van Cutsem Wittamer Marnef & Partners
What law(s) specifically govern personal data / information?
GDPR (regulation 2016/679)
Law of 30 July 2018 on the protection of individuals with regard to the processing of personal data
Pertaining to electronic communications: Law of 13 June 2005 on electronic communications
What are the key data protection principles in this jurisdiction?
Lawful basis for processing
The GDPR provides an exhaustive list of legal bases on which personal data may be processed:
- consent of the data subject for one or more specific purposes;
- contractual necessity;
- compliance with a legal obligation of the controller to perform the relevant processing;
- protection of the vital interests of the data subject or of another natural person;
- performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
- legitimate interests (i.e. the processing is necessary for the purposes of legitimate interests pursued by the controller, except where the controller’s interests are overridden by the interests, fundamental rights or freedoms of the affected data subjects).
The processing of sensitive personal data requires stronger grounds and is only permitted under certain conditions, of which the most relevant are:
- explicit consent of the affected data subject;
- the processing is necessary in the context of employment or social security law; or
- the processing is necessary for the establishment, exercise or defence of legal claims.
Transparency
Personal data must be processed lawfully, fairly and in a transparent manner. Regarding the processing of personal data, controllers are obliged to provide certain information to data subjects. Such information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
Purpose limitation
Personal data may only be collected for specified, explicit and legitimate purposes and must not be further processed in a manner that is incompatible with those purposes.
Data minimisation
The processing of personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which those data are processed.
Accuracy
Personal data must be accurate and, where necessary, kept up to date.
Storage limitation
Personal data must be stored in a form that permits identification of data subjects for no longer than it is necessary for the purposes for which the personal data was initially collected.
Integrity and confidentiality
Personal data must be processed in a manner that ensures appropriate security of those data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Accountability
The controller is responsible for processing of data in accordance with the GDPR. In particular, the controller is obliged to implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in compliance with the GDPR.
What is the supervisory authority / regulator in charge of data protection?
Autorité de protection des données (APD) / Gegevensbeschermingsautoriteit (GBA)
Is there a requirement to register with a supervisory authority / regulator?
Prior registration formalities with the APD/GBA are not required.
Is there a requirement to notify the supervisory authority / regulator?
See below in the event of a data breach.
Is it possible to register with / notify the supervisory authority / regulator online?
Yes, in the case of a prior consultation of the APD/GBA for a DPIA and in the case of a data breach (see below).
What are the key data subject rights under the data protection laws of this jurisdiction?
Right to information
Pursuant to Articles 13 and 14 GDPR, data subjects have the right to be provided with information on the identity of the controller, the reasons for processing their personal data and other relevant information necessary to ensure the fair and transparent processing of personal data.
Right of access
A data subject has the right to obtain from a controller certain information in respect of the data subject’s personal data as listed in Article 15 GDPR.
Additionally, the data subject may request a copy of the personal data being processed.
Right to rectification of errors
Pursuant to Article 16 GDPR, data subjects have the right to rectification of inaccurate personal data.
Right to deletion/right to be forgotten
Data subjects have the right to erasure of their personal data (the “right to be forgotten”) if one of the grounds listed in Article 17 GDPR applies.
Right to restriction of processing
Data subjects have the right to request restriction of the processing of personal data, which means that the data may only be processed for limited purposes as defined in Article 18 GDPR.
Right to data portability
Data subjects have a right to receive a copy of their personal data in a commonly used machine-readable format, and transfer their personal data from one controller to another or have the data transmitted directly between controllers (Article 20 GDPR).
Right to object to processing
Data subjects have the right to object, on grounds relating to their particular situation, to the processing of personal data where the basis for that processing is either public interest (Article 6 para 1(e) GDPR) or legitimate interest of the controller (Article 6 para 1(f) GDPR). The controller must cease such processing unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the relevant data subject or requires the data in order to establish, exercise or defend legal rights.
Data subjects have the right to object to the processing of personal data for marketing purposes, including profiling.
