DLA Piper Intelligence

Data Protection
Laws of the World

Law

Belgium

Belgium implemented the EU Data Protection Directive 95/46/EC with the Data Protection Act dated 8 December 1992 as amended in 1998 (Act). Enforcement is through the Belgian Data Protection Authority (DPA), called the Commission for the Protection of Privacy.

Belgium expressed the importance of privacy and data protection by appointing a Secretary of State (i.e. a member of the cabinet assigned to a Minister) responsible for privacy matters, in October 2014.

Future legislation?

A bill reviewing the current Belgian Data Protection Act has been introduced by some Members of Parliament in the Belgian Chamber of Representatives. New rules similar to the European Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR) would be introduced, including an information security breach notification duty, the replacement of the general notification duty by the mandatory appointment of an information security officer, and the introduction of administrative fines. This proposed bill is still pending and it is uncertain whether it will pass Parliament, given that the GDPR will be adopted in the near future.

In addition, the Belgian Secretary of State responsible for privacy matters has announced that he will propose draft legislation in order to give the DPA the competence to issue fines. Under current Belgian law, the DPA does not have the right to impose fines upon companies infringing data protection laws and must refer such companies to the courts if the DPA wishes such companies to be sanctioned. A new Secretary of State responsible for privacy matters has since been appointed, but he has confirmed that a draft bill will be proposed along the same lines.

Last modified 26 Jan 2017
Definitions

Definition of personal data

Personal data means any information relating to an identified or identifiable natural person.

A person is considered to be an identifiable person when he or she can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity.

Definition of sensitive personal data

The Act distinguishes between three categories of sensitive personal data, for which distinct rules apply:

  • personal data revealing a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, sex life or trade union membership

  • health related personal data, and

  • personal data relating to disputes which have been submitted to courts and tribunals as well as to administrative judicial bodies, regarding suspicions, prosecutions or convictions in matters of crime, administrative sanctions or security measures.

Last modified 26 Jan 2017
Authority

Commission for the Protection of Privacy
Drukpersstraat 35
1000 Brussels
T +32 (0)2 274 48 78
F +32 (0)2 274 48 35
commission@privacycommission.be
www.privacycommission.be

Last modified 26 Jan 2017
Registration

Unless an exemption applies, data controllers who process personal data by automatic means must notify the DPA so that their processing of personal data may be registered and made public. Changes to the processing of personal data will require the notification to be amended.

The notification shall inter alia include the following information (as outlined in the DPA standard notification form):

  1. the purpose(s) of the processing
     
  2. the controller’s contact details and, if relevant, the contact details of the controller’s representative
     
  3. the types of personal data being processed
     
  4. whether categories of sensitive personal data are processed and if so, which categories
     
  5. the categories of recipients of the data and the guarantees which must be applied to the communication to third parties
     
  6. the way in which data subjects will be informed of the processing and the department which data subjects may contact to use their right to access
     
  7. the data retention terms
     
  8. a general description of security measures, and
     
  9. in cases where the data will be transferred outside of the European Economic Area, categories of data to be transferred and for each category of data, the country of destination.

Last modified 26 Jan 2017
Data Protection Officers

There is no legal requirement in Belgium for organisations to appoint a data protection officer. It is, however, recommended to do so.

The Act requires controllers and processors to take adequate technical and organisational security measures. In relation to this obligation the DPA has issued 'Security Reference Measures', which reflect what is to be considered as constituting 'adequate technical and organisational security measures'. Although the Security Reference Measures are not part of the Act itself and are not legally binding, they are considered authoritative.

The Security Reference Measures recommend that controllers appoint a so-called 'information security officer'. This security officer is responsible for the implementation of the personal data security policy.

Last modified 26 Jan 2017
Collection & Processing

Legal basis for processing

Data controllers may collect and process personal data when any of the following conditions are met:

  • the data subject unambiguously consents
  • the processing is necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into such a contract
  • the processing is necessary for compliance with a legal obligation to which the controller is subject
  • the processing is necessary to protect the vital interests of the data subject
  • the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed, or
  • the processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject.

Where sensitive personal data is processed, a different list of specific conditions applies.

