On 25th May 2018, the General Data Protection Regulation – a.k.a. the GDPR – came into force. This European regulation heralded a new era for the protection of our personal data, and thus our privacy. Any organisation or (government) body that processes, stores or transmits personal data must meet stricter requirements. And indeed, it is the European legislator and the supervisory authorities. Failing to comply with or ignoring these requirements can have major consequences, such as fines of up to 4% of the worldwide revenue…

The run-up to (G)D(PR)-Day

Although the start date of the GDPR was announced well in advance and an implementation period of 2 years was foreseen, the new privacy rules sent a shock wave through the business community. After all, every company has been affected by the GDPR, although the extent naturally varies from company to company and sector to sector. Merely maintaining, for example, personnel data, a customer database or a contact list of suppliers has implications. Moreover, it is not only European companies that are affected: global companies or organisations that process European data also have to comply with the GDPR.

The rather hesitant attitude of many companies turned to panic as the deadline of May 25th approached. What about subscriber lists and prospecting data? What does a processing agreement entail? Is my company a controller or a processor for my website, and what does all this mean? The threats from certain major companies to stop contracts if compliance with privacy rules could not be demonstrated also made many companies nervous.

As a result, specialist lawyers and consultants were hired en masse. Our Privacy & IT team at De Groote – De Man also guided many companies as pragmatically and smoothly as possible through the necessary GDPR process.

And now what?

The avalanche of sanctions that companies feared did not occur in Belgium last year. Things were different in our neighbouring countries. In the Netherlands (€ 600,000) and the United Kingdom (€ 439,714), the alternative taxi service Uber was severely fined. Internet giant Google also received a financial fine of €50 million from the privacy authorities in France. And these are just two examples of companies that were convicted.

(Read also: The non-compliance with GDPR costs Google €50 million)

In Belgium, it remained quiet for the time being. Many companies are now asking themselves whether all the panic and effort was necessary. But is this true?

What happened on home soil last year? Based on figures we received from the Belgian Data Protection Authority (the “GBA”) and our own experience as specialists, we drew up an assessment of one year of GDPR.

1 year of GDPR: how is Belgium doing?


Complaints submitted to the GBA: 328

In the past year, a total of 328 complaints were submitted to the GBA, the former Privacy Commission. By way of comparison: at the end of 2018, 9,661 complaints were submitted to the Dutch regulator, the Personal Data Authority.

In Belgium, complaints are mainly about:

  • Infringement of the data subject’s rights

Data subjects (people like you and me) filed complaints against companies that, for example, are not transparent about what data they hold about them or what they do with it. According to the GDPR, a data subject has the right to know what data the company has about him/her and, if requested, to have it deleted as well. Failure to reply (properly) constitutes an infringement.

  • Direct marketing

These complaints mainly concern companies that send people commercial mailings or letters without having the required legal basis (e.g. permission/opt-in) from the person to contact them for commercial purposes.

We see that the GDPR is thus prompting many marketers to find new, creative approaches to online marketing activities.

  • Security cameras

These cases concern people who were filmed by a security camera and who wanted to know what would happen to those images and for what purposes they would be used.

Data breaches reported to the GBA: 645

When a data breach occurs, a company is obliged to notify the GBA – within 72 hours of being notified – when it is likely that the personal data breach poses a risk to the rights and freedoms of natural persons. In the meantime, 645 such notifications have taken place. By way of comparison: in the Netherlands, 20,881 data breaches (15,400 since 25 May 2018) were reported to the Personal Data Authority in 2018.

Notifications in Belgium came mainly from the following sectors:

  1. Financial activities and insurance
  2. Human health care
  3. Public administration and defence

Number of fines issued by the GBA: 0

This is a striking figure, especially if you compare it with the number of fines handed out in other European countries.

A comparison with some neighbouring countries*:

  • Netherlands: 4 fines, totalling € 738 000.
  • France: 8 fines, totalling € 51 045 000.
  • Great Britain: 31 fines (!), totalling approximately € 4 484 000.

(A well-known case from Great Britain was the fine of €600,000 for Uber. Read more here)

*Source: Dailybits

Why no fines in Belgium?

The feared fines were therefore not yet imposed in our country. As an explanation for this striking figure, the GBA states that the Disputes Chamber in its full and final composition has only recently been appointed.

Beyond the quiet period

In the meantime, the Belgian GBA has been constituted and the 5 directors of the GBA took their oath on 24 April 2019. This may be the end of a ‘quiet period’ for Belgium as well. The new chairman, David Stevens, has already announced that the GBA is ready to take action.

Also read: Illustration of the Data protection authority

UPDATE: on 29th May 2019, the GBA issued the first GDPR fine. Read more: First GDPR fine in Belgium becomes reality

Number of Registered Data Protection Officers (DPOs): 4,397

The role of the Data Protection Officer is primarily to ensure compliance with privacy legislation within the company.

DPOs are required to register with the GBA. There are currently 4,397 registered active Data Protection Officers. However, it should be noted that DPOs were able to register before 25th May. These registrations are also included in this figure.

Most common GDPR issues among companies

The experts within our Privacy and IT Team have already assisted many (international) companies from all possible sectors with advice and hands-on assistance regarding privacy legislation. Even a year after its entry into force, the GDPR is and remains a hot topic in the business world. After all, companies that have since become compliant also need regular advice.

The main requests DGDM received in the past year were to assist companies with:

1. Data transfer

Personal data is often exchanged between numerous companies, e.g. for online marketing. It is important that clear agreements are made on the conditions under which this exchange can take place (e.g. for what purposes, with what security measures, and what role each of the parties plays (controller/processor, …)). As this often involves several parties, these agreements need to be aligned with each other. Our experts help to map this out, including the commercial interests that play an important role here.

2. Website review and marketing process

This includes reviewing websites/apps, preparing cookie statements and privacy statements, and advising on direct marketing activities.

3. Compliance process

Our team has already assisted several (international) companies (often with multiple branches/subsidiaries) in becoming GDPR compliant. In doing so, we map out all processes and implement a procedure for each one in order to handle all data in a GDPR-proof manner. We have also advised our clients on how to handle personal data in new projects/technologies.

More about this service: GDPR advice

4. Data Protection Officer Assistance

With our extensive DPO training, our team has given several DPOs who have been appointed within a company the right training to be able to perform their new function. We also offer a first-aid line for advice on special issues or questions from DPOs.

In addition, we also fulfil the function of DPO for various companies ourselves and take this task off their hands.

More about this service: DPO officer

We can assist

Do you still have questions about this or are you struggling with a GDPR issue? Be sure to let us know if you would like more information or advice.

