Jurisdiction snapshot

Trends and climate
Would you consider your national data protection laws to be ahead of or behind the international curve?

The national data protection laws are ahead of the international curve. The main privacy law in Belgium is the Act of December 8 1992 on the Protection of Privacy with respect to the Processing of Personal Data (the ‘Data Protection Act’), which has been amended several times to reflect the privacy rules set forth in the EU Data Protection Directive. The Belgian Data Protection Authority has issued a number of decisions, guidelines and recommendations on privacy issues in recent years in which it usually follows (or even simply refers to) the position of the Article 29 Working Party.

Are any changes to existing data protection legislation proposed or expected in the near future?

No immediate changes to the existing Data Protection Act are expected. However, this will change when the EU General Data Protection Regulation enters into force on May 25 2018, as it will have direct effect in EU member states.

However, in certain cases EU member states will be able to uphold their own rules and deviate from or supplement the EU data protection regime. The Belgian government has not yet made public its intentions in this respect.

Legal framework

Legislation
What legislation governs the collection, storage and use of personal data?

The collection, storage and use of personal data are governed by the Act of December 8 1992 on the Protection of Privacy with respect to the Processing of Personal Data (the ‘Data Protection Act’). A number of the act’s provisions were implemented by the Decree-Law of February 13 2001.

Other legislation containing provisions on privacy and data protection include the Act of March 11 2003 on Certain Legal Aspects of Information Society Services and the Act of June 13 2005 on Electronic Communications.

Scope and jurisdiction
Who falls within the scope of the legislation?

The Data Protection Act applies to all natural or legal persons that collect personal data for use in automated processing systems or that process the personal data in such systems.

What kind of data falls within the scope of the legislation?

The Data Protection Act applies only to the processing of ‘personal data’, which is defined as any information relating to an identified or identifiable natural person. An ‘identifiable person’ is one who can be directly or indirectly identified, particularly by reference to an identification number or one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity.

Are data owners required to register with the relevant authority before processing data?

Yes, although certain exceptions apply. In principle, before starting any data processing activities the data controller must notify the Belgian Data Protection Authority. No specific authorisation is required.

Certain automated processing activities (eg, processing related to client administration, personnel administration, payroll and bookkeeping) are excluded from the notification requirement, provided that they meet certain conditions (as established in the Decree-Law of February 23 2001).

Is information regarding registered data owners publicly available?

Yes. A public register is available which includes all notifications. The public register can be consulted at the Belgian Data Protection Authority’s offices and online. It is also possible to obtain an excerpt from the public register.

If the data controller is exempt from notification, it must still provide all of the information that would have to be included in the notification form to any person who may request this information.

Is there a requirement to appoint a data protection officer?

In Belgium, there is no legal requirement to appoint a data protection officer.

However, when the EU General Data Protection Regulation enters into force the appointment of a data protection officer will become mandatory for all public authorities and entities where:

  • the core activities of the controller or the processor involve regular and systematic monitoring of data subjects on a large scale; or
  • the entity conducts large-scale processing of sensitive personal data (ie, data revealing ethnic or racial origins, political opinions, religious or philosophical beliefs or sexual orientation).

Enforcement
Which body is responsible for enforcing data protection legislation and what are its powers?

The Belgian Data Protection Authority is the regulating authority with respect to privacy and data protection matters. However, it has no real enforcement powers. At present, the authority acts only as a mediator in disputes between data subjects and data controllers and issues guidelines relating to data protection. It is also consulted by the legislature in relation to new data protection legislation.

If a data controller fails to comply with the applicable legislation, the authority may inform the public prosecutor’s office. However, it has no power itself to prosecute or impose fines on companies or organisations.

When the EU General Data Protection Regulation enters into force in 2018, the powers of the Belgian Data Protection Authority will be extended. It will acquire increased investigative powers (eg, data protection audits) and will have the right to initiate legal proceedings. In addition, the authority will be able to impose temporary measures or administrative fines.

Collection and storage of data

Collection and management
In what circumstances can personal data be collected, stored and processed?

The collection of personal data must be transparent. The person wishing to collect the data must clearly state the exact purpose for which the data will be collected and the data controller cannot obtain more data than is required for that purpose.

