Jurisdiction snapshot

Trends and climate

Would you consider your national data protection laws to be ahead of or behind the international curve?

The national data protection laws are ahead of the international curve. The main privacy law in Belgium is the Act of December 8 1992 on the Protection of Privacy with respect to the Processing of Personal Data (the ‘Data Protection Act’), which has been amended several times to reflect the privacy rules set forth in the EU Data Protection Directive. The Belgian Data Protection Authority has issued a number of decisions, guidelines and recommendations on privacy issues in recent years in which it usually follows (or even simply refers to) the position of the Article 29 Working Party (which will be replaced by the European Data Protection Board under the General Data Protection Regulation (GDPR)).

This is also evidenced by the fact that, although the GDPR introduces a number of new obligations, especially for data processors, as well as some mandatory data protection measures (eg, data protection officers, detailed processing records), the GDPR will not entail such a radical reform of the data protection legislation and industry standards in place in Belgium as it might bring about for the national data protection frameworks of other EU member states.

Are any changes to existing data protection legislation proposed or expected in the near future?

On November 17 2017 the Chamber of Representatives approved the draft law transforming the Belgian Privacy Commission into the Belgian Data Protection Authority and aligning the fines under the Data Protection Act with those set out in the GDPR. The draft law will need to be ratified by the king and will enter into force on May 25 2018.

No further substantive changes to the existing data protection legislation are expected for the moment, taking into account the entry into force of the directly applicable GDPR on May 25 2018.

However, to some extent EU member states will be able to uphold their own rules and supplement the EU data protection regime (eg, additional lawful bases for processing without consent). The government has not yet made public its intentions in this respect.

Legal framework

Legislation

What legislation governs the collection, storage and use of personal data?

The collection, storage and use of personal data are governed by the Act of December 8 1992 on the Protection of Privacy with respect to the Processing of Personal Data (the ‘Data Protection Act’). A number of the act’s provisions were implemented by the Royal Decree of February 13 2001.

Other legislation containing provisions on privacy and data protection includes the Act of March 11 2003 on Certain Legal Aspects of Information Society Services and the Act of June 13 2005 on Electronic Communications.

The General Data Protection Regulation (GDPR) is about to replace the general legal framework for data protection in all EU member states.

Scope and jurisdiction

Who falls within the scope of the legislation?

The Data Protection Act applies to all natural or legal persons that collect personal data for use in automated processing systems or that process the personal data in such systems.

Under the GDPR, businesses established in the European Union are the primary focus. Nonetheless, a company outside the European Union targeting and processing personal data from EU citizens will also be subject to the GDPR (country of destination rule).

What kind of data falls within the scope of the legislation?

The Data Protection Act applies only to the processing of ‘personal data’, which is defined as any information relating to an identified or identifiable natural person. An ‘identifiable person’ is one who can be directly or indirectly identified, particularly by reference to an identification number or one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity. The material scope of protection largely remains unchanged under the forthcoming GDPR.

Are data owners required to register with the relevant authority before processing data?

Yes, although certain exceptions apply. In principle, before starting any data processing activities the data controller must notify the Belgian Data Protection Authority. No specific authorisation is required.

Certain automated processing activities (eg, processing related to client administration, personnel administration, payroll and bookkeeping) are excluded from the notification requirement, provided that they meet certain conditions (as established in the Royal Decree of February 13 2001).

The notification obligation of the Data Protection Directive 95/46/EC is no longer mandatory under the GDPR and is in fact replaced by an obligation for processors and controllers to keep detailed records of their processing activities (including location, data subjects, purpose and security measures).

On June 14 2017 the Belgian Data Protection Authority issued guidance regarding the new recordkeeping obligation that replaces the ineffective notification obligation of Article 17 of the Privacy Act. Both obligations were introduced to serve the same purpose (ie, to prompt the controller to identify its processing operations and provide certain information on them).

In its communication the authority admitted that the notification obligation failed to achieve its goal in practice, due to the fact that it is usually perceived by data processors as a mere administrative burden and is therefore often not being complied with.

