On the second anniversary since GDPR became applicable on 25 May 2018, many have taken the time to reflect on its journey that started not just two years ago, but when the adoption process was launched by the EU Commission back in early 2012.

At Belgian level, things started off more slowly as the Heads of the Data Protection Authority were only confirmed about a year after the GDPR came into force, but it has slowly gathered steam since.

To celebrate the second anniversary, the Belgian Data Protection Authority released a set of figures, including:

  • the total number of notified data breaches in the last year (937);
  • the total number of claims received (351)
  • the total number of inspections carried out (100+); and 
  • the total number of sanctions issued (59). 

These figures mean that on average each day of the year, one claim is filed with the Authority and three breaches are notified, while each week two inspections are carried out and one sanction is imposed. 

In a blog post analysing these numbers (available in French here and in Dutch here), the Authority underlines a couple of key learnings as follows:

  • While inspections used to be more reactive further to claims, the Inspection service intends to work more proactively with sweeping investigations on its own initiative.
  • The Litigation Chamber of the Authority is looking at establishing its case law, which will also constitute a set of guidelines for other companies to understand how to process personal data appropriately. 
  • Sanctions are not seen as a means in themselves and are only imposed if strictly necessary.
  • The Authority considers it has a double role, acting both as a supervisor and as a guide.