As a rule, the collection of sensitive personal data is prohibited. Certain exceptions apply, but these are limited and depend on the specific case. Written consent of the individual is always required.

The processing of personal data is allowed only in the following cases:

  • The data subject has unambiguously given his or her consent;
  • Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject before entering into a contract;
  • Processing is necessary for compliance with a legal obligation to which the controller is subject;
  • Processing is necessary in order to protect the vital interests of the data subject;
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data is disclosed; or
  • Processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data is disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject.

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

Personal data can be stored only for a limited period of time – that is, no longer than is necessary for the realisation of the purpose for which it is collected and processed.

A limited number of statutes (eg, tax or social security laws) provide for specific retention periods (eg, five to seven years) with respect to certain records.

Do individuals have a right to access personal information about them that is held by an organisation?

Yes, they do. On request, data controllers must inform individuals of:

  • the personal data that they process;
  • the purposes of such processing; and
  • the recipients or categories of recipient of the data.

Do individuals have a right to request deletion of their data?

Data subjects have a right to oppose the processing of their personal data for serious and legitimate reasons, unless such processing is necessary for the performance of a contract or to comply with the law.

As far as deletion is concerned, data subjects may demand deletion of their data if it is inaccurate, incomplete or obsolete in light of the purpose of the processing. They may also request rectification of any incorrect data.

Consent obligations
Is consent required before processing personal data?

The explicit and unambiguous consent of an individual is required for the processing of personal data, unless one of the conditions set forth in Article 5 of the Act of December 8 1992 on the Protection of Privacy with respect to the Processing of Personal Data is met (see “If consent is not provided, are there other circumstances in which data processing is permitted?” below).

If consent is not provided, are there other circumstances in which data processing is permitted?

Yes, if the processing is necessary:

  • for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject before entering into a contract;
  • for compliance with a legal obligation to which the controller is subject;
  • in order to protect the vital interests of the data subject;
  • for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or a third party to which the data is disclosed; or
  • for the purposes of the legitimate interests pursued by the controller or the third party or parties to which the data is disclosed, except where such interests are overridden by the interests of the fundamental rights and freedoms of the data subject.

What information must be provided to individuals when personal data is collected?

Data controllers must inform individuals of the following:

  • the data that is collected, stored and processed;
  • the purposes of the processing;
  • the recipients or categories of recipient of the data;
  • all information available regarding the source of the data collected; and
  • the individual’s right of access, rectification and deletion.

Data security and breach notification

Security obligations
Are there specific security obligations that must be complied with?

Article 16(4) of the Act of December 8 1992 on the Protection of Privacy with respect to the Processing of Personal Data (the ‘Data Protection Act’) provides that data controllers and data processors must implement sufficient technical and organisational security measures with respect to the protection of personal data against destruction, accidental loss and any non-authorised processing of data. Although the Data Protection Act imposes no specific security measures, the notification form used by the Belgian Data Protection Authority for the notification of data processing activities lists a wide range of possible security measures, including physical access control, encryption, appropriate clauses in contracts with personnel and processors, access logging and prevention plans.

Breach notification
Are data owners/processors required to notify individuals in the event of a breach?

Data owners or controllers must inform the individuals of a data breach without undue delay if there is a high risk that their data could be used by third parties. Notification is not required if the data is encrypted or if measures have been taken to ensure that the data subject cannot be identified. However, the Belgian Data Protection Authority can always order the data controller to inform the individual of the data breach.

Are data owners/processors required to notify the regulator in the event of a breach?

At present, the only legal notification requirement applies to companies in the telecoms sector.

Pursuant to Articles 114(2)-(3) of the Act of June 13 2005 on Electronic Communication (the ‘Electronic Communication Act’), data owners (ie, companies offering electronic communication services) must notify the Belgian Data Protection Authority and the Belgian telecoms regulator in case of a data breach.

Pursuant to Article 33 of the EU General Data Protection Regulation, the data owner must notify the Belgian Data Protection Authority in case of a data breach, unless the breach is unlikely to result in a risk. On the other hand, the data processor must always notify the data owner in case of a data breach.

Electronic marketing and internet use

Electronic marketing
Are there rules specifically governing unsolicited electronic marketing (spam)?

