11/2020, available on Linkedin
  • DUBUISSON (T.), “Que faire en cas de chantage à la pornographie ?”, 03/11/2020, available on Linkedin
  • DE CORDIER (T.), DUBUISSON (T.), “EU Cyber Security Month: learn how multi-factor authentication can protect your company's most valuable assets”, 29/10/2020, available in The Wire
  • DUBUISSON (T.), Simonart (B.), “How to handle your ex-employees’ mailboxes? The Belgian Data Protection Authority provides guidelines and a EUR 15,000 fine”, 23/10/2020, available here
  • DUBUISSON (T.), “Le « revenge porn » (vengeance pornographique) est désormais dans le Code pénal !” 25/08/2020, available on Linkedin
  • DE CORDIER (T.), DUBUISSON (T.), VAN DAELE (J.), “Schrems strikes again: EU-US Privacy Shield invalid; Standard Contractual Clauses upheld but due diligence required”, 17/07/2020, available here
  • DUBUISSON (T.), Van den Brande, S., de Visscher, F., Lens, S., Vandewynckel, S., Anne Namalie Lhote and Meyer, G., Rights in Data in « Les travaux de l'AIPPI », 19/05/2020, Revue de droit intellectuel - L'ingénieur conseil / Tijdschrift intellectuele eigendom, 2020/2, p.360-395
  • DE CORDIER (T.), DUBUISSON (T.), “Belgian Data Protection Authority provides new guidance on cookies”, 25/05/2020, available here
  • DE CORDIER (T.), DUBUISSON (T.), “Deadline approaching for notifying CCTV cameras to Belgian police”, 14/05/2020, available here
  • DE CORDIER (T.), DUBUISSON (T.), “Belgian DPA publishes new detailed guidelines on direct marketing”, 14/02/2020, available here
  • DE CORDIER (T.), DUBUISSON (T.), VAN DAELE (J.), “EU Advocate-General opinion hints Europe’s top court is unlikely to disrupt international data flows in pending decision”, 20/12/2019, available in The Wire
  • DUBUISSON (T.), “L'employé est-il responsable lorsqu’il mord au “phishing””, 28/11/2019, Trends Tendances, available on Trends
  • DE CORDIER (T.), DUBUISSON (T.),” EU Cybersecurity Month: When a simple phishing click can severely harm your company”, 10/10/2019, available here
  • DE CORDIER (T.), DUBUISSON (T.), “Time to update your cookie consent and policy! CJEU says preticked checkboxes are not valid”, 02/10/2019, available here
  • DE CORDIER (T.), DUBUISSON (T.), “Using social plug-ins on your website? You and the social network will be jointly liable for the data processing”, 31/07/2019, available here
  • DE CORDIER (T.), DUBUISSON (T.), “First Belgian GDPR sanction: DPA fines mayor EUR 2,000”,31/05/2019, available here
  • DE CORDIER (T.), DUBUISSON (T.), "EU Advocate General gives Internet cookie opinion that could impact data privacy regs”, 02/04/2019, available here
  • DE CORDIER (T.), DUBUISSON (T.), GORIS (A-M), “Belgium's privacy watchdog publishes guidance on the notions of controller and processor”, 17/01/2019, available here
more less

Lectures list

Thomas is a frequent speaker at conferences in his fields of interest, such as:

  • Luxembourg House of Cybersecurity – « Retour de 12 mois de réponse à incident par le team CSIRT d’Excellium – Panorama des types d’incidents et principaux enseignements à retenir » (18th October 2022)
  • New York University, New York (NYU) « Cybersecurity, An International & Commercial Perspective » (14th July 2022)
  • « Lutte contre le blanchiment / Les défis du Compliance Officer : Le RGPD souffle ses 6 bougies. Tant de choses à accomplir (encore) ? » (31st May 2022)
more less

Education

  • 2015 - Bar admission (Brussels, Belgium)
  • 2012 - George Washington University Law School - United States of America (LL.M in Intellectual Property Law)
  • 2011 - Maastricht University - Netherlands (LL.M in Intellectual Property Law and Knowledge Management) 
  • 2010 - University of Louvain, UCLouvain - Belgium (Law Degree)
more less
11/09/2023
Summer Snapshot: Tech and Data Highlights You Might Have Missed
Have you taken a break from your usual spot in front of the computer screen over the past few weeks? No worries, this article provides a succinct overview of the significant advancements in the world of technology and data that have transpired over t
15/02/2023
The Belgian Whistleblowing Act enters into force. What do you need to know...
The Belgian Parliament recently approved the Act implementing EU Directive 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law, commonly known as the Whistleblowing

Feed

13/12/2023
With EU Cyber Resilience Act, EU gets tough on IoT supply chain cybersecurity
On 30 November 2023, the EU took a decisive step towards bolstering cybersecurity in the Internet of Things (IoT) supply chain by reaching a political agreement over the Cyber Resilience Act (CRA). ...
20/11/2023
Data protection and cybersecurity laws in Belgium
Data protection 1. Local data protection laws and scope General Data Protection Regulation n° 2016/679 (GDPR);Law of 30 July 2018 on the protection of natural persons with regard to the processing...
Comparable
09/10/2023
EU Cybersecurity Month: The looming threat of a single phishing click to...
The EU Cybersecurity Month (ECSM) is an annual awareness campaign held every October throughout Europe, orchestrated by European and national institutions. Its primary objective is to elevate awareness...
11/09/2023
Summer Snapshot: Tech and Data Highlights You Might Have Missed
Have you taken a break from your usual spot in front of the computer screen over the past few weeks? No worries, this article provides a succinct overview of the significant advancements in the world...
10/07/2023
Adequacy Decision on EU-US Data Privacy Framework adopted
The European Commission has announced today 10 July 2023 the adoption of its "adequacy decision" on the EU - US Data Privacy Framework (“DPF") to allow EU-US data flows to businesses that will have...
29/06/2023
CMS advised Kereis in connection with the acquisition of a majority stakeholding...
CMS Belgium advised Kereis, the Europe’s largest insurance broker for specialist credit-related life insurance, backed by Bridgepoint, in connection with the acquisition of a majority stakeholding in...
15/02/2023
The Belgian Whistleblowing Act enters into force. What do you need to know...
The Belgian Parliament recently approved the Act implementing EU Directive 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of...
27/01/2023
Happy Data Protection Day! What’s on the horizon for 2023?
28 January is Data Protection Day. The purpose of the day is to raise awareness and promote privacy and data protection best practices. To mark the day, our Tech & Data Team has summarised the key regulatory...
20/12/2022
Belgian DPA again clarifies the right of access to medical records
In its decision of 6 December 2022, the Belgian Data Protection Authority (“BDPA”) issued a reminder of the limits attached to the right of access to medical records, including personal notes of the...
20/10/2022
EU Cybersecurity Month: mobile devices can pose a risk to your business
The EU Cybersecurity Month (“ECSM”) is the EU’s annual awareness campaign that takes place every October across Europe. Through this initiative, European institutions aim to raise awareness about...
02/08/2022
How to handle your (ex)-em­ploy­ees’ health data. The BDPA provides new guidelines...
An employee is leaving your company. As a manager, you announce in the employee’s absence his/her departure to your team during a meeting. Such communication needs to be conducted intelligently to defuse...
13/07/2022
Belgian DPA clarifies the interaction between Belgian Patient's Rights...
In its decision of 6 July 2022, the Belgian Data Protection Authority (BDPA) has issued a reminder of the limits attached to the right of access and right to rectification of medical records. Available...