Data Protection and Privacy 2025

BELGIUM Law and Practice Contributed by: Benjamin Docquir and Margo Cornette, Osborne Clarke

If the respondent does not agree with the decision handed down by the Litigation Chamber, the respondent may lodge an appeal before the Market Court (Brussels Court of Appeal) within 30 days of notification of the decision. The Market Court can overturn the decision, in whole or in part, and remand the case, or decide on all grounds and substitute its decision.

Since February 2024, any interested third party affected by a decision of the DPA, who was not a party to the proceedings before the Litigation Chamber, may also lodge an appeal before the Market Court, insofar as it suffers personal, direct, certain, current and legitimate harm due to the decision of the Litigation Chamber.

The Litigation Chamber also has the power to propose a transaction. To facilitate a faster resolution, the DPA has recently issued a (non-binding) settlement policy to help companies navigate DPA transactions.

While there is no official calculation method for fines in Belgium, the DPA consistently refers to the European Data Protection Board (EDPB) Guidelines 4/2022. These Guidelines outline a methodology for determining the sum of the fine, namely determining:

• step one – which and how many actions and infringements are under review;
• step two – what amount serves as the starting point for calculating the fine for the established infringements (starting amount);
• step three – which mitigating or aggravating circumstances, if any, necessitate an adjustment of the amount from step 2;
• step four – what maximum amounts apply to the infringements and whether any increases from the previous step exceed these amounts; and
• step 5 – whether the final amount of the calculated fine meets the requirements of effectiveness, deterrence and proportionality, where this can be adjusted if necessary.

The DPA uses this methodology to determine the extent of administrative fines. In Belgium, fines are transferred to the State Treasury.

1.4 Data Protection Fines in Practice

Recent Decisions From the DPA in 2024

Security failures result in EUR200,000 fine (Decision No 166/2024)

The DPA fined a hospital EUR200,000 for breaching the GDPR following a cyber-attack in 2021. The attack compromised the personal data of 300,000 individuals and made the hospital’s servers inaccessible. The hospital was found to have failed to conduct a data protection impact assessment (DPIA), establish an effective information security policy or implement essential security measures, such as employee training and system log monitoring.

EUR45,000 fine for GDPR violations at the workplace (Decision No 114/2024)

On 6 September 2024, the DPA imposed a fine of EUR45,000 on a company following a complaint from an individual who had been employed as a temporary worker for approximately one year. The company collected employees’ fingerprints for time registration without offering alternatives, establishing a legal basis, or informing employees about data storage, retention and third-party transfers. The DPA found the company in violation of GDPR principles, including purpose limitation, data minimisation and transparency.
