Alleged data protection violation? Your “.be” domain name could be taken down!
The Belgian Data Protection Authority (the “Belgian DPA”) published on 30 November 2020 a Cooperation Agreement with DNS Belgium, the organization managing the “.be” country code top-level domain name. This Agreement allows DNS Belgium to make unavailable “.be” websites that violate the General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”) in a more efficient manner.
This Agreement establishes a two-tier cooperation system between the Belgian DPA and DNS Belgium. At the first level, DNS Belgium must cooperate with investigations of the Belgian DPA and provide its Investigation Service with the required information for its investigations. Additionally, the agreement lays down that both the Belgian DPA and DNS Belgium must respect the obligations and principles of the GDPR, for instance, DNS Belgium must not share the documents and information containing personal data, received by the Belgian DPA in context of legal proceedings, with third parties.
The second tier of the cooperation system entails the notice and action procedure. In terms of Article 2 of this Agreement:
If the Inspection Service or the Litigation Chamber of the DPA finds that the processing of personal data via a website linked to a .be domain name constitutes a breach of the fundamental principles of privacy protection and if the controllers or processors do not comply with the order to suspend, limit, (temporarily) suspend or terminate the processing of personal data within the time limit set by the order, they shall notify DNS Belgium in accordance with article 4 of this protocol.
This notice and action procedure is limited to the infringements that cause the “greatest prejudice to the interests to be protected, committed by organizations or persons who deliberately violate this legislation and who continue their processing of personal data despite a previous injunction from the Inspection Service or the Litigation Chamber to suspend, limit, suspend (temporarily) or terminate it”.
In other words, this procedure is applicable only to infringements causing very serious harm and are committed by natural or legal persons that deliberately infringe the law or continue data processing activity in spite of a prior order by the Belgian DPA directing suspension, limitation, freezing (temporarily) or ending of the processing activity. Under this procedure, the Investigation Service or the Litigation Chamber of the Belgian DPA is authorized to send a “Notice and Action” notification to DNS Belgium after the responsible data controller or data processor does not comply with the DPA’s order passed when a website with a “.be” domain name is found to be in violation of the GDPR. Informing the website owner about the infringement, DNS Belgium will proceed to re-direct the domain name in question to a warning page of the Belgian DPA. If the website owner takes appropriate measures in regards to the infringement within 14 days and the Belgian DPA does not object to the same, the domain name would be restored. However, if necessary action is not taken within the 14-day period, the website, after six months of redirection to the Belgian DPA’s warning page, will be cancelled and available for registration again after 40 days. If the owners of the website request to suspend the notice and action procedure within the 14-day period, the domain name may be restored till a decision on the subsequent procedure is taken. The Belgian DPA also has the discretion to grant extra time to the website owner to adopt such necessary measures.
Reported by Priyanshi Rastogi, Student Ambassador