October 2023

1. Governing Texts

The Act of July 30, 2018 on the Protection of Natural Persons with Regard to the Processing of Personal Data ('the Act') applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in Belgium, regardless of whether the processing takes place in Belgium or not. However, where a controller is established in an EU Member State and uses a processor established in Belgium, the law of the Member State in question shall apply to the processor insofar as the processing takes place on the territory of that Member State.

It should also be noted that the Act grants the data subject and the Data Protection Authority ('Belgian DPA') the right to obtain a cease and desist order against a company infringing the data protection laws. The order can be issued under forfeiture of a penalty. In addition, class action-type proceedings may be available.

Finally, Title 3 of the Act specifically addresses the processing of personal data by other authorities such as intelligence and security services and the armed forces, processing in the context of classification, and security clearances, security certificates, and security advice, processing by the coordination body for threat analysis and the processing of passenger data.

1.1. Key acts, regulations, directives, bills

The Act incorporates elements of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') that allow for Member State specifications or restrictions. The Act and the GDPR are the principal data protection laws in Belgium.

While not covered in this Guidance Note, it should be mentioned that the Act also transposes the Data Protection Directive with Respect to Law Enforcement (Directive (EU) 2016/680) which regulates the processing of personal data by law enforcement, and establishes the Police Information Supervisory Body.

The Act repeals the Act of December 8, 1992 on the Protection of Privacy in Relation to the Processing of Personal Data, the Royal Decree of February 13, 2001, implementing the Act of December 8, 1992 on the Protection of Privacy in Relation to the Processing of Personal Data, the Royal Decree of December 17, 2003, regarding Certain Sectoral Committees within the Privacy Commission (available in Dutch here and French here), and Article 15(3) of the Act of December 25, 2016, regarding the Processing of Passenger Data (available in Dutch here and French here).

1.2. Guidelines

The Belgian DPA publishes news, and guidance for professionals and citizens including guidelines that address frequently asked questions on specific contexts or themes, formal advice, and recommendations, and decisions of its Litigation Chamber.

Some of the relevant guidelines include:

• Recommendation on the Processing of Biometric Data (available in Dutch here and French here);
• Recommendation on the Processing of Personal Data for Direct Marketing (available in Dutch here and French here);
• Recommendation on data sanitisation and data medium destruction techniques;
• Guidance on the Processing of Personal Data in the Context of Combatting COVID-19 (available in Dutch here and French here);
• Guidance on the Use of CCTV (available in Dutch here and French here);
• Guidance on HR-related Processing of Personal Data (only available in Dutch here and French here);
• Guidance on Cookies and Other Tracking Mechanisms (available in Dutch here and French here);
• Toolbox for Controllers and Processors (available in Dutch here and French here);
• Prior consultation form for DPIAs (available to download in Dutch here and French here) ('DPIA Prior Consultation Form'); and
• Guidance on DPIA (available in Dutch here and French here) ('DPIA Guidance');
• Portal for Guidance on DPOs (available in Dutch here and in French here); and
• Guidance on International Data Transfers (available in Dutch here and French here).

In January 2020, the Belgian DPA presented its strategic plan 2020-2025, a summary of which is available in Dutch here and French here, in which it expressed its ambition to lead citizens, businesses, associations, and governments to a digital world where privacy is a reality for everyone.

The Belgian DPA has the following six strategic objectives:

• improved data protection through awareness raising:
• enhanced data protection through enforcement;
• improved data protection by identifying and addressing evolutions in the field of privacy and data protection;
• improved data protection through collaboration with other agencies;
• enhanced data protection with the Belgian DPA as leader and reference center; and
• enhanced data protection with the Belgian DPA as an efficient supervisor.

Furthermore, the Belgian DPA has set priorities in three categories:

• sectors;
• GDPR instruments; and
• social topics.

Sectors

The first category refers to five priorities specific to a particular sector:

• telecommunications and media;
• government;
• direct marketing;
• education; and
• SMEs.

GDPR instruments

The second category of strategic priorities contains three GDPR instruments that the Belgian DPA considers important building blocks for better protection of the privacy of the citizens:

• role of the data protection officer ('DPO');
• the legitimacy of the processing of personal data; and
• data subjects' rights (access, rectification, transfer, etc.).

