New Belgian DPA decision: broader "controller" concept & extensive access rights?

In a decision of 29 July that it published today, the Litigation Chamber of the Belgian Data Protection Authority (BDPA) examined the issue of who is controller in the case of an external auditor, as well as the limits to data subjects' rights to obtain a copy of personal data relating to them.

The case revolved around a request by a doctor, head of a radiology service in a hospital, to gain access to an audit report and specifically sections that related to her individually. The audit was carried out at the request of the hospital in question by an external expert.

Read here the analysis and comments by the NautaDutilh data protection team.

Blog

11.04.2024
Counting down to DORA – governance of ICT risks and board member responsibility
Blog

14.03.2024
ICT services: comparison of the ESMA and EBA outsourcing guidelines and DORA
Corporate news

07.03.2024
NautaDutilh intensifies AI collaboration with Fledger
Update

06.03.2024
DMA countdown - Perhaps the most important milestone: gatekeepers must ensure compliance
Update

09.02.2024
Privacy & data in the Benelux: five things you need to know in 2024
Update

24.01.2024
Technology and the law in 2024: five things you need to know
Update

11.12.2023
EU AI Act: three key insights on the world's first comprehensive AI law
Publication

30.11.2023
The Chambers Technology & Outsourcing guide 2023
Update

30.11.2023
Q&AI: What financial institutions need to consider when using AI
Update

23.08.2023
Luxembourg FDI screening mechanism enters into force
Update

08.08.2023
Third parties can intervene in BDPA proceedings and appeal its decisions
Update

24.07.2023
The twin transition of the financial sector: eight key insights
Publication

21.07.2023
The competition dynamics in relation to cloud services
Update

14.07.2023
Green light for EU-US Data Privacy Framework: a new era for transatlantic data flows
Publication

27.06.2023
NautaDutilh writes Netherlands chapter of the Global Legal Insights on AI, Machine Learning and Big Data 2023
Corporate news

06.06.2023
Anke Holtland appointed to counsel Public Law
Publication

02.06.2023
Upcoming EU legislation on artificial intelligence
Corporate news

01.05.2023
NautaDutilh Luxembourg ranked in Chambers FinTech 2023
Publication

14.04.2023
Best practices for drafting and updating data protection notices
Deal or Case news

13.04.2023
NautaDutilh assists Bluestar Alliance in Scotch & Soda acquisition
Update

21.03.2023
Using ChatGPT and other generative AI tools: risks and challenges
Publication

17.03.2023
The EDPB provides for further guidance on the use of cloud solutions in line with the GDPR
Update

01.03.2023
Dutch DPA letter to the government on PNR: enforcement threatens again with focus on proportionality
Update

27.02.2023
Data Protection in Belgium: the 2023 focus of the BDPA
Update

13.02.2023
The end-user and its avatar - data integrity risks and ethical challenges in the metaverse - Part one
Publication

03.02.2023
NautaDutilh contributes to IAPP's Global Legislative Predictions 2023
Update

26.01.2023
Online platforms and search engines to publish average monthly active recipients (AMARs) in EU by 17 February 2023
Update

20.01.2023
Benelux Technology Law in 2023: five things you need to know
Publication

15.12.2022
GDPR & AML: no longer public access to UBO data without legitimate interest
Update

28.11.2022
No longer public access to UBO data without legitimate interest
Update

22.11.2022
Digital Markets Regulation: now a reality in the EU
Update

21.11.2022
DORA: the forthcoming EU legal framework on Digital Operational Resilience in the financial sector
Publication

27.10.2022
Vincent Wellens on FATCA in the Paperjam
Publication

24.10.2022
DORA the EU Regulation
Publication

12.10.2022
NautaDutilh contributes to Technology Disputes Guide by Lexology
Publication

22.08.2022
Privacy and security concerns in the metaverse
Update

28.07.2022
VoetbalTV: Administrative fine permanently annulled without judgement on the 'pure commercial interest'
Publication

13.07.2022
Luxembourg first member state to launch a certification mechanism under the GDPR
Publication

28.06.2022
European Data Protection Board harmonises EU fining guidelines
Update

14.06.2022
New GDPR guidelines on fines on the way
Update

07.06.2022
Data protection impact assessments new EDPS recommendations
Update

03.06.2022
Heavy fines for Belgian airports for using thermal imaging cameras – what are the lessons for the other controllers?
Update

26.04.2022
Revamped CSSF outsourcing guidance for the financial sector
Update

09.02.2022
Technology & the law in 2022: five things you need to know
Corporate news

28.01.2022
Our privacy experts Vincent Wellens and Yoann Le Bihan contribute to the IAPP’s Global Legislative Predictions 2022
Update

