On June 25, 2013, the Belgian Data Protection Authority (the “Privacy Commission”) and the Belgian Ministry of Justice agreed on a Protocol (available in French and in Dutch) establishing new rules for the approval of international data transfer agreements.
Previously, data controllers in Belgium only had to obtain authorization for international data transfers that were based on ad hoc data transfer agreements. No authorization was required for international data transfers based on one of the European Commission’s model contracts. With the new Protocol, however, authorization will be required for both types of international data transfers. The Protocol stipulates that all data transfer agreements will need to be sent to the Privacy Commission for review. If the Privacy Commission concludes that the data transfer agreement incorporates the European Commission’s model clauses, the Privacy Commission will inform the data controller that the proposed international data transfers are permitted. Accordingly, although data controllers using model contracts previously did not need to obtain this type of formal approval, they now will need to wait for confirmation from the Privacy Commission before initiating their international data transfers.
The Ministry of Justice will retain the authority to approve non-standardized data transfer agreements, but the Protocol simplifies the approval procedure by having the Privacy Commission take the lead in examining whether the data transfer agreement provides adequate safeguards for the international data transfer. If the Privacy Commission determines the safeguards are adequate, the Ministry of Justice will only need to verify that the entity complied with the applicable procedural rules before approving the agreement by Royal Decree.
Although the introduction of a formal approval requirement for model contracts may be perceived as a step back, it was already common practice for entities registering data processing activities with the Belgian Privacy Commission to submit their model contracts to the Privacy Commission together with the registration form. The Privacy Commission would then send a letter to the data controller acknowledging that the data transfer agreement includes the European Commission’s model clauses and thus provides an adequate level of data protection.
The Protocol is similar to the 2011 Protocol established by the Privacy Commission and the Ministry of Justice to facilitate the approval of binding corporate rules.