Data protection in Belgium: overview
A Q&A guide to data protection in Belgium.
This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies.
Please note: this Q&A was written before the ruling of the ECJ concerning the validity of the EU-US Safe Harbor framework. Therefore, the answers referring to safe harbours do not reflect the ruling.
To compare answers across multiple jurisdictions, visit the Data Protection Country Q&A tool.
This article is part of the global guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-guide.
The Data Protection Directive has been implemented into Belgian law by the Law on the protection of privacy in relation to the processing of personal data (Wet tot bescherming van de persoonlijke levenssfeer ten opzichte van de verwerking van persoonsgegevens/Loi relative à la protection de la vie privée à l'égard des traitements de données à caractère personnel) (DPL) of 8 December 1992 (as subsequently amended), which entered into force on 1 September 2001. The DPL has been further implemented by the Royal Decree of 13 February 2001 (Koninklijk besluit ter uitvoering van de wet van 8 december 1992 tot bescherming van de persoonlijke levenssfeer ten opzichte van de verwerking van persoonsgegevens/Arrêté royal portant exécution de la loi du 8 décembre 1992 relative à la protection de la vie privée à l’égard des traitements de données à caractère personnel).
The authority that oversees and enforces the DPL is the Privacy Commission (Commissie voor de bescherming van de persoonlijke levenssfeer/Commission de la protection de la vie privée) (see box, The regulatory authority). The Privacy Commission issues recommendations on the application of the DPL, which are not binding, but form an important tool for interpreting the DPL.
Belgium has not adopted a genuinely "sectoral" approach for the regulation of the protection of privacy and personal data, but has nevertheless adopted specific rules for certain cases. In addition to the DPL and the Royal Decree of 13 February 2001, a number of specific laws and rules also contain provisions on the protection of privacy and personal data, such as:
The installation and use of surveillance cameras (except for cases subject to specific regulations) is governed by the Camera Surveillance Law of 21 March 2007 (Wet tot regeling van de plaatsing en het gebruik van bewakingscamera's/Loi réglant l'installation et l'utilisation de caméras de surveillance).
The installation and use of surveillance cameras for monitoring employees is subject to Collective Bargaining Agreement No. 68 concerning the camera surveillance of employees of 16 June 1998 (Collectieve arbeidsovereenkomst 68 betreffende de bescherming van de persoonlijke levenssfeer van de werknemers ten opzichte van de camerabewaking op de arbeidsplaats/Convention collective de travail 68 relative à la protection de la vie privée des travailleurs à l'égard de la surveillance par caméras sur le lieu de travail).
Monitoring of employees' online communication is regulated by Collective Bargaining Agreement No. 81 concerning the monitoring of electronic communications of employees of 26 April 2002 (Collectieve arbeidsovereenkomst 81 tot bescherming van de persoonlijke levenssfeer van de werknemers ten opzichte van de controle op de elektronische onlinecommunicatiegegevens/Convention collective de travail 81 relative à la protection de la vie privée des travailleurs à l'égard du contrôle des données de communication électroniques en réseau).
The Electronic Communications Law of 13 June 2005 (Wet betreffende de elektronische communicatie/Loi relative aux communications électroniques) contains provisions on the secrecy of electronic communications and the protection of privacy in relation to such communications.
The Patient Rights Law of 22 August 2002 (Wet betreffende de rechten van de patiënt/Loi relative aux droits du patient) regulates, among other things, the use of patients' data and the information that patients must receive about this use.
Scope of legislation
The DPL applies to data controllers, that is, any natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes of, and means for, processing personal data (Article 1 §4, DPL). Certain rules of the DPL (Article 16, DPL) also apply to a data processor, that is, any natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller, except for the persons who, under the direct authority of the controller or the processor, are authorised to process the data (Article 1 §5, DPL).
The DPL regulates personal data, that is, any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, in particular, by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity (Article 1 §1, DPL). The person to whom personal data relates is defined as the "data subject".
The DPL applies to any fully or partly automated processing of personal data, that is, by means of a computer system, as well as to any non-automated processing of personal data included or intended to be included in a filing system (Article 3 §1, DPL). A filing system is defined as any structured set of personal data which is accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis (Article 1 §3, DPL).
The processing of personal data is a broad concept and includes (Article 1 §2, DPL):
Adaptation or alteration.
