HR Privacy Issues in Belgium: What does the GDPR mean today?

On November 29, 2022, Crowell & Moring’s Yung Shin Van Der Sype gave a webinar covering one of the most important HR privacy issues in Belgium today – the actual impact, four years on, of the GDPR. This blog post summarizes the main points discussed during that webinar.

Back in 2018, many employers were afraid of the GDPR (General Data Protection Regulation, Regulation EU 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC). This was not only because of a general concern regarding compliance with stricter data protection requirements, but also because of multiple specific reasons. For example, some employers were concerned that disgruntled employees would exercise their data subject access rights en masse, and that – due to the strict consent requirements for the use of biometric data – they would have to change their physical access security procedures.

The IBJ/IJE-Crowell webinar provided an overview of the legislation and took a look at some recent Belgian Data Protection Authority (DPA) decisions in order to answer the fundamental question: “Is fear of the GDPR justified?”

And our conclusion was: yes and no.

It is true that employees, as data subjects, can now more easily bring a complaint; that access rights could be manipulated by employees to obtain insight into the decisions and decision-making processes of their employers; that employee consent remains a tricky area; and yes, that there is the possibility of administrative fines for non-compliance.

But overall, the situation is not too bad.

In actual fact, there has not been a dramatic increase in employee access requests. This was confirmed by our webinar participants, who were mainly in-house counsel in medium to large organizations. More than 50% of those replying to the survey indicated that their organization had not received more than one employee access request during the past year.

Mild consequences for non-compliance

Also, the decisions of the DPA’s Litigation Chamber show that organizations have so far been dealt with leniently when it comes to GDPR enforcement. The DPA is responsible for monitoring compliance with the basic principles of data protection law in Belgium, and its Litigation Chamber is its administrative dispute body. Cases can be brought before the Litigation Chamber based on a complaint from an individual, in the context of an inspection conducted on the authority’s own initiative, or because the DPA is involved in a European cross-border case. The DPA’s corrective powers are outlined in Article 58(2) of the GDPR and include issuing warnings and reprimands, ordering controllers and processors to comply with requests from individuals to exercise their data subject rights, and imposing administrative fines.

Over the last four years, the Litigation Chamber has ruled in multiple cases involving employee data protection, and in many of the published cases a violation of data protection law was indeed found. These violations ranged from excessive processing of personal data to failure to notify data breaches. However, despite establishing violations in a wide range of circumstances, the consequences – in terms of strict GDPR enforcement – have been rather mild in comparison both to sanctions given for non-HR-related violations and to sanctions given in comparable cases by authorities in other EU member states. Almost all the decisions were limited to warnings and reprimands, together with, where applicable, an order to change company practices and procedures in order to be compliant with the GDPR. Administrative sanctions for violations of employee data protection have therefore – until now at least – been surprisingly rare and relatively minor. In our opinion, the DPA’s focus on promoting long-term compliance rather than on harsh post-breach enforcement actions is the right course of action.

Company endeavors and efforts

The guidance provided by the various data protection authorities and by the European Data Protection Board has been significant. Together with the creative solutions from in-house and external counsel, it has allowed many companies to implement viable, sustainable solutions.

Indirect consequences of non-compliance

Recent case law allows for cautious optimism with regard to the non-data-protection-related consequences of non-compliance, such as the changed impact of non-compliance on certain employment-related disputes.

Noteworthy in this context is the judgment of the Court of Cassation of 14 June 2021 about unlawfully obtained evidence. In this ruling, the Court confirmed its Antigoon reasoning for unlawfully obtained evidence in a purely horizontal relationship – i.e., between private actors. The Court found that a surreptitiously obtained audio recording of a phone conversation between a seller and a buyer of a pre-owned vehicle can be used as evidence in a lawsuit, even though the audio was unlawfully obtained, unless the reliability of the evidence was affected by the unlawful nature of its collection, or the use of the evidence would jeopardize the right to a fair trial.

This case means that, despite the increased focus on data protection enforcement and the risk of administrative sanctions in case of non-compliance, the chances that a violation would, for example, make it impossible for you to prove that a dismissal was indeed for just cause have been significantly reduced.

Remaining challenges and open questions

Nonetheless, there remain a number of unanswered questions. For example, international data transfers are still difficult to manage – especially since the Schrems II ruling from the Court of Justice of the European Union (CJEU C-311/18). In this case, the Court clarified that if an exporter relies on standard contractual clauses for the transfer of personal data, they must assess whether these clauses offer appropriate and sufficient safeguards in the concrete circumstances of the transfer. This means that an exporter is faced with the difficult job of assessing the relevant legal framework applicable to the recipient in the relevant third country, together with potential additional safeguards that the recipient is able to provide, in order to overcome any insufficiencies in the protection of personal data.

To sum up, the GDPR, with all its challenges for companies both in and outside the EU, is here to stay and we strongly recommend that you keep investing in long-term compliance. Don’t hesitate to contact us if you would like our help with this important project.

A recording of the webinar is available on Crowell Hub, our Crowell & Moring Legal Knowledge Library. You can access a mine of information through this free portal, which has been designed specifically to support in-house counsel.



Yung Shin Van Der Sype, Counsel, +32 2 897 0872
