The Belgian Privacy Act ("BPA") was adopted by Parliament on 30 July 2018 and was published in the Belgian Official Gazette on 5 September 2018. It entered into force that same day.
The Belgian Privacy Act fully repeals the Privacy Act of 8 December 1992, which had already been partly repealed by the Act of 3 December 2017 on the creation of the Data Protection Authority. It also implements Directive 2016/680 on data protection in the police and criminal justice sectors, which takes up the majority of the Act's 286 articles.
The BPA entered into force on 5 September 2018.
Areas where Member States must have local laws:
A large number of GDPR provisions are declared inapplicable or only conditionally applicable to processing for journalistic purposes and for purposes of academic, artistic or literary expression. In this respect, "journalistic purposes" is considered to cover the preparation, collection, drafting, production, distribution or archiving for the purpose of informing the public, using any media and where the controller should ensure compliance with journalistic deontology.
The BPA introduces different tiers of criminal penalties for violations of the BPA as well as the GDPR itself, with a maximum penalty of EUR 30.000. Taking into account the mandatory multiplication of criminal fines, this equals a de facto maximum fine of EUR 240.000.
The BPA also clarifies that a controller, processor, or its representative in Belgium, as the case may be, is in principle civilly liable for the payment of the fines which have been imposed on his contractor or agent.
Finally, the Act stipulates that the administrative fines of Article 83 GDPR cannot be imposed on public authorities, except when the authority is a public-law legal entity offering goods or services on a market.
Areas where Member States may have local laws:
The BPA itself does not contain any rules to reconcile the right of personal data protection with obligations of secrecy. These were included in the Act of 3 December 2017 on the creation of the Data Protection Authority (the "DPAA") which sets out the powers of the Belgian supervisory authority and the appropriate (procedural) safeguards for individuals.
Firstly, the Act introduces a specific exception for medical data covered by professional secrecy. As a general rule, the DPAA states that investigative measures can give rise to an official report establishing an infringement. Such a report has evidential value until proven otherwise and, in principle, other inspection services or administrative supervisory authorities may use the material findings from the reports while preserving their evidential value. However, with respect to medical data, the DPAA states that such information may only be communicated and used in accordance with the relevant rules on medical professional secrecy.
Secondly, professional secrecy in general is taken into account in the context of on-site investigations. Where there is reason to believe that the principles of personal data protection have been violated, the inspectors of the Belgian DPA are entitled to enter the company, the service or any other premises to conduct on-site investigations. An exception is introduced for the premises of a professional who is under a duty of professional secrecy and for whom a legal arrangement is foreseen for on-site investigations and access to their premises. In such a case, the inspectors are only allowed to access the premises in the presence of a representative of the professional association, except in case of prior written approval of the data subject or with an authorization of the investigating judge.
The BPA contains an entire title (Title 4) on processing for archiving purposes in the public interest, for scientific or historic purposes or statistical purposes. It sets out the necessary safeguards that must be taken into account when not applying certain data subject rights because they threaten to render impossible or seriously impair the achievement of those purposes.
The general safeguards consist of:
Where the personal data are obtained directly from the individual, the BPA requires additional information to be provided to the individual, notably on whether or not the personal data will be anonymized and the reasons why the data subject's rights threaten to render impossible or seriously impair achievement of the relevant purposes. Where the personal data are not obtained directly from the individual, an agreement must in principle be concluded with the controller of the initial processing activity. This is however subject to exceptions.
Additionally, the BPA establishes a number of anonymization and pseudonymisation requirements for processing for archiving purposes in the public interest, for scientific or historic purposes or statistical purposes. It also distinguishes between the concepts of "communication of data", which means the communication of data to an identified third party, and "dissemination of data", which means disclosure of data without identifying the relevant third party, and stipulates requirements and safeguards for each situation.
The BPA does not contain employment-related provisions.
The BPA does not include any rules on personal data of deceased persons.
The age of consent with respect to offering information society services to children is lowered to 13 years. Where the child is below 13 years of age, such processing shall be lawful only if and to the extent that consent is given by the child's legal representative.
The BPA identifies six (6) categories of instances in which processing personal data relating to criminal convictions and offences without the control of official authority is allowed, notably where:
Additionally, the BPA introduces specific safeguards for processing of such data, including the requirement to list individuals that have access to such data.
Controllers processing genetic, biometric or health data are required to take a number of additional measures, including the requirement to list individuals that have access to such data.
The BPA does not contain provisions on Data Protection Officers.
The BPA does not contain provisions on national identification numbers or other identifiers of general application.
The Belgian Privacy Commission (predecessor of the newly established Data Protection Authority) published DPO recommendations on 24 May 2017, recommendations on records of processing activities on 14 June 2017 and recommendations on privacy impact assessments on 28 February 2018.