Information vis-à-vis data subjects

Prior to the processing activity, the controller must provide the data subject with certain information, unless an exemption applies. The notification shall include at least information on the identity of the controller, the purposes of the processing, the existence of the right to object to the processing of personal data for direct marketing purposes, as well as the right to access and rectification, the recipients or categories of recipients of the personal data, and whether or not it is obligatory to respond to the data controller’s request to submit personal data and any possible consequences of not responding.

Last modified 26 Jan 2017
Transfer

Transfer of a data subject’s personal data to non EU/European Economic Area (EEA) countries is allowed if the countries provide ‘adequate protection’, as decided upon by the European Commission.

Data controllers may transfer personal data out of the EEA to countries which are not deemed to offer adequate protection if any of the following exceptions apply:

  • the data subject has unambiguously consented to the transfer
  • the transfer is necessary for the performance of a contract between the data subject and the data controller, or for the performance of tasks at the request of the data subject prior to entering into such a contract
  • the transfer is necessary for the conclusion or performance of a contract with a third party in the interest of the data subject
  • the transfer is necessary in order to protect the vital interests of the data subject
  • the transfer is necessary in order to establish, exercise or defend a legal claim
  • the transfer is necessary or legally required in order to protect an important public interest, or
  • there is statutory authority for demanding data from a public register.

The DPA may allow transfers even if the above conditions are not fulfilled if the controller adduces additional safeguards with respect to the protection of the rights of the data subject. Such safeguards may inter alia result from contractual clauses, e.g. by standard contractual clauses approved by the European Commission (EU model clauses), or via an organisation's Binding Corporate Rules.

New rules on EU model clause transfers were introduced in 2013. All data transfer agreements must formally be submitted to the DPA for scrutiny. Where the agreement is in line with the EU model clauses, the DPA will confirm compliance. Where significant derogations from the EU model clauses have been made, the DPA will assess the agreement's compliance with Belgian legislation and, if accepted, formally approve the transfer following a strict procedure including authorisation by Royal Decree.

Following the Judgment of the Court of Justice of the European Union of 6 October 2015 (C-362/14) the US-EU Safe Harbor regime (Safe Harbor) is no longer regarded as a valid basis for transferring personal data from the EEA to the US. In this respect, the DPA has stated that it is "particularly happy with the ruling taking into account the fact that it clearly recognizes that it is important that national supervisory authorities intervene whenever privacy disputes arise". Safe Harbor has been replaced with the Privacy Shield regime, which can now be used as a legal basis for US-EU transfers of personal data (see Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield). 

Last modified 26 Jan 2017
Security

Data controllers and processors must implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

The DPA has issued guidelines in respect of such security measures (the 'Security Reference Measures'). The DPA also issued a recommendation on security measures and data breaches, following several widely publicised data breaches in Belgium. The recommendation builds further on its previously issued guidelines and details specific security requirements regarding, among other things, IT architecture and development and production environments.

The DPA also announced its intention to strengthen the legal framework for security measures. Given certain highly publicised data breaches in Belgium, the DPA considered it should not only have the competence to merely recommend security measures, but should also be able to legally enforce those measures.

Last modified 26 Jan 2017
Breach Notification

The Act does not provide for a general data security breach notification duty for all data controllers.

However, in its recommendation on security measures and data breaches, the DPA recommends that companies notify security breaches in the event of 'public incidents'. Companies should document notification procedures for data security breach incidents. In case of a 'public incident', the DPA should be informed of the causes and damage within 48 hours. A public information campaign will be initiated within 24 to 48 hours after such notification. The DPA does not specify what is to be understood by a 'public incident'.

The DPA has made a standard data breach notification form available on its website, along with a manual providing guidance on how to complete the form. The form can be completed and filed electronically via the website.

Last modified 26 Jan 2017
Enforcement

The DPA is authorised to investigate, and to act as a mediator in respect of, complaints. The DPA may also appoint experts, require the provision of documents, and require access to certain premises. In the case of criminal actions, the DPA must notify the public prosecutor.

Failure to comply with the Act may result in criminal sanctions, consisting of imprisonment and/or fines up to EUR 600,000 (or even EUR 1,200,000 in certain circumstances).

