The process for the implementation of the General Data Protection Regulation (“GDPR”) is occurring in two phases in Belgium.
The first phase was the reform of the former “Privacy Commission” into a full-fledged investigative and sanctioning authority: the Belgian Data Protection Authority (“DPA”) (see our previous article). The DPA formally exists since 25 May 2018, although its tasks are currently still performed by the ‘old’ members of the Privacy Commission, until the new members are formally appointed.
In a second phase, a framework act addressing the national substantive aspects of the GDPR (the “Framework Act”) has been adopted by the Belgian Federal Parliament on 19 July 2018. The Framework Act adapts national legislation to the GDPR and introduces several specifications and derogations. This Framework Act is supplemented by a second act creating a new public law body, the “Information Security Committee”, and amending various laws. Both acts will enter into force upon (or shortly after) their publication in the Belgian State Gazette, which has not yet occurred.
Main provisions of the Belgian Framework Act
The most noticeable provisions of the Framework Act applying to private-sector companies are the following:
1. Territorial scope
The Framework Act fully incorporates the provisions of the GDPR relating to its territorial scope. In addition, the Act specifies that it will not apply in situations where the controller is established in another EU Member State even if the processor is located in Belgium, provided however that the processing takes place in that other Member State. In that case, the national law of the other Member State applies.
2. Age of digital consent set at 13
The Framework Act sets the bar for parental / guardian consent to be obtained for information society services offered directly to a child at 13 years. The Belgian legislator thereby lowers the GDPR age of 16 years to 13 years.
As permitted by the GDPR, the Framework Act imposes a number of additional conditions for the processing of genetic, biometric or health data. Data controllers and processors of such data are obliged to: (i) designate the persons that are entitled to consult these categories of data and describe their capacity as regards the processing, (ii) draft a list of these persons (and keep this list available for the competent supervisory authority); and (iii) ensure that these persons are bound by legal or contractual confidentiality obligations.
4. Data relating to criminal convictions and offences
The Framework Act provides a list of legal grounds for processing data relating to criminal convictions and offences, e.g. processing operations which are necessary for the management of own disputes, processing by lawyers or other legal advisors for the defence of their clients’ interests, etc. Such processing operations are subject to similar additional conditions as for the processing of genetic, biometric or health data.
5. Additional situation requiring the appointment of a DPO
In accordance with article 37.4 GDPR, the Framework Act stipulates that private organisations which process personal data on behalf of a federal authority or to which a federal authority transfers personal data, are required to designate a DPO, where the processing could lead to a ‘high risk’ to the rights and freedoms of natural persons – as referred to in article 35 of the GDPR.
As a result, lawyers, notaries and bailiffs having access to the national register will have to do such risk assessment in order to know whether they should appoint a DPO. Likewise, non-profit organisations that have access to the national register, or companies that have access to the national social security database, the crossroad database for vehicles, or any other government database, should take this provision into account.
6. Cease-and-desist procedure
The Framework Act reintroduces a cease-and-desist procedure, so that claims for alleged infringements of data protection legislation can be brought before the President of the Court of First Instance. Also the DPA can bring such claims before the Court of First Instance. If the court finds an infringement, it may order the infringer to cease the infringing practices and impose penalty payments if the order is not respected. The Court may also order to display or publish its decision (or a summary thereof). Damages cannot be requested in this procedure. To obtain damages, distinct proceedings on the merits will have to be initiated.
7. Sanctions and penalties
As a final point, the Framework Act takes over the sanctions mentioned in the GDPR, including the administrative fines, for infringements of the provisions of the Belgian Framework Act. Besides these sanctions, the Framework Act also lays down criminal sanctions, thus continuing (as was the case in the past) to make the infringement of data protection legislation a criminal offence.