Welcome to the sixth edition of the KPMG Global Legal Services newsletter on developments in the world of data protection and privacy law. We live in fast changing times in this area and our articles seek to demonstrate the state of development of the law in various jurisdictions whilst also showing the very broad impact that data protection law has. In this edition topics include the right to be forgotten, regulatory actions and statistics, health data, Schrems II case, liability of controllers, privacy abuses, obligations of entities developing or implementing location and tracking apps in the context of COVID-19 outbreak, EDPB‘s Guidelines 05/2020 on cookie consent, data breaches and privacy impact assessments.

Check out the contributions from Belgium regarding the Belgian DPA’s (BDPA) sanctioning of a violation of the right to be forgotten as well as the BDPA’s guidance on body temperature testing.

Discover the complete newsletter below.

Belgian DPA sanctions violation of right to be forgotten

On 14 July 2020, the Belgian Data Protection Authority (BDPA) issued a fine of 600.000 EUR regarding a violation of a data subject’s ‘right to be forgotten’.

The investigation of the BDPA was initiated following a complaint filed by a data subject whose request to have certain online search results delisted was refused. In its decision the BDPA provided some valuable insights on the right to be forgotten.

After having confirmed its territorial authority, the BDPA examined the request of delisting in detail.

The data subject was a public figure whose delisting request consisted out of a number of search results relating to a) his relationship with a political party and b) a complaint filed against the data subject for “bullying” (over 10 years ago).

The BDPA examined in detail the separate requests and the search results. In its decision the BDPA made a clear distinction between both categories of search results.

As the data subject, according to the BDPA’s decision, exercised a public function, the results relating to his relationship with a political party were considered to be relevant for the public interest and thus the right to be forgotten could not be applied here.

On the other hand, the second category of search results was no longer considered to be relevant, amongst others because the bullying complaint was found to be unsubstantiated in 2010 and the data subject had provided sufficient proof in this respect.

For the second category of search results, the BDPA thus considered that the right to be forgotten was violated. In its decision, the BDPA took into consideration that the motivation to retain the search results (following the data subject’s request) was clearly insufficient.

Apart from the fine, the BDPA also stated in its decision that the electronic forms for the filing of a request should be modified and made more transparent.

Belgian DPA issues further guidance on body temperature testing

On 5 June 2020 the Belgian Data Protection Authority (BDPA) published new updated guidelines regarding the measuring of the body temperature of data subjects.

In its guidance the BDPA makes the following distinction to clarify if the measuring of body temperature falls within the scope of the GDPR:

1. Mere reading of the body temperature without any recording of the temperature

The mere reading of the body temperature on a classic thermometer without recording this in a file will not be considered as an activity involving the processing of personal data and falls outside the scope of the GDPR. Also, the consequences that are associated with the (level of) body temperature (i.e. refusing access to the premises due to (1) a high temperature (i.e. fever) or (2) the refusal of a temperature check by the data subject) fall outside the scope of the GDPR under the condition that no additional registration of personal data has taken place.

Read the full article here.

Discover the complete newsletter below.