Belgium

Fining practice

Trend: to date, have the national data protection authorities in Belgium focused on certain types of non-compliance with data protection law, or have the authorities stated that they will investigate certain types of non-compliance more closely in future? Do you see a focus on certain industries/sectors? If so, which ones?

So far, it can be observed that the majority of all fines imposed by the Belgian Data Protection Authority ("Autorité de protection des données" / "Gegevensbeschermingsautoriteit", “DPA”) were issued either due to there being an insufficient legal basis for data processing (Art. 5, 6 GDPR), lack of transparency (Art. 12 GDPR) or due to failure to comply with the rights held by data subjects (Art. 15 – 17 GDPR). The fines imposed in Belgium cover a fairly balanced range of industries: insurance, telecommunications, etc. Also, the DPA not only imposes fines on companies, but also on other data controllers/processors, such as: private individuals, schools, bailiff offices, non-profit organisations, mayors and councillors. At a swift glance at the amount of fines, it can be observed that the largest fines were imposed owing to there being an insufficient legal basis, a lack of transparency in privacy policies and a violation of the right to be forgotten.

On 15 November 2022, the new Executive Committee of the Belgian DPA communicated its key priorities for 2023. Subject to sufficient resources, the following will be the key priorities: cookies, data protection officers, smart cities and data brokers.

Overall, what was the most significant fine in Belgium to date (please specify the recipient, the amount, the type of violation, the sector, and provide a brief summary)? Has the fine been challenged in court? If it has: was this successful, or what is the status of the proceedings?

The highest fine that the DPA has imposed so far under the GDPR was a fine of EUR 600,000 against Google Belgium for not respecting the right held by a Belgian citizen to be forgotten, and for lack of transparency in its request form for delisting. Google Belgium refused to comply with the request made by the Belgian citizen to remove from search results outdated articles which were damaging to their reputation.

Before the Litigation Chamber ("Geschillenkamer”; “Chambre Contentieuse”), Google argued that the complaint was unfounded because it was filed against Google Belgium, whereas the data controller is not the Belgian subsidiary of Google, but Google LLC based in California. The Litigation Chamber did not accept this argument. In its view, the activities of Google Belgium and Google LLC are inextricably linked and the Belgian subsidiary could therefore be held liable. However, the Litigation Chamber followed Google's argument that its main branch in Europe (Google Ireland) is not responsible for removing internet pages from the search results. The decision can be found under the following link.

Google appealed the decision before the Court of Appeal arguing that:

• the order was addressed to Google Belgium which is not the controller in this case;
• the DPA did not sufficiently demonstrate how it could be established that Google Belgium was linked to the activities performed by Google LCC as the controller;
• article 58 GDPR does not establish the possibility to impose a corrective measure on an entity other than the controller (i.e. Google LLC);
• the DPA published the decision without removing Google's name and even communicated with the press as to its decision.

The Court of Appeal annulled the decision on the grounds that the decision imposed a corrective measure on Google Belgium whereas the controller in question is Google LLC (and it was against the latter that the complaint should have been filed), without sufficiently establishing how Google Belgium's activities would be inextricably linked to the controller (Google LLC). Google Belgium could only be subject to a corrective measure if the DPA could prove the link between both companies.

Organisation of authorities, procedure and publicising of fine proceedings

How is the data protection authority organised in Belgium? In particular: What is the annual budget? How many staff are employed? Is the authority assigned to a specific ministry? If so, which one?

• The DPA is an independent body, established by the Belgian Federal Chamber of Representatives (Federal Parliament). 
• The DPA consists of five directorates and a Management Committee. These 5 directorates are: (i) General Secretariat (“Algemeen secretariaat”, “Secrétariat Général”), (ii) “Knowledge Centre” (“Kenniscentrum”, “Centre de Connaissances”), (iii) the First-line Service (“Eerstelijnsdienst”, “Service de Première Ligne”), (iv) the Inspectorate (“Inspectiedienst”, “Service d’Inspection”) and (v) the Litigation Chamber (“Geschillenkamer”, “Chambre Contentieuse”).
• The Management Committee consists of the Directors of those five directorates. 
• The DPA employed about 60 people in 2022. This number will most likely increase in the near future as the Belgian DPA considers that to perform its mission, there is a need for more FTEs.

How does a fine procedure work in Belgium? In particular: can the authority itself impose fines? How does the procedure work (e.g., notification as to the opening of proceedings (public/addressed to the company alone?), notification as to the intention to impose a fine (public/addressed to companies alone?), formal penalty notice)? What legal remedies are possible against an imposed fine?

• Proceedings usually start following (i) a complaint from a data subject holding the opinion that his/her personal data has been processed in an incorrect manner, (ii) the DPA may initiate proceedings at its own initiative;
• Fines may be imposed by the DPA after proceedings before the Litigation Chamber;
• Companies may appeal the decisions made by the Litigation Chamber, within 30 days after notification of the decision has been provided, before the Court of Appeal in Brussels.

When fines are imposed by the data protection authority: Where does the money go? (e.g., the State treasury, the authority's budget)?

• Fines are transferred to the State treasury.

Is there a common, official calculation methodology of fines in Belgium (such as the fining models in the Netherlands or Germany)?

There is no official calculation method for fines in Belgium. There is only a so-called "penalty form" which is sent to the parties after the hearing before the Litigation Chamber and the DPA's initial decision.

