The Data Protection Authority (DPA) is responsible for ensuring compliance with the GDPR in Belgium. In 2020, cookies were on its priority list. Here is what you need to know.
What is the Data Protection Authority (DPA)?
Like other European states, Belgium has established a regulator to protect personal data. Initially called the Commission for the Protection of Privacy, this authority became the Data Protection Authority in 2018.
It has several missions:
- To assist data controllers in their efforts to integrate GDPR requirements.
- To handle complaints, conduct investigations, and, if necessary, impose sanctions for violations of legal obligations. In 2018 and 2019, the DPA acquired real control powers that allow it to ensure personal data is effectively protected in Belgium.
Why will DPA investigations speed up your GDPR compliance?
The DPA’s 2019 annual report shows a gradual increase in the authority’s actions. It handled:
- 5168 information cases;
- 331 mediation cases.
In this context, why worry about your GDPR compliance?
- Belgian companies, like those in other countries, must catch up in their GDPR compliance efforts. Much remains to be done two years after the European Regulation came into force.
- The obligation to notify the authority of personal data breaches applies to everyone, not just operators. The assessment shows the importance of verifying one’s level of cybersecurity: in 2019, the DPA received at least 869 notifications.
- While continuing to support stakeholders, the DPA ensures the effectiveness of legal obligations. In 2019, it opened 77 control files. Between May 2019 and May 2020, 59 sanctions were imposed, including nine fines.
- Complaints are a significant source of control. But the DPA also adopts a more proactive approach. Keeping an eye on developments and trends in data exploitation, it increasingly initiates controls itself on significant topics.
Like its European counterparts, the Data Protection Authority does not favor repression. The DPA aims first to be a supporting authority, and the sanction, particularly the fine, is, in a way, the last resort.
However, do not be tempted to relax:
- While fines have often been limited to a few thousand euros, the DPA regularly beats its own record. The latest example is a fine of €600,000 against Google for non-compliance with the right to be forgotten.
- The DPA’s public decisions have an educational function for the market. Publishing a sanction allows the Data Protection Authority to encourage all companies to comply on a given subject.
How does the DPA ensure GDPR compliance for cookies?
The Data Protection Authority has published an FAQ detailing the obligations it intends to impose on website publishers.
The DPA’s action program is set out in its 2020-2025 strategic plan. It identifies:
- Priority sectors: telecommunications and media; public authorities; direct marketing; education; SMEs;
- The effectiveness of specific priority GDPR protection instruments: the role of the DPO; the legitimacy of data processing; citizen rights;
- Priority social themes: photos and cameras, online data protection, and sensitive data.
Cookies are therefore included in this program, to the extent that they were a priority action theme in 2020. The DPA’s management plan is based on two significant actions:
- An investigation into the cookie management policy put in place by the most popular media in Belgium;
- Controls that will be launched after the investigation is completed.
Has the DPA already sanctioned actors for their cookie management? Yes.
- In 2019, it imposed a fine of €15,000 against the jubel.be site. This public sanction is also a warning to all Belgian site publishers, many of whom do not comply with the rules.
- In 2015, the former Privacy Commission initiated an investigation against Facebook for its data collection practices via its modules, cookies, and pixels. This procedure is still ongoing, subject to a preliminary question to the CJEU.
- Investigations are ongoing regarding real-time auctions. In 2020, the Investigations Service completed a report concluding that the TCF framework proposed by the IAB is non-compliant.
How to manage GDPR compliance for your cookies?
Above all, do not panic. The increasing interest of the DPA in cookies does not mean you will necessarily be checked or sanctioned.
You must, however, implement a cookie management policy on your sites.
- Prioritize GDPR compliance for your websites. Cookie management, the UX design of your banner, the review of data collection forms, and the privacy policy update should be addressed.
- Set up monitoring, and follow the positions taken by the Data Protection Authority and its upcoming decisions. In the long term, a European regulation should replace the directive dealing with these issues. You must comply with today’s requirements and be aware of tomorrow’s requirements.
- Install a cookie management solution on your sites. This solution will allow you to handle the collection and storage of consents and objections to the placement of cookies.
Conclusion: Thanks to the DPA, prioritize GDPR compliance for your cookies
Since its establishment, the Belgian Data Protection Authority has taken on its role as a supervisory authority.
Its priority action program is straightforward, and cookies are part of it.
For you, this is a real opportunity to review the way you interact with your users. Giving them control over cookies is an honest service. Ready to switch to a chosen marketing approach?
So head to your websites right away. Need help? Axeptio can provide you with a practical and user-friendly module.