Belgium implements the GDPR: new Privacy Act published and in force

12 September 2018

Isis De Moortel, Julien Debussche, Benoit Van Asbroeck, Jasmien Cesar

On September 5, 2018, the much-anticipated Belgian Privacy Act ("BPA" or the "Act") implementing the GDPR and repealing the Privacy Act of 1992 was published in the Belgian Official Gazette. The Act entered into force that same day. The BPA also implements Directive (EU) 2016/680, which relates to personal data processing by authorities in police and criminal matters.

The GDPR, which has entered into force on 25 May, has left Member States the opportunity to diverge from its requirements or introduce additional ones in a number of specific instances. We have prepared a bird's-eye overview of the main choices made in Belgium:

  • The age of consent with respect to offering information society services to children has been lowered to 13 years, down from 16 years as the default option set by the GDPR;
  • Certain (categories of) organizations are listed which are entitled to process special categories of data for reasons of substantial public interest;
  • Controllers processing genetic, biometric or health data are required to take a number of additional measures;
  • Six (6) categories of instances are identified in which it is allowed to process personal data relating to criminal convictions and offences without the control of official authority. This includes the case where processing is carried out by lawyers for the defense of their client's interests and the case where processing is required for scientific, historical or statistical research;
  • Data subject rights have been limited in case of processing by various public authorities. These derogations are accompanied by various safeguards for the data subjects;
  • A large number of GDPR provisions are declared inapplicable to processing for journalistic purposes and for purposes of academic, artistic or literary expression. In this respect, "journalistic purposes" is considered to cover the preparation, collection, drafting, production, distribution or archiving for the purpose of informing the public, using any media and where the controller should ensure compliance with journalistic deontology;
  • Different tiers of criminal penalties are introduced for violations of the BPA as well as the GDPR itself, with a maximum of EUR 30.000. Taking into account the mandatory multiplication of criminal fines, this equals a de facto maximum fine of EUR 240.000.

The BPA complements the Act of 3 December 2017 on the creation of the Data Protection Authority. The latter succeeded the Privacy Commission on 25 May 2018. Certain existing laws have also been amended in light of the GDPR, including notably the Camera Act of 21 March 2007, which now includes specific GDPR-based requirements for CCTV monitoring in Belgium.