Disclosure by transmission, dissemination or otherwise making available.
Alignment or combination.
Blocking, deletion or destruction.
The DPL applies to the processing of personal data:
Carried out in the context of effective and actual activities of a data controller having a permanent establishment in Belgium or in a place where Belgian law is applicable under public international law (Article 3bis 1°, DPL).
By a data controller with no permanent establishment in EU territory if, for the purposes of processing personal data, it makes use of equipment, automated or otherwise, situated in Belgium, unless that equipment is used exclusively for transit through Belgian territory. A data controller that falls under the DPL on this basis must appoint a representative established in Belgium for the purposes of the DPL (Article 3bis 2°, DPL).
The DPL does not apply to non-automated data processing, if the personal data being processed is not included or is not intended to be included in a filing system (Article 3 §1, DPL).
In addition, the DPL does not apply to data processing by a natural person in the course of a purely personal or household activity (Article 3 §2, DPL).
In addition, partial exemptions from the application of the DPL exist for each of the following categories of data processing (Article 3 §§3 to 7, DPL):
Processing operations by or on behalf of, among others, the State Security Service or the General Intelligence and Security Service of the armed forces, or for the purpose of carrying out police tasks (Article 3 §4 and §5, DPL).
Processing personal data for the purpose of implementing anti-money laundering legislation (Article 3 §5 4°, DPL).
Processing personal data solely for journalistic, artistic or literary purposes, subject to certain conditions with respect to some of the DPL's provisions (Article 3 §3, DPL).
Processing personal data of individuals subject to a control or an examination undertaken by or on behalf of the Federal Public Service Finance (Article 3 §7, DPL).
In principle, every data controller processing personal data by automatic means must notify the Privacy Commission before processing the data (Article 17 §1, DPL). By contrast, manual processing of personal data does not require notification.
However, automated processing is exempt from the notification obligation if it falls within one of the categories listed in Articles 51 to 62 of the Royal Decree of 13 February 2001. The main exemptions cover the processing of personal data that is:
Necessary for the payroll management by the employer.
Used by the employer exclusively for staff management.
Necessary for the data controller's accounting.
Necessary for the administration of shareholders and partners.
Necessary for the administration of customers and suppliers.
Indispensable for contacting the data subject.
Relating to access control for company buildings and premises.
The notification is usually done online on the Privacy Commission's website (www.privacycommission.be). Although less used and more expensive, hard copy notification is still possible. The hard copy notification form can be downloaded from the Privacy Commission's website. The fee for an online notification amounts to EUR25 (as at 1 March 2012, US$1 was about EUR0.7) and to EUR125 for a paper notification. The fee for modifying an existing notification is EUR20.
Each purpose for which personal data is processed, or each group of connected purposes, requires a separate notification, that is, by using a separate form. The notification form must be completed either in Dutch or in French, and must contain the following information:
Name and address or name and registered office of the data controller.
Purpose(s) of the automatic processing.
Categories of the personal data processed.
Categories of the recipients of the personal data.
Manner in which the data subjects are informed of their rights.
Retention period of the personal data.
Information on specific compliance measures for sensitive data, if applicable.
General description of the security measures taken.
Categories of personal data that are transferred to other countries and the country of destination.
If personal data is transferred to a third country not providing an adequate level of protection, the legal basis for the transfer of the personal data.
Furthermore, within the scope of its power of supervision and investigation, the Privacy Commission is entitled to demand additional information from the notifying data controller. In particular, the Privacy Commission can ask for:
Information regarding the origin of the personal data.
The selected automation technology.
The applicable security measures.
Additional information on the implemented safeguards regarding the international transfer of personal data.
The data controller can begin processing the personal data after the Privacy Commission acknowledges receipt of the notification. The acknowledgment of receipt is usually sent within three days of receiving the notification form.
In certain cases, prior authorisation is required (see Question 20).
Main data protection rules and principles
Main obligations and processing requirements
Data controllers are under the following obligations to ensure fair and lawful processing of personal data:
The data controller can only process personal data with the data subject's consent, or if one or more of the other criteria for the lawful processing of personal data are met (see Questions 9, 10 and 11).
The processing of personal data must be legitimate and comply entirely with the principles relating to data quality. That is, personal data must be collected for specified, explicit and legitimate purposes and not further processed in a way that is incompatible with those purposes. In addition, personal data must be (Article 4, §1, DPL):
not excessive in relation to the purposes for which it is collected and/or further processed;
where necessary, kept up to date; and
kept in a form permitting identification of data subjects for no longer than necessary.
