The annual report of the DPA: a short summary

Author info

15/09/2021

This blog was co-written by Jolien Clemens.

In the year 2020, the news was almost exclusively about the COVID-19 crisis. For the Data Protection Authority (DPA), too, this theme was central. Indeed, the unprecedented health crisis brought new challenges to data protection, significantly increasing the workload of the DPA. For example, the number of complaints increased by 290.64% versus 2019. This blog post will provide an overview of the DPA's 2020 Annual Report (PDF) and covers the main themes.

The COVID-19 Crisis: The Challenge for Privacy

The COVID-19 crisis proved to be the privacy challenge of the year for the DPA. The DPA was confronted with new data processing methods such as contact tracing apps and mobility indexes. In the search for answers, the DPA tried to ensure a balance between the protection of public health and the protection of personal data as much as possible.

The crisis was also accompanied by an influx of new questions from citizens and data controllers. As many of them had the same questions, a thematic file on COVID-19 was launched.

The DPA also assisted the Belgian government with advice on various drafts of normative texts on the COVID-19 crisis. The DPA focused on compliance with the principles of lawfulness, foreseeability, necessity, proportionality and other principles and rules of the GDPR. The advices concerned the implementation of a system for tracing high-risk contacts, the Coronalert app, registrations and processing of data related to COVID-19 vaccinations. Common shortcomings to the normative texts related to:

(1) the lack of precision in the description of the purposes of the intended data processing;
(2) the non-exhaustive nature of the categories of data processed and of the persons concerned; and
(3) the fact that it was not specified to which third parties the collected data may be made accessible.

Finally, the DPA stated that the proactive stance proved necessary. For example, the DPA monitored the evolution of all manner of new technologies and practices that contributed to the fight against the virus to ensure that privacy was always at the forefront.

Other themes of the year

The focus of the DPA during the past year was of course not only on the COVID-19 crisis, but other important themes were also mentioned in the annual report. These will be briefly discussed below.

Governments

One of the priorities for the DPA in 2020 was compliance with the regulations of personal data protection by governments. Since governments often collect enormous amounts of (sensitive) personal data, protecting the privacy of citizens is essential. In many situations the citizen has no choice in whether or not to share personal data, since the processing is often based on a legal obligation. Since the government fulfils an exemplary function, the DPA considers its responsibility for compliance with privacy legislation to be higher.

The DPA's main focus this year was therefore on advising public data controllers and, if necessary, on enforcement. Advice was given on the lawfulness of the processing of personal data by the government, compliance with data protection principles (data protection by design), the obligations of transparency and the rights of data subjects, and access to and processing of personal data contained in the National Register and other registers by public authorities.

Direct Marketing

Another sector that received attention in 2020 was direct marketing. Every day, millions of people in Belgium are contacted by direct marketing communications based on the personal data that the companies have collected about them. They are often unaware of what their rights are and how they can exercise them. This is where the DPA intervened by handling requests for information, mediations and complaints about personal data processing operations related to direct marketing activities. The Litigation Chamber has also issued a number of decisions on this subject. One of the most important was the decision on the direct marketing practices of an organisation making offers to expectant mothers (decision 04/2021 of 27 January 201). There was also an important recommendation by the DPA's Knowledge Centre concerning the processing of personal data for direct marketing purposes.

Protection of personal data online

The protection of personal data online is certainly not a new issue for the DPA. With the rapid advancement of technologies, the online world is evolving along with it, creating new challenges for data protection. In particular, the cookie management of major Belgian media websites has been the subject of a large-scale pilot study. The Litigation Chamber has also issued numerous decisions on online privacy, such as a decision on dating sites, a decision on Google Belgium and a decision on access to FisconetPlus.

DPO

For the DPA, DPOs are essential for the protection of personal data of Belgian society in practice. The DPA therefore wants to support DPOs as much as possible in the performance of their tasks. The DPA has developed a number of support tools for DPOs in Belgium in the year 2020. For example, the DPA has made documents and ‘tools’ available to help DPOs, but also data controllers in general, to implement the GDPR obligations. In addition, an advice request document has also been created to enable DPOs to receive information in a simple manner about the processing of personal data by the organisation they are assisting. The DPA has also made available a presentation on the general principles of the GDPR for DPOs to use in informing organizations and employees about the principles of the GDPR. Finally, the DPA also put forward 10 basic rules that DPOs should generally respect.

Raising awareness

The DPA has the important competence to provide information to citizens and organisations. In 2020, three target groups received its attention, namely SMEs, children/young people and the general public. The awareness-raising projects are briefly mentioned in this section.

The BOOST project was launched in 2020 with the aim of supporting SMEs in complying with the GDPR. The result of the project was a number of tools such as a brochure with a comprehensive answer to the top 3 most frequently asked questions in 2020, a manual on how to deal with the rights of data subjects and a document and letter template for all requests from data subjects provided for by the GDPR.

The website Ikbeslis.be was an important achievement in protecting the privacy of children and young people. The website is the portal for young people and children to obtain tailor-made information on the protection of their personal data.

For the general population, the DPA’s First Line Service fulfilled an important role in raising awareness about data protection. Communicating on such a sensitive topic as data protection is not always easy. As a result, in 2020 the First Line Service's communication methods were thoroughly reviewed and an external service provider was used who was given exclusive authority to make the First Line Service's working materials readable and accessible. The DPA's website was also restyled to further contribute to improved accessibility of information. The 2020 figures show that this new approach was successful, as the DPA had to provide 19.44% less information on data processing questions.