The new obligation to keep processing records – which will remain a mere internal instrument – differs from the notification obligation in that these records are not directly accessible to data subjects, as they will not be included in a public register. However, since the former public register of submitted processing notifications was only rarely consulted in the past, the authority qualified the effectiveness of this transparency requirement.

As the same was observed in other EU member states, where a similar notification obligation was introduced under the auspices of Directive 95/46/EC, the European Union decided to do away with this notification obligation in the GDPR and chose instead to oblige data processors and controllers to keep internal but more detailed processing records, which must also be provided to the supervisory authority on its first request (a posteriori control).

Is information regarding registered data owners publicly available?

Yes. A public register is available which includes all notifications. The public register can be consulted at the Belgian Data Protection Authority’s offices and online. It is also possible to obtain an excerpt from the public register.

Is there a requirement to appoint a data protection officer?

In Belgium, there is no legal requirement to appoint a data protection officer.

However, when the GDPR enters into force the appointment of a data protection officer will become mandatory for all public authorities and entities where:

  • the core activities of the controller or the processor involve regular and systematic monitoring of data subjects on a large scale; or
  • the entity conducts large-scale processing of sensitive personal data (ie, data revealing ethnic or racial origins, political opinions, religious or philosophical beliefs or sexual orientation).

Enforcement

Which body is responsible for enforcing data protection legislation and what are its powers?

Whereas the Belgian Data Protection Authority currently has only limited enforcement powers and mostly acts as a mediator in disputes between data subjects and controllers, a new draft law on the authority’s reform was unanimously approved by the Belgian Chamber of Representatives on November 16 2017, granting the new authority extensive investigative and sanctioning powers. The new authority can impose fines of up to €20 million or up to 4% of the total worldwide annual turnover of the infringing company. Another novelty introduced by the draft law is that, apart from natural persons, legal persons, associations and institutions will also be able to lodge a complaint about an alleged data protection infringement. Ratification of the draft law by the king is still awaited to complete the legislative process. Its entry into force is scheduled for May 25 2018, simultaneously with the GDPR.

In spite of the expansion of the authority’s powers, the government has unfortunately decided not to increase its budget. The authority will have to perform more tasks, but with the same resources. Given the fact that, at present, the authority only rarely conducts raids and investigations due to a lack of resources, it remains to be seen whether these new powers will be little more than a toothless tiger.

Collection and storage of data

Collection and management

In what circumstances can personal data be collected, stored and processed?

The collection of personal data must be transparent. The person wishing to collect the data must clearly state the exact purpose for which the data will be collected and the data controller cannot obtain more data than is required for that purpose.

In any case, it is prohibited to collect sensitive personal data. Certain exceptions apply, but these are limited and depend on the specific case. Written consent of the individual is always required.

The processing of personal data is allowed only in the following cases:

  • The data subject has unambiguously given his or her consent;
  • Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject before entering into a contract;
  • Processing is necessary for compliance with a legal obligation to which the controller is subject;
  • Processing is necessary in order to protect the vital interests of the data subject;
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data is disclosed; or
  • Processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data is disclosed, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection (the General Data Protection Regulation (GDPR) strengthens this exception, in particular where the data subject is a child).

Regarding the fourth lawful basis for data processing (ie, vital interests), Recital 46 and Article 6(1)(d) of the GDPR clarify that vital interests can also extend to other individuals (eg, children of the data subject).   

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

Personal data can be stored only for a limited period of time – that is, no longer than is necessary for the realisation of the purpose for which it is collected and processed.

A limited number of statutes (eg, tax or social security laws) provide for specific retention periods (eg, five to seven years) with respect to certain records.

Do individuals have a right to access personal information about them that is held by an organisation?

Yes, they do. On request, data controllers must inform individuals of:

  • the personal data that they process;
  • the purposes of such processing; and
  • the recipients or categories of recipient of the data.

Do individuals have a right to request deletion of their data?

Data subjects have a right to oppose the processing of their personal data for serious and legitimate reasons, unless such processing is necessary for the performance of a contract or to comply with the law.