Data controllers must provide certain information to the data subjects concerned and grant them the rights to access, object to, rectify, block and/or delete the personal data relating to them (Articles 9 to 12, DPL).
Data controllers must also implement appropriate technical and organisational security measures to protect personal data against (Article 16 §4, DPL):
accidental or unlawful destruction;
unauthorised alteration or access; and
all other unlawful forms of processing.
If a data processor processes personal data on behalf of the data controller, that data processor must be carefully selected, supervised and its compliance with the security requirements must be checked. In addition, a written contract with the data processor must be concluded (Article 16 §1, DPL).
Personal data can be processed without the data subject's prior consent only if the data processing can be based on one of the other legitimate grounds for processing personal data (see Questions 10 and 11).
Form and content of consent
The data subject's consent must be freely given (that is, the data subject must have a free choice and must be able to withdraw his consent). This requirement is particularly relevant in cases where the data subject is subordinate to the data controller (such as in a typical employer-employee relationship) and where it may therefore be questionable whether consent can be freely given. In addition, the data subject's consent must be specific and informed (Article 1 §8, DPL).
In general, there is no particular form in which consent must be given, and online consent that complies with the above requirements suffices. However, for certain forms of consent (for example, consent to the processing of sensitive or health-related data, see Question 11), the DPL requires that the consent be given in writing (Article 6 §2 (a), DPL).
Consent by minors
A minor under the age of discernment can consent to their personal data being processed through their legal representative (Article 1 §8, DPL), who can withdraw the minor's consent at any time on the minor's behalf.
There is no fixed age at which minors are deemed to have reached the age of discernment, but in a recommendation of 16 September 2002 (Recommendation 38/2002), the Privacy Commission held that minors usually obtain the required insight between the age of 12 and 14.
If no consent has been given, the personal data can be processed only if the processing is necessary (Article 5, DPL):
For the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject before entering into a contract.
For compliance with a legal obligation to which the data controller is subject.
To protect the data subject's vital interests.
For the performance of a task carried out in the public interest, or in the exercise of official authority vested in the data controller or in a third party to whom the data is disclosed.
For the purposes of the legitimate interests pursued by the data controller or by the third party or parties to whom the data is disclosed, except where the interests or fundamental rights and freedoms of the data subject, in particular the right to protection of individual privacy, prevail.
The DPL establishes three categories of personal data requiring special protection:
Sensitive data (that is, personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as data concerning sex life).
Health-related personal data.
Personal data relating to litigation that has been submitted to courts and tribunals as well as to administrative judicial bodies, relating to suspicions, prosecution or convictions in matters of criminal offences, administrative sanctions or security measures (judicial data).
Processing these special categories of personal data is, in principle, prohibited unless it meets the specific requirements of Articles 6 to 8 of the DPL. In particular, sensitive and health-related data can be processed if the processing meets one or more of the following criteria:
The data subject has given his written consent to the processing (provided this consent can be withdrawn by the data subject at any time).
The processing is necessary to comply with labour or social security law obligations.
The processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving his consent.
The data has been manifestly made public by the data subject.
The processing is necessary for the establishment, exercise or defence of a right in law.
The processing is done for the purpose of scientific research (provided certain conditions are satisfied).
The processing is necessary for some medical purposes, such as preventative medicine.
The processing is necessary with a view to an important public interest.
In addition, sensitive data can be processed:
By a non-profit-making organisation in the course of its legitimate activities.
For certain statistical purposes.
By an organisation promoting the defence of human rights (provided certain conditions are satisfied).
Health-related data can also be processed if the processing is necessary to prevent a specific danger or punish a particular criminal offence, or to promote and protect public health.
Judicial data can only be processed in the following exceptional cases:
Under the supervision of a public authority.
By other persons if the processing of the data is necessary for purposes set out by law.
By legal or natural persons for the management of their disputes.
By lawyers exclusively for the defence of their clients' rights.
For the purpose of scientific research (provided certain conditions are satisfied).
Rights of individuals
If personal data is collected directly from the data subject, the data controller must provide the data subject with at least the following information (Article 9 §1, DPL), unless the data subject is already aware of it:
The name and address of the data controller and of his representative, if any.
