Use the Lexology Navigator tool to compare the answers in this article with those from other jurisdictions.

Collection and storage of data

Collection and management

In what circumstances can personal data be collected, stored and processed?

The collection of personal data must be transparent. The person wishing to collect the data must clearly state the exact purpose for which the data will be collected and the data controller cannot obtain more data than is required for that purpose.

In any case, it is prohibited to collect sensitive personal data. Certain exceptions apply, but these are limited and depend on the specific case. Written consent of the individual is always required.

The processing of personal data is allowed only in the following cases:

  • The data subject has unambiguously given his or her consent;
  • Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject before entering into a contract;
  • Processing is necessary for compliance with a legal obligation to which the controller is subject;
  • Processing is necessary in order to protect the vital interests of the data subject;
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data is disclosed; or
  • Processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data is disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection (the General Data Protection Regulation (GDPR) intensifies this exception, in particular, for cases where the data subject is a child).

Regarding the fourth lawful basis for data processing (ie, vital interests), Recital 46 and Article 6(1)(d) of the GDPR clarify that vital interests can also extend to other individuals (eg, children of the data subject).   

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

Personal data can be stored only for a limited period of time – that is, no longer than is necessary for the realisation of the purpose for which it is collected and processed.

A limited number of statutes (eg, tax or social security laws) provide for specific retention periods (eg, five to seven years) with respect to certain records.

Do individuals have a right to access personal information about them that is held by an organisation?

Yes, they do. On request, data controllers must inform individuals of:

  • the personal data that they process;
  • the purposes of such processing; and
  • the recipients or categories of recipient of the data.

Do individuals have a right to request deletion of their data?

Data subjects have a right to oppose the processing of their personal data for serious and legitimate reasons, unless such processing is necessary for the performance of a contract or to comply with the law.

As far as deletion is concerned, data subjects may demand deletion of their data if it is inaccurate, incomplete or obsolete in light of the purpose of the processing. In addition, they may also request rectification of any incorrect data. 

The GDPR preserves these rights and introduces the new ‘right to be forgotten’ and the ‘right to data portability’:

  • The right to be forgotten – each individual has the right to request the deletion or removal of his or her personal data where there is no compelling reason for its continued processing.
  • The right to data portability – this allows individuals to obtain and reuse their personal data for their own purposes across different services (eg, from Facebook to a new provider).

Consent obligations

Is consent required before processing personal data?

The explicit and unambiguous consent of an individual is required for the processing of personal data, unless one of the conditions set forth in Article 5 of the Act of December 8 1992 on the Protection of Privacy with respect to the Processing of Personal Data (the Data Protection Act) is met (see “If consent is not provided, are there other circumstances in which data processing is permitted?” below).

Consent, albeit, remains the primary basis to process personal data under the GDPR, the definition of ‘consent’ is often argued to be more restrictive under the GDPR. Consent should be freely given, specific, informed and unambiguous consent. This also means that data subjects must have an option of withdrawing their consent at any time without suffering any prejudice and being dependent on no conditions.

It remains to be seen how the GDPR’s notion of consent will differ in practice from the present concept of ‘consent’.

If consent is not provided, are there other circumstances in which data processing is permitted?

Yes, if the processing is necessary:

  • for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject before entering into a contract;
  • for compliance with a legal obligation to which the controller is subject;
  • in order to protect the vital interests of the data subject;
  • for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or a third party to which the data is disclosed; or
  • for the purposes of the legitimate interests pursued by the controller or the third party or parties to which the data is disclosed, except where such interests are overridden by the interests of the fundamental rights and freedoms of the data subject.

The GDPR allows EU member states to introduce additional lawful bases for limited purposes connected with their national law or the performance of tasks in the public interest (Article 6). The Belgian Data Protection Authority has provided no guidance to date regarding whether it seeks to implement additional bases for lawful processing.

What information must be provided to individuals when personal data is collected?

Data controllers must inform individuals of the following:

  • the data that is collected, stored and processed;
  • the purposes of the processing;
  • the recipients or categories of recipient of the data;
  • all information available regarding the source of the data collected; and
  • the individual’s right of access, rectification and deletion.

Click here to view the full article.