27.01.2022
Benelux Data Law: five things you need to know in 2023
Update

11.01.2022
Luxembourg IP & Technology Law: five things you need to know
Publication

15.12.2021
Data Protection notices after the Whatsapp case: what's the message?
Corporate news

14.12.2021
NautaDutilh Luxembourg ranked in Chambers FinTech 2022
Blog

10.12.2021
The record fine for the Dutch Tax Administration from a legal perspective
Deal or Case news

29.11.2021
NautaDutilh assists shareholders of Mepal in investment by 3i
Update

25.11.2021
Prohibition of online advertising in a list of e-mails or messages: a misstep by the CJEU?
Update

26.10.2021
Why all companies should care about the UN's cybersecurity & software update regulations: Lessons for all sectors
Update

15.10.2021
New rules on material IT outsourcing in the financial sector
Publication

17.09.2021
NautaDutilh contributes to Technology Disputes Guide by Lexology
Deal or Case news

16.09.2021
NautaDutilh assists SoftBank Vision Fund 2 with its Series C investment in Dutch scale-up SendCloud
Update

17.08.2021
NautaDutilh contributes to digitalization series by EACCNY
Corporate news

02.07.2021
NautaDutilh's IP & Tech Law team recognised by Leaders League
Update

17.06.2021
Belgian DPA: fines prohibited in the absence of a prior order to comply?
Update

15.06.2021
The CNPD Publishes Several Decisions Following Investigations
Update

07.06.2021
Europe proposes first-ever statutory framework for AI
Update

12.05.2021
Lindsay Korytko in Silicon Luxembourg on IP and contractual protection of APIs in the EU
Update

29.04.2021
Insufficient cybersecurity measures under GDPR: 100k EUR fine in Belgium & key fines elsewhere
Update

15.04.2021
Regulatory changes in the audiovisual media sector
Corporate news

26.03.2021
NautaDutilh participates to Brexit and Covid legal update webinar
Update

17.03.2021
New law brings Luxembourg to the forefront of distributed ledger technology
Update

15.02.2021
The Sky Is Not the Limit: Space Activities in Luxembourg
Update

02.12.2020
(Alleged) data protection infringement? Say bye-bye to your .be domain name
Update

18.11.2020
Personal data transfers to the UK: Last weeks to prepare for an increasing likely «no-deal» Brexit
Update

17.11.2020
New Belgian DPA decision: employee consent sometimes works
Update

12.11.2020
Finally some practical EDPB guidance on how to make international data transfers lawful
Update

22.10.2020
Data protection litigation: preparing to defend yourself – or attack
Update

07.10.2020
What to do with ex-employee mailboxes? Belgian DPA fines post-dismissal use of e-mails
Update

14.09.2020
New controller-processor guidelines: beware of impact on data processing agreements
Update

14.08.2020
Benelux Regulators to Apply EIOPA Guidelines on Outsourcing to Cloud Service Providers by Insurance and Reinsurance Undertakings
Update

30.07.2020
Luxembourg law on e-signature and other trust e-services now fully consistent with the eIDAS Regulation
Update

16.07.2020
Schrems II: What is (or should be) on your to-do list for international data transfers?
Update

14.07.2020
What does the new Google decision by the Belgian DPA mean for other organisations?
Corporate news

09.07.2020
Peter Craddock in Le Vif/L'Express on contact tracing
Update

23.06.2020
Surveys, transparency and DPIAs: tips from the Belgian DPA
Update

10.06.2020
Belgium: new data protection decisions on complaints by opponents – next, competitors?
Update

25.05.2020
Belgium: what has GDPR year 2 taught us, and what will come next?
Update

20.05.2020
Belgium: two new fines for tell-a-friend and health-related GDPR violations
Publication

19.05.2020
GDPR: some organisations may need a new DPO according to the Belgian Data Protection Authority
Update

07.05.2020
You may need a new DPO, according to the Belgian Data Protection Authority
Corporate news

04.05.2020
NautaDutilh Avocats Luxembourg hosts webinar "Manage a company remotely in compliance with Luxembourg law"
Update

16.04.2020
When the Belgian DPA comes knocking, who knows what it might find (or fine)
Update

09.04.2020
Freshly baked cookie guidance from Belgian Data Protection Authority
Update

27.03.2020
Ex-employers sharing dirt on an employee: no fine under data protection law if done orally?
Update

17.03.2020
COVID-19 & homeworking: how will we sign documents now?
Publication

17.03.2020
What legal framework for your APIs in the financial sector?
Update

05.03.2020
Your ID for a loyalty card: no data protection fine in the end?
Update

20.02.2020
Artificial Intelligence White Paper: what are the practical implications?
Publication

17.02.2020
The Belgian data protection authority issues guidance on the processing of personal data for direct marketing purposes
Update

11.02.2020
Want to reach your customers or prospects? Important new direct marketing guidance in Belgium
Publication

23.01.2020
Cookies are to be consumed with moderation certainly in the Christmas period
Update

08.01.2020
Social elections 2020 & personal data challenges
Update

07.01.2020
Clarity on territoriality?

Related articles

Counting down to DORA – governance of ICT risks and board member responsibility

ICT services: comparison of the ESMA and EBA outsourcing guidelines and DORA

NautaDutilh intensifies AI collaboration with Fledger

DMA countdown - Perhaps the most important milestone: gatekeepers must ensure compliance

