Towards more transparent investigations

The Belgian Data Protection Authority (Dutch: Gegevensbeschermingsautoriteit; French: Autorité de Protection des Données) (DPA) published a first version of its charter for its Inspection Service in August 2021. The charter is not intended to summarize all possible legal provisions that govern the DPA's powers of investigation, but provides an interesting review of the practicalities of an investigation. The charter should offer both inspectors and the parties that are the subject of an investigation a better, and more transparent, understanding of what is to be expected once a letter is received announcing an inquiry by the DPA.

What is the Inspection Service?

The Inspection Service is the Belgian DPA's body that investigates complaints about, as well as serious indications of, breaches of European and Belgian privacy and data protection law, such as: (i) the GDPR; (ii) the Belgian Act of 30 July 2018 regarding the protection of natural persons with respect to the processing of personal data (the Belgian Privacy Act); and (iii) specific laws such as the Camera Act of 21 March 2007.

The body consists of inspectors with various backgrounds, including legal specialists, auditors, information security experts or former DPOs. Mere inspections are not the primary concern of the Investigation Service. Rather, it must contribute to better compliance with existing regulations, structurally tackle certain practices or issues, and support the Litigation Chamber (which is the DPA's dispute resolution body) to handle disputes in a more effective manner.

The Charter specifically mentions the importance for the Investigation Service of DPOs, as this function should be seen as an ally, or even as an ambassador of the DPA to ensure compliance with the law. Organizations should therefore pay specific attention to this role within their structure, especially given the Belgian DPA's decision of 28 April 2020 that addressed the potential conflicts of interest of a DPO who is assigned multiple roles within the same organization. Other important topics for the Inspection Service include the privacy policy and the cookie policy to improve the transparency of personal data processing.

It is good to know that under the Belgian DPA's Strategic Plan for 2020-2025 the following categories will be prioritized to assess compliance with privacy and data protection law:

- Sectors: (i) telecommunications and media; (ii) government; (iii) direct marketing; (iv) education; and (v) SMEs;

- GDPR instruments: (i) the role of the DPO; (ii) the legitimacy of the processing of personal data; and (iii) the rights of citizens; and

- Social themes: (i) photos and cameras; (ii) online data protection; and (iii) sensitive data.

The Inspection Service opened 149 investigations in 2020, compared to 85 in 2019. These investigations mainly concerned direct marketing, COVID-19, the operation of cities and communities and cameras.

When will an investigation be opened?

An investigation by the Investigation Service will only be opened following a motivated decision based on facts evidencing a breach of the law, or serious indications thereof.

There are three possible sources based on which such an investigation will be opened:

(i) the Executive Committee of the DPA when it has strong indications of a breach (e.g., news articles or data breaches), when it has to cooperate with a foreign DPA or pursuant to a question from a judicial authority or an administrative supervisor (18 of the 149 investigations opened in 2020, or 13%);

(ii) the Litigation Chamber of the DPA when it receives a complaint that must be further investigated or in case further investigation of a dispute is required (123 of the 149 investigations opened in 2020, or 83%); or

(iii) at the Investigation Service's own initiative (6 of the 149 investigations opened in 2020, or 4%).

What are the Investigation Service's competencies?

(i) The competencies most commonly used by the Investigation Service are the following:

- Gathering information online or on location: this is generally used to analyze websites of data controllers or processors (e.g., regarding the privacy policy or the non-essential cookies that are being used), or to take pictures of the cameras at the organization's facilities;

- Gathering all relevant information and documents from an organization: the Investigation Service can ask questions to the respective organization to provide the opportunity to explain and prove its compliance with the law;

- Interrogations: the Investigation Service can inform the organization of an interrogation on the day thereof itself at the latest, whereby it will indicate the subject of the interrogation and the applicable procedural safeguards. These interrogations are used to verify the information that was provided in writing, or to ask additional questions. A written report of the interrogations is provided at the end.

(ii) Interim measures that can be imposed are:

To prevent serious and immediate damage that is difficult to repair, the Inspection Service can suspend, restrict or freeze the processing of personal data under investigation for a renewable period of three months. An appeal can be lodged by the processing organization against this decision within thirty days.

