
Tom De Cordier


CMS DeBacker
Chaussée de La Hulpe 178
1170 Brussels
Languages Dutch, French, English

Tom is a seasoned technology lawyer with a strong focus on data privacy law, technology, media and communications law, technology-related IP and life sciences. Clients praise him for his commercial acumen and his pragmatic and down-to-earth style. 

His practice covers a wide range of advisory, transactional and litigation work in international and domestic matters relating to data privacy, TMC and life sciences. Tom has experience in:

  • Data protection - Tom regularly assists clients in domestic and multi-jurisdictional privacy compliance projects. He advises clients on all aspects of data protection compliance, including data protection policies and procedures, the use of data in the provision of consumer and business products, big data, responding to data subject access requests, cross-border data transfers, cloud computing, data security breaches, transfers of data to regulators, data privacy in life sciences, the use of data in customer relationship management systems and processes, employee monitoring and website compliance issues, BYOD, whistleblowing hotlines, fintech, data privacy litigation, etc.
  • IT transactions including IT sourcing projects; cloud projects; digital transformation projects; etc.
  • IT advisory work (eg. advising on legal aspects of digital disruption, e-archiving, electronic signatures, etc.)
  • Legal aspects of e-commerce (eg. advising on how to ensure that websites comply with e-commerce laws and regulations; drafting or reviewing website policies, online privacy policies; etc.)
  • Network & information security (eg. advising clients on cyber security requirements and risks; etc.)
  • Telecom & media regulatory matters including pre-contentious and contentious regulatory work (eg. assisting telecoms clients in their dealings with the regulatory authorities; representing clients in court proceedings regarding telecoms regulatory disputes; etc.)
  • IP transactional work (eg. drafting and negotiating cross-border patent & know-how license agreements; drafting and negotiating complex R&D agreements; drafting and negotiating IP assignment agreements; drafting and negotiating IP reps & warranties; etc.)

Tom is perfectly trilingual.

Tom is ranked tier 1 in Legal 500’s latest shortlist of leading practitioners in EU data protection. Chambers Europe ranks Tom as “Up and coming” in the category Technology, Media & Telecommunications in Belgium. Corporate International Magazine recently recommended Tom as “rising star of the year in Belgium” for telecommunications law.

Tom frequently speaks at conferences and seminars on technology-related and privacy-related topics. He is also frequently asked by the international press to share his views on recent trends and developments in this area. Recent examples include: 

  • Financial Times (13 September 2020): Data privacy expert, Tom De Cordier comments in Financial Times on the concerns of EU companies seeking guidance on data transfers to the US after the recent ECJ ruling on the Privacy Shield. Read more here
  • SC Media (17 August 2020): Data protection expert, Tom De Cordier, discusses the challenge businesses face after the recent invalidation of the Privacy Shield. Read more here 
  • Euractive Digital Brief (25 June 2020): Tom has been quoted in the Euractive Digital Brief "To GDPR or not?", about the review of the application of the GDPR across the EU. Read more here
  • Computer Weekly (24 June 2020): data privacy expert, Tom De Cordier, comments on the effectiveness of the GDPR and on the role of technology in economic revival. Read more here
  • Bloomberg (2 June 2020): "Tech That Saves EU Firms From Covid-19 Could Kill Them in Court". Read more here

"He [Tom de Cordier] knows our risk appetite and really makes an effort to customise his way of working to our style."

TMT: Data Protection client - Chambers Europe, 2024

"He [Tom de Cordier] is a fantastic all-rounder who provides a good sense of pragmatism."

TMT: Data Protection client - Chambers Europe, 2024

"He [Tom de Cordier] knows our risk appetite and really makes an effort to customise his way of working to our style."

Telecommunications client - Chambers Europe, 2024

"He [Tom de Cordier] is a fantastic all-rounder who provides a good sense of pragmatism."

Telecommunications client - Chambers Europe, 2024

"Virginie Frémat, Julie De Pauw, and Tom De Cordier all have good work skills, get the work done (with no excuses), and are flexible in their way of working."

Feedback from a client - Legal 500, 2023

"Tom De Cordier is a very impressive partner who has very deep knowledge in the areas of data protection and telecommunication in the EU and Belgium."

Feedback from a client - Legal 500, 2023

"Tom de Cordier and Deven Dobbelaere provide practical and down-to-earth advice and try to think broader than the privacy practice."

Feedback from a client - Legal 500, 2023

"broad experience, knowledge of the market, politeness and resourcefulness"

Feedback from a client - Chambers Europe, 2022

Feedback about Tom De Cordier: "I appreciate the down to earth approach, the willingness to underpin advice with context, and most of all willingness to listen, really listen to the points being raised, perhaps in defence of a different viewpoint."

