HR Privacy Issues in Belgium: What does the GDPR mean today?

On November 29, 2022, Crowell & Moring’s Yung Shin Van Der Sype gave a webinar covering one of the most important HR privacy issues in Belgium today – the actual impact, four years on, of the GDPR. This blog post summarizes the main points discussed during that webinar.

Back in 2018, many employers were afraid of the GDPR (General Data Protection Regulation, Regulation EU 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC). This was not only because of a general concern regarding compliance with stricter data protection requirements, but also because of multiple specific reasons. For example, some employers were concerned that disgruntled employees would exercise their data subject access rights en masse, and that – due to the strict consent requirements for the use of biometric data – they would have to change their physical access security procedures.

The IBJ/IJE-Crowell webinar provided an overview of the legislation and took a look at some recent Belgian Data Protection Authority (DPA) decisions in order to answer the fundamental question: “Is fear of the GDPR justified?”

And our conclusion was: yes and no.

It is true that employees, as data subjects, can now more easily bring a complaint; that access rights could be manipulated by employees to obtain insight into the decisions and decision-making processes of their employers; that employee consent remains a tricky area; and yes, that there is the possibility of administrative fines for non-compliance.

But overall, the situation is not too bad.

In actual fact, there has not been a dramatic increase in employee access requests. This was confirmed by our webinar participants (our participants were mainly in-house counsel in medium to large organizations). More than 50% of those replying to the survey indicated that their organization had not received more than one employee access request during the past year.

Mild consequences for non-compliance

Also, the decisions of the DPA’s Litigation Chamber show that organizations have so far been dealt with leniently when it comes to GDPR enforcement. The DPA is responsible for monitoring compliance with the basic principles of data protection law in Belgium, and its Litigation Chamber is its administrative dispute body. Cases can be brought before the Litigation Chamber based on a complaint from an individual, in the context of an inspection conducted on the authority’s own initiative, or because the DPA is involved in a European cross-border case. The DPA’s corrective powers are outlined in Article 58(2) of the GDPR and include issuing warnings and reprimands, ordering controllers and processors to comply with requests from individuals to exercise their data subject rights, and imposing administrative fines.

Over the last four years, the Litigation Chamber has ruled in multiple cases involving employee data protection, and in many of the published cases a violation of data protection law was indeed found. These violations ranged from excessive processing of personal data to failure to notify data breaches. However, despite establishing violations in a wide range of circumstances, the consequences – in terms of strict GDPR enforcement – have been rather mild in comparison both to sanctions given for non-HR-related violations and to sanctions given in comparable cases by authorities in other EU member states. Almost all the decisions were limited to warnings and reprimands, together with, where applicable, an order to change company practices and procedures in order to be compliant with the GDPR. Administrative sanctions for violations of employee data protection have therefore – until now at least – been surprisingly rare and relatively minor. In our opinion, the DPA’s focus on promoting long-term compliance rather than on harsh post-breach enforcement actions is the right course of action.

Company endeavors and efforts

The guidance provided by the various data protection authorities and by the European Data Protection Board has been significant. Together with the creative solutions from in-house and external counsel, it has allowed many companies to implement viable, sustainable solutions.

Indirect consequences of non-compliance

Recent case law allows for cautious optimism with regard to non-data protection-related consequences of non-compliance, such as the changed impact of non-compliance on certain employment-related disputes.

Noteworthy in this context is the judgment of the Court of Cassation of 14 June 2021 about unlawfully obtained evidence. In this ruling, the Court confirmed its Antigoon reasoning for unlawfully obtained evidence in a purely horizontal relationship – i.e., between private actors. The Court found that a surreptitiously obtained audio recording of a phone conversation between a seller and a buyer of a pre-owned vehicle can be used as evidence in a lawsuit, even though the audio was unlawfully obtained, unless the reliability of the evidence was affected by the unlawful nature of its collection, or the use of the evidence would jeopardize the right to a fair trial.

This case means that despite the increased focus on data protection enforcement and the risk of administrative sanctions in case of non-compliance, the chances have been significantly reduced that a violation would result in, e.g., making it impossible for you to prove that a dismissal was indeed for just cause.

Remaining challenges and open questions

Nonetheless, there remain a number of unanswered questions. For example, international data transfers are still difficult to manage – especially since the Schrems II ruling from the Court of Justice of the European Union (CJEU C-311/18). In this case, the Court clarified that if an exporter relies on standard contractual clauses for the transfer of personal data, they must assess whether these clauses offer appropriate and sufficient safeguards in the concrete circumstances of the transfer. This means that an exporter is faced with the difficult job of assessing the relevant legal framework applicable to the recipient in the relevant third country, together with potential additional safeguards that the recipient is able to provide, in order to overcome any insufficiencies in the protection of personal data.

To sum up, the GDPR, with all its challenges for companies both in and outside the EU, is here to stay and we strongly recommend that you keep investing in long-term compliance. Don’t hesitate to contact us if you would like our help with this important project.

A recording of the webinar is available on Crowell Hub, our Crowell & Moring Legal Knowledge Library. You can access a mine of information through this free portal, which has been designed specifically to support in-house counsel.

For further information about our firm, please visit us on www.crowell.com

Author:

Yung Shin Van Der Sype, Counsel - YVanDerSype@crowell.com, +32 2 897 0872