As far as deletion is concerned, data subjects may demand deletion of their data if it is inaccurate, incomplete or obsolete in light of the purpose of the processing. They may also request rectification of any incorrect data.

The GDPR preserves these rights and introduces the new ‘right to be forgotten’ and the ‘right to data portability’:

  • The right to be forgotten – each individual has the right to request the deletion or removal of his or her personal data where there is no compelling reason for its continued processing.
  • The right to data portability – this allows individuals to obtain and reuse their personal data for their own purposes across different services (eg, from Facebook to a new provider).

Consent obligations

Is consent required before processing personal data?

The explicit and unambiguous consent of an individual is required for the processing of personal data, unless one of the conditions set forth in Article 5 of the Act of December 8 1992 on the Protection of Privacy with respect to the Processing of Personal Data (the Data Protection Act) is met (see “If consent is not provided, are there other circumstances in which data processing is permitted?” below).

Although consent remains the primary basis for processing personal data under the GDPR, the definition of ‘consent’ is often argued to be more restrictive under the GDPR. Consent should be freely given, specific, informed and unambiguous. This also means that data subjects must be able to withdraw their consent at any time without suffering any prejudice and without being subject to any conditions.

It remains to be seen how the GDPR’s notion of consent will differ in practice from the present concept of ‘consent’.

If consent is not provided, are there other circumstances in which data processing is permitted?

Yes, if the processing is necessary:

  • for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject before entering into a contract;
  • for compliance with a legal obligation to which the controller is subject;
  • in order to protect the vital interests of the data subject;
  • for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or a third party to which the data is disclosed; or
  • for the purposes of the legitimate interests pursued by the controller or the third party or parties to which the data is disclosed, except where such interests are overridden by the interests of the fundamental rights and freedoms of the data subject.

The GDPR allows EU member states to introduce additional lawful bases for limited purposes connected with their national law or the performance of tasks in the public interest (Article 6). The Belgian Data Protection Authority has provided no guidance to date regarding whether it seeks to implement additional bases for lawful processing.

What information must be provided to individuals when personal data is collected?

Data controllers must inform individuals of the following:

  • the data that is collected, stored and processed;
  • the purposes of the processing;
  • the recipients or categories of recipient of the data;
  • all information available regarding the source of the data collected; and
  • the individual’s right of access, rectification and deletion.

Data security and breach notification

Security obligations

Are there specific security obligations that must be complied with?

Article 16(4) of the Act of December 8 1992 on the Protection of Privacy with respect to the Processing of Personal Data (the ‘Data Protection Act’) provides that data controllers and data processors must implement sufficient technical and organisational security measures with respect to the protection of personal data against destruction, accidental loss and any non-authorised processing of data. Although the Data Protection Act imposes no specific security measures, the notification form used by the Belgian Data Protection Authority for the notification of data processing activities lists a wide range of possible security measures, including physical access control, encryption, appropriate clauses in contracts with personnel and processors, access logging and prevention plans.

The General Data Protection Regulation (GDPR) does not specify the security measures that companies should undertake. What is considered to be appropriate depends on a range of factors (eg, the sensitivity of the data, the risks to individuals in case of a security breach, the state of the art, the costs of implementation and the nature of the processing). The GDPR promotes the pseudonymisation and encryption of data. Testing the effectiveness of implemented security measures on a regular basis is also required where appropriate.

Breach notification

Are data owners/processors required to notify individuals in the event of a breach?

Data owners or controllers must inform the individuals of a data breach without undue delay if there is a high risk that their data could be used by third parties. Notification is not required if the data is encrypted or if measures have been taken to ensure that the data subject cannot be identified. However, the Belgian Data Protection Authority can always order the data controller to inform the individual of the data breach.

Are data owners/processors required to notify the regulator in the event of a breach?

At present, the only legal notification requirement applies to companies in the telecoms sector.

Pursuant to Articles 114(2)-(3) of the Act of June 13 2005 on Electronic Communication (the ‘Electronic Communication Act’), data owners (ie, companies offering electronic communication services) must notify the Belgian Data Protection Authority and the Belgian telecoms regulator in case of a data breach.