Social topics

The third category includes topics that are high on the social agenda:

• pictures and CCTV;
• online data protection; and
• sensitive data.

1.3. Case law

In a landmark judgment issued on January 14, 2021, the Belgian Constitutional Court ('Court') confirmed that the exception in the Act that prevents administrative fines to be imposed on public authorities is based on an objective criterion and not without reasonable justification and that it can, thus, be maintained.

On January 12, 2023, the Court ruled that it is unconstitutional that third parties cannot appeal a decision of the Litigation Chamber of the Belgian DPA ('Litigation Chamber').  This verdict prompted a legislative initiative aimed at modifying Article 108 of the Act. This amendment will enable third parties to participate in proceedings before the Litigation Chamber and to file appeals with the Belgium Market Court. The proposal was been approved by the Belgian Chamber of Representatives and is expected to be published in the Belgian Official Gazette (available in Dutch and French here) in the near future. It is worth noting that, prior to such legislative change, the Court stated that third parties should be entitled to the right to appeal, which should be filed 30 days after becoming aware of the decision in question (which is, at the earliest, the day that such decision is published in the Official Gazette.

2. Scope of Application

2.1. Personal scope

The Act applies to both private and public controllers and processors.

Article 221 §2 of the Act explicitly excludes public authorities and their appointees or agents from the application of Article 83 of the GDPR, unless it concerns a legal person governed by public law offering goods or services on a market. As a result of this carve-out, they cannot be subject to administrative fines.

2.2. Territorial scope

The Act applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Belgian territory, regardless of whether the processing takes place in the Belgian territory or not.

However, whenever a data controller located in an EU Member State engages a data processor with an establishment in the Belgian territory, the law of the Member State in question applies insofar as the processing is carried out in the territory of the Member State.

Furthermore, the Act applies to the processing of personal data of data subjects who are in the Belgian territory by a controller or processor not established in the EU, where the processing activities are related to:

• the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Belgian territory; or
• the monitoring of their behavior as far as their behavior takes place within the Belgian territory.

Lastly, the Act applies to the processing of personal data by a data controller not established in the Belgian territory, but in a place where Belgian law applies by virtue of public international law.

2.3. Material scope

The act applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

3. Data Protection Authority | Regulatory Authority 

3.1. Main regulator for data protection

The Belgian DPA was established by the Act of December 3, 2017, Establishing the Data Protection Authority (as amended) (available in Dutch here and French here) ('the DPA Law') and replaced its predecessor, the Privacy Commission, on May 25, 2018.

3.2. Main powers, duties and responsibilities

The Belgian DPA is responsible for monitoring compliance with the basic principles of the protection of personal data in Belgium.

Its tasks are outlined in Article 57 of the GDPR:

• to monitor and enforce the application of the GDPR;
• to promote public awareness and understanding of the risks, rules, safeguards, and rights in relation to processing. Activities addressed specifically to children shall receive specific attention;
• to advise, in accordance with Belgian law, the Federal Parliament, the Belgian Federal Government ('Government'), and other institutions and bodies on legislative and administrative measures relating to the protection of natural persons' rights and freedoms with regard to processing;
• to promote the awareness of controllers and processors of their obligations under the GDPR;
• upon request, to provide information to any data subject concerning the exercise of their rights under the GDPR and, if appropriate, to cooperate with the supervisory authorities in the other Member States to that end;
• to handle complaints lodged by a data subject, body, organization, or association in accordance with Article 80 of the GDPR, and to investigate, to the extent appropriate, the subject matter of the complaint and to inform the complainant of the progress and the outcome of the investigation within a reasonable period, in particular, if further investigation or coordination with another supervisory authority is necessary;
• to cooperate with, including sharing information and providing mutual assistance to, other supervisory authorities with a view to ensuring the consistency of application and enforcement of the GDPR;
• to conduct investigations on the application of the GDPR, including on the basis of information received from another supervisory authority or other public authority;
• to monitor relevant developments, insofar as they have an impact on the protection of personal data, in particular, the development of information and communication technologies and commercial practices;
• to adopt standard contractual clauses referred to in Article 28(8) and Article 46(2)(d) of the GDPR;
• to establish and maintain a list in relation to the requirement for Data Protection Impact Assessments ('DPIAs') pursuant to Article 35(4) of the GDPR;
• to give advice on the processing operations referred to in Article 36(2) of the GDPR;
• to encourage the drawing up of codes of conduct pursuant to Article 40(1) of the GDPR and to provide an opinion and approve such codes of conduct which provide sufficient safeguards, pursuant to Article 40(5) of the GDPR;
• to encourage the establishment of data protection certification mechanisms and of data protection seals and marks pursuant to Article 42(1) of the GDPR, and to approve the criteria of certification pursuant to Article 42(5) of the GDPR;
• where applicable, to carry out a periodic review of certifications issued in accordance with Article 42(7) of the GDPR;
• to draft and publish the criteria for the accreditation of a body for monitoring codes of conduct pursuant to Article 41 of the GDPR and of a certification body pursuant to Article 43 of the GDPR;
• to conduct the accreditation of a body for monitoring codes of conduct pursuant to Article 41 of the GDPR and of a certification body pursuant to Article 43 of the GDPR;
• to authorize contractual clauses and provisions referred to in Article 46(3) of the GDPR;
• to approve Binding Corporate Rules ('BCRs') pursuant to Article 47 of the GDPR;
• to contribute to the activities of the European Data Protection Board ('EDPB');
• to keep internal records of infringements of the GDPR and of measures taken in accordance with Article 58(2) of the GDPR; and
• to fulfill any other tasks related to the protection of personal data.

Its investigative powers are outlined in Article 58(1) of the GDPR:

• to order the controller and the processor, and, where applicable, the controller's or the processor's representative to provide any information it requires for the performance of its tasks;
• to carry out investigations in the form of data protection audits;
• to carry out a review of certifications issued pursuant to Article 42(7) of the GDPR;
• to notify the controller or the processor of an alleged infringement of the GDPR;
• to obtain, from the controller and the processor, access to all personal data and to all information necessary for the performance of its tasks; and
• to obtain access to any premises of the controller and the processor, including to any data processing equipment and means, in accordance with EU or Member State procedural law.

Its corrective powers are outlined in Article 58(2) of the GDPR:

• to issue warnings to a controller or processor that intended processing operations that are likely to infringe provisions of the GDPR;
• to issue reprimands to a controller or a processor where processing operations have infringed provisions of the GDPR;
• to order the controller or the processor to comply with the data subject's requests to exercise his or her rights pursuant to the GDPR;
• to order the controller or processor to bring processing operations into compliance with the provisions of the GDPR, where appropriate, in a specified manner and within a specified period;
• to order the controller to communicate a personal data breach to the data subject;
• to impose a temporary or definitive limitation including a ban on processing;
• to order the rectification or erasure of personal data or restriction of processing pursuant to Articles 16, 17, and 18 of the GDPR and the notification of such actions to recipients to whom the personal data have been disclosed pursuant to Article 17(2) and Article 19 of the GDPR;
• to withdraw a certification or to order the certification body to withdraw a certification issued pursuant to Articles 42 and 43 of the GDPR, or to order the certification body not to issue certification if the requirements for the certification are not or are no longer met;
• to impose an administrative fine pursuant to Article 83 of the GDPR, in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case; and
• to order the suspension of data flows to a recipient in a third country or to an international organization.

Its authorization and advisory powers are outlined in Article 58(3) of the GDPR:

• to advise the controller in accordance with the prior consultation procedure referred to in Article 36 of the GDPR;
• to issue, on its own initiative or on request, opinions to the Federal Parliament, the Federal Government or, in accordance with Belgian law, to other institutions and bodies as well as to the public on any issue related to the protection of personal data;
• to authorize processing referred to in Article 36(5) of the GDPR, if Belgian law requires such prior authorization;
• to issue an opinion and approve draft codes of conduct pursuant to Article 40(5) of the GDPR;
• to accredit certification bodies pursuant to Article 43 of the GDPR;
• to issue certifications and approve criteria of certification in accordance with Article 42(5) of the GDPR;
• to adopt standard data protection clauses referred to in Article 28(8) and Article 46(2)(d) of the GDPR;
• to authorize contractual clauses referred to in point (a) of Article 46(3) of the GDPR;
• to authorize administrative arrangements referred to in Article 46(3)(b) of the GDPR; and
• to approve BCRs pursuant to Article 47 of the GDPR.