The DPA also publicly announced its intention to make enforcement its number one priority, e.g. by setting up a dedicated inspection task force, and conducting increased control and inspection activities on all organisations processing customer data on a large scale for advertising purposes as well as in specific industry sectors, such as insurance and health care.

In 2015 the DPA put its stated intention into practice by taking a very popular social network to court for non-compliance with the Belgian cookie rules. At first instance the social network was ordered to stop its illegal practices or face a daily fine of EUR 200,000. The social network, however, appealed against the decision and the appellate court ruled in favour of the network, stating that it had no jurisdiction to rule on the case. This case is ongoing.

Whatever the outcome may be on the merits of the case, it is clear that Belgium is becoming one of the more assertive countries when it comes to privacy and data protection.

Last modified 26 Jan 2017
Electronic Marketing

The Act applies to most electronic marketing activities, as there is likely to be processing and use of personal data involved (e.g. an email address is likely to be ‘personal data’ for the purposes of the Act). The Act does not prohibit the use of personal data for the purposes of electronic marketing but provides individuals with the right to object to the processing of their personal data (i.e. a right to ‘opt out’) for direct marketing purposes.

Additionally, specific rules are set out in the Belgian e-commerce legislation (Book XII of the Code of Economic Law) regarding opt-in requirements:

  • These rules apply to all ‘electronic messages’, such as emails and text messages (Short Message Systems or SMS). Other types of electronic communication such as instant messaging and chat may also fall within the scope of these rules depending on the specific context. This covers not only clear promotional messages, but also newsletters and similar communications. Indeed, any form of communication intended to directly or indirectly promote goods, services, the image of a company, organisation or person which/who exercises a commercial, industrial or workmanship activity or regulated profession falls within the scope of these rules.

  • As a general principle, the prior, free, specific and informed consent of the recipient of the message must be obtained (‘opt-in principle’).

  • Two exceptions apply to the opt-in principle. No prior, free, specific and informed consent is to be obtained if:

    • the electronic marketing message is sent to existing customers of the service provider, or

    • the electronic message is sent to legal persons (e.g. to a general email address such as info@company.com).

   These exceptions are subject to compliance with strict conditions.

  • Furthermore, all electronic messages must contain a clear reference to the recipient's right to opt out, including means to exercise this right electronically.

Last modified 26 Jan 2017
Online Privacy

Cookies

Article 5(3) of the E-Privacy Directive has been implemented into Belgian law by means of an amendment to article 129 of the Belgian Electronic Communication Act.

The use and storage of cookies and similar technologies requires:

  • the provision of clear and comprehensive information, and

  • consent of the website user.

Consent is not required for cookies that are:

  • used for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or
     
  • strictly necessary for the provision of a service requested by the user.

In February 2015 the DPA issued a recommendation on the use of cookies with useful guidance relating to the information obligation, the consent requirement and the exemptions.

Location data

Article 123 of the Belgian Electronic Communication Act stipulates that mobile network operators may process location data of a subscriber or an end user only to the extent that the location data has been anonymised, or if the processing is carried out in the framework of the provision of a service regarding traffic or location data.

The processing of location data in the framework of a service regarding traffic or location data is subject to strict conditions set forth in article 123.

The processing of location data must in addition also comply with the general rules stipulated by the Data Protection Act.

Traffic data

In accordance with article 122 of the Belgian Electronic Communication Act, mobile network operators are required to delete or anonymise traffic data of their users and subscribers as soon as such data is no longer necessary for the transmission of the communication (subject to compliance with cooperation obligations with certain authorities).

Subject to compliance with specific information obligations and subject to specific restrictions, operators may process certain location data for the purposes of:

  • invoicing and interconnection payments

  • marketing of the operator’s own electronic communication services or services with traffic or location data (subject to the subscriber’s or end user’s prior consent), and

  • fraud detection.

Last modified 26 Jan 2017
Contacts
Prof. Patrick Van Eecke
Partner & Co-Chair of EMEA Data Protection and Privacy Group
T +32 2 500 1630
Last modified 26 Jan 2017