Right to withdraw consent
A data subject has the right to withdraw their consent at any time (Article 7 para 3 GDPR). The withdrawal of consent does not affect the lawfulness of processing based on consent before the withdrawal.
Right to complain to the relevant data protection authority(ies)
Data subjects have the right to lodge complaints concerning the processing of their personal data with the competent data protection authority.
Right not to be subject to automated individual decision-making
Under certain circumstances, data subjects have the right not to be subject to a decision based solely on automated processing of data (including profiling), which produces legal effects or similarly significant effects for the data subject (Article 22 GDPR).
This is a summary only and there are some qualifications and limitations to these rights which may be relevant.
Is there a requirement to appoint a data protection officer (or equivalent)?
Article 37 GDPR requires that a DPO be appointed in the following situations:
- The data processing is carried out by a public authority or public body regardless of the data they process, with the exception of courts acting in their judicial capacity (Article 37(1)(a));
- The basic activities of the controller or processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic large-scale monitoring of the data subjects (Article 37(1)(b));
- The basic activities of the controller or processor consist of large-scale processing of special categories of data referred to in Article 9 and of personal data relating to criminal convictions and offences referred to in Article 10 (Article 37(1)(c)).
This applies to both controllers and processors. Organisations that are not required to appoint a DPO may do so voluntarily. In making a voluntary appointment, organisations should be aware that the same requirements of the position and tasks apply as if the appointment had been mandatory.
The DPO must have expert knowledge of data protection law and practices, be independent and report to the highest management level.
Do data protection/ privacy impact assessments need to be carried out in certain circumstances?
Under Article 35 GDPR, a DPIA must be carried out where the processing is likely to result in a high risk to the rights and freedoms of natural persons.
In any event a DPIA is required in three circumstances:
- the processing involves an evaluation of personal aspects (profiling);
- large-scale processing of special categories of data (art. 9 and 10 GDPR);
- systematic large-scale monitoring of a publicly accessible area.
The APD/GBA has published a list of processing activities requiring a DPIA, and a working group of the European Commission has published a list of criteria for evaluating whether a DPIA is necessary.
If a high residual risk is identified, the APD/GBA must be consulted online, with the required form filled out in one of the three national languages.
Does this jurisdiction have any specific data breach notification requirements?
In the event of a data breach, the APD/GBA must be notified as soon as possible, and at the latest within 72 hours of becoming aware of the breach, through an electronic form. The form must be completed in one of the three national languages and is available at https://www.autoriteprotectiondonnees.be/professionnel/actions/fuites-de-donnees-personnelles.
What restrictions apply to the international transfer of personal data / information?
International data transfer within the EU from Belgium is allowed without any specific requirement if the GDPR principles are respected.
International data transfer from the EU to an EEA country (Norway, Liechtenstein, Iceland) is allowed, as these countries are deemed to have an equivalent level of protection of personal data.
International data transfer from Belgium to third countries is subject to an assessment that the level of protection of personal data is equivalent to that of the EU. The European Commission has adopted adequacy decisions for the following countries and organisations:
- Andorra;
- Argentina;
- Canada (for processing subject to the Canadian Personal Information Protection and Electronic Documents Act);
- the Faroe Islands;
- Guernsey;
- Israel;
- Isle of Man;
- Jersey;
- New Zealand;
- Switzerland;
- Uruguay;
- Japan;
- United Kingdom;
- South Korea;
- the United States (see the ‘EU-U.S. Data Privacy Framework’ adequacy decision; only for transfers to organisations on the Data Privacy Framework list);
- the European Patent Organisation.
If the destination country does not enjoy an adequacy decision, the transfer can be allowed if it is based on appropriate safeguards, those being:
- standard contractual clauses established by the EC (SCCs). The SCCs, which took effect from 27 July 2021, are available for the following transfers:
- Module 1: controller to controller
- Module 2: controller to processor
- Module 3: processor to processor
- Module 4: processor to controller
- approved codes of conduct and certification, accompanied by binding and enforceable commitments from the party in the third country to apply the appropriate safeguards.