4. Key Definitions

Data controller: No variation. GDPR applies.

Data processor: No variation. GDPR applies.

Personal data: No variation. GDPR applies.

Sensitive data: No variation. GDPR applies.

Health data: No variation. GDPR applies.

Biometric data: No variation. GDPR applies.

Pseudonymisation: No variation. GDPR applies.

Public authority: The Act adds the concept of 'public authority' and defines it as follows:

• the Federal State, the federated states, and local authorities;
• legal persons governed by public law which depend on the Federal State, the States, or local authorities;
• the persons, whatever their form and nature, which are:
  • established for the specific purpose of meeting needs of general interest that are not of an industrial or commercial nature;
  • have legal personality; and
  • of which either the activities are principally undertaken by the public authorities or institutions referred to in the provisions under one or two, or the management is subject to supervision by those authorities or institutions, or the members of the administrative body, more than half of the members of the administrative, management or supervisory body are appointed by these authorities or institutions are appointed by these authorities or institutions; and
• associations consisting of one or more public authorities as referred to in the provisions under one, two, or three.

5. Legal Bases

5.1. Consent

Apart from what is mentioned in the section on children's data below, there is no national variation in relation to consent as a legal basis.

5.2. Contract with the data subject

There is no national variation in relation to the contract with the data subject as a legal basis.

5.3. Legal obligations

There is no national variation in relation to legal obligations as a legal basis.

5.4. Interests of the data subject

There is no national variation in relation to the interests of the data subject.

5.5. Public interest

The Act lists specific processing operations that are considered to be for reasons of substantial public interest, in accordance with Article 9(2)(g) of the GDPR, as detailed further in the section on special categories of personal data below.

5.6. Legitimate interests of the data controller

There is no national variation in relation to the legitimate interests of the data controller as a legal basis.

5.7. Legal bases in other instances

Scientific or historical research purposes

Article 89 of the GDPR is implemented in Title 4 of the Act (Article 186 and its subsections of the Act).

Data controllers who wish to rely on the exceptions foreseen by Articles 89(2) and 89(3) must comply with the provisions of Title 4 of the Act which require, among other things, that the data controller:

• includes the following information in its record of processing:
  • a justification for the non-use of pseudonymized data;
  • the reasons why the exercise of data subject rights is likely to seriously impair or render impossible the pursued purposes; and
  • the DPIA; and
• in addition to what is required under Article 13 of the GDPR, informs the data subject as to whether the personal data are anonymized or not, and the reasons why the exercise of the data subject's rights is likely to seriously impair or render impossible the achieved purposes.

Further processing

Where a data controller processes personal data for scientific or historical research purposes that were not obtained directly from the data subjects, the controller must enter into an agreement with the original controller, unless an exception applies. This agreement must contain the details of both controllers and the reasons why the exercise of the data subject rights is likely to seriously impair or render impossible the pursued purposes. The agreement must be added to the record of processing activities.

Anonymization and pseudonymization

Scientific or historical research must be performed on the basis of anonymized data. If it is not possible to achieve the research purpose with anonymized data, then the controller must use pseudonymized data. If it is not possible to achieve the research purpose with pseudonymized data, then the controller may use non-pseudonymized data.

Personal data obtained directly from the data subject must be pseudonymized/anonymized after collection.

In case of further processing for scientific or historical research purposes, the personal data must be pseudonymized/anonymized before initiating further processing or before disclosure to another controller for further processing.

Pseudonymized data may only be de-pseudonymized if necessary for the research and after advice from the DPO.

In case of further processing by another controller, the other controller may not have access to the pseudonymization keys.

The DPO must give advice on the efficacy of pseudonymization/anonymization.

Disclosure

In principle, the controller may only disclose the data in its pseudonymized form but exceptions are possible (e.g., if the data subject has given their consent).

