GDPR Enforcement in Belgium

Trend: Have the national data protection authorities in Belgium focused on certain types of non-compliance with data protection law or have the authorities announced that they will investigate certain types of non-compliance more closely in the future? Do you see a focus on certain industries/sectors? If so, which ones?

In its Strategic Plan 2020-2025, the Executive Committee of the Belgian Data Protection Authority ("Autorité de protection des données"/"Gegevensbeschermingsautoriteit", “DPA”) identifies three categories of priorities for its mandate running from 2020 to 2025. First, it prioritises five sectors: telecommunications and media, government, direct marketing, education and small and medium-sized enterprises (SMEs). Next, it prioritises three instruments from the GDPR that it considers to be key building blocks for better protection of citizens' privacy: the role of the DPO, the legitimacy principle and the rights of data subjects. Finally, it will prioritise the following societal topics: photos and cameras, online data protection and use of sensitive data. Please note that the priorities may well change because of societal developments and changes in the playing field. The main priorities for 2025 are DPOs, cookies, direct marketing, transparent privacy notices and “smart” solutions.

So far, the majority of all fines imposed by the Belgian DPA were issued either due to an insufficient legal basis for data processing (Articles 5 and 6 GDPR), lack of transparency (Article 12 GDPR), failure to comply with the rights held by data subjects (Articles 15-17 GDPR) and/or insufficient technical and organisational measures to ensure information security (security TOMs) (Article 30 GDPR). The fines imposed in Belgium cover a fairly balanced range of industries: telecommunications, media, banking, insurance, etc. Also, the DPA not only imposes fines on companies, but also on other data controllers/processors, such as private individuals, schools, bailiff offices, non-profit organisations, mayors and councillors. Looking at the amount of the fines imposed by the DPA, it can be observed that the largest fines were imposed for processing with an insufficient legal basis, a lack of transparency in privacy and cookie policies, a lack of data security, a conflict of interest on the part of the DPO, a breach of cookie rules and a violation of the rights of data subjects.

Overall, what was the most significant fine in Belgium to date (please specify the recipient, the amount, the type of violation, the sector, and provide a brief summary)? Has the fine been challenged in court? If it has: was this successful, or what is the status of the proceedings?

The highest fine that the Belgian DPA has imposed so far under the GDPR was a fine of EUR 600,000 against Google Belgium for not respecting the right held by a Belgian citizen to be forgotten and for lack of transparency in its request form for delisting. Google Belgium refused to comply with the request made by the Belgian citizen to remove outdated articles that were damaging to their reputation from search results.

Before the Litigation Chamber ("Geschillenkamer”; “Chambre Contentieuse”), Google argued that the complaint was unfounded because it was filed against Google Belgium, whereas the data controller is not the Belgian subsidiary of Google, but Google LLC based in California. The Litigation Chamber did not accept this argument. In its view, the activities of Google Belgium and Google LLC are inextricably linked, and the Belgian subsidiary could therefore be held liable. However, the Litigation Chamber followed Google's argument that its main branch in Europe (Google Ireland) is not responsible for removing internet pages from the search results. The decision can be found by clicking on the following link.

Google appealed the decision before the Court of Appeal arguing that:

• the order was addressed to Google Belgium which is not the controller in this case;
   
• the DPA did not sufficiently demonstrate how it could be established that Google Belgium was linked to the activities performed by Google LLC as the controller;
   
• Article 58 GDPR does not establish the possibility of imposing a corrective measure on an entity other than the controller (i.e. Google LLC);
   
• the DPA published the decision without removing Google's name and even communicated with the press as to its decision.

The Court of Appeal annulled the decision on the grounds that the decision imposed a corrective measure on Google Belgium, whereas the controller in question is Google LLC (and it was against the latter that the complaint should have been filed), without sufficiently establishing how Google Belgium's activities would be inextricably linked to the controller (Google LLC). Google Belgium could only be subject to a corrective measure if the DPA could prove the link between both companies.

