The Belgian Data Protection Authority (BDPA) and DNS Belgium, responsible for the registration and management of all .be domain names (as well as .vlaanderen and .brussels domain names), have concluded a cooperation protocol that allows .be websites to be taken offline for GDPR infringements.
The cooperation protocol stipulates that DNS Belgium is to report to the BDPA Inspection Service:
If this information forms part of an ongoing investigative or judicial investigation, the cooperation protocol provides that it will be provided only with the prior authorisation of the public prosecutor or the investigating judge.
DNS Belgium already has existing and similar collaborations, for example with the FPS Economy. As a result, fraudulent websites, such as fake webshops, fake collection agencies or phishing websites, can be blocked very quickly. According to DNS Belgium, no fewer than 5,733 domain names were blocked in 2019.
The simplified N&A procedure, which complements other DNS Belgium procedures, allows fraudulent websites with correct identification data (or identification data that could not be proven to be false) to be blocked without theneed for a request to the public prosecutor. This can save a few weeks.
The intention is that this N&A procedure should only be applied to serious infringements. The registrant also has a period of two weeks in which to respond. Only after six months will the blocked domain name expire.
The protocol of cooperation between DNS Belgium and the BDPA, applicable since 1 December 2020, also allows the BDPA to make use of a similar N&A procedure in case of breaches of the GDPR.
However, the scope ofthe N&A procedure is limited to serious infringements, i.e.: “infringements which most seriously harm the interests to be protected, committed by organisations or individuals who knowingly infringe this legislation and yet continue to process personal data, even though the Inspection Service or the BDPA's Dispute Chamber previously ordered them to suspend, restrict, freeze or halt (temporarily) the processing of personal data.” (free translation and own emphasis)
It must therefore be an infringement:
According to the cooperation protocol, a limitation of the scope of the N&A procedure is necessary in order to maintain a fairbalance between:
The BDPA can send a request by e-mail to DNS Belgium to have a certain .be domain name blocked. DNS Belgium will then notify the registrant and have the domain name redirected to a BDPA warning page.
The registrant then has two weeks to react and take remedial action. Within the framework of the cooperation of the FPS Economy, domain name holders almost never make use of this possibility, according to DNS Belgium. This would indicate that most of them are in fact fraudsters.
For the BDPA, the N&A procedure is an additionalinstrument toquickly put an end to serious GDPR infringements. Nevertheless, it does not affect the processing of personal data already collected via the website.
There are also a number of open questions:
The cooperation protocol also includes a commitment to extend cooperation to the domain name zones .vlaanderen and .brussels in the future.
We will keep you informed of developments.