Belgium 

General | Data Protection Laws

____________________________________________________________

National Legislation

    General data protection laws

The law of 8 December 1992 on privacy protection in relation to the processing of personal data (the “DPA”) was modified by the law of 11 December 1998 to implement the Data Protection Directive.

The DPA has been amended on a number of occasions, most recently by the law of 27 April 2016 regarding complementary measures in the fight against terrorism. The most significant amendments took place under the law of 26 February 2003 regarding the status and competence of the national regulatory authority.

    Entry into force

    The DPA entered into force on 1 September 2001 further to an implementing Royal Decree of 13 February 2001 (the “Decree”).

    _____________________________________________________________________

    National Regulatory Authority

Details of the competent national regulatory authority 

Commission for the Protection of Privacy (the “Commission”)
Rue de la Presse 35
1000 Brussels
Belgium

www.privacycommission.be

Notification or registration scheme and timing

    The data controller must notify the Commission before the start of any wholly or partially automated processing operation. Such notification is a mere filing of information that can be made by electronic means. It costs EUR 25 online or EUR 125 if made by hard copy. The end of any processing must also be notified.

    Exemptions

    Notification is only required for automated processing (and not for manual files), with certain exemptions applicable under strict conditions (e.g. payroll and personnel administration, accounting and client/supplier administration).

    Appointment of a data protection officer

    There is no legal requirement to appoint a data protection officer.

    _____________________________________________________________________

    Personal Data

    What is personal data? 

The definition of personal data in the DPA closely follows the standard definition of personal data.

However, Belgium has widened its interpretation of the concept of personal data by limiting the circumstances in which personal data can be considered anonymised. Indeed, as soon as a data subject can directly or indirectly be identified on the basis of a set of data, this data will be considered as personal data. This is true even if the person with the means to identify the individual behind the data is not the data controller.

Is information about legal entities personal data?

No. The concept of personal data only applies to individuals, including representatives of legal entities, as opposed to the legal entities themselves.

What are the rules for processing personal data? 

    Personal data may be processed if the standard conditions for processing personal data are met. Furthermore, Belgian law specifies that the processing may be carried out with the unambiguous consent of the data subject.

    In practice, the legitimate interest condition is frequently relied upon as a ground for processing non-sensitive personal data. However, the Commission insists that obtaining consent is best practice and the legitimate interest condition is a residual ground for processing.

    The DPA contains exemptions for certain types of processing. For example, processing for domestic purposes is exempt from the provisions of the DPA.

    Are there any formalities to obtain consent to process personal data?

    Except with respect to the processing of sensitive personal data (see below), the DPA does not impose any formalities to obtain consent to process personal data. Such consent may be express or implied, written or oral. However, express and written consent is recommended, for evidential purposes, as the DPA requires consent to be unambiguous. In addition, the DPA requires that consent be freely given, specific and informed.

    As regards the processing of employees’ personal data, the Commission recommends that such processing should be based on legal grounds other than consent since obtaining valid consent from employees may be questionable given their subordinate relationship to their employer. To the extent that such processing would still be consent based, the Commission recommends that one should obtain both individual consent, from the employee, and collective consent, through employee representative bodies such as the works council.

    _____________________________________________________________________

    Sensitive Personal Data

    What is sensitive personal data?

Under the DPA, sensitive personal data is defined by reference to the standard types of sensitive personal data. In addition, data of a judicial nature such as information about criminal offences or criminal proceedings (including suspicions of such) is treated as sensitive personal data.

    Are there additional rules for processing sensitive personal data?

    Standard types of sensitive personal data may only be processed if the standard conditions for processing sensitive personal data are met. Consent is not a justification for processing personal data of a judicial nature.

    In addition, for the processing of sensitive personal data, the data controller must ensure that the persons having access to such data will comply with the obligation of confidentiality in relation to such data by means of legal or contractual provisions. The data controller must keep a list at the disposal of the Commission with the categories of persons having access to such data and a precise description of their roles in relation to the data.

    Are there any formalities to obtain consent to process sensitive personal data?

    Consent from a data subject to process standard types of sensitive personal data must be in writing.

    _____________________________________________________________________

Scope of Application 

    What is the territorial scope of application?

The DPA applies the standard territorial test.

Who is subject to data protection legislation?

The DPA primarily applies to data controllers, with limited obligations imposed on data processors.

Are both manual and electronic records subject to data protection legislation?

The DPA applies to the processing of personal data carried out, in whole or in part, by automatic means as well as the processing of personal data other than by automatic means which forms part of a filing system (i.e. any structured set of personal data that is accessible according to specific criteria, whether centralised, decentralised or allocated on a functional or geographical basis). 

Compensation

Data subjects have a right to compensation by the data controller if they suffer damage. Such right is based on general Belgian liability law.

