Photo of Kristof Van Quathem

Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of the Justice of the EU.

Kristof is admitted to practice in Belgium.

While the EU GDPR regulates the international transfer of personal data, several recently enacted EU laws regulate the international transfer of non-personal data, which is any data that is not “personal data” under the GDPR.  In other words, these new laws apply to data that does not relate to an identified or identifiable natural person, including anonymized data and data about industrial equipment, significantly expanding the types of data subject to international transfer restrictions.  Some of this legislation has been enacted recently, and other legislation on this topic is making its way through the legislative process but has yet to be adopted.  In this blog post, we outline the current and forthcoming EU legislation on the international transfer of non-personal data.Continue Reading EU Rules Restricting the International Transfers of Non-Personal Data

In December 2023, the Dutch SA fined a credit card company €150,000 for failure to perform a proper data protection impact assessment (“DPIA”) in accordance with Art. 35 GDPR for its “identification and verification process”.Continue Reading Dutch SA Sanctions Credit Card Company for Failure to Perform Data Protection Impact Assessment

On January 16, 2024, the Belgian Supervisory Authority sanctioned a data broker for violating several provisions of the GDPR.  In particular, the data broker processed personal data without an appropriate legal basis and in violation of its transparency obligation.

The more than 100-page decision explains that until July 2021 the data broker collected personal data from different sources and sold the data to interested third parties (“data delivery services”).  The company also provided “data quality services” aimed at improving the quality and relevance of the personal data held by its clients.  The relevant data were mainly used for advertising by postal mail.Continue Reading Belgian Supervisory Authority Sanctions Data Broker

Several EU data protection supervisory authorities (“SAs”) have recently issued guidance on cookies.  On January 11, 2024, the Spanish SA published guidance on cookies used for audience measurement (often referred to as analytics cookies) (available in Spanish only).  On December 20, 2023, the Austrian SA published FAQs  on cookies and data protection (available in German only).  On October 23, 2023, the Belgian SA published a cookie checklist (available in Dutch and French).

The new guidance builds on existing guidance but addresses some new topics which we discuss below.Continue Reading EU Supervisory Authorities Publish New Guidance on Cookies

On October 11, 2023, the French data protection authority (“CNIL”) issued a set of “how-to” sheets on artificial intelligence (“AI”) training databases. The sheets are open to consultation until December 15, 2023, and all AI stakeholders (including companies, researchers, NGOs) are encouraged to provide comments.  Continue Reading French CNIL Opens Public Consultation On Guidance On The Creation Of AI Training Databases

EU advocate general Collins has reiterated that individuals’ right to claim compensation for harm caused by GDPR breaches requires proof of “actual damage suffered” as a result of the breach, and “clear and precise evidence” of such damage – mere hypothetical harms or discomfort are insufficient. The advocate general also found that unauthorised access to data does not amount to “identity theft” as that term is used in the GDPR.Continue Reading EU Advocate General Defines “Identity Theft” And Reaffirms GDPR Compensation Threshold

On October 26, 2023, the European Court of Justice (“CJEU”) decided that the GDPR grants a patient the right to obtain a copy of his or her medical record free of charge (case C-307/22, FT v DW).   As a result, the CJEU held that a provision under German law that permitted doctors to ask their patients to pay for the costs associated with providing access to their medical record is contrary to EU law.Continue Reading CJEU Holds That GDPR Right of Access Overrules Local Laws

On October 12, 2023 the Italian Data Protection Authority (“Garante”) published guidance on the use of AI in healthcare services (“Guidance”).  The document builds on principles enshrined in the GPDR, national and EU case-law.  Although the Guidance focuses on Italian national healthcare services, it offers considerations relevant to the use of AI in the healthcare space more broadly.

We provide below an overview of key takeaways.Continue Reading Italian Garante Issues Guidance on the Use of AI in the Context of National Healthcare Services

On August 22, 2023, the Spanish Council of Ministers approved the Statute of the Spanish Agency for the Supervision of Artificial Intelligence (“AESIA”) thus creating the first AI regulatory body in the EU. The AESIA will start operating from December 2023, in anticipation of the upcoming EU AI Act (for a summary of the AI Act, see our EMEA Tech Regulation Toolkit). In line with its National Artificial Intelligence Strategy, Spain has been playing an active role in the development of AI initiatives, including a pilot for the EU’s first AI Regulatory Sandbox and guidelines on AI transparency.
Continue Reading Spain Creates AI Regulator to Enforce the AI Act

On July 4, 2023, the European Commission published its proposal for a regulation laying down additional procedural rules relating to the enforcement of the GDPR.  The aim of the proposed Regulation is to clarify and harmonize the procedural rules that apply when EU supervisory authorities investigate complaint-based and ex officio cross-border cases (i.e., where the relevant processing conducted by a controller or processor  spans multiple Member States, resulting in a “lead” authority and additional “concerned” authorities).  If adopted, the Regulation will sit alongside the GDPR, complementing the existing cooperation and consistency mechanisms set forth in Chapter VII.Continue Reading European Commission Proposes GDPR Enforcement Procedure Regulation