Law: Act of 3 December 2017 Establishing the Data Protection Authority, Act of 30 July 2018 on the Protection of Natural Persons with Regard to the Processing of Personal Data ('the Act'), and the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR')
Regulator: Data Protection Authority ('Belgian DPA')
Summary: Belgium implemented the GDPR in 2018 through the Act, and derogated from the GDPR by creating exceptions to data subject rights for purposes such as scientific or historical research and in setting the age of consent for children's data to 13 years of age. The Act designates the previously established Belgian DPA as the supervisory authority. The Belgian DPA often releases guidance in both Dutch and French, and sometimes German, addressing key concerns such as data protection officer appointments, Data Protection Impact Assessments, and Binding Corporate Rules ('BCRs'). The Belgian DPA is particularly active in issuing opinions and enforcement decisions, which often concern, among other things, organisations' responses to data subject access requests and unlawful use of video surveillance.