Articles

Part one - GDPR and Public Law: Applicability of GDPR to public bodies

Part one -GDPR and public law - Applicability of GDPR to public bodies

Part one - GDPR and Public Law: Applicability of GDPR to public bodies

21.05.2019 EU law

Since the GDPR became applicable almost one year ago, multiple questions have arisen about its interaction with other fields of law. In this three-part blog series of “GDPR and Public Law”, we discuss three relevant issues of the interaction of GDPR with public law and government. In this blog we discuss the applicability of GDPR to public bodies.

1. “Public authority” under GDPR

In principle, GDPR equally applies to private and public entities. This is reflected in the definitions of “data controller” and “data processor”, which both refer to “the natural or legal person, public authority, agency or other body…”.

Yet, the scope of the concept of “public authority” is important since some specific deviating provisions apply to public authorities. However, the GDPR does not define “public authority”, leaving this to the Member States. Article 5 of the Belgian Act of 30 July 2018 on processing of personal data (hereinafter “Belgian Data Protection Act”) defines “public authorities” under GDPR as (i) entities subject to the Belgian act of 17 June 2016 on public procurement as well as (ii) legal persons governed by public law and depending on the state. The relevance of this second category is rather limited, since most of these entities are already covered by the first category. In any event, it is interesting to note that the legislator defined “public authority” very broadly, also covering hospitals, mutualities, universities, etc.

2. Specific provisions for public authorities

Various specific provisions apply for public authorities. For example, they must appoint a data protection officer (“DPO”) regardless of the risk of the processing itself (Article 37 GDPR). Furthermore, they cannot rely on their legitimate interests for processing of personal data in the performance of their tasks (Article 6 GDPR).[1] Also, specific provisions apply for authorities that prevent, investigate, detect or prosecute criminal offences or execute criminal penalties (see Directive 2016/680 and the Belgian Data Protection Act).

Most importantly, Article 83 §7 GDPR allows Member States to lay down rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State. Article 221 §2 of the Belgian Data Protection Act implements this provision, and states that the administrative fines under the GDPR do not apply to public authorities and their employees or agents, except in case of a legal person governed by public law that offers goods or services on a market. As a result, public authorities are largely exempt from administrative fines, but not from criminal sanctions, other administrative corrective measures (e.g. reprimands, orders, etc.) and judicial review. Whether administrative fines apply, therefore depends on the capacity in which a public authority is operating, with administrative fines remaining applicable for public authorities competing with private actors.

The Federation of Belgian Enterprises (Verbond van Belgische Ondernemingen Fédération des Entreprises de Belgique) has filed an application for annulment with the Constitutional Court, claiming that this Article 221 §2 amounts to an unjustified discrimination. The Council of State previously stated that the repressive measures in the public sector should be at least comparable to those in the private sector.[2] It nevertheless acknowledged a risk of jeopardizing the continuity of public services if fines of up to EUR 20 million can be imposed on the public sector. Therefore it finds specific maxima ceilings for the public sector acceptable. The Belgian Data Protection Authority preferred equal treatment in terms of enforcement in its Opinion, considering that a difference would be difficult to justify.[3] A ruling by the Constitutional Court is expected in 2020.

To be continued …

 

Footnotes:

  1. Nevertheless, Article 6, para. 1, (e) GDPR provides a specific lawful basis for such processing, i.e.: “processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”.
  2. Opinion no. 63.192/2 of 19 April 2018, http://www.raadvst-consetat.be/dbx/adviezen/63192.pdf.
  3. Opinion no. 33/2018 of 11 April 2018, https://www.gegevensbeschermingsautoriteit.be/sites/privacycommission/files/documents/advies_33_2018.pdf.

Team

Related news

07.11.2019 NL law
Symposium 'From Stint to Fipronil: a compensation fund for victims of energetic government intervention in crisis situations

Seminar - Stibbe is organising a symposium in Amsterdam on Thursday 7 November entitled 'From Stint to Fipronil: a compensation fund for victims of energetic government intervention in crisis situations'. During this symposium, Stibbe lawyer Tijn Kortmann and Prof. Pieter van Vollenhoven, alongside other experts,  will speak about the compensation fund which, according to van Vollenhoven, injured parties should be able to call upon if a decision by the government turns out to be too drastic.

Read more

15.10.2019 BE law
Avis du Maître architecte et organisation d’une réunion de projet. De nouvelles étapes préalables à la demande de permis d’urbanisme.

Articles - Une des nouveautés de la réforme du CoBAT adoptée le 30 novembre 2017, publiée au Moniteur belge le 20 avril 2018 et entrée en vigueur le 1er septembre 2019 (pour ce qui concerne les demandes de permis d’urbanisme) porte sur la création de deux nouvelles étapes préalables à l’introduction d’une demande de permis d’urbanisme : l’obtention de l’avis du Maître architecte, d’une part, et l’organisation d’une réunion de projet, d’autre part. 

Read more

14.10.2019 NL law
Kamerdebat over digitalisering van de overheid: aandacht voor bescherming burger vereist

Short Reads - Op 24 september 2019 zijn er vier moties in stemming gebracht én aangenomen door de Tweede Kamer. De moties hebben als gemeenschappelijke deler dat ze in het teken staan van de steeds groter wordende digitalisering bij de overheid. Het achterliggende doel van de moties is dat de burger voldoende beschermd moet worden tegen deze digitalisering.

Read more

15.10.2019 NL law
Een nieuwe uittredingsregeling voor gemeenschappelijke regelingen

Short Reads - Op 26 augustus 2019 is de internetconsultatie gestart van een wetsvoorstel dat de Wet gemeenschappelijke regelingen (Wgr) wijzigt. Het wetsvoorstel heeft als doel de democratische legitimiteit van gemeenschappelijke regelingen te versterken. In een eerder bericht gingen wij al in op eerdere initiatieven om de Wgr te wijzigen en op de in het wetsvoorstel voorgestelde maatregelen, waarbij zeggenschap over de begroting werd uitgelicht

Read more

08.10.2019 NL law
Annotatie bij ABRvS 26 juni 2019, waarin de Afdeling een vereniging als belanghebbende aanmerkt

Short Reads - Op 26 juni 2019 heeft de Afdeling twee uitspraken gedaan over de vraag of een vereniging die opkomt voor werknemers als belanghebbende als in artikel 1:2, derde lid, Awb kan worden aangemerkt. De Afdeling oordeelde dat medewerkers in beginsel niet als belanghebbende kunnen worden aangemerkt. Maar in tegenstelling tot de rechtbanken van Amsterdam en Limburg, oordeelde de Afdeling ook dat een uitzondering hierop kan worden gemaakt. 

Read more

Our website uses functional cookies for the functioning of the website and analytic cookies that enable us to generate aggregated visitor data. We also use other cookies, such as third party tracking cookies - please indicate whether you agree to the use of these other cookies:

Privacy – en cookieverklaring