What's the relationship between the DPA, IVC and the HDA?

What's the relationship between the DPA, IVC and the HDA?

Article 4 of the HDA Law stipulates that the HDA is "not a supervisory authority" within the meaning of Article 51 of the GDPR legislation. The Explanatory Memorandum states that the agency does not aim to replace or undermine the powers of the DPA.

The HDA will play a facilitating role in accessing health data for secondary use and also in relation to the IVC to facilitate access to health data:

  • Assisting in submitting deliberation requests to the Chamber of Social Security and Health of the IVC.
  • Linking/clarifying concurrent requests for access.

The HDA has an operational role; the IVC is an independent body appointed by Parliament, granting authorization for the exchange of health data. Before granting such authorization, the IVC ensures that the request complies with GDPR legislation. The IVC also establishes the information security conditions to be followed in data exchange. The IVC thus has a preventive, supervisory, and normative role. The IVC will also fulfill this role for the exchange of data for secondary use organized through the agency. The IVC has existed in Belgium since 1990, pioneering in this area, while a European Regulation in 2022 obligates all member states to establish such a committee.

It was also crucial to distinguish between an "agency" and an "authority." The DPA conducts control, and the IVC provides advice. "Authority" implies decision-making power or advisory obligations, which is why the Health Data Agency is not an "authority".