Pursuant to Article 33 of the GDPR, data owners must notify the Belgian Data Protection Authority in case of a data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals (eg, identity theft). Notification should be given within 72 hours.

Further, data processors must notify the relevant controller of any breach without undue delay after becoming aware of it.

Electronic marketing and internet use

Electronic marketing

Are there rules specifically governing unsolicited electronic marketing (spam)?

Yes, these are laid down in:

  • Articles 13 to 15 of the Act of March 11 2003 on Certain Legal Aspects of Information Society Services;
  • the Decree-Law of April 4 2003 on the Regulation on the Transmission of Advertising by Electronic Mail; and
  • several recommendations of the Belgian Data Protection Authority:
    • Recommendation 34/2000 of November 22 2000;
    • Recommendation 4/2009 of October 14 2009; and
    • Recommendation 2/2013 of January 30 2013.

As a rule, marketing emails are permitted only if the recipient has previously given consent. The only exception to this opt-in requirement applies to emails sent by a company to its existing customers in relation to products or services that are identical or similar to the products or services already purchased by the customers. In such case, the recipient must be able to opt out (ie, ask the sender to stop sending marketing emails).

The European Union also hopes to have enacted the new e-Privacy Regulation, which will govern electronic marketing and will directly apply in all EU member states, by the time that the GDPR enters into force on May 25 2018.

On September 8 2017 the Council of the European Union published its proposed revisions to the draft e-Privacy Regulation, which was first published by the European Commission in January 2016. The revisions have been made based on written comments and discussions involving the Working Party for Telecommunications and Information Society.

As the road to adoption of the proposal is expected to be long, the foreseen date of enactment of May 25 2018 seems quite unrealistic.

Cookies

Are there rules governing the use of cookies?

Article 129 of the Electronic Communication Act deals with the use of cookies. The user must be informed of the exact purpose of the processing and of his or her rights. The user must also actively accept the use of cookies (and must be given the possibility to withdraw this acceptance at any time).

Further, in 2015 the Belgian Data Protection Authority issued a recommendation on the use of cookies (Recommendation 1/2015 of February 4 2015).

The European Union also hopes to have enacted the new e-Privacy Regulation, which will govern the use of cookies and will directly apply in all EU member states by the time that the GDPR enters into force on May 25 2018.

Data transfer and third parties

Cross-border data transfer

What rules govern the transfer of data outside your jurisdiction?

Personal data may be transferred to recipients in EU member states or states that are parties to the European Economic Area (EEA) Agreement, provided that there is justification for the data transfer. In addition, data transfers are allowed to a number of countries outside the EEA which are deemed by the European Commission to provide an adequate level of data protection. This is also the case under the General Data Protection Regulation (GDPR).

As far as other countries are concerned, data transfers are permitted only with the data subject’s consent or if an adequate level of data protection is ensured by:

  • standard contractual clauses approved by the European Commission;
  • equivalent data transfer agreements approved by the Belgian Data Protection Authority; or
  • with respect to transfers between legal entities of multinational groups of companies, binding corporate rules.

Are there restrictions on the geographic transfer of data?

Yes. Countries outside the EEA (with the exception of Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland and Uruguay) are considered unsafe in terms of data protection. Therefore, data transfers to such countries are allowed only if such transfers are covered by:

  • standard contractual clauses approved by the European Commission;
  • equivalent data transfer agreements approved by the Belgian Data Protection Authority; or
  • with respect to transfers between legal entities of multinational groups of companies, binding corporate rules.

In this regard, the European Union does not consider the United States to provide an adequate level of protection. To urge US companies to provide the same level of data protection, the European Union and the United States concluded a general framework for transatlantic exchanges of personal data for commercial purposes one year ago (the so-called ‘EU-US Privacy Shield’). Its main purpose is to enable US companies to easily receive personal data from EU entities in compliance with EU privacy legislation.

