- 1 Belgium
- 1.1 Contribution Details
- 1.2 Law
- 1.3 Definition of Personal Data
- 1.4 Definition of Sensitive Personal Data
- 1.5 National Data Protection Authority
- 1.6 Registration
- 1.7 Data Protection Officers
- 1.8 Collection and Processing
- 1.9 Transfer
- 1.10 Security
- 1.11 Breach Notification
- 1.12 Enforcement
- 1.13 Electronic Marketing
- 1.14 Online Privacy (Including Cookies and Location Data)
- 1.16 Acknowledgement and Disclaimer
DLA Piper’s Data Protection Laws of the World 2013
March 2013
Patrick Van Eecke
Law
Belgium implemented the EU Data Protection Directive 95/46/EC with the Data Protection Act dated 8 December 1992 (“Act”). Enforcement is ensured by the Data Protection Authority (“DPA”).
Definition of Personal Data
Personal data means any information relating to an identified or identifiable natural person.
A person is considered to be an identifiable person when he or she can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity.
Definition of Sensitive Personal Data
The Belgian Data Protection Act distinguishes between three categories of sensitive personal data, for which distinct rules apply:
National Data Protection Authority
Registration
Unless an exemption applies, data controllers who process personal data by automatic means must notify the DPA so that their processing of personal data may be registered and made public. Changes to the processing of personal data will require the notification to be amended.
The notification shall inter alia include the following information (as outlined in the DPA standard notification form):
Data Protection Officers
There is no legal requirement in Belgium for organisations to appoint a data protection officer. It is, however, recommended to do so.
The Act requires controllers and processors to take adequate technical and organizational security measures.
As part of this obligation the DPA has issued “Security Guidelines”, which reflect what is to be considered as constituting ‘adequate technical and organisation security measures’. Although the Security Guidelines are not part of the Act itself and are not binding, they do have an important moral value.
The Security Guidelines recommend that controllers appoint a so-called “information security officer”. This security officer is responsible for the implementation of the personal data security policy.
Collection and Processing
Data controllers may collect and process personal data when any of the following conditions are met:
Where sensitive personal data is processed, a different list of specific conditions applies.
Whichever of the above conditions is relied upon, the controller must first provide the data subject with certain information, unless an exemption applies. The notification shall include information on the identity of the controller, the purposes of the processing, the existence of the right to object in the case of personal data processing for direct marketing purposes, as well as the right to access and rectification, the recipients or categories of recipients of the personal data, and whether or not it is obligatory to respond to the data controller’s request to submit personal data and any possible consequences of not responding.
Transfer
Transfer of a data subject’s personal data to non-EU/European Economic Area countries is allowed if the countries provide “adequate protection”.
For the transfer of data to the United States, companies which adhere to the US/EU Safe Harbor principles are deemed to offer adequate protection.
Data controllers may transfer personal data out of the European Economic Area to countries which are not deemed to offer adequate protection if any of the following exceptions apply:
The DPA may allow transfers even if the above conditions are not fulfilled if the controller adduces additional safeguards with respect to the protection of the rights of the data subject. Such safeguards may inter alia result from contractual clauses, e.g. by standard contractual clauses approved by the European Commission, or via an organisation’s Binding Corporate Rules.
Currently, in the context of a notification procedure, the DPA usually requests a copy of data transfer agreements, in particular to verify whether any changes were made to the EU model clauses. No formal approval of data transfer agreements based on the EU model clauses is required.
However, the DPA recently indicated that in the near future, this could change and an authorisation decree may be required for each contract-based international transfer of personal data – regardless of whether the international transfer is based on the EU Model Clauses.
Security
Data controllers and processors must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
The DPA has issued (non-binding) guidelines in respect of such security measures.
Breach Notification
The Act does not provide for a data security breach notification duty.
Enforcement
The DPA is authorised to investigate complaints, and to act as a mediator in case of complaints. The DPA may also appoint experts, may require the provision of documents, and may require access to certain places. In the case of criminal actions, the DPA must notify the public prosecutor.
Failure to comply with the Act may be criminally sanctioned with imprisonment or fines up to EUR 600,000.
Electronic Marketing
The Act will apply to most electronic marketing activities, as there is likely to be processing and use of personal data involved (e.g. an email address is likely to be “personal data” for the purposes of the Act). The Act does not prohibit the use of personal data for the purposes of electronic marketing but provides individuals with the right to object to the processing of their personal data (i.e. a right to “opt out”) for direct marketing purposes.
Additionally, specific rules are set out in the Belgian E-Commerce Act (Act of 11 March 2003) regarding opt-in requirements:
Online Privacy (Including Cookies and Location Data)
The use and storage of cookies and similar technologies requires: a) clear and comprehensive information; and b) consent of the website user.
Consent is not required for cookies that are:
Regulatory guidance on the informed consent requirement is expected to be issued in the near future.
The processing of location data in the framework of a service regarding traffic or location data is subject to strict conditions set forth in article 123.
Processing of location data must in addition also comply with the general rules stipulated by the Data Protection Act.
Subject to compliance with specific information obligations and subject to specific restrictions, operators may process certain location data for the purposes of:
Acknowledgement and Disclaimer
This handbook is provided to you as a courtesy, and it does not establish a client relationship between EDRM, DLA Piper and you, or any other person or entity that receives it. It provides a general overview of the data protection regime currently in force in 63 jurisdictions. It is a general reference document and should not be relied upon as legal advice. The application and effect of any law or regulation upon a particular situation can vary depending upon the specific facts and circumstances, and so you should consult with a lawyer regarding the impact of any of these regimes in any particular instance.
EDRM, DLA Piper and the other contributing law firms accept no liability for errors or omissions appearing in the handbook and, in addition, EDRM and DLA Piper accept no liability at all for the content provided by the other contributing law firms. Please note that privacy and information law is dynamic, and the legal regime in the countries surveyed could change.
No part of this publication may be reproduced or transmitted in any form without the prior consent of DLA Piper.
Copyright © 2013 DLA Piper UK LLP
This publication has been reproduced by EDRM with the prior consent of DLA Piper.