In this respect it is interesting to note that in 2020 the Belgian DPA concluded a cooperation protocol with DNS Belgium, a non-profit organization that manages the Belgian domain names, under which the DPA can request, under a strict procedure, the removal of Belgian websites in violation of the GDPR.

(iii) Other competencies of the Inspection Service are:

- access to a building in case of a violation of the principles of data protection law;

- the right to identify users or subscribers of an electronic communications service;

- the right to seize and seal items (e.g., IT systems) for a maximum of 72 hours when this is necessary to investigate or prove violations of the law, or to prevent further or new violations. A strict procedure must be followed and the decision to seize or seal items is appealable within thirty days; and

- to be accompanied by the police during an investigation in order to protect the physical integrity of the investigators themselves.

What are the Inspection Service's obligations?

Investigations that are conducted by the Investigation Service are of course subject to the necessary legal and procedural safeguards, such as the requirements:

(i) for an inspector to legitimize himself using his legitimation document;

(ii) to keep the investigation confidential until the file is sent to the Litigation Chamber, where it can be consulted by the organization involved;

(iii) to remain independent (e.g., not to act upon instructions of others and to avoid personal conflicts of interest); and

(iv) not to use personal information that has been obtained to create a fictional identity.

The Investigation Service must act proportionally, but this does not prevent it from investigating matters that go beyond the boundaries of the initial complaint (e.g., an investigation into the compliance with data subject rights could turn into an investigation into a lack of sufficient technical and organizational measures to secure the processing of personal data).

What are the rights of organizations that are the object of an investigation?

(i) Limited right of information - While the Inspection Service will inform the organization of the purpose of an investigation and the applicable law at the first contact, the further investigation will remain confidential as it continues. The name of the person that filed a complaint will in principle only be disclosed if the complaint concerns the exercise of data subject rights, unless this would create negative effects for that person and the disclosure of the identity would not be necessary for the further investigation.

(ii) No right to refuse an investigation - An organization that is the object of an investigation has a duty to cooperate with the Investigation Service in good faith. The Investigation Service expects questions to be answered timely, clearly and completely. Administrative or even criminal sanctions could be imposed when trying to impede the investigation. The Litigation Chamber has for instance sanctioned organizations that did not respond to the Investigation Service's first letter and showed a real disinterest in complying with the GDPR. On the other hand, the provision of information that is confidential by nature (such as personal data regarding health or information subject to client-attorney privilege) can be refused following a strict procedure. Even then a non-confidential copy of such information may be requested by the Investigation Service.

(iii) Right to an attorney - The organization has the right to be assisted by an attorney during the procedure. Of course, everyone within the organization could be contacted (such as the DPO or an employee), meaning that an attorney may not always be present during an interrogation. Even if an attorney is present, the Investigation Service expects the answers to be given by the person being heard themselves.

(iv) No explicit right to be heard - While an organization can request the Investigation Service to be heard, this is not a right as such (as opposed to the procedure before the Litigation Chamber). However, the organization can voluntarily send documents to the Investigation Service that it deems to be relevant for its defense. Questions to the responsible investigator should be sent in writing, as telephone conversations regarding the investigation are in principle not allowed.

What are the consequences of an investigation by the Investigation Service?

Once the responsible investigator has completed his findings, and subject to a confirmation of the completion of the investigation by the inspector-general, an inspection report is prepared that describes the relevant findings, including breaches of specific laws or the absence thereof, or the legal qualification of certain facts. Aggravating or mitigating circumstances can also be mentioned in the report, as well as other relevant facts.

Following this report, there are several possibilities:

(i) the case is dismissed (which happened 14 times in 2020);

(ii) the case is sent to the President of the Litigation Chamber. This body can itself dismiss the case, impose injunctions or administrative fines or send the case to the prosecutor;

(iii) the case is sent to the prosecutor in case of possible criminal acts; or

(iv) the case is sent to a DPA of a different Member State (e.g., when the Belgian DPA has no competence to further investigate the matter).
