Law and the regulatory authority

Legislative framework

Summarise the legislative framework for the protection of personally identifiable information (PII). Does your jurisdiction have a dedicated data protection law? Is the data protection law in your jurisdiction based on any international instruments on privacy or data protection?

The European Union’s General Data Protection Regulation (GDPR) became directly applicable in Belgium on 25 May 2018.

In the context of this important evolution of the legal framework, the Belgian data protection supervisory authority (formerly called the Commission for the Protection of Privacy) has been reformed by the Act of 3 December 2017 creating the Data Protection Authority (DPA). This reform was necessary to enable the DPA to fulfil the tasks and exercise the powers of a supervisory authority under the GDPR.

On 5 September 2018, the Act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data (Data Protection Act) was published in the Belgian Official Gazette. The Data Protection Act addresses the areas where the GDPR leaves room for EU member states to adopt country-specific rules and implements Directive 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data (the Directive). The Data Protection Act replaced the Act on the Protection of Privacy in relation to the Processing of Personal Data of 8 December 1992.

This chapter mainly focuses on the legislative data protection framework for private sector companies and does not address the specific regime for the processing of PII by police and criminal justice authorities in detail. The responses reflect the requirements set forth by the GDPR and the Data Protection Act.

In addition to the GDPR, a number of international instruments on privacy and data protection apply in Belgium, including:

  • the Council of Europe Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data;
  • the European Convention on Human Rights (article 8 on the right to respect for private and family life); and
  • the Charter of Fundamental Rights of the European Union (article 7 on the right to respect for private and family life and article 8 on the right to the protection of personal data).


There is also sector-specific legislation relevant to the protection of PII. The Electronic Communications Act of 13 June 2005 (the Electronic Communications Act), for instance, imposes specific privacy and data protection obligations on electronic communications service providers.

Data protection authority

Which authority is responsible for overseeing the data protection law? Describe the investigative powers of the authority.

The Belgian Commission for the Protection of Privacy has been replaced by the Belgian DPA. The DPA is responsible for overseeing compliance with data protection law in Belgium. The DPA is headed by a chairperson and consists of five main bodies, each headed by a director (the chairperson also directs the general secretariat):

  • a general secretariat that supports the operations of the DPA and has a number of executive tasks, including establishing the list of processing activities that require a data protection impact assessment, rendering opinions in case of prior consultation by a data controller, and approving codes of conduct and certification criteria, as well as standard contractual clauses and binding corporate rules for cross-border data transfers;
  • a front office service that is responsible for receiving complaints and requests, starting mediation procedures, raising awareness around data protection with the general public and informing organisations of their data protection obligations;
  • a knowledge centre that issues advice on questions related to PII processing and recommendations regarding social, economic or technological developments that may have an impact on PII processing;
  • an investigation service that is responsible for investigating data protection law infringements; and
  • a litigation chamber that deals with administrative proceedings.


Together, the chairperson and the four other directors form the executive committee, which, among other things, approves the DPA’s annual budget and determines its strategy and management plan. The Belgian DPA’s 2020-2025 Strategic Plan was published on 12 March 2020.

In addition, there is an independent reflection board that provides non-binding advice to the DPA on all data-protection-related topics, upon request of the executive committee or the knowledge centre or on its own initiative.

To fulfil its role, the DPA has been granted a wide variety of investigative, control and enforcement powers. The enforcement powers include the power to:

  • issue a warning or a reprimand;
  • order compliance with an individual’s requests;
  • order that affected individuals be informed of a security incident;
  • order that processing be frozen or limited;
  • temporarily or permanently prohibit processing;
  • order that processing activities be brought into compliance with the law;
  • order the rectification, restriction or deletion of PII and the notification thereof to data recipients;
  • order the withdrawal of the accreditation of a certification body;
  • impose penalty payments and administrative fines; and
  • suspend data transfers.


Furthermore, the DPA can transmit a case to the public prosecutor for criminal investigation and prosecution. The DPA can also publish the decisions it issues on its website. The investigation powers of the DPA include the power to:

  • hear witnesses;
  • perform identity checks;
  • conduct written inquiries;
  • conduct on-site inspections;
  • access computer systems and copy all data such systems contain;
  • access information electronically;
  • seize or seal goods, documents and computer systems; and
  • request the identification of the subscriber or regular user of an electronic communication service or electronic communication means.


The investigation service also has the power to take interim measures, including suspending, limiting or freezing PII processing activities.

In addition to the DPA, certain public bodies, such as police agencies, intelligence and security services and the Coordination Unit for Threat Analysis, have a specific authority overseeing their data protection compliance.

Cooperation with other data protection authorities

Are there legal obligations on the data protection authority to cooperate with other data protection authorities, or is there a mechanism to resolve different approaches?

The DPA is required to cooperate with all other Belgian public and private actors involved in the protection of individuals’ rights and freedoms, particularly with respect to the free flow of PII and consumer protection. The DPA must also cooperate with the national data protection authorities of other countries. Such cooperation will focus on, inter alia, the creation of centres of expertise, the exchange of information, mutual assistance for control measures and the sharing of human and financial resources. In cross-border cases, the GDPR’s cooperation and consistency mechanisms apply, including the lead supervisory authority (one-stop-shop) procedure and, where supervisory authorities disagree, binding dispute resolution by the European Data Protection Board.

Breaches of data protection

Can breaches of data protection law lead to administrative sanctions or orders, or criminal penalties? How would such breaches be handled?