Privacy & data in the Benelux: five things you need to know in 2024

Technology and the law in 2024: five things you need to know

EU AI Act: three key insights on the world's first comprehensive AI law

The Chambers Technology & Outsourcing guide 2023

Q&AI: What financial institutions need to consider when using AI

Luxembourg FDI screening mechanism enters into force

Third parties can intervene in BDPA proceedings and appeal its decisions

The twin transition of the financial sector: eight key insights

The competition dynamics in relation to cloud services

Green light for EU-US Data Privacy Framework: a new era for transatlantic data flows

NautaDutilh writes Netherlands chapter of the Global Legal Insights on AI, Machine Learning and Big Data 2023

Anke Holtland appointed to counsel Public Law

Upcoming EU legislation on artificial intelligence

NautaDutilh Luxembourg ranked in Chambers FinTech 2023

Best practices for drafting and updating data protection notices

NautaDutilh assists Bluestar Alliance in Scotch & Soda acquisition

Using ChatGPT and other generative AI tools: risks and challenges

The EDPB provides for further guidance on the use of cloud solutions in line with the GDPR

Dutch DPA letter to the government on PNR: enforcement threatens again with focus on proportionality

Data Protection in Belgium: the 2023 focus of the BDPA

The end-user and its avatar - data integrity risks and ethical challenges in the metaverse - Part one

NautaDutilh contributes to IAPP's Global Legislative Predictions 2023

Online platforms and search engines to publish average monthly active recipients (AMARs) in EU by 17 February 2023

Benelux Technology Law in 2023: five things you need to know

GDPR & AML: no longer public access to UBO data without legitimate interest

No longer public access to UBO data without legitimate interest

Digital Markets Regulation: now a reality in the EU

DORA: the forthcoming EU legal framework on Digital Operational Resilience in the financial sector

Vincent Wellens on FATCA in the Paperjam

DORA the EU Regulation

NautaDutilh contributes to Technology Disputes Guide by Lexology

Privacy and security concerns in the metaverse

VoetbalTV: Administrative fine permanently annulled without judgement on the 'pure commercial interest'

Luxembourg first member state to launch a certification mechanism under the GDPR

European Data Protection Board harmonises EU fining guidelines

New GDPR guidelines on fines on the way

Data protection impact assessments new EDPS recommendations

Heavy fines for Belgian airports for using thermal imaging cameras – what are the lessons for the other controllers?

Revamped CSSF outsourcing guidance for the financial sector

Technology & the law in 2022: five things you need to know

Our privacy experts Vincent Wellens and Yoann Le Bihan contribute to the IAPP’s Global Legislative Predictions 2022

Benelux Data Law: five things you need to know in 2023

Luxembourg IP & Technology Law: five things you need to know

Data Protection notices after the Whatsapp case: what's the message?

NautaDutilh Luxembourg ranked in Chambers FinTech 2022

The record fine for the Dutch Tax Administration from a legal perspective

NautaDutilh assists shareholders of Mepal in investment by 3i

Prohibition of online advertising in a list of e-mails or messages: a misstep by the CJEU?

Why all companies should care about the UN's cybersecurity & software update regulations: Lessons for all sectors

New rules on material IT outsourcing in the financial sector

NautaDutilh contributes to Technology Disputes Guide by Lexology

NautaDutilh assists SoftBank Vision Fund 2 with its Series C investment in Dutch scale-up SendCloud

NautaDutilh contributes to digitalization series by EACCNY

NautaDutilh's IP & Tech Law team recognised by Leaders League

Belgian DPA: fines prohibited in the absence of a prior order to comply?

The CNPD Publishes Several Decisions Following Investigations

Europe proposes first-ever statutory framework for AI

Lindsay Korytko in Silicon Luxembourg on IP and contractual protection of APIs in the EU

Insufficient cybersecurity measures under GDPR: 100k EUR fine in Belgium & key fines elsewhere

Regulatory changes in the audiovisual media sector

NautaDutilh participates to Brexit and Covid legal update webinar

New law brings Luxembourg to the forefront of distributed ledger technology

The Sky Is Not the Limit: Space Activities in Luxembourg

(Alleged) data protection infringement? Say bye-bye to your .be domain name

Personal data transfers to the UK: Last weeks to prepare for an increasing likely «no-deal» Brexit

New Belgian DPA decision: employee consent sometimes works

Finally some practical EDPB guidance on how to make international data transfers lawful

Data protection litigation: preparing to defend yourself – or attack

What to do with ex-employee mailboxes? Belgian DPA fines post-dismissal use of e-mails

New controller-processor guidelines: beware of impact on data processing agreements

Benelux Regulators to Apply EIOPA Guidelines on Outsourcing to Cloud Service Providers by Insurance and Reinsurance Undertakings

Luxembourg law on e-signature and other trust e-services now fully consistent with the eIDAS Regulation

Schrems II: What is (or should be) on your to-do list for international data transfers?

What does the new Google decision by the Belgian DPA mean for other organisations?

Peter Craddock in Le Vif/L'Express on contact tracing