The Belgian GDPR bill is finally ready and has been submitted to Parliament for review. Please find below a brief summary of the bill's main highlights of relevance to private companies.

We will follow-up on the legislative process and will inform you once the text is final.

1. Children's consent

The age of consent for the processing of a child's personal data in relation to the offer of information society services is set at 13, whereas the GDPR sets the bar at 16 (Article 8.1 GDPR). This means that parental consent will only be required to process the personal data of a child in relation to the offer of information society services if the child is below the age of 13.

2. Additional requirement for the processing of genetic, biometric and health data

When processing genetic, biometric or health data, the following measures must be taken:

  • the controller or the processor, as the case may be, must designate the persons entitled to consult the data;
  • the controller or the processor, as the case may be, must compile a list of these persons and make this list available to the supervisory authority;

  • the controller must ensure that the designated persons are bound by a legal or contractual duty of confidentiality.

3. Processing of criminal data

The bill provides for additional grounds to process data related to criminal convictions and offences or related security measures. These grounds are similar to those set out in the Data Protection Act of 8 December 1992.

This type of data may be processed:

  • by private companies, if necessary for the management of litigation to which the company is a party;

  • by lawyers or other legal advisors, if necessary to defend the interests of a client;

  • by other persons, for substantial public interest reasons or to perform a task in the public interest;

  • if necessary for archiving purposes, scientific or historical research or statistical purposes.

The controller or the processor, as the case may be, must establish a list of persons entitled to consult these data and keep this list at the disposal of the supervisory authority.

These persons must be bound by a legal or contractual duty of confidentiality.

4. Restriction on data subject rights when personal data are processed for journalistic purposes and for the purpose of academic, artistic or literary expression

The bill defines journalistic purposes as the preparation, collection, drafting, production, distribution or archiving for the purpose of informing the public by means of any medium provided the controller abides by the ethical rules applicable to the journalism profession.

Articles 7 to 10 (consent and special categories of personal data), 11.2 (specific information requirement where the controller cannot identify the data subject), 13 to 16 (information obligation, right to access and right to rectification), 18 to 20 (right to restrict processing, duty to notify third parties as to the exercise of their rights and the right to data portability) and 21.1 (right to object) do not apply to the processing of personal data for journalistic purposes or for the purpose of academic, artistic and literary expression.

Articles 30.4 (disclosure of register to the authorities), 31 (cooperation with the supervisory authorities), 33 (personal data breach notification) and 36 (prior consultation) do not apply to the processing of personal data for journalistic purposes or for the purpose of academic, artistic and literary expression if the application of these articles would jeopardise an intended publication or constitute a prior control.

Articles 44 to 50 (international transfers) do not apply to transfers of personal data for journalistic purposes or the purpose of academic, artistic and literary expression if the transfer is necessary to align the right to the protection of personal data to freedom of expression and information.

Article 58 (investigative powers of the supervisory authority) does not apply to the processing of personal data for journalistic purposes or the purpose of academic, artistic and literary expression if its application would jeopardise the protection of sources or constitute a prior control.

5. Processing for the purpose of archiving in the public interest or for scientific or historical research or statistical purposes

The bill provides for exceptions to data subject rights where these rights would render impossible or seriously impair the achievement of specific purposes and derogations are necessary to fulfil these purposes, as allowed by Article 89 GDPR.

In addition, it imposes additional requirements on entities processing personal data for such purposes.

Register

When processing personal data for the purpose of scientific or historical research or statistical purposes, the following information should be included in the register:

  • a justification for the use of pseudonymized or unpseudonymized data;

  • an explanation as to why the exercise of data subject rights would render impossible or seriously impair achievement of purpose(s) pursued;

  • where applicable, a data processing impact assessment if the controller processes data that are not anonymized or pseudonymized.

When processing personal data for the purpose of archiving in the public interest, the following information should be included in the register:

  • a justification of the archive's public interest;

  • an explanation as to why the exercise of data subject rights would render impossible or seriously impair achievement of the purpose pursued.

Information to be provided to data subjects

The information notice should include:

  • information on whether the personal data are anonymized;

  • an explanation as to why the exercise of data subject rights would render impossible or seriously impair achievement of the purpose pursued.

Further processing by a new controller

Where further processing for archiving in the public interest, scientific or historical research or statistical purposes is performed by a controller other than the controller that collected the personal data (i.e. the "initial controller"), the second controller must enter into an agreement with the initial controller.

This agreement must stipulate the contact details of both controllers and explain why the exercise of data subject rights would render impossible or seriously impair achievement of the purpose(s) pursued. The agreement must be added to the register.

Anonymization of personal data processed for archiving in the public interest, scientific or historical research or statistical purposes

The bill provides that controllers must pseudonymize or anonymize personal data if they wish to process these data for the abovementioned purposes.

If personal data are processed for such purposes by a controller other than the initial controller, the initial controller must pseudonymize or anonymize the data before passing them on to the other controller.