6. Principles

There are no other national principles than the ones outlined in the GDPR.

7. Controller and Processor Obligations

7.1. Data processing notification

There is no requirement for Belgian data controllers or data processors to notify their processing activities to the Belgian DPA, nor to pay a registration fee.

7.2. Data transfers

There are no data transfer restrictions other than the ones outlined in the GDPR.

7.3. Data processing records

There are no other data processing records obligations other than the ones outlined in the GDPR.

7.4. Data protection impact assessment

A DPIA must be conducted when the processing is likely to create a high risk to the rights and freedoms of the persons concerned.

The Belgian DPA has issued the DPIA Guidance, as well as a list of data processing activities for which a DPIA shall be required (available in Dutch here and in French here) ('List').

The List provides that the following types of processing operations require a DPIA:

• biometric data, when collected for the purpose of uniquely identifying data subjects who are in a public space or a private publicly accessible area;
• data collected from third parties which are subsequently taken into account in the context of a decision to refuse or terminate a service contract;
• health data, when collected by automated means with the aid of an active implantable medical device;
• data collected on a large scale from third parties in order to analyze or predict the economic situation, health, personal preferences or interests, reliability or behavior, location or movements of natural persons;
• special categories of data, when systematically exchanged between several controllers;
• large-scale processing of data, when generated by Internet of Things devices which serves to analyze or predict the economic situation, health, personal preferences or interests, reliability or behavior, location or movements of natural persons;
• large-scale and/or systematic processing of telephony or communication data, metadata, or location data which allows the tracing of natural persons when the processing is not strictly necessary for a service requested by the data subject; or
• large-scale processing of data whereby the behavior of natural persons is systematically observed, collected, established, or influenced by automated processing, including for advertising purposes.

In addition, the Belgian DPA has published the DPIA Prior Consultation Form.

Consultation

The Belgian DPA has not yet issued a list of national activities for which no DPIA is required. However, no prior consultation is required if controllers can adequately reduce the risk to the rights and freedoms of natural persons with the implementation of appropriate technical and organizational measures.

Finally, the DPIA Prior Consultation Form can be submitted to the Belgian DPA in French here, Dutch here, and German here.

7.5. Data protection officer appointment

The Act does not impose general additional obligations in relation to the appointment of a DPO.

It does, however, require that the following organizations appoint a DPO:

• the Centre for Missing and Sexually Exploited Children ('the Children Centre');
• any private body processing personal data on behalf of the Government, or to which the Government transmits personal data, if the processing of these data may present a high risk, as referred to in Article 35 of the GDPR; and
• controllers processing personal data for archiving for public interest, scientific or historical research, or statistical purposes as referred to in Articles 89(2) and 89(3) of the GDPR, if the processing of these data may present a high risk, as referred to in Article 35 of the GDPR.

The communication of the contact details of the DPO, as required by Article 37(7) of the GDPR, can be done via an e-Form (instructions on how to access the e-forms available in Dutch here and French here).

In regard to the DPO requirement under the GDPR, Article 5 of the Act defines 'public authority' as:

• the Federal State, the federated entities, and the local authorities;
• the legal persons under public law subordinate to the Federal State, the federated entities, or the local authorities;
• the persons, whatever their form or nature:
  • established for the specific purpose of meeting needs of general interest, without any industrial or commercial character;
  • having legal personality; and
  • either whose activities are mainly financed by the public authorities or bodies referred to in bullet points one and two, either whose management is subject to the supervision of those authorities or bodies, or having an administrative, management, or supervisory body of which more than half of the members are appointed by these authorities or bodies; and
• associations composed of one or more public authorities as referred to in the above provisions.

In its guidance on mandatory appointment of DPOs (available in Dutch here and in French here), the Belgian DPA highlighted that additional situations under the Act where a DPO must be designated, in addition to the requirements set out in Article 37(1) of the GDPR, are set out in Articles 21 and 190 of the Act.

On the point of notification, organizations that appoint a DPO are under an obligation to notify their contact details to the Belgian DPA through an electronic form, which must be submitted via the Belgian DPA's e-forms web portal. The Belgian DPA provides guidance (available in Dutch here and in French here) on how to fill out the notification form and states that it must be completed in one of the three official languages (Dutch, French, or German). The technical annexes to the application form may also be submitted in English, in addition to the three national languages. The Belgian DPA noted that applications submitted in other languages are considered inadmissible.

