Stage of legislative progress 
E.g. pre-consultation, in consultation

The Belgian Privacy Act ("BPA") was adopted by Parliament on 30 July 2018 and was published in the Belgian Official Gazette on 5 September 2018. It entered into force that same day.


Approach to implementation 
E.g. amendments to existing law, total repeal of old laws

The Belgian Privacy Act fully repeals the Privacy Act of 8 December 1992, which had already been partly repealed by the Act of 3 December 2017 on the creation of the Data Protection Authority. It also implements Directive 2016/680 on data protection in the police and criminal justice sectors, which takes up the majority of the Act's 286 articles.

 
Timescale for implementation 
E.g. pre-consultation, in consultation

The BPA entered into force on 5 September 2018.  

 

Areas where Member States must have local laws:

Personal data and freedom of expression 

A large number of GDPR provisions are declared inapplicable or only conditionally applicable to processing for journalistic purposes and for purposes of academic, artistic or literary expression. In this respect, "journalistic purposes" is considered to cover the preparation, collection, drafting, production, distribution or archiving for the purpose of informing the public, using any media, where the controller should ensure compliance with journalistic deontology.

Penalties

The BPA introduces different tiers of criminal penalties for violations of the BPA as well as the GDPR itself, with a maximum penalty of EUR 30.000. Taking into account the mandatory multiplication of criminal fines, this equals a de facto maximum fine of EUR 240.000.

The BPA also clarifies that a controller, processor, or its representative in Belgium, as the case may be, is in principle civilly liable for the payment of the fines which have been imposed on its contractor or agent.

Finally, the Act stipulates that the administrative fines of Article 83 GDPR cannot be imposed on public authorities, except where the authority is a public-law legal entity offering goods or services on a market.


 

Areas where Member States may have local laws:

Professional secrecy 

The BPA itself does not contain any rules to reconcile the right of personal data protection with obligations of secrecy. These were included in the Act of 3 December 2017 on the creation of the Data Protection Authority (the "DPAA") which sets out the powers of the Belgian supervisory authority and the appropriate (procedural) safeguards for individuals.

Firstly, the Act introduces a specific exception for medical data covered by professional secrecy. As a general rule, the DPAA states that investigative measures can give rise to an official report establishing an infringement. Such a report has evidential value until proven otherwise and, in principle, other inspection services or administrative supervisory authorities may use the material findings from the reports while preserving their evidential value. However, with respect to medical data, the DPAA states that such information may only be communicated and used in accordance with the relevant rules on medical professional secrecy.

Secondly, professional secrecy in general is taken into account in the context of on-site investigations. Where there is reason to believe that the principles of personal data protection have been violated, the inspectors of the Belgian DPA are entitled to enter the company, the service or any other premises to conduct on-site investigations. An exception is introduced for the premises of a professional who is under a duty of professional secrecy and for whom a legal arrangement is foreseen for on-site investigations and access to their premises. In such a case, the inspectors are only allowed to access the premises in the presence of a representative of the professional association, except in case of prior written approval of the data subject or with an authorization of the investigating judge.

Scientific, historical or statistical purposes 

The BPA contains an entire title (Title 4) on processing for archiving purposes in the public interest, for scientific or historic purposes or statistical purposes. It sets out the necessary safeguards that must be taken into account when not applying certain data subject rights because they threaten to render impossible or seriously impair the achievement of those purposes.

The general safeguards consist of:

  • The requirement to appoint a DPO in case the processing is likely to result in a high risk to the rights and freedoms of natural persons within the meaning of Article 35 GDPR; and
  • The requirement to add specific additional information to the register of processing activities, including (among others) justification of the (non-)use of pseudonymised data in case of processing for scientific, historical or statistical purposes and justification of the public interest in case of preserved archives.

Where the personal data are obtained directly from the individual, the BPA requires additional information to be provided to the individual, notably on whether or not the personal data will be anonymized and the reasons why the data subject's rights threaten to render impossible or seriously impair achievement of the relevant purposes. Where the personal data are not obtained directly from the individual, an agreement must in principle be concluded with the controller of the initial processing activity. This is however subject to exceptions.

Additionally, the BPA establishes a number of anonymization and pseudonymisation requirements for processing for archiving purposes in the public interest, for scientific or historic purposes or statistical purposes. It also distinguishes between the concepts of "communication of data", which means the communication of data to an identified third party, and "dissemination of data", which means disclosure of data without identifying the relevant third party, and stipulates requirements and safeguards for each situation.

Employment

The BPA does not contain employment-related provisions.

Personal data of deceased persons 

The BPA does not include any rules on personal data of deceased persons.

Children online 

The age of consent with respect to offering information society services to children is lowered to 13 years. Where the child is below 13 years of age, such processing shall be lawful only if and to the extent that consent is given by the child's legal representative.

Special rules for special categories of data

The BPA identifies six (6) categories of instances in which the processing of personal data relating to criminal convictions and offences without the control of official authority is allowed, notably:

  • Processing by natural persons or private or public-law legal persons insofar as necessary for the management of their own disputes;
  • Processing carried out by lawyers necessary for the defence of their client's interests;
  • Processing by other persons where necessary for reasons of substantial public interest for fulfilling tasks in the public interest as defined by law;
  • Processing required for scientific, historical or statistical research or for archiving purposes;
  • Express written consent by the data subject for processing for one or more well-defined purposes and the processing is limited to those purposes;
  • Personal data that have clearly been made public by the data subject on its own initiative for one or more well-defined purposes and the processing is limited to those purposes.

Additionally, the BPA introduces specific safeguards for processing of such data, including the requirement to list individuals that have access to such data.

Genetic, biometric or health data

Controllers processing genetic, biometric or health data are required to take a number of additional measures, including the requirement to list individuals that have access to such data.

Designation of a Data Protection Officer

The BPA does not contain provisions on Data Protection Officers.

National identification numbers/any other identifier of general application

The BPA does not contain provisions on national identification numbers or other identifiers of general application.

 


 

Other:

Any other areas under discussion

The Belgian Privacy Commission (predecessor of the newly established Data Protection Authority) published DPO recommendations on 24 May 2017, recommendations on records of processing activities on 14 June 2017 and recommendations on privacy impact assessments on 28 February 2018.