Is the DPA competent for all data processing? A ruling on security clearances and the right to a copy

When an employee files a complaint about the processing of their personal data, the Data Protection Authority (DPA) is usually the competent authority. A ruling of 3 September 2025 by the Market Court in Brussels (the appellate body for DPA decisions), however, nuances this.

The Court overturned an entire DPA decision against a government agency. The reasons are important for any organization: first, the DPA lacked jurisdiction to adjudicate data processing in the context of security clearances. Second, the Court clarified that the right to a “copy” (GDPR) does not automatically imply a right to a copy of the entire document.

The facts: a denied security clearance and the consequences

The case revolved around a statutory official at a Belgian regulator, a public utility institution. For his position, this person needed a security clearance.

1. The refusal: The National Security Government refused to renew this clearance. The reason was particularly sensitive: the official was “known to the Prosecutor's Office (as a suspect) in a case....”.
2. Internal communications: The NSG communicated this reasoned decision (including the sensitive information about the criminal investigation) to the employer's security officer.
3. Further dissemination: The security officer then forwarded the full, reasoned decision to the institution's management. The management in turn shared the decision with the officer's hierarchical superior.
4. The implications: Based on this information, the employer initiated disciplinary proceedings against the official and unsuccessfully tried to access the criminal file at the Prosecutor's Office.
5. The complaint: The official filed a complaint with the DPA for multiple violations of the General Data Protection Regulation (GDPR), particularly the unlawful processing of his highly sensitive criminal records. He also requested access to correspondence between his employer and the Prosecutor's Office, which he was denied.

The decision: The Market Court overturns the judgment of the DPA

The DPA had ruled against the employer on two key points:

• The DPA ruled that the internal dissemination of the reasoned decision (to management and the superior) was illegal, in the absence of a valid legal basis under the GDPR (arts. 5, 6 and 10).
• The DPA argued that the employer had improperly denied access to correspondence with the Prosecutor's Office (a violation of Articles 12 and 15 GDPR).

The DPA imposed a reprimand, ordered the deletion of the records, and demanded that access still be granted. The employer successfully appealed to the Market Court, which overturned the entire DPA decision.

The Court's reasoning is based on two separate pillars:

1. The DPA was unauthorized for data processing.

The Market Court ruled that the DPA was not competent to rule on the substance of the complaint (the internal dissemination of the refusal decision).

• The data processing (the communication by the security officer) took place within the framework of he Law of 11 December 1998 on security clearances..
• The personal data processing act of 30 July 2018 explicitly provides that oversight of data processing under that particular law does not fall under the remit of the DPA.
• The exclusively competent supervisor for this matter is the Standing Committee I (the intelligence and security services control body).

The DPA's argument that this was mere ‘personnel management’ was dismissed by the court. Because the decision on the illegality of the first internal division (treatment 3) was overturned, and the DPAhad linked its judgment on the subsequent divisions (treatments 4 and 5) to it, the entire data processing section was cancelled.

2. The right to a “copy” (GDPR) is not an absolute right to a “document”

The second part of the ruling dealt with the employer's refusal to provide a copy of the letters to the Prosecutor's Office. Again, the Court overturned the DPA's decision, on the grounds of inadequate reasoning and an erroneous interpretation of the law.

• The Court reiterated European case law (ECJ C-487/21). Article 15.3 of the GDPR gives data subjects the right to a copy of their personal data being processed.
• This does not automatically imply a right to receive a copy of the documents themselves (such as the full emails or letters).
• A right to a copy of the document arises only if it is “indispensable” to enable the data subject to understand his data and verify the lawfulness of the processing.
• In its decision, the DPA had completely failed to justify why a mere summary of the data would not suffice and why it was “indispensable” for the official to obtain the full letters.

Legal analysis and interpretation

This ruling has two important implications that directly affect DPA practice and data protection law in Belgium.

First, the DPA is not a ‘super-regulator'. The powers of the DPA are clearly delineated. This ruling is a powerful reminder that for specific matters, such as data processing by intelligence and security agencies (or under their legislation), specific regulators (such as the Committee I) have exclusive jurisdiction. The DPA should have declared the complaint inadmissible on this point. Organizations operating in these ‘gray areas’ (defense, national security, justice) should be aware of this division.

Second, the scope of Article 15 GDPR is not unlimited. The Market Court here affirms a principle that often leads to discussion in practice. The right of access is sometimes (mis)used as a ‘fishing expedition’ to collect documents for other proceedings (e.g., a dismissal case or, as here, disciplinary proceedings). This ruling clearly states that the right to a ‘copy’ is primarily a copy of the data. The burden of proof is on the applicant (or the DPA) to show why a copy of the document is ‘indispensable’ to the understanding of that data.

What this specifically means

• For organizations with security officers: The processing of personal data (such as a reasoned refusal) by a security officer under the 1998 Act falls under the control of Committee I, not the DPA.
• For employees: If your complaint concerns the actions of a security officer or the framework of a security clearance, you should contact the Standing Committee I.
• For any organization handling GDPR access requests: You are not automatically required to copy complete documents (emails, reports). Providing a clear overview or summary of the personal data processed may suffice. You must only provide the document itself if the context is “indispensable” for understanding the data.

Frequently asked questions (FAQ)

Is the DPA in Belgium the only authority that adjudicates data protection complaints?
No. Although the DPA is the general regulator for the GDPR, there are specific authorities for certain sectors. As this ruling confirms, the Standing Committee I has jurisdiction over data processing under the Security Clearance Act.

Does the right of access (Art. 15 GDPR) mean that I may always ask for a copy of the entire document (e.g., an e-mail)?
Not automatic. You are entitled to a copy of your personal data being processed. You are only entitled to a copy of the entire document if it is “indispensable” to understand the data and verify the lawfulness of the processing. The controller may also provide a summary.

Has the Market Court now stated that sharing sensitive information about a criminal case with my management is permitted?
No. The Market Court did not rule on this issue on the merits. It overturned the DPA's decision only because the DPA lacked jurisdiction to adjudicate this issue and because the DPA did not adequately justify its decision on the right of access. The question of whether the security officer was allowed to share the reasoning remains unanswered in this ruling.

Conclusion

This ruling is an important procedural victory for the institution complained of and a clear vindication for the DPA. It more sharply delineates the powers between the DPA and Committee I and nuances the practical scope of the right of access under the GDPR.