Data Protection Day: looking back and looking forward

Looking back on 2021

2021 was dominated by COVID and the protection of personal data involved. It was not only about data protection, but also about making controllers aware that these processing operations must be preceded by a data protection impact analysis (called DPIA). Data protection impact analyses are mandatory in many cases and can therefore always be requested during an inspection. Make sure to be prepared!

Some figures

In 2021, the Disputes Chamber, responsible for taking enforcement actions, published 143 decisions. In 140 cases the decision was based on a citizen’s complaint. A total of €301,000 in fines was imposed. There were 10 appeals before the Market Court.

73 inspections were conducted by the Inspection Service and only 4 cases were dismissed. The Inspection Service investigates complaints about serious indications of GDPR/AVG violations.

The DPA received 1432 reports of data leaks and initiated 3 cases itself. 48% of data leaks occurred due to human error, 26% due to hacking, phishing or malware. Comparing 2021 with 2020, we see that there were 36% more data breaches in 2021, than in 2020.

Furthermore, there were 1788 DPO notifications, on the one hand new notifications on the other hand changing notifications. As a result, by December 31, 2021, a total of 7041 organizations have an active DPO.

Priorities for 2023

The DPA has communicated its biggest priorities for 2023 to the House of Representatives. We notice two major priorities, namely cookies and the function of the DPO. And one smaller priority, namely smart cities.

1. Cookies: the DPA will later this year formulate a clear position on the use of cookies, what can and cannot be done. This in combination with the export of personal data through the use of certain international tools, such as Google Analytics, Mailchimp, etc. This will remain a priority in 2023 as well and the DPA will work hard on this.
2. The DPO/Data Protection Officer: the DPO is seen as the DPA’s ally. The authority wants to support these individuals as needed. They will do this through preventive actions, further development of guidelines, decision making, and by performing checks on the independence of the DPO.
3. Smart cities: a smart city is a place where all possible technological solutions are used together to facilitate residents’ lives. Think intelligent transportation, smart cameras, mileage charging, etc. This involves collecting different types of personal data together, for which the DPA would like to develop some prevention actions.

In 2023, if possible, the authority wants to pay particular attention to raising awareness about data brokers, especially among young people for example. Data brokers process personal data on a very large scale. The Inspectorate and the Litigation Chamber want to investigate this further this year.

2023 will be an important year for the exchange of personal data to the US. Because of Schrems II, there is no longer a Privacy Shield active between the EU and the U.S., making data exports almost impossible without taking various measures.

On Oct. 7, 2022, a new Executive Order was signed by President Biden, which was seen as a solution to this problem. However, we do not see this as a short-term solution for European companies. The content of the Executive Order will probably not be enough for the European Commission to approve data transfers. We will follow up on this for you!

Source: annual report Data Protection Authority