Fair processing information

A data controller must provide fair processing information to data subjects, including the recipients or categories of recipients of the data. In practice, such information is preferably provided in writing to the data subjects but this is not mandatory.

There is no obligation in the DPA to provide this information in any of the national languages of Belgium; however, it may be difficult to show that the information has been fairly provided if it is not in a language the data subject is familiar with. In addition, specific rules regarding the use of languages in Belgium must be taken into account, including those applicable in the context of an employment relationship and in relation to consumers.

Rights to access information

Upon request, the data controller must provide the subject access information to the data subject, free of charge.

Objection to direct marketing

If the data is to be used for direct marketing purposes, the data subject also has the right to object, free of charge, to such processing and the data controller must inform the data subjects of their right to object. To exercise such right, the data subject must send a dated and signed request to the data controller, who must confirm the amendment or deletion within one month to the data subject and, where possible, the third parties to whom the incorrect data was communicated.

Other rights

The data subject has the right to have inaccurate data corrected or deleted.

In certain cases, the data subject may object to decisions being made about him/her based solely on automatic processing.

    _____________________________________________________________________

Security requirements in order to protect personal data

The data controller must comply with the general data security obligations and must also: (i) secure access to the data; (ii) inform its personnel about their obligations under the DPA; and (iii) ascertain that no unlawful use is made of the software programs used for the automatic processing of personal data.

Specific rules governing processing by third party agents (processors)

The DPA requires that if the processing is carried out by a data processor, the data controller must conclude an agreement with the data processor containing the standard processor obligations as well as the allocation of liability between the data processor and the data controller. The obligations of this agreement must be set out in writing, either in hard copy or in an electronic format.

Notice of breach laws

The DPA does not contain any obligation to inform the Commission or data subjects of a security breach. However, data controllers in certain sectors may be required to inform sector regulators of particular types of breach.

A specific notice of breach obligation now applies to the electronic communications sector as a result of the implementation into national law of the amendments to the Privacy and Electronic Communications Directive made by the Citizens’ Rights Directive. The law was amended in April 2014 to replace the regulator to be notified, from the telecom regulator (the Institute for Postal Services and Telecommunications) to the Commission.

_____________________________________________________________________

The DPA contains a restriction on transborder dataflows. Transfers can take place if the data controller satisfies the standard conditions for transborder dataflow. Furthermore, the DPA states that permission for transfer to countries that do not guarantee an adequate level of protection may be granted by Royal Decree subject to adequate safeguards, including contractual guarantees.

Notification and approval of national regulator (including notification of use of Model Contracts)

Further to a protocol concluded on 25 June 2013 between the Commission and the Ministry of Justice, data transfer contracts should be submitted to the Commission for advice.

If they conform to the Model Contracts, they will be approved without the need for a Royal Decree. If there are differences (e.g. in the case of ad hoc clauses), a Royal Decree is required which should be issued following positive advice from the Commission.

Use of binding corporate rules

The Commission has approved the use of binding corporate rules in Belgium. Such binding corporate rules must be ratified by an individual Royal Decree (issued by the Ministry of Justice after advice from the Commission) in accordance with a protocol concluded between the Commission and the Ministry of Justice on 13 July 2011.

_____________________________________________________________________

    Enforcement

    Sanctions

    The DPA provides for criminal sanctions for most provisions, including the duty to inform the data subject and the duty to file a prior notification. Penalties range from EUR 600 to EUR 600,000 and include, in specific cases, imprisonment of up to two years. The publication of the judgment may also be ordered, together with other measures that may constitute a serious threat to the data controller, such as confiscation of the support media, an order to erase the data, and/or a prohibition on using the personal data for up to two years.

Practice

In 2015, 4,192 new files were opened, compared to 3,532 files opened in 2013 and 3,826 in 2014.

Amongst these files, 3,561 consisted of requests for information from the public and private sectors as well as data subjects, 347 requests for mediation (compared to 413 in 2014) and 284 control files (i.e. mainly files where the Commission is requested to exercise a right of indirect access when the direct access by the data subject is not allowed). In 64.4% of the mediation requests, compared to 30.23% of the control files regarding indirect access, the Commission found a violation of the law on data protection. The issue of surveillance cameras is the most recurrent topic in the three types of files.

