Welcome to the fifth edition of the KPMG Global Legal Services newsletter on developments in the world of data protection and privacy law. We live in fast changing times in this area and our articles seek to demonstrate the state of development of the law in various jurisdictions whilst also showing the very broad impact that data protection law has. In this edition topics include the responses of Data Protection Authorities (DPA) from various jurisdictions to the COVID-19 situation, cyber-attacks on hospitals, guidelines for video conferencing systems, recent data breaches and an annual report of certain Data Protection Authorities.

Check out the contributions from Belgium regarding the Belgian DPA’s response to COVID-19 as well as a judgement imposing an administrative fine on an organization for having appointed a DPO in violation with certain principles of the General Data Protection Regulation (GDPR).  

Discover the complete newsletter below.

The Belgian DPA’s response to COVID-19

Given these uncertain times, the Belgian DPA guidelines emphasize the GDPR’s applicability in employer-employee relationships under the current circumstances. When companies or organizations take certain measures to help combat COVID-19 involving the processing of personal data, the provisions of the GDPR must always be taken into account. At the same time, however, protecting personal data may not limit the battle against the spread of the virus, according to the Belgian DPA. Furthermore, the Belgian DPA clarified misconceptions in the development and use of eHealth applications.

Read the full article here.

Administrative fine imposed by the Belgian DPA

On 28 April 2020, the litigation chamber of the Belgian DPA issued a judgement imposing an administrative fine of 50,000 EUR on an organization having appointed a DPO in violation with certain principles of the GDPR.

The DPA initially started its investigation due to a data breach within the organization. The inspection report indicated that the organization allegedly made three serious infringements on the provisions of the GDPR, namely:

  • Non-collaboration with the supervisory authority (art. 31 GDPR);
  • Non-compliance with the accountability principle (art 5.2 GDPR); and
  • Non-compliance with the obligation to avoid a conflict of interest for the appointed DPO.


In its judgement, the litigation chamber only upheld the alleged infringement relating to the ‘conflict of interest’.

The Belgian DPA stated that the DPO had a conflict of interest due to his other “executive positions” within the organization (i.e. head of Compliance, Risk & Management and internal audit).

The fact that these executive functions did not give the DPO any decision-making powers relating to the data processing activities does not necessarily mean that these executive functions can be combined with the mandate of DPO, according to the Belgian DPA in its judgement.

In addition, the DPA stated that a conflict of interest needs to be evaluated on an ‘ad hoc’ basis and concluded that in this case – as head of the Compliance, Risk & Management and Internal Audit Department – the DPO had an impact on how the processing of personal data would be performed (i.e. determining the purpose and means of the processing activities) and that this is not in line with the Guidelines for DPO’s of Working Group 29.

Read the full article here.

Discover the complete newsletter below.

Connect with us