The purpose(s) of the data processing.
The existence of a right to object to any processing for the purposes of direct marketing.
Additional information may be required to guarantee fair processing, in particular regarding:
The recipients or categories of recipients of the data.
Whether replies to the questions are obligatory or voluntary, as well as the possible consequences of a failure to reply.
The existence of the right of access to and the right to rectify the personal data concerning the data subject.
Any other information that may be imposed by a Royal Decree based on the specific nature of the processing (for example, for health-related data it may be required that the data subject be informed of the reasons for the processing and the categories of persons that will have access to the data).
Where the data has not been obtained directly from the data subject, the data controller must provide the above information, as well as information on the categories of personal data processed. The information should be provided at the time the personal data is recorded or when a disclosure to a third party is envisaged, but no later than the time when the data is first disclosed (Article 9 §2, DPL).
The data controller is exempt from providing the above information in any of the following cases:
The data subject is already aware of the information.
Providing the information proves impossible or would require a disproportionate effort.
The recording or disclosure is expressly laid down by law.
Even where one of these exemptions applies, the data controller must provide the above information when it first contacts the data subject.
Right of access
Every data subject has the right to know (Article 10 §1 a, DPL):
Whether a data controller is processing personal data relating to him.
The categories of data processed.
The purposes of the data processing.
The recipients or categories of recipients to whom the data is disclosed.
In addition, the data subject is entitled to receive:
The personal data concerned in an intelligible form and all available information as to its source (Article 10 §1 b, DPL).
For automated decision-making (see below, Right to be informed about automated decision-making), information on the logic involved in any automatic processing of data concerning him (Article 10 §1 c, DPL).
Information regarding the possibility of initiating proceedings before the Privacy Commission or the president of the Belgian court of first instance, and of accessing the Privacy Commission's register containing all automated processing of personal data (Article 10 §1 d, DPL).
Right to be informed about automated decision-making
A decision producing legal effects for a data subject, or materially affecting him, cannot be taken purely on the basis of automated data processing aimed at evaluating certain aspects of his personality (Article 12bis, DPL).
However, this prohibition does not apply where the decision is taken in the context of an agreement or if it is based on a provision laid down by, or by virtue of, a law, decree or ordinance. Appropriate measures for the protection of the legitimate interests of the data subject must be included in such an agreement or provision and the data subject must at least be allowed to express his point of view in an effective manner.
If automated decision-making is applied, the data subject has the right to be informed about the logic involved in any automatic processing of personal data concerning him (Article 10 §1 c, DPL).
Right to object
Any data subject has the right to object at any time to the processing of personal data relating to him if the data subject has compelling, legitimate grounds relating to his particular situation (Article 12 §1, DPL), except where the processing is necessary (Article 5, b and c, DPL):
For the performance of a contract to which the data subject is party, or to take steps at the request of the data subject before entering into a contract.
To comply with a legal obligation to which the data controller is subject.
In addition, the data subject has the right to object, by simple request and free of charge, to the processing of personal data relating to him for direct marketing purposes (Article 12 §1, DPL).
If the data subject objects to the (intended) processing of personal data relating to him, the data controller must inform the data subject within one month of the measures which have been taken on the data subject's request. If the objection is legitimate, the data controller can no longer process the personal data for the relevant purpose.
Right to rectify, block and erase
A data subject has the right to obtain from the data controller, free of charge, the rectification, deletion or blocking of personal data that is processed in breach of the DPL provisions. In particular, the data subject can request the rectification, deletion or blocking of incomplete or inaccurate personal data (Article 12 §1, DPL). The personal data will only be erased or rectified to the extent that the data is incomplete or not necessary in view of the purpose(s) of the processing.
The data subject can also request the erasure of, or prohibit the use of, personal data:
That is incomplete or irrelevant in view of the purpose of the processing.
Where its recording, communication or storage is prohibited.
That has been stored for longer than the authorised retention period.
The data controller must rectify or erase the personal data within one month of receiving the data subject's request. Within this one-month period, the data controller must also notify the rectification or the erasure to the recipients of the relevant personal data, if these recipients are still known and the notification to the recipients does not appear to be impossible or require a disproportionate effort.
