
Collection and storage of data

Collection and management
In what circumstances can personal data be collected, stored and processed?

The collection of personal data must be transparent. The person wishing to collect the data must clearly state the exact purpose for which the data will be collected and the data controller cannot obtain more data than is required for that purpose.

In any case, it is prohibited to collect sensitive personal data. Certain exceptions apply, but these are limited and depend on the specific case. Written consent of the individual is always required.

The processing of personal data is allowed only in the following cases:

  • The data subject has unambiguously given his or her consent;
  • Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject before entering into a contract;
  • Processing is necessary for compliance with a legal obligation to which the controller is subject;
  • Processing is necessary in order to protect the vital interests of the data subject;
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data is disclosed; or
  • Processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data is disclosed, except where such interests are overridden by the interests of the fundamental rights and freedoms of the data subject.

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

Personal data can be stored only for a limited period of time – that is, no longer than is necessary for the realisation of the purpose for which it is collected and processed.

A limited number of statutes (eg, tax or social security laws) provide for specific retention periods (eg, five to seven years) with respect to certain records.

Do individuals have a right to access personal information about them that is held by an organisation?

Yes, they do. On request, data controllers must inform individuals of:

  • the personal data that they process;
  • the purposes of such processing; and
  • the recipients or categories of recipient of the data.

Do individuals have a right to request deletion of their data?

Data subjects have a right to oppose the processing of their personal data for serious and legitimate reasons, unless such processing is necessary for the performance of a contract or to comply with the law.

As far as deletion is concerned, data subjects may demand deletion of their data if it is inaccurate, incomplete or obsolete in light of the purpose of the processing. In addition, they may also request rectification of any incorrect data. 

Consent obligations
Is consent required before processing personal data?

The explicit and unambiguous consent of an individual is required for the processing of personal data, unless one of the conditions set forth in Article 5 of the Act of December 8 1992 on the Protection of Privacy with respect to the Processing of Personal Data is met (see “If consent is not provided, are there other circumstances in which data processing is permitted?” below).

If consent is not provided, are there other circumstances in which data processing is permitted?

Yes, if the processing is necessary:

  • for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject before entering into a contract;
  • for compliance with a legal obligation to which the controller is subject;
  • in order to protect the vital interests of the data subject;
  • for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or a third party to which the data is disclosed; or
  • for the purposes of the legitimate interests pursued by the controller or the third party or parties to which the data is disclosed, except where such interests are overridden by the interests of the fundamental rights and freedoms of the data subject.

What information must be provided to individuals when personal data is collected?

Data controllers must inform individuals of the following:

  • the data that is collected, stored and processed;
  • the purposes of the processing;
  • the recipients or categories of recipient of the data;
  • all information available regarding the source of the data collected; and
  • the individual’s right of access, rectification and deletion.

Data transfer and third parties

Cross-border data transfer
What rules govern the transfer of data outside your jurisdiction?

Personal data may be transferred to recipients in EU member states or states that are parties to the European Economic Area (EEA) Agreement, provided that there is justification for the data transfer. In addition, data transfers are allowed to a number of countries outside the EEA which are deemed by the European Commission to provide an adequate level of data protection.

As far as other countries are concerned, data transfers are permitted only with the data subject’s consent or if an adequate level of data protection is ensured by:

  • standard contractual clauses approved by the European Commission;
  • equivalent data transfer agreements approved by the Belgian Data Protection Authority; or
  • with respect to transfers between legal entities of multinational groups of companies, binding corporate rules.

Are there restrictions on the geographic transfer of data?

Yes. Countries outside the EEA (with the exception of Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland and Uruguay) are considered unsafe in terms of data protection. Therefore, data transfers to such countries are allowed only if such transfers are covered by:

  • standard contractual clauses approved by the European Commission;
  • equivalent data transfer agreements approved by the Belgian Data Protection Authority; or
  • with respect to transfers between legal entities of multinational groups of companies, binding corporate rules.

Third parties
Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?

The Act of March 11 2003 on Certain Legal Aspects of the Services of the Information Society includes provisions that regulate the liability of third-party data processors that act merely as an intermediary (Articles 18 to 20). The act distinguishes between acting as a mere conduit, caching and hosting.
