Last updated September 2016
General | Data Protection Laws
General data protection laws
The law of 8 December 1992 on privacy protection in relation to the processing of personal data (the “DPA”) was modified by the law of 11 December 1998 to implement the Data Protection Directive.
The DPA has been amended on a number of occasions, most recently by the law of 27 April 2016 regarding complementary measures in the fight against terrorism. The most significant amendments took place under the law of 26 February 2003 regarding the status and competence of the national regulatory authority.
Entry into force
The DPA entered into force on 1 September 2001 further to an implementing Royal Decree of 13 February 2001 (the “Decree”).
Details of the competent national regulatory authority
Commission for the Protection of Privacy (the “Commission”)
Rue de la Presse 35
Notification or registration scheme and timing
The data controller must notify the Commission before the start of any wholly or partially automated processing operation. Such notification is a mere filing of information that can be made by electronic means. It costs EUR 25 online or EUR 125 if made by hard copy. The end of any processing must also be notified.
Notification is only required for automated processing (and not for manual files), with certain exemptions applicable under strict conditions (e.g. payroll and personnel administration, accounting and client/supplier administration).
Appointment of a data protection officer
There is no legal requirement to appoint a data protection officer.
The definition of personal data in the DPA closely follows the standard definition of personal data.
However, Belgium has widened its interpretation of the concept of personal data by limiting the circumstances in which personal data can be considered anonymised. Indeed, as soon as a data subject can directly or indirectly be identified on the basis of a set of data, this data will be considered as personal data. This is true even if the person with the means to identify the individual behind the data is not the data controller.
Is information about legal entities personal data?
No. The concept of personal data only applies to individuals, including representatives of legal entities, as opposed to the legal entities themselves.
What are the rules for processing personal data?
Personal data may be processed if the standard conditions for processing personal data are met. Furthermore, Belgian law specifies that the processing may be carried out with the unambiguous consent of the data subject.
In practice, the legitimate interest condition is frequently relied upon as a ground for processing non-sensitive personal data. However, the Commission insists that obtaining consent is best practice and the legitimate interest condition is a residual ground for processing.
The DPA contains exemptions for certain types of processing. For example, processing for domestic purposes is exempt from the provisions of the DPA.
Are there any formalities to obtain consent to process personal data?
Except with respect to the processing of sensitive personal data (see below), the DPA does not impose any formalities to obtain consent to process personal data. Such consent may be express or implied, written or oral. However, express and written consent is recommended, for evidential purposes, as the DPA requires consent to be unambiguous. In addition, the DPA requires that consent be freely given, specific and informed.
As regards the processing of employees’ personal data, the Commission recommends that such processing should be based on legal grounds other than consent since obtaining valid consent from employees may be questionable given their subordinate relationship to their employer. To the extent that such processing would still be consent based, the Commission recommends that one should obtain both individual consent, from the employee, and collective consent, through employee representative bodies such as the works council.
What is sensitive personal data?
Under the DPA, sensitive personal data is defined by reference to the standard types of sensitive personal data. In addition, data of a judicial nature such as information about criminal offences or criminal proceedings (including suspicions of such) is treated as sensitive personal data.
Are there additional rules for processing sensitive personal data?
Standard types of sensitive personal data may only be processed if the standard conditions for processing sensitive personal data are met. Consent is not a justification for processing personal data of a judicial nature.
In addition, for the processing of sensitive personal data, the data controller must ensure that the persons having access to such data will comply with the obligation of confidentiality in relation to such data by means of legal or contractual provisions. The data controller must keep a list at the disposal of the Commission with the categories of persons having access to such data and a precise description of their roles in relation to the data.
Are there any formalities to obtain consent to process sensitive personal data?
Consent from a data subject to process standard types of sensitive personal data must be in writing.
What is the territorial scope of application?
The DPA applies the standard territorial test.
Who is subject to data protection legislation?
The DPA primarily applies to data controllers, with limited obligations imposed on data processors.
Are both manual and electronic records subject to data protection legislation?
The DPA applies to the processing of personal data carried out, in whole or in part, by automatic means as well as the processing of personal data other than by automatic means which forms part of a filing system (i.e. any structured set of personal data that is accessible according to specific criteria, whether centralised, decentralised or allocated on a functional or geographical basis).
Data subjects have a right to compensation by the data controller if they suffer damage. Such right is based on general Belgian liability law.
Fair processing information
A data controller must provide fair processing information to data subjects, including the recipients or categories of recipients of the data. In practice, such information is preferably provided in writing to the data subjects but this is not mandatory.
There is no obligation in the DPA to provide this information in any of the national languages of Belgium; however, it may be difficult to show that the information has been fairly provided if it is not in a language the data subject is familiar with. In addition, specific rules regarding the use of languages in Belgium must be taken into account, including those applicable in the context of an employment relationship and in relation to consumers.
Rights to access information
Upon request, the data controller must provide the subject access information to the data subject, free of charge.
Objection to direct marketing
If the data is to be used for direct marketing purposes, the data subject also has the right to object, free of charge, to such processing and the data controller must inform the data subjects of their right to object. To exercise such right, the data subject must send a dated and signed request to the data controller, who must confirm the amendment or deletion within one month to the data subject and, where possible, the third parties to whom the incorrect data was communicated.
The data subject has the right to have inaccurate data corrected or deleted.
In certain cases, the data subject may object to decisions being made about him/her based solely on automatic processing.
Security requirements in order to protect personal data
The data controller must comply with the general data security obligations and must also: (i) secure access to the data; (ii) inform its personnel about their obligations under the DPA; and (iii) ascertain that no unlawful use is made of the software programs used for the automatic processing of personal data.