On October 18 2017 the EU Commission published its report on the first annual review of the EU-US Privacy Shield. The report reflects the commission’s findings on the implementation and enforcement of the EU-US Privacy Shield framework in its first year of operation. On the whole, the report shows that the EU-US Privacy Shield continues to ensure an adequate level of data protection. However, there is still room for improvement.

Third parties

Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?

Article 16 of the Data Protection Act prescribes the minimum conditions which need to be met when a data controller seeks to use a third-party data processor:

  • the controller should choose a processor which provides sufficient technical and organisational guarantees for the processing of the personal data;
  • the controller must ensure that these guarantees are met by means of (written) contractual clauses;
  • the liability of the processor towards the controller is part of the contract; and
  • the processor should act only on behalf of the controller and within the limits that the controller needs to respect itself.

In addition, this provision also obliges the controller to ensure that:

  • personal data is kept up to date and that incorrect, incomplete, irrelevant data is corrected or deleted;
  • access to personal data is limited to allow necessary processing;
  • all persons acting on its behalf are aware of the conditions for processing in the Data Protection Act; and
  • the automated processing is compliant with the notification to the supervisory authority.

It should be noted that the GDPR imposes significantly heavier duties on data processors (eg, cloud providers) which will face liability for non-compliance or for acting outside the instructions and authorities granted by the customer/controller. These new responsibilities are likely to change the contractual negotiations between controllers, processors and sub-processors.

Similarly to Article 16 of the Data Protection Act, the processor-controller relationship must be governed by a written contract, including obligations for the processor regarding the duration, nature and purpose of the processing, the types of data processed and the obligations and rights of the controller. Specifically, processor-controller contracts must include the obligations for the processor to:

  • process only data on documented instructions from the controller;
  • assist the controller in complying with many of its obligations; and
  • inform the controller if it believes that an instruction to hand over information to the data controller breaches the GDPR or any other EU or member state law.

Penalties and compensation

Penalties

What are the potential penalties for non-compliance with data protection provisions?

The penalty provisions are included in Articles 37 to 43 of the Act of December 8 1992 on the Protection of Privacy with respect to the Processing of Personal Data (the ‘Data Protection Act’). Data owners and data controllers that do not comply with the data protection provisions may be subject to fines of between €600 and €100,000.

Under the General Data Protection Regulation (GDPR) and the (draft) law on the reform of the Belgian Data Protection Authority and the widening of its sanctioning powers (which will soon be ratified by the king and simultaneously enter into force with the GDPR), the fines for violating data protection legislation will significantly increase and could amount to up to 4% of the infringing company’s total worldwide turnover or €20 million, whichever is higher.

Compensation

Are individuals entitled to compensation for loss suffered as a result of a data breach or non-compliance with data protection provisions by the data owner?

Yes. Individuals can file a complaint with the Belgian Data Protection Authority, which will mediate between parties with a view to reaching an amicable solution. Individuals may also choose to file a complaint with the public prosecutor or the president of the Court of First Instance in order to obtain compensation for any loss suffered.

However, as the investigative and enforcement powers of the Belgian Data Protection Authority will increase, it is more likely that in the future individuals may prefer to file a complaint with the Belgian Data Protection Authority rather than initiating criminal or civil proceedings before the courts.

Cybersecurity

Cybersecurity legislation, regulation and enforcement

Has legislation been introduced in your jurisdiction that specifically covers cybercrime and/or cybersecurity?

As yet, there is no specific Belgian legislation on cybersecurity. Instead, Belgium relies on international standards and the proposal for an EU directive on the issue. Further, the banking sector introduced some sector-specific security guidelines in a 2009 circular.

With respect to cybercrime, Belgium was one of the first countries in the European Union to implement cybercrime legislation in its Criminal Code (through the Act of November 28 2000). The new crimes introduced included:

  • forgery (Article 210bis of the Criminal Code);
  • fraud in informatics (Article 504quater of the Criminal Code);
  • sabotage in informatics (Article 550ter of the Criminal Code); and
  • internal/external hacking (Article 550bis of the Criminal Code).