Finally, the DPO is not treated as a regulated profession. Therefore, the Belgian DPA is not authorized to proactively verify the choice of a DPO by a controller or processor (the Appointment FAQs).

Absence of a DPO

In line with the Appointment FAQs, an organization should prepare a procedure for the event of the absence of a DPO. The Belgian DPA noted that in the event of the absence of a DPO, a data controller or a data processor must guarantee the continuity of compliance with the GDPR obligations that relate to the DPO. In line with the GDPR principle of accountability, such continuity must be demonstrated to the Belgian DPA.

Furthermore, in line with the FAQs on who to appoint as DPO (only available in Dutch here and in French here) ('the Appointment FAQs'), the Belgian DPA outlined rules to be determined by the data controller/processor concerned and noted that the procedure should be frequently evaluated and updated. In particular, the data controller/processor concerned should take the following into account:

• the absence of a DPO does not exempt the controller/processor from compliance with their obligations. If the DPO is absent, their position must be filled by a person with sufficient qualifications and status as required by the GDPR, or who most closely resembles it, in order to ensure the continuity of a DPO's function;
• the specific rules for managing the absence of the DPO depend on factors such as the duration of the absence, the types of tasks carried out by the DPO and the applicable or foreseen deadlines, the risk level of the processing carried out by the controller/processor concerned, the existence of another DPO within the organizational structure and all other contextual relevant factors, etc. Depending on the situation, the controller/processor may choose to temporarily use the services of an external DPO, especially in case of long-term absence; and
• during the absence of the DPO, the rules regarding confidentiality and protection of personal data at the workplace continue to apply.

The Appointment FAQs further specify that if the absence of the DPO is managed without designating a new DPO and it is still possible to contact the person who is fulfilling the relevant tasks in DPO's absence with the contact address communicated to the Belgian DPA, no new DPO is required to be notified with the Belgian DPA. However, if this is not the case or if the controller/processor decides to replace the existing DPO with a new DPO, this replacement must be notified to the Belgian DPA.

7.6. Data breach notification

The notification of a data breach to the Belgian DPA should be done via an e-form (available in Dutch here, French here, and German here). The form must be completed in Dutch, French, or German. Technical annexes to the application form may be in English in addition to the three national languages referred to above. If this language requirement is not met, the application will be considered inadmissible.

Sectoral

Companies that are subject to the Act of June 13, 2005, on Electronic Communications (available in Dutch here and French here) should promptly notify the Belgian Institute for Postal Services and Telecommunications ('BIPT') of any breach of security or loss of integrity that has a significant impact on the operation of networks or services. The BIPT may inform the public (or require the company in question to do so) if it considers that it would be in the public interest to disclose the breach. If such a breach is a personal data breach as well, notification obligations to the Belgian DPA will apply.

The Act of April 7, 2019, on Security of Network and Information Systems (available in Dutch here and French here), which transposes the Directive on Security Network and Information System (Directive (EU) 2016/1148) ('NIS Directive') requires providers of so-called 'essential services' to notify any incident that has significant repercussions on the provision of their services. Incidents shall be reported simultaneously to the National Computer Security Incident Response Team ('CSIRT'), the sectoral authority or its sectoral CSIRT, and the Centre for Cyber Security Belgium ('CCB') as a single point of contact. If such an incident is a personal data breach as well, notification obligations to the Belgian DPA will apply.

Please note that on January 16, 2023, Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union, came into force, repealing the NIS Directive.

7.7. Data retention

There are no specific additional data retention requirements imposed by the Act.

7.8. Children's data

Regarding the offering of information society services directly to a child, the processing of the personal data of a child shall be lawful where the consent is given by a child of at least 13 years old. Where a child is younger than 13 years of age, such processing shall be lawful only if and to the extent that consent is given by the legal guardian of the child in question.

In addition, the Belgian DPA has created a webpage (accessible in Dutch here and French here) that focuses on children's privacy, which covers topics such as the privacy of children at school and provides useful information and guidance for children, parents, and teachers.