Broadly speaking there are two tiers of administrative fines for non-compliance with the Belgian Act of 30 July 2018 on the Protection of Individuals with regard to the Processing of Personal Data (“Belgian Data Protection Act”) and GDPR. Fines are imposed on a case-by-case basis and should be “effective, proportionate and dissuasive”:

• The first tier is up to EUR 10 million or 2 % of annual global turnover of the previous year, whichever is higher (for infringements of articles: 11 (processing that does not require identification); 25 – 39 (general obligations held by processors and controllers);
• The second tier is up to EUR 20 million or 4 % of annual turnover of the previous year, whichever is higher (may be issued for infringements of articles: 5 (data processing principles); 6 (lawfulness of processing); 7 (conditions for consent); 9 (processing of special data categories); 12 – 22 (data subjects’ rights); and 44 – 49 (data transfers to third countries or international organisations).

In addition to the administrative fines provided for in the GDPR, the Belgian Data Protection Act also introduces different tiers of criminal penalties for violations of the Data Protection Act (as well as the GDPR itself), with a maximum penalty of EUR 30,000. Taking into account the mandatory multiplication of criminal fines, this equals a de facto maximum fine of EUR 240,000. The Data Protection Act also clarifies that a controller and/or processor is in principle civilly liable for the payment of the fines which have been imposed on its contractor or agent.

The DPA also follows the EDPB Guidelines 04/2022 on the calculation of administrative fines under the GDPR issued by the EDPB.

Can public authorities be fined in Belgium? If they can: Where does this money go?

Except in cases where public bodies would offer services or goods on the free market, no administrative fines may be imposed on public authorities and other public bodies.

In Belgium, does the data protection authority publish information on cases involving individual fines, including fines imposed or other procedural steps (e.g. on its website or in its annual report)? Are the affected companies identifiable in such publications?

All decisions (including reprimands) issued by the General Secretariat, the Litigation Chamber and the judgements of the Court of Appeal are published on the website of the DPA (https://www.gegevensbeschermingsautoriteit.be/burger/publicaties/beslissingen). These decisions contain information on the relevant facts, imposed fines and other procedural steps. Often the involved parties are anonymised (e.g. Party X and Party Y).

If no information on individual fine cases is published: does the data protection authority provide aggregated information on the total number of cases and/or the total amount of fines? What were the annual figures from 2019?

See our answer to previous question. (In Belgium, does the data protection authority publish information on cases[...])

Other legal consequences of non-compliance

Does Belgium have model declaratory proceedings/class actions in data protection law, i.e., are several data subjects able to join forces and take legal action together against the data controller?

With the Act of 28 March 2014 regarding collective redress, the Belgian legislature introduced the concept of class actions into Belgian law. Since the Act of 28 March 2014, it has been possible to file a class action in Belgium, which has been formally named an “action for collective redress.” Actions for collective redress are only open to consumers and to small and medium-sized enterprises represented by a “group representative”, when they suffer damages as the result of a common cause.

The group representative for claims of consumers must be either:

• An association representing the consumers’ interests and recognised by the Minister of Economic Affairs;
• An association actively pursuing the consumers’ interests in collective redress matters that has existed for more than three years;
• The public service of the Ombudsman;
• A representative body recognised by a member State of the European Union or the European Economic Area as able to act in collective redress cases.

The group representative for claims made by small and medium sized enterprises must be either:

• An interprofessional association representing the SME’s interests, which is recognised by the government;
• An association actively pursuing the SME’s interests in collective redress matters, which has existed for more than three years;
• A representative body recognised by a member State of the European Union or the European Economic Area as able to act in collective redress cases.

Article 220 of the Belgian Data Protection Act (transposing article 80 of the GDPR) states that the person concerned shall have the right to instruct a body, an organisation or a non-profit association to lodge a complaint on their behalf and to exercise the administrative or judicial appeal on their behalf, either with the competent supervisory authority or with the judiciary, as set out in special laws, the Judicial Code and the Code of Criminal Procedure.

A body, an organisation or a non-profit association must (as referred to in Article 220 of the Belgian Data Protection Act):

• be duly constituted in accordance with Belgian law;
• have legal personality;
• have statutory public interest objectives;
• have been active in protecting the rights and freedoms of data subjects in the context of the protection of personal data for at least three years.

Belgium is the only country to have a specific approval procedure for consumer organisations established outside its territory for the filing of class actions (“actions for collective redress”). In September 2020, the Belgian Official Journal published a Ministerial Decree of 30 September 2020 approving NOYB (None of Your Business), Max Schrems' privacy rights organisation, as a qualified entity under the collective action scheme set out by the Belgian Code of Economic Law. This means that NOYB is able to file representative actions in Belgium and claim damages on behalf of users of a company for violating various laws relating to consumer protection, including data protection legislation in Belgium, similarly to Test-Achats ("Test Aankoop") which already filed a lawsuit against Facebook for violating data protection legislation in relation to Cambridge Analytica, asking for EUR 200 in damages per user (see https://www.test-achats.be/).

What is more relevant in Belgium: fines from authorities or court proceedings such as claims for damages or injunctions? Can a trend be discerned for the coming years?

• At present, fines imposed by data protection authorities occur much more often than private litigation regarding data protection infringements, which are relatively rare in Belgium. This is most likely due to high litigation costs, paired with low claims for damages.
• The Belgian DPA has stated that it is going to pursue a more proactive investigation policy through the inspection of entities. Even though we saw a substantial increase in the decisions issued by the Litigation Chamber between 2020 and 2022 (by around 120 %), the total amount of fines decreased (by around 20 %) due to a high amount of dismissal decisions and an increase of reprimands and orders (instead of fines).