Yes, these are laid down in:

  • Articles 13 to 15 of the Act of March 11 2003 on Certain Legal Aspects of Information Society Services;
  • the Decree-Law of April 4 2003 on the Regulation on the Transmission of Advertising by Electronic Mail; and
  • several recommendations of the Belgian Data Protection Authority:
    • Recommendation 34/2000 of November 22 2000;
    • Recommendation 4/2009 of October 14 2009; and
    • Recommendation 2/2013 of January 30 2013.

As a rule, marketing emails are permitted only if the recipient has previously given consent. The only exception to this opt-in requirement applies to emails sent by a company to its existing customers in relation to products or services that are identical or similar to the products or services already purchased by those customers. In such cases, the recipient must be able to opt out (ie, ask the sender to stop sending marketing emails).

Cookies
Are there rules governing the use of cookies?

Article 129 of the Electronic Communication Act deals with the use of cookies. The user must be informed of the exact purpose of the processing and of his or her rights. The user must also actively accept the use of cookies (and must be given the possibility to withdraw this acceptance at any time).

Further, in 2015 the Belgian Data Protection Authority issued a recommendation on the use of cookies (Recommendation 1/2015 of February 4 2015).

Data transfer and third parties

Cross-border data transfer
What rules govern the transfer of data outside your jurisdiction?

Personal data may be transferred to recipients in EU member states or states that are parties to the European Economic Area (EEA) Agreement, provided that there is justification for the data transfer. In addition, data transfers are allowed to a number of countries outside the EEA which are deemed by the European Commission to provide an adequate level of data protection.

As far as other countries are concerned, data transfers are permitted only with the data subject’s consent or if an adequate level of data protection is ensured by:

  • standard contractual clauses approved by the European Commission;
  • equivalent data transfer agreements approved by the Belgian Data Protection Authority; or
  • with respect to transfers between legal entities of multinational groups of companies, binding corporate rules.

Are there restrictions on the geographic transfer of data?

Yes. Countries outside the EEA (with the exception of Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland and Uruguay) are considered unsafe in terms of data protection. Therefore, data transfers to such countries are allowed only if such transfers are covered by:

  • standard contractual clauses approved by the European Commission;
  • equivalent data transfer agreements approved by the Belgian Data Protection Authority; or
  • with respect to transfers between legal entities of multinational groups of companies, binding corporate rules.

Third parties
Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?

The Act of March 11 2003 on Certain Legal Aspects of the Services of the Information Society includes provisions that regulate the liability of third-party data processors that act merely as an intermediary (Articles 18 to 20). The act distinguishes between acting as a mere conduit, caching and hosting.

Penalties and compensation

Penalties
What are the potential penalties for non-compliance with data protection provisions?

The penalty provisions are included in Articles 37 to 43 of the Act of December 8 1992 on the Protection of Privacy with respect to the Processing of Personal Data (the ‘Data Protection Act’). Data owners and data controllers that do not comply with the data protection provisions may be subject to fines of between €600 and €100,000.

Compensation
Are individuals entitled to compensation for loss suffered as a result of a data breach or non-compliance with data protection provisions by the data owner?

Yes. Individuals can file a complaint with the Belgian Data Protection Authority, which will mediate between parties with a view to reaching an amicable solution. Individuals may also choose to file a complaint with the public prosecutor or the president of the Court of First Instance in order to obtain compensation for any loss suffered.

However, as the investigative and enforcement powers of the Belgian Data Protection Authority will increase, individuals are likely in future to prefer filing a complaint with the Belgian Data Protection Authority over initiating criminal or civil proceedings before the courts.

Cybersecurity

Cybersecurity legislation, regulation and enforcement
Has legislation been introduced in your jurisdiction that specifically covers cybercrime and/or cybersecurity?

As yet, there is no specific Belgian legislation on cybersecurity. Instead, Belgium relies on international standards and the proposal for an EU directive on the issue. Further, the banking sector introduced some sector-specific security guidelines in a 2009 circular.

With respect to cybercrime, Belgium was one of the first countries in the European Union to implement cybercrime legislation in its Criminal Code (through the Act of November 28 2000). The new crimes introduced included:

  • forgery (Article 210bis of the Criminal Code);
  • fraud in informatics (Article 504quater of the Criminal Code);
  • sabotage in informatics (Article 550ter of the Criminal Code); and
  • internal/external hacking (Article 550bis of the Criminal Code).