Specific rules governing processing by third party agents (processors)
The DPA requires that if the processing is carried out by a data processor, the data controller must conclude an agreement with the data processor containing the standard processor obligations as well as the allocation of liability between the data processor and the data controller. The obligations of this agreement must be set out in writing, either in hard copy or in an electronic format.
Notice of breach laws
The DPA does not contain any obligation to inform the Commission or data subjects of a security breach. However, data controllers in certain sectors may be required to inform sector regulators of particular types of breach.
A specific notice of breach obligation now applies to the electronic communications sector as a result of the implementation into national law of the amendments to the Privacy and Electronic Communications Directive made by the Citizens’ Rights Directive. The law was amended in April 2014 to replace the regulator to be notified, from the telecom regulator (the Institute for Postal Services and Telecommunications) to the Commission.
The DPA contains a restriction on transborder dataflows. Transfers can take place if the data controller satisfies the standard conditions for transborder dataflow. Furthermore, the DPA states that permission for transfer to countries that do not guarantee an adequate level of protection may be granted by Royal Decree subject to adequate safeguards, including contractual guarantees.
Notification and approval of national regulator (including notification of use of Model Contracts)
Further to a protocol concluded on 25 June 2013 between the Commission and the Ministry of Justice, data transfer contracts should be submitted to the Commission for advice.
If they conform to the Model Contracts, they will be approved without the need for a Royal Decree. If there are differences (e.g. in the case of ad hoc clauses), a Royal Decree is required which should be issued following positive advice from the Commission.
Use of binding corporate rules
The Commission has approved the use of binding corporate rules in Belgium. Such binding corporate rules must be ratified by an individual Royal Decree (issued by the Ministry of Justice after advice from the Commission) in accordance with a protocol concluded between the Commission and the Ministry of Justice on 13 July 2011.
The DPA provides for criminal sanctions for most provisions, including the duty to inform the data subject and the duty to file a prior notification. Penalties range from EUR 600 to EUR 600,000 and include, in specific cases, imprisonment of up to two years. The publication of the judgment may also be ordered, together with other measures that may constitute a serious threat to the data controller, such as confiscation of the support media, an order to erase the data, and/or a prohibition on using the personal data for up to two years.
In 2015, 4,192 new files were opened, compared to 3,532 files opened in 2013 and 3,826 in 2014.
Amongst these files, 3,561 consisted of requests for information from the public and private sectors as well as data subjects, 347 requests for mediation (compared to 413 in 2014) and 284 control files (i.e. mainly files where the Commission is requested to exercise a right of indirect access when the direct access by the data subject is not allowed). In 64.4% of the mediation requests, compared to 30.23% of the control files regarding indirect access, the Commission found a violation of the law on data protection. The issue of surveillance cameras is the most recurrent topic in the three types of files.
In relation to the number of prosecutions last year, no information about individual complaints is available once the files are closed by the Commission.
The Commission’s mission is, amongst other things, to monitor overall compliance with the DPA. To this end, the Commission has a general power of investigation with respect to any type of processing of personal data and may file a criminal complaint with the Public Prosecutor. The Commission may also institute a civil action before the President of the Court of First Instance. However, the Commission cannot impose fines upon individuals or organisations.
ePrivacy | Marketing and cookies
As in most other Member States, the law does not specify how consent from users should be obtained. This matter has to be clarified through regulatory guidance. The Commission reviewing the draft bill opined that consent may not be obtained through current browser settings.
Conditions for direct marketing by e-mail to individual subscribers
The CEL prohibits the use of e-mails for advertising purposes without prior, free, specific and informed consent of the addressees. Such consent can be revoked at any time, without any justification or any cost for the addressee.
Conditions for direct marketing by e-mail to corporate subscribers
The sending of direct marketing e-mails does not require consent if they are sent to a legal entity using “impersonal” electronic contact details (e.g. email@example.com). The use of addresses such as firstname.lastname@example.org, however, remains subject to the requirement for prior consent.
Exemptions and other issues
It is permitted to send e-mail for the purposes of direct marketing if the similar products and services exemption applies. The CEL also prohibits direct marketing e-mails from being sent if: (i) the identity of the sender is disguised or concealed; or (ii) an opt-out address is not provided. The sender must also include the eCommerce information.
Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)
Marketing calls to individual subscribers are prohibited in relation to subscribers who object to such marketing calls.
The CEL created an obligation on network operators to enable subscribers to exercise their opt-out right, free of charge. The CEL requires the setting up of a file in which every opt-out request by the subscribers is registered. The operator must give access to this file to the persons involved in direct marketing activities. Such an opt-out list has been put in place on behalf of the industry by the Belgian Direct Marketing Association (the “BDMA”).
By signing the so-called “Ne m’appelez plus/Bel me niet meer” list, subscribers indicate that they no longer wish to receive direct marketing by phone. Phone calls for direct marketing purposes to a phone number which is listed in the “Ne m’appelez plus/Bel me niet meer” list are prohibited.
The BDMA has also put in place another opt-out list which is not set forth in the law. The so-called “Robinson list” follows the same principles but covers marketing by mail. BDMA members undertake not to use these subscribers' addresses for marketing purposes.
Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)
Non-automated marketing calls to corporate subscribers are prohibited in relation to subscribers who object to such marketing calls.
Exemptions and other issues
No exemptions apply.
Conditions for direct marketing by fax to individual subscribers
It is not permitted to send direct marketing faxes to individual subscribers without their prior, free, specific and informed consent.
Conditions for direct marketing by fax to corporate subscribers
Direct marketing faxes to corporate subscribers are prohibited without their prior, free, specific and informed consent.
Exemptions and other issues
No exemptions apply.