How to prepare for – and deal with – an inspection by the Data Protection Authority?
It’s been 3 years since the General Data Protection Regulation (GDPR) entered into application; the exact date, known to many, being 25 May 2018. Whilst some were under the impression, or maybe were just silently hoping, that the Belgian Data Protection Authority would not change much compared to what it was prior to the GDPR, nothing could be further from the truth. Although we got off to a slow start, the Belgian Data Protection Authority is now amongst the most active in Europe.
By now it should be evident to most that GDPR fines (and other sanctions) are a fact and are here to stay. There are, however, considerable differences in the sanctioning practices of the data protection authorities in the Member States. This is why, at least for Belgium, we are closely monitoring the decisions issued (and published) by the Litigation Chamber (“Geschillenkamer”) of the Data Protection Authority and, in the wake of this, the decisions issued by the Market Court (“Het Marktenhof”) on appeals against decisions of the Litigation Chamber.
Although the fines and other sanctions imposed remain interesting to analyse, the procedural part of the story has also proven to be of particular interest. As the investigation and litigation practice of our Data Protection Authority is still at a very early stage, quite a few businesses are not (yet) prepared to deal with this. This may be due to a lack of time (still today some businesses are struggling to become compliant) and/or a lack of information and insight into the conduct of such a procedure.
Being prepared for and appropriately dealing with an inspection by the Investigation Services (“Inspectiedienst”) of the Data Protection Authority may benefit you in the end. Do you know what to do when the inspection services of the Data Protection Authority present themselves at your reception desk? Can you refuse an inspection? Can they come around unannounced? Can they question your staff? Which information and documentation can they request, and can they investigate your IT systems? Who do you reach out to for help, internally within your organization or externally? To what extent should you cooperate in order to safeguard your own rights?
The same is true for the litigation procedure before the Litigation Chamber. As it is still at a very early stage, there is still quite some unawareness of the rights you have in such a procedure. In what language will the procedure be held, and can you request a change? You have the right to be heard, but should you exercise it, and if so, how do you request this? Is the claim admissible, and does the Litigation Chamber have the proper authority to judge this case? Which information should the Litigation Chamber provide to you? As the thresholds for admissibility of claims are very low, complaints are often made in a very vague manner, making it very difficult for the defendant to appropriately safeguard its defense. How do you appeal a decision issued by the Litigation Chamber if you do not agree?
Ensuring you are up to date with the decisions issued by the data protection authority(ies) relevant to your business (in particular if your processing operations extend to more than one Member State) and having internal guidelines on inspections and litigation will definitely help. As the saying goes, good preparation is half the work.
If you would like to receive further information on this topic or need our assistance, please do not hesitate to reach out to us.