7.9. Special categories of personal data

Processing of special categories of personal data

As foreseen in Article 9(2)(f) of the GDPR, the Act clarifies that the following processing activities should be considered as being necessary for reasons of substantial public interest in Belgium:

• Processing by associations with a legal personality or foundations, whose main statutory objective is to defend and promote human rights and fundamental freedoms, and processed in order to achieve that objective, provided that the processing has been authorized by the King by a decree adopted after consultation in the Federal Council of Ministers, after advice from the competent supervisory authority. The King may lay down more detailed rules for such processing.
• Processing managed by the Children's Centre for the receipt, transmission to the judicial authorities, and follow-up of data concerning persons suspected of having committed a crime or malpractice in a particular case of missing or sexually exploited children. The foundation is not allowed to hold a record of persons suspected of having committed a crime or misdemeanor or convicted persons and shall appoint a DPO.
• Processing of personal data relating to sexual life, carried out by an association having a legal personality or by a foundation, whose main statutory purpose is the evaluation, supervision, and treatment of persons whose sexual behavior may be qualified as a criminal offense if that association or foundation is recognized and subsidized by the competent authority for the achievement of that purpose. Such processing, which should be aimed at evaluating, supervising, and treating the persons referred to in this paragraph and that exclusively relates to personal data which, when they relate to sexual life, only concern the latter persons, must be subject to a special, individual authorization granted by the King by means of a decree deliberated in the Federal Council of Ministers, after the competent supervisory authority has given its opinion. Such a decree should specify the duration of the authorization, the modalities of the data processing, the modalities for the verification of the association or foundation by the competent authority, and the way in which the competent authority reports to the competent supervisory authority on the processing of personal data within the framework of the authorization granted.

Unless there are specific legal provisions to the contrary, the processing of genetic and biometric data by these associations and foundations for the purpose of uniquely identifying a physical person is prohibited.

The data controller and, where applicable, the data processor shall draw up a list of the categories of persons having access to the personal data, describing their status in relation to the processing of the envisaged data. This list shall be kept available for the competent supervisory authority. Any designated person must also be bound by a legal or statutory obligation, or by an equivalent contractual provision, to respect the confidentiality of the data in question.

As foreseen in Article 9(4) of the GDPR, the Act introduces further conditions with regard to the processing of genetic data, biometric data, or data concerning health, determining that the following additional measures should be taken:

• the data controller or, where applicable, the data processor, shall designate the categories of persons having access to the personal data, specifying their status in relation to the processing of the data concerned;
• the data controller or, where applicable, the data processor shall keep a list of the categories of designated persons at the disposal of the competent supervisory authority; and
• the data controller shall ensure that the designated persons are bound by a legal or statutory obligation, or by an equivalent contractual provision, to respect the confidentiality of the information in question.

Processing of personal data relating to criminal convictions and offenses

As foreseen in Article 10 of the GDPR, the Act authorizes the processing of personal data relating to criminal convictions and offenses or related security measures when the processing is carried out:

• by any natural or legal person, whether governed by private or public law, to the extent necessary for the management of their own disputes;
• by lawyers or other legal counsel to the extent necessary to defend the interests of their clients;
• by other persons, if the processing is necessary for reasons of substantial public interest for the performance of tasks of general interest laid down by or pursuant to a law, a decree, an ordinance or EU law;
• to the extent that the processing is necessary for scientific, historical, or statistical research, or for archiving purposes;
• where the data subject has given their explicit written consent to the processing of those personal data for one or more specified purposes and the processing is limited to those purposes; or
• if the processing relates to personal data which are manifestly disclosed by the data subject on their own initiative for one or more specified purposes and the processing is limited to those purposes.

The data controller and, where applicable, the data processor shall draw up a list of the categories of persons having access to the personal data, describing their status in relation to the processing of the envisaged data. This list shall be kept available for the competent supervisory authority. The controller shall also ensure that any designated persons are bound by a legal or statutory obligation, or by an equivalent contractual provision, to respect the confidentiality of the data in question.

7.10. Controller and processor contracts

There are no other national requirements than the ones foreseen in Article 28 of the GDPR.

