Following the entry into force of the GDPR on 25 May 2018 (see our news “GDPR – Are you ready?”), the law of 30 July 2018 on the protection of natural persons with regard to the processing of personal data, which repeals the law of 8 December 1992, was published in the Belgian Official Journal on 5 September 2018 and entered into force the same day.
Although the GDPR is directly applicable in all EU Member States, it contains numerous provisions allowing or requiring the Member States to enact national implementing provisions.
The material scope of the new Belgian law is, however, more extensive than a mere implementation of the GDPR. It also transposes Directive 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and regulates in detail the conditions under which personal data can be processed by various public authorities in that context, including by national intelligence and security services, armed forces, the threat assessment coordination body, the passengers information body, or even the body controlling the police information.
The following overview will focus on the consequences of the law of 30 July 2018 for private undertakings rather than the public sector.
Territorial scope of the law
The territorial scope of the law is determined by criteria similar to those outlined in the GDPR. Therefore, the law applies to any processing of personal data in the context of the activities of the establishment of a controller or a processor in Belgium, as well as to any processing of personal data of data subjects who are in Belgium by a controller or processor not established in Belgium where the processing activities are related to the offering of goods or services to data subjects in Belgium or to the monitoring of the behaviour of data subjects in Belgium.
Age of consent
In accordance with the flexibility provided by the GDPR, the Belgian legislator decided to lower to 13 (instead of 16 in the GDPR) the age from which children can themselves consent to the processing of their personal data by a third party wishing to address a direct offer of information society services to them.
Another matter on which the GDPR gives some flexibility to the Member States is the processing of so-called ‘sensitive’ data (particularly, personal data revealing the racial or ethnic origin of the data subject, their political opinions, their religious or philosophical beliefs, their trade union membership, data concerning their health or even their sexual orientation). Namely, the GDPR provides that the Member States can enact reasons of substantial public interest allowing, under certain conditions, the processing of such sensitive data. The Belgian legislator has set a list of processing activities based on such reasons including, in particular, the processing by associations for the defence of human rights or for the assistance to missing or sexually exploited children. Additional conditions oversee the processing of genetic data, biometric data or health-related data.
The GDPR enables the Member States to allow, under certain conditions, the processing of personal data relating to criminal convictions and offences or related security measures by persons other than official authorities. In that respect, the Belgian law notably allows the processing of such data by natural persons or by legal persons governed by public or private law, as long as it is necessary for the management of their own disputes. The law also authorises lawyers to process such data if the defence of their clients requires it. Another specific scenario dealt with by the law is when the personal data are made public by the data subject. In such cases, the processing is allowed provided that it is compatible with the purpose for which the data have been made public. Nonetheless, the lawfulness of those processing activities always depends, in particular, on respect for the confidential nature of these data.
Specific processing purposes
The processing of personal data for journalistic purposes and for the purposes of academic, artistic or literary expression is subject to a lighter legal regime to avoid excessively restricting such activities. In particular, the law waives the data controller’s obligation to provide information and considerably limits the rights of the data subjects.
The law also provides for a derogatory regime for personal data processing made for purposes of archiving in the public interest, scientific or historical research, or statistical purposes. In accordance with the GDPR, the law oversees such processing with appropriate safeguards.
Procedural aspects and sanctions
Procedurally, the law creates the possibility for data subjects to seek a ceasing order in case of unlawful processing or to potentially assert their rights, in particular their right of access and of rectification, their right to be forgotten, or even their right to restrict the processing. The data subject can also mandate a body, an organisation or an association to act on their behalf. As the case may be, such ceasing order may also be requested by competent authorities. The judge, adjudicating in such proceedings, can order not only the termination of the breach but also publicity measures if they can contribute to the termination of the breach or its effects. The judge can also order the data controller or data processor to inform third parties that they had access to data which are inaccurate, incomplete or irrelevant, or whose storage is forbidden. The judge can even be seized by an ex parte application if there are serious reasons to believe that evidence could be concealed, could disappear, or could be made inaccessible, and order any measure to prevent such concealment, disappearance or inaccessibility.
Finally, the law provides for various administrative and criminal sanctions that can be imposed on the data controller or processor, or on their servants or agents.