Feedback from a client - Legal 500, 2022


  • DE CORDIER (T.), DUBUISSON (T.), DOBBELAERE (D.) and DE PAUW (V.), « With EU Cyber Resilience Act, EU gets tough on IoT supply chain cybersecurity », 13/12/23, available here
  • DE CORDIER (T.), HEREMANS (T.) and VAN LIEDEKERKE (D.), « International Digital Regulation Hub: Expert advice on navigating the Digital Regulation Tsunami », 07/12/2023, available here
  • DE CORDIER (T.), DUBUISSON (T.), “Règlement sur les données (Data Act) : Un pas décisif vers une société fondée sur les données”, Revue Expertises des systèmes d'information – Droit, technologies et prospectives, n° 494, October 2023, available here
  • DE CORDIER (T.), “La dimension juridique des cyberattaques : ce qu’il faut savoir en tant que juriste”, Jubel, 12/07/2023, available here
  • DE CORDIER (T.), DUBUISSON (T.), “Adequacy decision on EU-US Data Privacy Framework adopted”, 10/07/2023, available here
  • DE CORDIER (T.), DUBUISSON (T.), “The GDPR turns 5 | Europe-wide analysis reveals data protection fines totaling EUR 2.7 billion in over 1,500 cases”, 23/05/2023, available here
  • DE CORDIER (T.), DUBUISSON (T.), “The Belgian Whistleblowing Act enters into force. What do you need to know regarding data protection?”, 15/02/2023, available here
  • DE CORDIER (T.), DUBUISSON (T.), “Happy Data Protection Day! What’s on the horizon for 2023?”, 27/01/2023, available here
  • DE CORDIER (T.), DUBUISSON (T.), « Les cybercriminels vont-ils profiter du succès de ChatGPT pour tromper votre entreprise? », l’Echo, 23/01/2023, available here
  • DE CORDIER (T.), DUBUISSON (T.), « Quelle stratégie adopter face aux attaques par rançongiciel? », l’Echo, 11/01/2023, available here
  • DE CORDIER (T.), DUBUISSON (T.), “EU Cybersecurity Month: mobile devices can pose a risk to your business”, 20/10/2022, available here
  • DE CORDIER (T.), DUBUISSON (T.), “Another cookie enforcement case: Belgian privacy watchdog reconfirms cookie consent rules”, 31/01/2022, available here
  • DE CORDIER (T.), DUBUISSON (T.), “Éradiquer le fléau des ransomware en interdisant le paiement des rançons?”, l’Echo, 23/11/2021, available here
  • DE CORDIER (T.), DUBUISSON (T.), “EU Cybersecurity Month: Hybrid working makes phishing attacks harder to spot”, 13/10/2021, available here
  • DE CORDIER (T.), DUBUISSON (T.), “Summer legal recap of data protection law”, 3/09/2021, available upon registration here
  • DE CORDIER (T.), DUBUISSON (T.), “EU finally adopts new data transfer clauses”, 09/06/2021, available upon registration here
  • T. DE CORDIER, « Losgeld betalen verbieden is geen gouden oplossing in de strijd tegen ransomware-aanvallen », Datanews, 02/12/2021.
  • T. DE CORDIER, « Eradiquer le fléau des ransomware en interdisant le paiement des rançons ? », L’Echo, 23/11/2021.
  • T. DE CORDIER, T. DUBUISSON & J. VAN DAELE, « EU Advocate-General opinion hints Europe’s top court is unlikely to disrupt international data flows in pending decision », 17/07/2020.
  • T. DE CORDIER & T. DUBUISSON, «Deadline approaching for notifying CCTV cameras to Belgian police», 14/05/2020.
  • T. DE CORDIER & T. DUBUISSON, « EU Cybersecurity Month: When a simple phishing click can severely harm your company », 11/10/2019.
  • T. DE CORDIER & T. DUBUISSON, « Time to update your cookie consent and policy! CJEU says pre-ticked checkboxes are not valid », 02/10/2019.
  • T. DE CORDIER & T. DUBUISSON, « Using social plug-ins on your website? You and the social network will be jointly liable for the data processing »,  31/07/2019.
  • T. DE CORDIER & T. DUBUISSON, « First Belgian GDPR sanction: DPA fines mayor EUR 2,000 », 31/05/2019.
  • T. DE CORDIER & T. DUBUISSON, « EU Advocate General gives Internet cookie opinion that could impact data privacy regs »,  02/04/2019.
  • T. DE CORDIER, A-M. GORIS &  T. DUBUISSON, « Belgium's privacy watchdog publishes guidance on the notions of controller and processor », 17/01/2019.



Lectures list

  • 26/05/2020: Webinar “Smart Contracts: From Clauses to Code”, with D. Dobbelaere & F. Dubois.
  • 11/06/2020: Webinar CMS “Digitalisation of the in-House legal team…and what it means for you”, with J. Challoner.
  • 09/09/2020: Webinar  “Law and Beyond - Digital Transformation: seizing the opportunity whilst avoiding the pitfalls” with S. Viaene & P. Coffyn.
  • 27/10/2020: Joint CMS-Marsh webinar “The Changing Face of Cyber Claims”, with A-S. Coppens.
  • 25/11/2020: Webinar “Data, Data, Data”.


