Belgian information safety authority desires to take away web sites that violate the GDPR

On November 26th, 2020, the Belgian Data Protection Authority (“Belgian Data Protection Authority”) signed a collaboration agreement with DNS Belgium, the organization that manages the top-level domain name “.be”. The aim of the cooperation agreement is to enable DNS Belgium to suspend “.be” websites that are associated with violations of the EU General Data Protection Regulation (“GDPR”).

The cooperation agreement provides for a two-stage cooperation system:

  • Cooperation with investigations by the Belgian data protection authority: DNS Belgium must provide the investigation service of the Belgian data protection authority with the information it needs for its investigations.
  • “Notice and Action” procedure: If the investigation service or the process chamber of the Belgian data protection authority considers a data processing activity carried out via a website with the domain name “.be” to be in breach of one of the data protection principles set out in the GDPR and the responsible data controller or data processor fails to comply with the order of the Data protection authority to suspend, restrict, freeze (temporarily) or terminate the data processing activity, the investigation service or the trial chamber is entitled to send a notification with the title “Notice and Action” to DNS Belgium. After receiving the “Notice and Action” notification, DNS Belgium will inform the website owner of the violation and forward the relevant domain name to a warning page from the Belgian data protection authority. If, after a period of 14 days, the website owner indicates that they have taken the appropriate remedial action to stop the breach and the Belgian data protection authority does not deny this, the relevant domain name will be restored. During the 14-day period, website owners can request to stop or suspend the notification and action process. In this case, the domain name can be restored pending a decision regarding the procedure. If the breach is not resolved during the 14-day period, the website will continue to be redirected to the warning page of the Belgian data protection authority for a period of six months. After that, the website will be canceled and quarantined 40 days before it will be available again for registration. The Inspector General or the Director of the Process Chamber of the Belgian Data Protection Agency may, at their own discretion, allow the website owner additional time to comply with the relevant data protection requirements.

The “Notice and Action” procedure is only available for violations that cause very serious damage and are committed by natural or legal persons who deliberately violate the law or the data processing despite a prior order from the investigation service or the Trial Chamber of the Belgian Data Protection Agency, to suspend, restrict, freeze (temporarily) or end the processing activity.

Read the cooperation agreement in French or Dutch.

Comments are closed.