Following the judgment of the European Court of Justice (ECJ) of 13 May 2014, operators of search engines are considered "controllers" that "process" personal data within the meaning of the Data Protection Directive. As a result, the operators must comply with Article 12(b) of the Data Protection Directive, which gives data subjects the right to request the rectification, erasure or blocking of data whose processing does not comply with the Data Protection Directive. Therefore, if the processing of the personal data no longer complies with the Data Protection Directive, operators of search engines can be obliged to remove links to that personal data and to implement a "right to be forgotten". The Privacy Commission has published guidance on how to ask operators of search engines to delete links to personal data (Het recht om vergeten te worden: kunt u online uw sporen wissen, en hoe moet u dat dan doen?/Le droit à l'oubli : peut-on effacer ses traces en ligne et comment doit-on procéder ?). For more information, see www.privacycommission.be.
Data controllers must ensure that appropriate technical and organisational measures are in place to protect personal data against accidental or unlawful destruction or accidental loss, as well as the unauthorised alteration or access and all other unlawful forms of processing (Article 16 §4, DPL).
These measures should ensure an appropriate level of security. To determine the appropriate level of security, the data controller should, on the one hand, take into account the state of the art in this field and the cost of implementing such measures, and, on the other hand, the nature of the data to be protected and the potential risks. To assist data controllers in determining the required levels of security, the Privacy Commission has published standard measures for the security of personal data processing (Referentiemaatregelen voor de beveiliging van elke verwerking van persoonsgegevens/Mesures de référence en matière de sécurité applicables à tout traitement de données à caractère personnel). These can be found at www.privacycommission.be.
There is no requirement under the DPL to notify personal data security breaches to data subjects or to the Privacy Commission.
However, Article 114/1, §2 of the Electronic Communications Law of 13 June 2005 requires companies in the telecommunications sector to notify personal data breaches immediately (within 24 hours) to the Privacy Commission, which must transmit a copy of the notification to the Belgian Institute for Postal Services and Telecommunications (Belgisch Instituut voor postdiensten en telecommunicatie/Institut belge des services postaux et des télécommunications) (BIPT). If the breach is likely to adversely affect the personal data or privacy of individuals, the company must also notify the data subjects affected by the breach.
The obligation to notify the data subjects can be postponed or does not apply in the following cases:
The company asks the Privacy Commission for permission to postpone the notification to the data subjects because notifying them could endanger the investigation of the breach.
The company can show that it had applied appropriate technological protection measures to the personal data affected by the breach (for example, encryption that renders the data unintelligible to anyone not authorised to access it).
In order to facilitate the notification of personal data breaches, the Privacy Commission has published an electronic notification form specifically addressed to telecommunications operators.
Although notification of personal data breaches is not legally required in sectors other than the telecommunications sector, the Privacy Commission has published a Q&A on data breaches on its website. In this Q&A, the Privacy Commission encourages all data controllers, including those outside the telecommunications sector, to notify data breaches. The Privacy Commission has also published on its website a general notification form that can be used by companies from sectors other than the telecommunications sector.
Processing by third parties
If a data controller entrusts a third party (data processor) with processing personal data on its behalf, the data controller must (Article 16 §1, DPL):
Carefully select the data processor.
Supervise the data processor's compliance with all security measures.
Conclude a written contract with the data processor.
The contract must:
Specify the technical and organisational security measures.
Establish the data processor's responsibility towards the data controller.
Stipulate that the data processor will only act on behalf of, and on the instructions of, the data controller.
Stipulate that the persons acting under the authority of the data processor may only process the personal data on the instructions of the data controller, except where an obligation is imposed by, or by virtue of, a law, decree or ordinance.
The use of electronic communications networks to store cookies or equivalent devices on a user's or subscriber's terminal equipment, or to gain access to information already stored there, is authorised on two conditions (Article 129, Electronic Communications Law of 13 June 2005):
The user or subscriber has been informed of the purposes of the data processing and of his rights under the DPL.
The user or subscriber has given his consent to the storage of, or access to, such data.
Consent is not required for cookies that serve only to carry out the transmission of a communication over an electronic communications network, or that are strictly necessary to provide a service explicitly requested by the user or subscriber.
In principle, sending electronic advertisements without the recipient's prior, free, specific and informed consent is prohibited by:
Article XII.13 of the Code of Economic Law (Wetboek van economisch recht/Code de droit économique).
Article VI.110 of the Code of Economic Law (Wetboek van economisch recht/Code de droit économique).
