Belgium

Belgian Privacy Act ("BPA") adopted 30 July 2018; published in Belgian Official Gazette on 5 September 2018. Entered into force 5 September.

Belgian Privacy Act repeals the Privacy Act of 8 December 1992. It also implements Directive 2016/680 on data protection in the police and criminal justice sectors, which takes up the majority of the Act's 286 articles.

The BPA entered into force on 5 September 2018.  

Areas where Member States must have local laws:

A large number of GDPR provisions are declared inapplicable or only conditionally applicable to processing for journalistic purposes and for purposes of academic, artistic or literary expression. "Journalistic purposes" covers the preparation, collection, drafting, production, distribution or archiving for the purpose of informing the public, using any media and where the controller should ensure compliance with journalistic objectives.

BPA introduces different tiers of criminal penalties for violations of the BPA as well as the GDPR itself, with a maximum penalty of EUR 30.000. Taking into account the mandatory multiplication of criminal fines, this equals a de facto maximum fine of EUR 240.000.

The BPA also clarifies that a controller, processor, or its representative in Belgium, as the case may be, is in principle civilly liable for the payment of the fines which have been imposed on his contractor or agent.
Finally, the Act stipulates that the administrative fines of Article 83 GDPR cannot be imposed on public authorities, except when the latter is a public-law legal entity offering goods or services on a market

Areas where Member States may have local laws:

BPA does not contain any rules to reconcile the right of personal data protection with obligations of secrecy. These were included in the Act of 3 December 2017 on the creation of the Data Protection Authority (the "DPAA") which sets out the powers of the Belgian supervisory authority and the appropriate (procedural) safeguards for individuals.

That Act introduces a specific exception for medical data covered by professional secrecy. As a general rule, the DPAA states that investigative measures can give rise to an official report establishing an infringement. Such report has evidential value until proven otherwise and in principle, other inspection services or administrative supervisory authorities may use the material findings from the reports while preserving their evidential value. However, with respect to medical data, the DPAA states that such information may only be communicated and used in accordance with the relevant rules on medical professional secrecy.

Secondly, professional secrecy in general is taken into account in the context of on-site investigations. When there is a reason to believe that the principles of personal data protection have been violated, the inspectors of the Belgian DPA are entitled to enter the company, the service or any other premises to conduct on-site investigations. An exception is introduced for the premises of a professional that is under a duty of professional secrecy and for whom a legal arrangement is foreseen for on-site investigations and access to their premises. In such case, the inspectors are only allowed to access the premises in the presence of a representative of the professional association, except in case of prior written approval of the data subject or with an authorization of the investigating judge.

BPA Title 4 is on processing for archiving purposes in the public interest, for scientific or historic purposes or statistical purposes. It sets out the necessary safeguards that must be taken into account when not applying certain data subject rights because they threaten to render impossible or seriously impair the achievement of those purposes.

The general safeguards consist of:

• The requirement to appoint a DPO in case the processing is likely to result in a high risk to the rights and freedoms of natural persons within the meaning of Article 35 GDPR; and
• The requirement to add specific additional information to the register of processing activities, including (among others) justification of the (non-)use of pseudonymised data in case of processing for scientific, historical or statistical purposes and justification of the public interest in case of preserved archives.
  Where the personal data are obtained directly from the individual, the BPA requires additional information to be provided to the individual, notably on whether or not the personal data will be anonymized and the reasons why the data subject's rights threaten to render impossible or seriously impair achievement of the relevant purposes. Where the personal data are not obtained directly from the individual, an agreement must in principle be concluded with the controller of the initial processing activity. This is subject to exceptions.
  Additionally, the BPA establishes a number of anonymization and pseudonymisation requirements for processing for archiving purposes in the public interest, for scientific or historic purposes or statistical purposes. It also distinguishes between the concepts of "communication of data", which means the communication of data to an identified third party, and "dissemination of data", which means disclosure of data without identifying the relevant third party and stipulates requirements and safeguards for each situation.

No special provisions

No provisions

13 years

BPA identifies six (6) categories of instances in which processing personal data relating to criminal convictions and offences without the control of official authority is allowed:

• Processing by natural persons or private or public-law legal persons insofar as necessary for the management of their own disputes;
• Processing carried out by lawyers necessary for the defence of their client's interests;
• Processing by other persons where necessary for reasons of substantial public interest for fulfilling tasks in the public interest as defined by law;
• Processing required for scientific, historical or statistical research or for archiving purposes;
• Express written consent by the data subject for processing for one or more well-defined purposes and the processing is limited to those purposes;
• Personal data that have clearly been made public by the data subject on its own initiative for one or more well-defined purposes and the processing is limited to those purposes.
  Additionally, the BPA introduces specific safeguards for processing of such data, including the requirement to list individuals that have access to such data.

n/a

n/a

n/a

Other:

n/a