- a transfer based on binding corporate rules, which are global privacy policies that apply within organizations for the transfer of personal data to countries without an adequate level of protection (third countries) worldwide.
- certification mechanisms.
It is also possible under the GDPR (Art. 49) to allow transfer to a third country under one of the following conditions:
- the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
- the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
- the transfer is necessary for important reasons of public interest;
- the transfer is necessary for the establishment, exercise or defence of legal claims;
- the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;
- the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case.
Please note that, in any event, if no adequacy decision has been granted to the third country, it is essential to carry out a Transfer Impact Assessment and to take supplementary measures.
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?
Yes, the law of 30 July 2018 on the protection of individuals with regard to the processing of personal data specifies that it applies to the processing of personal data carried out in the context of the activities of an establishment of a controller or processor on Belgian territory, whether or not the processing takes place on Belgian territory.
What rules specifically deal with marketing?
The general rules of the GDPR apply to direct marketing.
The APD/GBA has published specific recommendations on direct marketing.
Do different rules apply to business-to-business and business-to-consumer marketing?
No, when the marketing is directed to a natural person acting in a professional capacity.
Marketing directed to a legal entity itself, rather than to a specific employee of the target company, falls outside these rules.
What rules specifically deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?
All applicable rules of the GDPR apply to electronic marketing.
What rules specifically deal with cookies?
Applicable law:
- Law of 13 June 2005 on electronic communication;
- Directive 2002/58/EC art. 5.3.
Cookies allowed without consent:
- Strictly necessary functional cookies, which are strictly necessary to provide a service that a visitor/customer has expressly requested (such as for temporary storage of choice of language, cookie preferences or shopping basket contents, or to guarantee the security of a banking application).
- Strictly necessary technical cookies, which are strictly necessary for sending a message via an electronic communication network (such as session cookies for load balancing, in which the cookie used assigns a label to the traffic, on the basis of which an optimal load is sought).
For other cookies, consent of the user needs to be obtained, which needs to meet the requirement of a ‘valid consent’, that is:
- Prior to the installing of the cookie;
- Unambiguous and active;
- Informed;
- Free to accept or refuse;
- Specific;
- Retractable.
A cookie may be stored on the user's computer only for as long as is strictly necessary to accomplish its purpose.
Cookie walls are strictly prohibited.
What are the consequences of non-compliance with data protection laws (including marketing laws)?
There are two categories of breaches of the GDPR, each with a corresponding maximum fine:
- If a controller fails to fulfil one of its obligations, a fine of up to EUR 10 million or, if higher, 2% of the worldwide annual turnover can be imposed on the company.
- If a controller violates the principles or foundations of the GDPR or the privacy rights of data subjects, a fine of up to EUR 20 million or, if higher, 4% of the worldwide annual turnover can be imposed on the company.
Furthermore, the APD/GBA can:
- impose that a penalty must be paid if the violation has not stopped after a certain period of time;
- determine that (certain categories of) personal data may not be processed;
- impose a reprimand if that is more appropriate than an administrative fine;
- issue a formal warning about an intended processing.
In broad terms, what key factors should multinational organisations be aware of if they process personal data / information from individuals within this jurisdiction without being located there?
The GDPR has a very wide territorial scope.
Controllers and processors who are not established in the EEA are generally required under Article 27 GDPR to designate a representative in the EEA where their activities fall within the territorial scope of the EEA data protection regime under Article 3, specifically if they involve processing personal data of data subjects within the EEA in connection with the provision of goods or services, or the monitoring of the behaviour of data subjects located in the EEA.
What upcoming data protection developments should multinational organisations be aware of?
The EU is currently discussing the ePrivacy Regulation, which would repeal the current Privacy and Electronic Communications Directive (Directive 2002/58/EC). However, as of today the Commission's work programme seems to indicate that, in the absence of a foreseeable agreement on the matter and given that the proposal is outdated, the proposal will be withdrawn.