However, Article 1 of the Royal Decree on Spam of 4 April 2003 (Koninklijk besluit tot reglementering van het verzenden van reclame per elektronische post/Arrêté royal visant à réglementer l'envoi de publicités par courrier électronique) (Royal Decree on Spam) provides an exception to this principle. The prior, free, specific and informed consent of the recipient is not required if the recipient is:
A legal person and the e-mail address used for the mailing is a non-personal address (for example, a generic address such as info@example.org, as opposed to firstname.lastname@example.org).
A customer (natural or legal person), in which case three conditions must be fulfilled:
the sender has collected the customer's electronic contact information in connection with the sale of a product or a service;
the electronic contact information is used exclusively in relation to similar products or services; and
the customer was given the opportunity to object, easily and free of charge, to the use of his electronic contact information at the time the information was collected.
In addition, with each message sent:
The recipient must be provided with the opportunity to object to receiving any further messages in an efficient way, free of charge and by electronic means (opt-out).
A recipient who has decided to opt out must receive confirmation, by e-mail and within a reasonable time, that his request has been accepted. The sender must regularly update his contact lists.
The sender must clearly identify himself and may not hide the origin of the message or his address.
Moreover, each message must comply with the relevant provisions of the Code of Economic Law on the content of advertising messages.
International transfer of data
Transfer of data outside the jurisdiction
The DPL applies to all transfers of personal data from Belgium to another country. No special rules apply to transfers within the European Economic Area (EEA) as EEA countries provide an "adequate level of protection".
Special rules apply to data transfers outside the EEA to countries which have not been officially recognised as providing an adequate level of protection. These transfers are in principle prohibited (Article 21, DPL), unless one or more of the following criteria is met (Article 22, DPL):
The data subject has given his unambiguous consent to the proposed transfer.
The transfer is necessary for the performance of a contract between the data subject and the data controller or the implementation of pre-contractual measures taken in response to the data subject's request.
The transfer is necessary for the conclusion or performance of a contract concluded in the data subject's interests between the data controller and a third party.
The transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims.
The transfer is necessary to protect the data subject's vital interests.
The transfer is made from a register which, according to laws or regulations, is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in that particular case.
In addition, the Belgian Minister of Justice can individually authorise a specific transfer of personal data or a category of transfers to a non-EEA country which does not provide an adequate level of protection, if the data controller gives "sufficient guarantees", for example, by concluding a data transfer agreement or adopting binding corporate rules (BCRs). An agreement concluded on 25 June 2013 between the Privacy Commission and the Ministry of Justice has facilitated the authorisation procedure. Under this agreement, companies using the European Commission's standard clauses for their personal data transfers are required to submit these clauses to the Privacy Commission. The Privacy Commission will verify that these clauses do not deviate from the European Commission's Model Clauses. If they do not, the clauses can be used without prior authorisation.
Alternatively, the DPL allows data exporters to draft individual data transfer agreements that are not based on the standard clauses. To rely on such clauses for the international transfer of personal data to third countries, the parties must request prior authorisation from the Ministry of Justice (see Question 21).
Belgium has simplified the procedure for applying for authorisation of BCRs by participating in a mutual recognition procedure. Under the mutual recognition procedure, a lead authority will review a company's BCRs to ensure that they meet the criteria set out by the Article 29 Working Party, an independent European advisory body on data protection and privacy. If the lead authority accepts the BCRs, the Privacy Commission will advise the Minister of Justice to authorise the BCRs.
The non-EEA countries deemed to provide an adequate level of protection are determined by the European Commission. The rules explained above also apply to intra-group transfers of personal data.
Data transfer agreements
The use of data transfer agreements is quite common, and these agreements are automatically considered to provide "sufficient guarantees" for the transfer of personal data to third countries if they are based on the European Commission's standard contractual clauses:
Commission Decision 2004/915/EC of 27 December 2004, OJ 2004, L385/74.
Commission Decision 2002/16/EC of 27 December 2001, OJ 2002, L6/52, replaced by Commission Decision 2010/87/EU of 5 February 2010, OJ 2010, L39/5.
In addition, in March 2014, the Article 29 Working Party adopted a Working Document providing a draft set of contractual clauses for international transfers of personal data from an EU data processor to a non-EU data sub-processor. These contractual clauses have not yet been adopted by the European Commission and so are not binding. In addition, the set of contractual clauses is only a draft and companies must not rely on these clauses in order to offer sufficient guarantees under Article 26.2 of Directive 95/46/EC and under Article 22, last paragraph of the DPL.