How is the data protection authority organised in Belgium? In particular: What is the annual budget? How many staff are employed? Is the authority assigned to a specific ministry? If so, which one?

• The Belgian DPA is an independent body, established by the Belgian Federal Chamber of Representatives (Federal Parliament). 
   
• The DPA consists of five directorates and a Management Committee. These five directorates are: (i) the General Secretariat (“Algemeen secretariaat”, “Secrétariat Général”), (ii) the “Knowledge Centre” (“Autorisatie- en Adviesdienst”, “Service d’Autorisation et d’Avis”), (iii) the First-line Service (“Eerstelijnsdienst”, “Service de Première Ligne”), (iv) the Inspectorate (“Inspectiedienst”, “Service d’Inspection”) and (v) the Litigation Chamber (“Geschillenkamer”, “Chambre Contentieuse”).
   
•  The Management Committee consists of the Directors of those five directorates.
   
• The DPA employed about 68 people by the end of 2023.

How does a fine procedure work in Belgium? In particular: can the authority itself impose fines? How does the procedure work (e.g., notification as to the opening of proceedings (public/addressed to the company alone?), notification as to the intention to impose a fine (public/addressed to companies alone?), formal penalty notice)? What legal remedies are possible against an imposed fine?

• Proceedings usually start (i) following a complaint from a data subject alleging that their personal data has been processed in a manner violating data protection legislation or (ii) on the initiative of the DPA. Third parties whose interests are likely to be harmed by the proceedings on the merits may also intervene in the proceedings before the Litigation Chamber itself.
   
• Fines may be imposed by the DPA after proceedings before the Litigation Chamber.
   
• Companies may appeal the decisions rendered by the Litigation Chamber, within 30 days after notification of the decision before the Court of Appeal in Brussels (the “Market Court”). 
   
• Any interested third party affected by a decision of the DPA, who was not a party to the proceedings before the Litigation Chamber, but who suffers personal, direct, certain, current and legitimate harm due to the decision of the Litigation Chamber, may also lodge an appeal before the Market Court within 30 days of the publication of the decision on the DPA’s website.
   
• Finally, the Litigation Chamber has the power to propose a settlement. To facilitate faster resolution of cases, the DPA has adopted a (non-binding) settlement policy to help companies navigate DPA settlements.

When fines are imposed by the data protection authority: Where does the money go? (e.g., the state treasury, the authority's budget)?

• Fines are transferred to the state treasury.

Is there a common, official calculation methodology of fines in Belgium (such as the fining models in the Netherlands or Germany)?

There is no official method for calculating fines in Belgium. There is only a "penalty form" which is sent to the parties after the hearing before the Litigation Chamber and the DPA's initial decision.

Broadly speaking, there are two tiers of administrative fines for non-compliance with the Belgian Act of 30 July 2018 on the Protection of Individuals with regard to the Processing of Personal Data (“Belgian Data Protection Act”) and GDPR. Fines are imposed on a case-by-case basis and should be “effective, proportionate and dissuasive”:

• The first tier is up to EUR 10 million or 2 % of annual global turnover of the previous year, whichever is higher (for infringements of Article 11 (processing that does not require identification) and Articles 25 – 39 (general obligations held by processors and controllers);
• The second tier is up to EUR 20 million or 4 % of annual turnover of the previous year, whichever is higher (may be issued for infringements of Articles 5 (data processing principles); 6 (lawfulness of processing); 7 (conditions for consent); 9 (processing of special data categories); 12 – 22 (data subjects’ rights); and 44 – 49 (data transfers to third countries or international organisations).

In addition to the administrative fines provided for in the GDPR, the Belgian Data Protection Act also introduces different tiers of criminal penalties for violations of the Data Protection Act (as well as the GDPR itself), with a maximum penalty of EUR 30,000. Taking into account the mandatory multiplication of criminal fines, this equals a de facto maximum fine of EUR 240,000. The Belgian Data Protection Act also clarifies that a controller and/or processor is in principle civilly liable for the payment of the fines which have been imposed on its contractor or agent.