  • 2000 - Bar admission (Brussels, Belgium)
  • 2000 - University of London - United Kingdom (LL.M. in Computers & Communications)
  • 1999 - University of Ghent, UGent - Belgium (Master of Laws)
Summer Snapshot: Tech and Data Highlights You Might Have Missed
Have you taken a break from your usual spot in front of the computer screen over the past few weeks? No worries, this article provides a succinct overview of the significant advancements in the world of technology and data that have transpired over t
Adequacy Decision on EU-US Data Privacy Framework adopted
The European Commission has announced today 10 July 2023 the adoption of its "adequacy decision" on the EU - US Data Privacy Framework (“DPF") to allow EU-US data flows to businesses that will have...


Looking ahead to the EU AI Act
Introduction
On 21 May 2024, the Council of the European Union adopted the “Regulation laying down harmonised rules on artificial intelligence” (the so-called AI Act). As the world's first comprehensive law to regulate artificial intelligence, the AI Act aims to establish uniform requirements for the development and use of artificial intelligence in the European Union. Following the European Parliament's adoption of the draft on 13 March 2024, the AI Act has now been formally adopted. Once signed by the Presidents of the European Parliament and the Council, the Regulation will be published in the Official Journal of the EU and will enter into force twenty days after its publication. With this adoption of the world’s most significant legislation on Artificial Intelligence, the EU is solidifying its position as a pioneer among global legislators. This initiative aims to establish and reinforce the EU’s role as a premier hub for AI while ensuring that AI development remains focused on human-centered and trustworthy principles. After a long and complex journey that began in 2021 with the European Commission’s proposal of a draft AI Act, this new regulation is expected to be passed into law in June 2024. The AI Act aims to ensure that the marketing and use of AI systems and their outputs in the EU are consistent with fundamental rights under EU law, such as privacy, democracy, the rule of law and environmental sustainability. Adopting a dual approach, it outright prohibits AI systems deemed to pose unacceptable risks while imposing regulatory obligations on other AI systems and their outputs. The new regulation, which also aims to strike a fair balance between innovation and the protection of individuals, not only makes Europe a world leader in the regulation of this new technology, but also endeavours to create a legal framework that users of AI technologies will be able to comply with in order to make the most of this significant development opportunity.
In this article we provide a first overview of the key points contained in the text of the AI Act that companies should be aware of in order to prepare for the implementing regulation.
Data Act and Cloud Service Providers (Part 2): Switching Providers
The Data Act means cloud service providers need to take action. Part 2 of our article provides an overview of the process for switching providers. Next blog post in the #CMSdatalaw series. As part of its...
Data Act and Cloud Service Providers (Part 1): Contract drafting and information...
The Data Act means cloud service providers need to take action. Part 1 of our article provides an overview of contract drafting and information obligations. With the new Data Act, the European Union...
The data access rights of the Data Act
The data access rights under the Data Act and their restrictions are extensive – we provide an overview. European legislators have recognised that data is an essential resource which is required for...
The DGA is expected to spur on data altruism
Voluntary data donations are intended to make data widely usable. The DGA wants to build trust in data altruism organisations. The range of applications in which the use of data and information is playing...
DGA: European data strategy for data intermediation services takes shape
Data intermediation services play a key role in the implementation of the European strategy for data. The DGA subjects these to regulation. In addition to the Data Act, the Data Governance Act (DGA), which...
Reusing data held by public sector bodies under the DGA
The Data Governance Act should allow data collected with public funds to be reused to benefit society. Together with the Data Act, the Data Governance Act (DGA) forms a key pillar of the European Commission's...
An overview of the Data Act
The Data Act is intended in particular to promote the flow and use of data. This article provides an overview. On 27 November 2023, the Data Act was adopted by the Council of the European Union after...
Adapting to the new EU Data Act: implications for medical devices and other...
In recent years, the European Commission developed a European data strategy, which aims to create a single European market in which data can circulate freely. As the European Commission has emphasized...
With EU Cyber Resilience Act, EU gets tough on IoT supply chain cybersecurity
On 30 November 2023, the EU took a decisive step towards bolstering cybersecurity in the Internet of Things (IoT) supply chain by reaching a political agreement over the Cyber Resilience Act (CRA). ...
Data protection and cybersecurity laws in Belgium
Data protection. 1. Local data protection laws and scope: General Data Protection Regulation n° 2016/679 (GDPR); Law of 30 July 2018 on the protection of natural persons with regard to the processing...
CMS Belgium advised Howden Belgium on the acquisition of WDR Insurance...
CMS Belgium played a crucial role in advising Howden Belgium's acquisition of WDR Insurance Group, specialist in property, casualty, and employee benefits, catering to a diverse clientele that includes...