Therefore, if a data transfer agreement has been concluded on the basis of the European Commission's standard contractual clauses, prior authorisation is not required (see Question 20). However, the Privacy Commission can request to receive a copy of this data transfer agreement in the context of the notification procedure (see Question 7).
A data transfer, as a form of data processing, must be based on one of the grounds for making the data processing as such legitimate (see Questions 9, 10 and 11) and be carried out in accordance with the principles of the DPL (see Question 8). For instance, the data subject must be informed of the recipients or the categories of recipients of the data (see Question 12).
A data transfer agreement is sufficient to legitimise the data transfer to a third country which does not provide an adequate level of protection, provided it is based on the European Commission's standard contractual clauses for transfers to third countries (see Question 21) or has been authorised by the Minister of Justice (see Question 20).
Consent can constitute a legal basis for the data transfer to a third country (see Question 20). However, consent for a data transfer to third countries is not required if a data transfer agreement is in place.
Approval of a data transfer agreement is only required for agreements that are not based on the European Commission's standard contractual clauses (see Question 21). For those agreements, an authorisation request must be sent to the Ministry of Justice. In practice, data transfer agreements that are not based on the European Commission's standard contractual clauses are not in use and there is no standard form to make such an authorisation request.
Although the Privacy Commission is involved in the authorisation procedure, the authorisation decision is granted by the Minister of Justice by means of a Royal Decree.
Enforcement and sanctions
If the Privacy Commission receives a complaint, its first task is to mediate between the parties. If no solution can be reached, the Privacy Commission can issue an opinion on the case at hand (Article 31 §3, DPL). In addition, the Privacy Commission can initiate an investigation to verify whether the processing of personal data is in accordance with the DPL. In the course of the investigation, the data controller must provide all necessary information and co-operate with the Privacy Commission (Article 32 §1, DPL). The Privacy Commission can also inform the public prosecutor of offences of which it is aware (Article 32 §2, DPL) and can submit to the Belgian court of first instance (criminal section) any dispute relating to the application of the DPL and its implementing measures (Article 32 §3, DPL). For sanctions and remedies for non-compliance with data protection laws, see Question 25.
The processing of personal data in breach of the DPL may constitute a criminal offence (Articles 37 to 39, DPL).
The following criminal offences will attract a fine of EUR550 up to EUR110,000:
The following criminal offences will attract a fine of EUR550 up to EUR550,000:
Failure to comply with the general data protection principles (see Question 8).
Failure to comply with the rules on the processing of special categories of personal data (see Question 11).
Failure to comply with rules regarding the information to be provided to the data subject (see Question 12).
Failure to communicate the information requested by the data subject within 45 days of receipt of the request, or knowingly communicating inaccurate or incomplete data (see Question 13).
Failure to notify a data processing operation (see Question 7).
Providing incomplete or inaccurate information in a notification regarding a data processing operation to the Privacy Commission (see Question 7).
Failure to comply with a request for information of the Privacy Commission (see Question 7).
Transferring personal data to a country outside the EEA contrary to the applicable rules (see Question 20).
On conviction for any of these offences, the court can order (Article 41 § 1-2, DPL):
Confiscation of the media containing the personal data to which the offence relates.
Erasure of the data.
Prohibition of the control of any processing of personal data, directly or through an agent, for a period of up to two years.
Any repeat offences are punishable by a term of imprisonment from three months to two years, and/or a fine of EUR550 to EUR550,000 (Article 41 § 3, DPL).
Finally, a person suffering any harm as a consequence of acts infringing the provisions of the DPL can initiate a civil action for damages (Article 42, DPL).
Data protection infringements currently rarely lead to criminal penalties being imposed. However, the Privacy Commission regularly receives complaints relating to infringements that it will actively examine and that may trigger a further investigation.
The regulatory authority
Privacy Commission (Commissie voor de bescherming van de persoonlijke levenssfeer/Commission de la protection de la vie privée)
Main areas of responsibility. The Privacy Commission supervises compliance with the DPL, issues guidance on the DPL's application, holds a public register of notifications and issues advice on various matters related to the protection of personal data.
Van Bael & Bellis
Professional qualifications. Member of the Brussels bar.
Areas of practice. Data protection and privacy; IP law; new technologies and competition law.