Belgian data protection legislation for the private sector brought in line with the GDPR
The Law of 30 July 2018 on the protection of natural persons with regard to the processing of personal data (hereafter Law) was published in the Belgian Gazette and immediately entered into force on 5 September 2018.
Most of the provisions of the Law apply to the processing of personal data in the public sector. In relation to the private sector, the Law only deviates from and/or complements the General Data Protection Regulation (hereafter GDPR) to a limited extent and will therefore have a minor impact on the processing of personal data by private companies and organizations.
Below are some of the most noteworthy provisions of the Law (concerning the private sector).
Material & Territorial scope
The Law explicitly states in article 6 that the GDPR remains fully applicable in relation to the processing of personal data in the private sector except in those cases where the Law supplements the GDPR. In principle, this article 6 is unnecessary, but the Belgian legislator has introduced it for reasons of clarity.
Moreover, it has been stated that the Law will apply to companies and organizations that process personal data:
- in relation to the activities of an establishment which is situated on Belgian territory, irrespective of where the processing takes place; or
- in relation to data subjects residing on Belgian territory, even if the company is not established there, and it offers goods and services to these subjects on Belgian territory or it monitors the behavior of such data subjects, insofar as this behavior takes place on Belgian territory; or
- which are established in a place where Belgian law is applicable under public international law.
The Law will not apply to a processor established on Belgian territory, if the controller is established in another EU Member State and when the processing takes place on the territory on which the controller is established. In that case, the law of the other EU Member State will be applicable.
The GDPR allows EU Member States to provide for an age lower than 16 years regarding a child’s consent, as long as it does not go below the age of 13 years old. Belgian lawmakers have chosen to make full use of this possibility and lower the age to 13. If a child is below the age of 13 years, the processing of its personal data will only be lawful and valid if and to the extent that consent is given or authorized by the holder of parental responsibility over the child. Therefore, each data controller should implement an adequate system that can verify the parental consent for children under 13 years old.
Special categories of personal data
The GDPR prohibits the processing of special categories of personal data (i.e. racial or ethnic origin, political beliefs, religious or philosophical beliefs, etc.). However, there are several exemptions under which the processing of these special categories of personal data is allowed. One of the exemptions allows Member States to determine when the processing of these special categories of personal data is necessary for reasons of substantial public interest. Consequently, the Law lists three situations in which processing is deemed to be of substantial public interest. In concreto, the most relevant of these three situations relates to processing by associations that have as their statutory goal the defense and improvement of human rights and fundamental freedoms. The two other situations apply to sex offenders and are irrelevant to private companies and organizations.
Genetic, biometric data or data concerning health
In relation to the processing of genetic data, biometric data or data concerning health, the Law introduces three new obligations for the data controller or processor:
- to indicate which categories of persons have access to the data and explain their relation to the processing of the personal data;
- to maintain a list of these categories of persons for the Belgian data protection authority;
- to make sure that the designated persons are subject to a legal, statutory or equal contractual obligation to ensure the confidential character of the personal data.
Cease and desist procedure
The Law introduces a so-called “cease and desist” procedure. This procedure allows a data subject whose rights have been infringed to bring a claim of infringement of data protection obligations before the President of the competent Court of First Instance.
If the Court decides that there is indeed an infringement, it can prevent, in a rapid manner, further infringement of the data subject’s rights via an injunction. The Court can also impose a penalty if the infringing party does not comply with the provisions of the injunction. The Court can also order a publication of its decision/order.
It is important to note that a data subject cannot claim compensation for damages incurred in this procedure, as the President of the Court of First Instance is not competent to rule on the matter. The data subject will have to initiate separate proceedings.
Finally, in addition to the administrative sanctions already imposed by the GDPR, the Belgian legislator has introduced criminal sanctions in the form of fines ranging from €100 to €30.000 for infringements of the Law.