The DPA follows the EDPB Guidelines 04/2022 on the calculation of administrative fines under the GDPR.

Can public authorities be fined in Belgium? If they can: Where does this money go?

Except in cases where public bodies would offer services or goods on the free market, no administrative fines may be imposed on public authorities and other public bodies.

In Belgium, does the data protection authority publish information on cases involving individual fines, including fines imposed or other procedural steps (e.g. on its website or in its annual report)? Are the affected companies identifiable in such publications?

All decisions (including reprimands) issued by the General Secretariat and the Litigation Chamber, and the judgements of the Court of Appeal are published on the website of the DPA (here in Dutch and here in French). These decisions contain information on the relevant facts, imposed fines and other procedural steps. Often the involved parties are anonymised (e.g. Party X and Party Y).

If no information on individual fine cases is published: does the data protection authority provide aggregated information on the total number of cases and/or the total amount of fines? What were the annual figures from 2019?

See our answer to previous question.

Does Belgium have model declaratory proceedings/class actions in data protection law, i.e., are several data subjects able to join forces and take legal action together against the data controller?

The Belgian Code of Economic Law sets out the rules for class actions in Belgium (Article 35 ff. Book XVII of the Code). Since 2014, it has been possible to file class actions in Belgium called “actions for collective redress.” Actions for collective redress are only open to consumers and to small and medium-sized enterprises represented by a “group representative” and are brought when these parties suffer damages as the result of a common cause.

The group representative for claims of consumers must be either:

• an association representing the consumers’ interests and recognised by the Minister of Economic Affairs;
• an association which is actively pursuing the consumers’ interests in collective redress matters and which has existed for more than three years;
• the public service of the Ombudsman;
• a representative body recognised by a member state of the European Union or the European Economic Area able to act in collective redress cases.

The group representative for claims made by small and medium-sized enterprises (SMEs) must be either:

• an interprofessional association which represents the SMEs’ interests and which is recognised by the government;
• an association which is actively pursuing the SMEs’ interests in collective redress matters and which has existed for more than three years;
• a representative body recognised by a Member State of the European Union or the European Economic Area as able to act in collective redress cases.

Article 220 of the Belgian Data Protection Act (transposing Article 80 of the GDPR) states that data subjects have the right to instruct an organisation or a non-profit association to lodge a complaint on their behalf and to exercise the administrative or judicial remedies, either with the competent supervisory authority or with the judiciary, as set out in special laws, the Judicial Code and the Code of Criminal Procedure.

The organisations or non-profit associations referred to in Article 220 must:

• be duly constituted in accordance with Belgian law; 
• have legal personality;
• have statutory public interest objectives;
• have been active in protecting the rights and freedoms of data subjects in the context of the protection of personal data for at least three years.

In September 2020, the Belgian Official Journal published a Ministerial Decree of 30 September 2020 approving NOYB European Center of Digital Rights (None of Your Business), Max Schrems' privacy rights organisation, as a qualified entity under the collective action scheme set out by the Belgian Code of Economic Law. This means that NOYB is able to file representative actions in Belgium and claim damages for violations of various laws relating to consumer protection, including data protection legislation in Belgium.

What is more relevant in Belgium: fines from authorities or court proceedings such as claims for damages or injunctions? Can a trend be discerned for the coming years?

• At present, fines imposed by the DPA occur more frequently than private litigation regarding data protection infringements. This is most likely due to the relatively high litigation costs compared to the low amount of damages that claimants can obtain.
   
• In the short to medium-long term we expect the number of fines being imposed by the DPA not to increase and possibly even to decline for the following reasons:
  
  • According to the DPA’s 2025 management plan, the Litigation Chamber intends to:
    • be more selective in the cases it will handle, focusing instead on cases with important societal impact
    • apply so-called “light” orders or reprimands via shortened proceedings more often
    • settle cases more often
  • Effective from 25 April 2025 the Litigation Chamber will consist of only one person (instead of the collegial body it has been until 25 April). This may negatively affect the number of cases the Litigation Chamber will be able to handle each year.