You are here


Survey Answer:

Unlike other Member States, that already have a data protection supervisory authority with real investigative and judiciary powers, the old Belgian Privacy Commission (the BPC), which was the Belgian data protection authority before the entry into force of the GDPR, only had limited enforcement powers and mostly acted as a mediator in disputes between data subjects and no prosecutorial power. If necessary, it could bring a case before the Court of First Instance, but litigation was definitely not its main purpose.
The Belgian Legislator intervened with the Belgian Act of 3 December 2017, which partially implements the European Union’s GDPR (2016/679). In this Act, the BPC is replaced with a new entity, called the Data Protection Authority (the DPA).
In order to ensure proper compliance with the provisions in the GDPR (and the applicable national provisions), the legislator has granted important powers to the DPA. This “new institution” consists of various bodies, of which, in particular, the inspection service and the dispute chamber are the most important, when it comes to the enforcement of rules as mentioned under point 2. Under the GDPR, the DPA is vested with investigative powers when it comes to alleged breaches of the data protection law. Such an investigation can be initiated in two ways, (i) by a single complaint from a private individual, at the request of a supervisory authority of another Member State, at the request of judicial or administrative authorities, or (ii) by the DPA itself.
In the context of investigating alleged breaches of data protection law, the inspection service has extensive powers in carrying out these investigations, e.g., conducting interrogations of persons, house searches, identifying persons which are present on the controlled locations or users of communications services and even consulting and demanding a copy of computer systems.
After the investigation procedure is closed, a procedure can be initiated before the dispute chamber. Should the dispute chamber come to the conclusion to decide upon the merits of the case, a quasi-judicial procedure will be initiated.
In summary, the DPA is vested with investigative and monitoring powers, including the power to bring any GDPR breach before the judicial authorities and, where applicable, go to court to establish whether the GDPR’s provisions apply.

Provided By:
Bastiaan Bruyndonckx (LYDIAN) - Steven De Schrijver (ASTREA)