Why a new Belgian DPA decision reinforces the true primacy of EU law

In its newest decision, the Belgian DPA takes a stance that will please both consumer rights organisations and anyone who likes to rely on the primacy of EU legislation (versus local national legislation), on an issue that would not have arisen if the Belgian legislator had stuck to the text of the GDPR.

This all relates to which organisations are entitled to lodge complaints before the Belgian DPA on behalf of data subjects, in accordance with Art. 80(1) of the GDPR.

Unlike Art. 80(2) GDPR, which allows Member States to choose whether such organisations are allowed to file complaints even in the absence of any mandate given by a data subject (i.e. just because they wish to), Art. 80(1) GDPR does not allow Member States much latitude. If there is a mandate from a data subject, a “not-for-profit body, organisation or association which has been properly constituted in accordance with the law of a Member State” that meets certain criteria is entitled to file a complaint on behalf of said data subject.

In Belgium, the legislator chose to include in Art. 220(2)(1) of the Act of 30 July 2018 (which complements the GDPR) the requirement that such an organisation be “validly constituted in accordance with Belgian law” – not “in accordance with the laws of a Member State of the European Union”.
[Regarding Art. 80(2) GDPR, incidentally, the Belgian legislator chose *not* to include in that Act of 30 July 2018 any provision that would allow organisations to file a complaint in the absence of such a mandate – see links below in that respect]

According to the Belgian DPA’s Litigation Chamber: “The Litigation Chamber is of the opinion that there are serious doubts as to the compatibility with the GDPR of the condition laid down by the Belgian legislator in Article 220.2.1° of the [Act of 30 July 2018] in that the body, organisation or non-profit association must be validly constituted in accordance with Belgian law. In so doing, the Belgian legislator is introducing a more restrictive condition than that set out in Article 80.1 of the GDPR, which requires the body, organisation or non-profit association to be constituted in accordance with the law of a Member State.” (para. 30)

It might now be a more difficult procedural argument for defending controllers/processors, but to be honest I had already been cautioning clients about this argument, due to the primacy of Art. 80(1) GDPR in this context.

So… some solace perhaps for consumer rights organisations after the “fictitious mandate” decision of one month ago that dismissed a complaint by NOYB (and which also related to Art. 80(2) GDPR)? (read more here: https://lnkd.in/eCxsvAit )

Link to the newest decision (in French): https://lnkd.in/ek6UuWrS