Criminal procedure was also amended in order to offer the judicial authorities proper instruments to investigate the new criminal offences adequately. The new instruments included:

  • the interception of electronic communications (Article 90ter of the Code of Criminal Procedure);
  • seizure of digital data (Article 39bis of the Code of Criminal Procedure);
  • identification of users of electronic communications services (Article 46bis of the Code of Criminal Procedure);
  • tracing of electronic communications (Article 88bis of the Code of Criminal Procedure); and
  • network searches (Article 88ter of the Code of Criminal Procedure).

Providers of electronic communications services and network operators are obliged to provide appropriate assistance to the authorities when receiving requests relating to one of the abovementioned investigative acts (Articles 46bis, 88bis, 88quater and 90quater of the Code of Criminal Procedure).

What are the other significant regulatory considerations regarding cybersecurity in your jurisdiction (including any international standards that have been adopted)?

At EU level, in February 2013 a proposal for a directive on measures to safeguard a common high level of network and information security within the European Union was introduced.

In Belgium, International Organisation for Standardisation/International Electrotechnical Commission Standard 27001 (ISO/IEC 27001) has been implemented in order for companies to safeguard their information. This standard provides guidelines to keep information and assets secure. According to the standard, financial information, intellectual property, employee details and other entrusted information must be properly secured. It is the most commonly used standard for implementing an information security management system.

When it comes to cybersecurity, Belgium still lacks a coordinated approach and collaboration between the government and private companies. Following the establishment of the Centre for Cybersecurity in Belgium (introduced by the Decree-Law of October 10 2014 and operational since August 2015), the enhancement of cybersecurity regulation is expected in the near future.

Which cyber activities are criminalised in your jurisdiction?

The following cyber activities are criminalised:

  • forgery (Article 210bis of the Criminal Code);
  • fraud in informatics (Article 504quater of the Criminal Code);
  • sabotage in informatics (Article 550ter of the Criminal Code); and
  • internal/external hacking (Article 550bis of the Criminal Code).

Which authorities are responsible for enforcing cybersecurity rules?

The Centre for Cybersecurity in Belgium was introduced by the Decree-Law of October 10 2014 and has been operational since August 2015. The centre is responsible for intervening when Belgian authorities suffer cyberattacks and deals with potential hacking threats.

Cybersecurity best practice and reporting
Can companies obtain insurance for cybersecurity breaches and is it common to do so?

Yes. Many Belgian companies obtain insurance for cybersecurity breaches. The number of companies doing so has risen in recent years, given the increase in cyberattacks – in 2013, only 5% of the companies bought such insurance policies, while in 2014 13% were insured for cybersecurity breaches.

Are companies required to keep records of cybercrime threats, attacks and breaches?

As yet, there are no specific rules on maintaining records of cybercrime threats, attacks and breaches.

Are companies required to report cybercrime threats, attacks and breaches to the relevant authorities?

Only telecoms companies are legally required to notify the Belgian Data Protection Authority and the Belgian telecoms regulator of a data leak.

For other companies, Article 33 of the EU General Data Protection Regulation has introduced a new duty for data owners to notify the Belgian Data Protection Authority in case of a data breach, unless the data breach is unlikely to result in a risk. On the other hand, the data processor must always notify the data owner in case of a data breach.

Are companies required to report cybercrime threats, attacks and breaches publicly?

At present, no rules require companies to report cybercrime threats, attacks and breaches publicly.

Criminal sanctions and penalties
What are the potential criminal sanctions for cybercrime?

With respect to forgery and fraud in informatics, the penalties are imprisonment of between six months and five years, a fine of €156 to €600,000, or both.

With respect to sabotage in informatics and internal and external hacking, the penalties are imprisonment of between three months and one year, or between six months and two years in case of fraudulent intent, a fine of €156 to €125,000, or both.

What penalties may be imposed for failure to comply with cybersecurity regulations?

Since no cybersecurity regulations apply as yet, no penalties can be imposed. However, an individual can sue a company for the loss of his or her data by filing a complaint with the Belgian Data Protection Authority, the public prosecutor or the president of the Court of First Instance.