The Belgian Code of Criminal Procedure was also amended in order to offer the judicial authorities proper instruments to investigate the new criminal offences adequately. The new instruments included:

  • the interception of electronic communications (Article 90ter of the Code of Criminal Procedure);
  • seizure of digital data (Article 39bis of the Code of Criminal Procedure);
  • identification of users of electronic communications services (Article 46bis of the Code of Criminal Procedure);
  • tracing of electronic communications (Article 88bis of the Code of Criminal Procedure); and
  • network searches (Article 88ter of the Code of Criminal Procedure).

Providers of electronic communications services and network operators are obliged to provide appropriate assistance to the authorities when receiving requests relating to one of the abovementioned investigative acts (Articles 46bis, 88bis, 88quater and 90quater of the Code of Criminal Procedure).

What are the other significant regulatory considerations regarding cybersecurity in your jurisdiction (including any international standards that have been adopted)?

At EU level, in February 2013 a proposal for a directive on measures to safeguard a common high level of network and information security within the European Union was introduced.

In Belgium, the International Organisation for Standardisation/International Electrotechnical Commission Standard 27001 (ISO/IEC 27001) has been adopted by companies to safeguard their information. This standard provides guidelines for keeping information and assets secure. According to the standard, financial information, intellectual property, employee details and other entrusted information must be properly secured. It is the most commonly used standard for implementing an information security management system.

When it comes to cybersecurity, Belgium still lacks a coordinated approach and collaboration between the government and private companies. Following the establishment of the Centre for Cybersecurity in Belgium (introduced by the Decree-Law of October 10 2014 and operational since August 2015), the enhancement of cybersecurity regulation is expected in the near future.

Which cyber activities are criminalised in your jurisdiction?

The following cyber activities are criminalised:

  • forgery (Article 210bis of the Criminal Code);
  • fraud in informatics (Article 504quater of the Criminal Code);
  • sabotage in informatics (Article 550ter of the Criminal Code); and
  • internal/external hacking (Article 550bis of the Criminal Code).

Which authorities are responsible for enforcing cybersecurity rules?

The Centre for Cybersecurity in Belgium was introduced by the Decree-Law of October 10 2014 and has been operational since August 2015. The centre is responsible for intervening when Belgian authorities suffer cyberattacks and deals with potential hacking threats.

Cybersecurity best practice and reporting

Can companies obtain insurance for cybersecurity breaches and is it common to do so?

Yes. More and more Belgian companies obtain insurance for cybersecurity breaches. The number of companies doing so has risen in recent years, given the increase in cyberattacks – in 2013, only 5% of the companies bought such insurance policies, while in 2014 13% were insured for cybersecurity breaches.

Are companies required to keep records of cybercrime threats, attacks and breaches?

As yet, there are no specific rules on maintaining records of cybercrime threats, attacks and breaches.

Are companies required to report cybercrime threats, attacks and breaches to the relevant authorities?

Only telecoms companies are legally required to notify the Belgian Data Protection Authority and the Belgian telecoms regulator of a data leak.

For other companies, Article 33 of the General Data Protection Regulation has introduced a new duty for data owners to notify the Belgian Data Protection Authority in case of a data breach, unless the data breach is unlikely to result in a risk. On the other hand, the data processor must always notify the data owner in case of a data breach. This new duty will enter into force on May 25 2018.

Are companies required to report cybercrime threats, attacks and breaches publicly?

At present, no rules require companies to report cybercrime threats, attacks and breaches publicly.

Criminal sanctions and penalties

What are the potential criminal sanctions for cybercrime?

With respect to forgery and fraud in informatics, the penalties are imprisonment of between six months and five years, a fine of €156 to €600,000, or both.

With respect to sabotage in informatics and internal and external hacking, the penalties are imprisonment of between three months and one year, or between six months and two years in case of fraudulent intent, a fine of €156 to €125,000, or both.

What penalties may be imposed for failure to comply with cybersecurity regulations?

Since no cybersecurity regulations apply as yet, no penalties can be imposed. However, an individual can sue a company for the loss of his or her data by filing a complaint with the Belgian Data Protection Authority, the Public Prosecutor’s Office or the president of the Court of First Instance.