8. Data Subject Rights

Belgium has relied on Article 23 of the GDPR to provide exceptions to the data subject rights for reasons including national and public security, which are described in detail in Title 1, Chapter III of the Act.

Furthermore, Title 3 of the Act provides for exceptions to the data subject rights where personal data is processed by:

• the Intelligence and Security Services, the Armed Forces, the Coordination Unit for Threat Analysis and the Passenger Information Unit; and
• in the context of the Act of December 11, 1998, concerning Classification and Security Authorizations, Attestations, and Advice (available in Dutch here and French here).

Additionally, Title 1, Chapter V of the Act specifically addresses processing carried out for journalistic purposes and the purpose of academic artistic or literary expression, with exemptions or derogations from Chapter II (Articles 7 to 10 and 11(2) of the Act do not apply), Chapter III (Articles 13 to 16, 18 to 20, and 21(1) of the Act do not apply), Chapter IV (Articles 30(4), 31, 33, and 36 of the Act do not apply when their application would compromise a planned publication or would constitute a control measure prior to the publication of an article), Chapter V (Articles 44 to 50 of the Act do not apply to the extent that it is necessary to reconcile the right to the protection of personal data with freedom of expression and information) and Chapter VI (Article 58 of the Act does not apply when its application would provide guidance on the sources of information or constitute a control measure prior to the publication of an article).

Finally, variations in data subject rights are possible when personal data is processed for scientific or historical research purposes.

8.1. Right to be informed

The transparency principle and Articles 12 to 22 and Article 34 of the GDPR generally do not apply to the processing of personal data coming directly or indirectly from the authorities mentioned in Title 3 of the Act. However, appropriate technical and organizational measures should be taken and personnel who work for these authorities and are involved in the processing of personal data are bound by a duty of discretion.

In certain cases, data subjects have the right to ask the Belgian DPA to verify whether the authorities mentioned in Title 3 of the Act comply with the rules applicable to their processing activities.

8.2. Right to access

The national variations on data subject rights are outlined in the introductory paragraph of this section on data subject rights above.

8.3. Right to rectification

The national variations on data subject rights are outlined in the introductory paragraph of this section on data subject rights above.

8.4. Right to erasure

Where the processing is carried out by the authorities mentioned in Title 3 of the Act, data subjects may in certain cases request erasure from the relevant supervisory authority.

8.5. Right to object/opt-out

The national variations on data subject rights are outlined in the introductory paragraph of this section on data subject rights above.

8.6. Right to data portability

See the section on the right to be informed above.

8.7. Right not to be subject to automated decision-making

In general, the authorities mentioned in Title 3 of the Act cannot take decisions which have legal effect, based solely on automated processing unless this is allowed by law or for reasons of substantial public interest.

8.8. Other rights

The right to restriction of processing

See the section on the right to be informed above.

9. Penalties

As mentioned in the section on case law above, Article 221(2) of the Act provides that Article 83 of the GDPR, on administrative sanctions, does not apply to the Government, as defined in Article 5 of the Act, and its authorized officials, except when it concerns legal persons of public law that offer goods or services on the market.

In addition to the administrative sanctions, the Act provides for the following criminal sanctions:

• criminal fines up to €120,000 for:
  • various unlawful processing activities including processing personal data without a legal basis, non-compliance with the data processing principles of Article 5 of the GDPR, not respecting the right to object, transferring personal data without appropriate safeguards;
  • impeding the statutory verification and audit duties of the Belgian DPA;
  • defiance towards the members of the Belgian DPA;
  • non-compliance with corrective measures imposed by the Belgian DPA pursuant to Articles 58(2)(d) and (f) of the GDPR; and
  • various infringements of the rules regarding certification.
• criminal fines up to €240,000 for non-respect of the prohibition to inform the data subject of the processing of their personal data by the authorities mentioned in Title 3 of the Act where such information is not allowed; and
• full or partial publication of the judgment in one or more journals at the expense of the convicted person.

9.1 Enforcement decisions

All decisions issued by the Belgian DPA's Litigation Chamber from 2020 may be accessed on the Belgian DPA's website. The page is available in Dutch here and French here.