Paul assists clients navigate between all legal issues in information technology (IT), data protection, intellectual property (IP) and media & entertainment. He counsels clients from a broad spectrum of industries on a day-to-day basis or for strategic advice.
Paul advises clients on all transactional aspects of IT or IP projects. He also assists clients in dispute settlements or litigation.
Paul’s data protection practice focuses on all aspects of international and domestic data protection and security, including general compliance (processing for HR purposes, CRM strategy, direct marketing compliance, etc.), information security and cybercrime, international data transfers, intra-group agreements, processing and cloud agreements, policy and procedure assistance. Paul holds the CIPP/E certification as a Certified Information Privacy Professional from the International Association of Privacy Professionals (IAPP).
Paul regularly serves as a mediator and arbitrator in information technology and intellectual property disputes (WIPO, CMAP, b.Mediation; CEPANI; etc.). Since 2014, Paul is consistently ranked in The Legal 500 for his practice.
For Privacy and data protection, Information technology and IT & telecoms, the 2018 edition of The Legal 500 recognizes the "strong partner involvement" and "incredible response times". Paul is praised as "technically outstanding" and at the same time as giving "sensible, pragmatic advice".
Paul has also a serious past experience as lecturer in various universities and academic centers in Belgium and abroad and he still stands in scientific committees. He continues to publish articles and give conferences worldwide in his fields of expertise.
Paul is a member of the Brussels and Paris Bars.
The Litigation Chamber of the Data Protection Authority (DPA) recently provided welcome clarifications concerning the validity of employee consent. The DPA decided that the free consent of employees was possible and could be valid if all other conditions of Article 4.11 of the EU General Data Protection Regulation were fulfilled and that the data was collected for a specified and legitimate purpose but the purpose of the processing was not explicit.
The Litigation Chamber of the Data Protection Authority recently issued a reprimand to a hospital for its violation of an employee's access and information rights regarding an audit, which had led to the employee's dismissal. Specifically, the hospital had refused the employee access to the external expert's audit report which had formed the basis of its decision to dismiss the employee.
The Belgian Protection Authority (DPA) recently fined a social media platform €50,000 for processing personal data during the scope of a referral programme without an appropriate legal basis. This decision is particularly relevant because it was rendered on the basis of the one-stop-shop mechanism and all of the national authorities concerned validated the DPA's reasoning.
An estimated 75% of companies in Belgium were subject to cyberattacks in 2019. In this context, the Belgian government recently implemented the EU Network and Information Systems Directive and established a computer security incident response. In this video, Paul Van den Bulck examines the measures taken to strengthen cybersecurity in Belgium and predicts that bring-your-own devices, fintech, regtech and cryptoassets are potentially at-risk sectors in 2020.