On 5 September 2018, the Act of 30 July 2018 regarding the protection of individuals with respect to the processing of personal data (GDPR Implementation Act) entered into force on its publication in the Belgian State Gazette.

The GDPR Implementation Act addresses the national substantive aspects of the GDPR and introduces several specifications and derogations. At the same time, it abolishes and replaces the current 1992 Data Protection Act and 2001 Royal Decree which implemented it.

Here are some of the important takeaways of the GDPR Implementation Act applying to private-sector companies.

Territorial scope

The territorial scope provisions of the GDPR are fully incorporated into the GDPR Implementation Act. However, the GDPR Implementation Act provides that where the data controller is established in another EU Member State and uses a processor located in Belgium, the national law of that Member State applies to the processor, provided however that the processing takes place in that other Member State.

Age of consent

The GDPR Implementation Act provides that parental/guardian consent for the processing of children’s personal data with regard to the offering of online services is not required for children aged 13 and over. The Belgian legislator thereby lowers the GDPR age of consent from 16 years to 13 years.

Sensitive data

Sensitive data (also referred to as 'special categories of data') are those revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation.

In relation to the processing of health-related, biometric and genetic data, the GDPR Implementation Act introduces, as permitted by the GDPR, the following additional security measures that controllers must take:

  • the controller must keep a list of the categories of persons having access to the data, including a description of their capacity in relation to the data;
  • the controller must communicate this list to the supervisory authority on request; and
  • the persons having access to the data should be bound by a (statutory or contractual) confidentiality obligation.

The above requirements were previously imposed on Belgian controllers by the 1992 Data Protection Act and the 2001 Royal Decree which implemented it.

Criminal conviction data

Pursuant to Article 10 of the GDPR, the processing of personal data relating to criminal convictions and offences or related security measures based on Article 6 (1) may be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. The GDPR Implementation Act provides for a limited number of legal grounds for the processing of criminal conviction data, imposes additional conditions, and introduces specific security measures for the processing thereof.

Criminal conviction data can be processed:

  • by private undertakings, if necessary for the management of litigation to which they are a party;
  • by lawyers or other legal advisors, to the extent necessary to defend the interests of their clients;
  • by other persons, when the processing is necessary for the fulfilment of purposes established by or pursuant to a law; and
  • if necessary for archiving purposes, scientific or historical research or statistical purposes.

The above processing operations are subject to additional conditions similar to those set out above in relation to the processing of health-related, biometric and genetic data.

Restriction on data subjects rights

The GDPR Implementation Act provides restrictions on the data subject’s rights in the following three cases:

  • prevention and detection of criminal offences;
  • protection of important objectives of general public interest such as economic or financial interests, including in the monetary, budgetary and fiscal fields, public health or social security; and
  • control, inspection or regulatory missions related to the exercise of public authority.

In such cases, data controllers do not have to inform data subjects of the processing of their personal data.

Processing for journalistic purposes and for academic, artistic or literary expression

The GDPR Implementation Act includes various restrictions on data subjects’ rights when personal data is processed for journalistic purposes and for the purpose of academic, artistic or literary expression, provided that the controller abides by the ethical rules applicable to professional journalism. For example, data subjects may not object to the processing of their data nor do they have the right to access or rectify such data.

Cease-and-desist proceedings

The GDPR Implementation Act introduces a cease-and-desist procedure allowing claims for alleged violations of data protection legislation to be brought before the President of the Court of First Instance. The Belgian Data Protection Authority (DPA) may also bring such claims before the Court of First Instance.

If the claim is well founded, the President may order the infringer to cease the infringing practices and impose a private penalty if the order is not complied with. The President may also order the display or publication of its decision. The cease-and-desist proceedings do not allow the claimant to obtain damages. To claim damages or monetary compensation, the data subject would have to initiate separate proceedings on the merits.

Sanctions and penalties

The sanctions for violations of the provisions of the GDPR, including the administrative fines, are fully incorporated in the GDPR Implementation Act.

In addition, the GDPR Implementation Act also provides for criminal sanctions.

You can read the text of the bill here in Dutch and French.

Other items

Aside from implementing the GDPR into Belgian law, the GDPR Implementation Act also implements Directive (EU) 2016/680 of the European Parliament and of the European Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data.