The DPA has the power to impose the administrative fines set forth in the GDPR. Depending on the nature of the violation, these fines can go up to €20 million or 4 per cent of an organisation’s total worldwide annual turnover of the preceding financial year, whichever is higher. Breaches of data protection law can also lead to criminal penalties, which can, depending on the nature of the violation, go up to €240,000. In addition, violations of Belgian privacy and data protection law may result in civil actions for damages.

Scope

Exempt sectors and institutions

Does the data protection law cover all sectors and types of organisation or are some areas of activity outside its scope?

Belgian data protection law is generally intended to cover the processing of personally identifiable information (PII) by all types of organisations in all sectors. That being said, certain types of PII processing are (partially) exempted or subject to specific rules, including the processing of PII:

  • by a natural person in the course of a purely personal or household activity; for example, a private address file or a personal electronic diary;
  • solely for journalism purposes, or purposes of academic, artistic or literary expression;
  • by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties;
  • by the intelligence and security services;
  • by the armed forces;
  • by competent authorities in the context of security classification, clearances, certificates and advice;
  • by the Coordination Unit for Threat Analysis;
  • by the Passenger Information Unit; and
  • by certain public bodies that monitor the police, intelligence and security services (such as the Standing Police Monitoring Committee and the Standing Intelligence Agencies Review Committee).


Communications, marketing and surveillance laws

Does the data protection law cover interception of communications, electronic marketing or monitoring and surveillance of individuals? If not, list other relevant laws in this regard.

The General Data Protection Regulation (GDPR) and the Data Protection Act generally apply to the processing of PII in connection with the interception of communications and electronic marketing, as well as monitoring and surveillance of individuals. In addition, these topics are addressed by specific laws and regulations, including:

  • the Belgian Criminal Code, the Electronic Communications Act and Collective Bargaining Agreement No. 81 of 26 April 2002 on the monitoring of employees’ online communications (interception of communications);
  • the Belgian Code of Economic Law, and the Royal Decree of 4 April 2003 regarding spam (electronic marketing); and
  • the Belgian Act of 21 March 2007 on surveillance cameras (as amended by the Act of 21 March 2018), the Royal Decree of 10 February 2008 regarding the signalling of camera surveillance (as amended by the Royal Decree of 28 May 2018), the Royal Decree of 9 March 2014 appointing the categories of individuals authorised to watch real-time images of surveillance cameras in public spaces, and the Collective Bargaining Agreement No. 68 of 16 June 1998 regarding camera surveillance in the workplace (surveillance of individuals).


Other laws

Identify any further laws or regulations that provide specific data protection rules for related areas.

A significant number of laws and regulations set forth specific data protection rules that are applicable in a certain area, for example:

  • the Act of 21 August 2008 on the establishment and organisation of the e-Health Platform (e-health records);
  • Book VII of the Belgian Code of Economic Law on payment and credit services containing data protection rules for the processing of consumer credit data (credit information);
  • Collective Bargaining Agreement No. 81 of 26 April 2002 on the monitoring of employees’ online communications and the Collective Bargaining Agreement No. 68 of 16 June 1998 regarding camera surveillance in the workplace;
  • the Passenger Data Processing Act of 25 December 2016; and
  • the Act of 18 September 2017 on the prevention of money laundering and terrorist financing and the restriction on the use of cash.


PII formats

What forms of PII are covered by the law?

The GDPR and the Data Protection Act apply to the processing of PII, wholly or partly by automatic means, and to the processing other than by automatic means of PII that forms part of a filing system (or is intended to form part of a filing system). PII is broadly defined and includes any information relating to an identified or identifiable natural person.

Extraterritoriality

Is the reach of the law limited to PII owners and processors of PII established or operating in the jurisdiction?

Belgian data protection law applies to processing of PII carried out in the context of the activities of an establishment of a controller or processor in Belgium. In addition, Belgian data protection law can also apply to the processing of PII by organisations that are established outside the European Union. This is the case where such organisations process PII of individuals located in Belgium in relation to offering goods or services to such individuals in Belgium or monitoring the behaviour of such individuals in Belgian territory.

Belgian data protection law will, however, not apply to the processing of PII by a processor established in Belgium on behalf of a controller established in another EU member state, to the extent that the processing takes place in the territory of the member state where the controller is located. In such a case, the data protection law of the member state where the controller is established will apply.

Covered uses of PII

Is all processing or use of PII covered? Is a distinction made between those who control or own PII and those who provide PII processing services to owners? Do owners’, controllers’ and processors’ duties differ?

In principle, all types of PII processing fall within the ambit of Belgian data protection law, regardless of who is ‘controlling’ the processing or merely processing PII on behalf of a controller. The ‘controller’ is any natural or legal person, public authority, agency or other body that alone or jointly with others determines the purposes and means of the processing of PII. Controllers can engage a ‘processor’ to carry out PII processing activities on their behalf and under their instructions. Controllers are subject to the full spectrum of data protection obligations. Processors, on the other hand, are subject to a more limited set of direct obligations under Belgian data protection law (including the obligation to process PII only on the controller’s instructions, keep internal records of PII processing activities, cooperate with the data protection supervisory authorities, implement appropriate information security measures, notify data breaches to the controller, appoint a data protection officer if certain conditions are met and ensure compliance with international data transfer restrictions). In addition to these direct legal obligations, certain data protection obligations will be imposed on processors through their mandatory contract with the controller.

Law stated date

Correct on

Give the date on which the information above is accurate.

28 April 2020.