Recently, and in addition to the new Belgian privacy law, the law establishing the Information Security Committee has also been published in the Belgian Official Gazette. This is the next step Belgium is taking in the context of the implementation of privacy legislation after the law establishing the DPA (Data Protection Authority).
1. What does the Belgian law bring?
The new privacy law definitively abolishes the 1992 privacy law and further implements certain aspects of the GDPR.
The law regulates the processing of personal data by controllers or processors :
- established in Belgium, whether or not the processing takes place in Belgium (except where the controller is established in another EU Member State and uses a Belgian processor, for the processing of personal data in his Member State); or
- not established in the EU but process personal data of data subjects who are on the Belgian territory when processing activities relate to:
- the offering of goods or services to the persons concerned on Belgian territory, whether or not payment is required by the parties involved; or
- monitoring the behaviour of the persons concerned on the Belgian territory.
The law regulates among others the following :
- A child, from the age of 13, has the right to consent to the processing of his / her personal data;
- A list of the processing of personal data that is considered necessary for reasons of significant public interest;
- Additional measures to be taken when processing genetic, biometric or health data;
- The list of the persons who may process and the situations in which processing of data relating to criminal convictions and infringements or related security measures may take place. For example this processing is, inter alia, allowed to lawyers or other legal advisers as far as the defense of the interest of their client so requires;
- The obligation to adopt a protocol with any other body with which the federal government shares personal data.
The controller or the processor is required to establish a list of categories of persons who have access to the processing operations that are considered necessary for important public interest reasons, to genetic, biometric, or health and safety data, or data on criminal convictions and infringements and related security measures. This list must be kept at the disposal of the Data Protection Authority (PDA). They must also ensure that the designated persons are required to observe the confidentiality of these data.
The law provides for a number of administrative and criminal penalties.
2. What does the Information Security Committee bring?
This body was created inter alia to compensate for the abolition of the sectorial committees of the former privacy commission.
The Information Security Committee consists of a social security chamber and a federal authority chamber and is composed of 8 effective members meeting certain competencies, appointed by the Parliament.
Among other things, the committee's task will be to check preventively whether the communication of personal data within the federal government, via the Crossroads Bank for Social Security or of health data, complies with the basic principles of the GDPR and to grant deliberations on this subject.
These deliberations have a general binding scope between the parties and towards third parties and may not conflict with superior legal norms.
The DPA (Data Protection Authority) can test these deliberations with higher legal norms and may ask the Information Security Committee to reconsider, for the future only, a deliberation on the points it has made.