An example of enforcement is the civil action that the Commission initiated against Facebook regarding its terms of use which entered into force on 30 January 2015. The Commission considered, amongst other things, that these terms enabled Facebook to track both users and non-users of Facebook without obtaining proper consent from the latter. In a judgment of 9 November 2015, the President of the Court of First Instance of Brussels in summary proceedings ordered Facebook Inc., Facebook Ireland Limited and Facebook Belgium SPRL to cease registering via cookies and social plug-ins which websites are visited by Belgian-based internet users who do not have a Facebook account. Non-compliance with the order was subject to a penalty of EUR 250,000 per day. Facebook lodged an appeal against the decision while accepting to comply with the ruling. In June 2016, the Court of Appeal of Brussels dismissed the case in summary proceedings stating that (i) the Belgian courts do not have international jurisdiction over Facebook Inc. and (ii) that there is no urgency to justify summary proceedings. The case is still pending before the courts on the merits.

In relation to the number of prosecutions last year, no information about individual complaints is available once the files are closed by the Commission.

Enforcement authority 

The Commission’s mission is, amongst other things, to monitor overall compliance with the DPA. To this end, the Commission has a general power of investigation with respect to any type of processing of personal data and may file a criminal complaint with the Public Prosecutor. The Commission may also institute a civil action before the President of the Court of First Instance. However, the Commission cannot impose fines upon individuals or organisations.

    _____________________________________________________________________

ePrivacy | Marketing and cookies

____________________________________________________________

    Cookies

    Conditions for use of cookies

    The cookie requirements in the Citizens’ Rights Directive have been implemented into Belgian law. It is only possible to use cookies if: (i) clear and specific information has been provided to the individual regarding the purposes of the data processing and their rights, all in accordance with the general requirements of the DPA; and (ii) the individual provides consent after receiving this information. These restrictions do not apply to cookies that are strictly necessary for a service requested by an individual. Finally, users must be allowed to withdraw their consent free of charge.

    Regulatory guidance on the use of cookies

    As in most other Member States, the law does not specify how consent from users should be obtained. This matter has to be clarified through regulatory guidance. The Commission reviewing the draft bill opined that consent may not be obtained through current browser settings.

    It also released a recommendation in February 2015 which provides detailed guidance regarding the use of cookies, including the way to obtain valid consent. This requires an affirmative action by the user who must have a chance to review the cookie policy beforehand. This policy must detail each category of cookies with their purposes, the categories of information stored, the retention period, how to delete them and any disclosures of information to third parties.

    _____________________________________________________________________

    Marketing by E-mail

    Conditions for direct marketing by e-mail to individual subscribers

The CEL prohibits the use of e-mails for advertising purposes without prior, free, specific and informed consent of the addressees. Such consent can be revoked at any time, without any justification or any cost for the addressee.

Conditions for direct marketing by e-mail to corporate subscribers

The sending of direct marketing e-mails does not require consent if they are sent to a legal entity using “impersonal” electronic contact details (e.g. info@company.be). The use of addresses such as john.smith@company.be, however, remains subject to the requirement for prior consent.

Exemptions and other issues

It is permitted to send e-mail for the purposes of direct marketing if the similar products and services exemption applies. The CEL also prohibits direct marketing e-mails from being sent if: (i) the identity of the sender is disguised or concealed; or (ii) an opt-out address is not provided. The sender must also include the eCommerce information.

    _____________________________________________________________________

    Marketing by Telephone

    Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)

Marketing calls to individual subscribers are prohibited in relation to subscribers who object to such marketing calls.

The CEL created an obligation on network operators to enable subscribers to exercise their opt-out right, free of charge. The CEL requires the setting up of a file in which every opt-out request by the subscribers is registered. The operator must give access to this file to the persons involved in direct marketing activities. Such an opt-out list has been put in place on behalf of the industry by the Belgian Direct Marketing Association (the “BDMA”).

By signing the so-called “Ne m’appelez plus/Bel me niet meer” list, subscribers indicate that they no longer wish to receive direct marketing by phone. Phone calls for direct marketing purposes to a phone number which is listed in the “Ne m’appelez plus/Bel me niet meer” list are prohibited.

The BDMA has also put in place another opt-out list which is not set forth in the law. The so-called “Robinson list” follows the same principles but covers marketing by mail. BDMA members undertake not to use these subscribers' addresses for marketing purposes.

Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)

Non-automated marketing calls to corporate subscribers are prohibited in relation to subscribers who object to such marketing calls.

Exemptions and other issues

No exemptions apply.

    _____________________________________________________________________

    Marketing by Fax

    Conditions for direct marketing by fax to individual subscribers

It is not permitted to send direct marketing faxes to individual subscribers without their prior, free, specific and informed consent.

Conditions for direct marketing by fax to corporate subscribers

Direct marketing faxes to corporate subscribers are prohibited without their prior, free, specific and informed consent.

Exemptions and other issues

No exemptions apply.

 

 

Contact Details

Tanguy Van Overstraeten

Linklaters LLP

Tel: +(32) 2 501 94 05
Fax: +(32) 2 501 91 94
rue Brederode 13, 1000 Brussels, Belgium
www.linklaters.be

 
