Continue reading on DataGuidance with:
Free Member
Limited ArticlesCreate an account to continue accessing select articles, resources, and guidance notes.
Already have an account? Log in
Belgium - Data Protection Overview
September 2024
1. Governing Texts
The Act of July 30, 2018 on the Protection of Natural Persons with Regard to the Processing of Personal Data (the Act) applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in Belgium, regardless of whether the processing takes place in Belgium or not. However, where a controller is established in an EU Member State and uses a processor established in Belgium, the law of the Member State in question shall apply to the processor insofar as the processing takes place on the territory of that Member State.
It should also be noted that the Act grants the data subject and the Data Protection Authority (Belgian DPA) the right to obtain a cease and desist order against a company infringing the data protection laws. The order can be issued under forfeiture of a penalty. In addition, class action-type proceedings may be available.
Finally, Title 3 of the Act specifically addresses the processing of personal data by other authorities such as intelligence and security services and the armed forces, processing in the context of classification, and security clearances, security certificates, and security advice, processing by the coordination body for threat analysis and the processing of passenger data.
1.1. Key acts, regulations, directives, bills
The Act incorporates elements of the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) that allow for Member State specifications or restrictions. The Act and the GDPR are the principal data protection laws in Belgium.
While not covered in this Guidance Note, it should be mentioned that the Act also transposes the Data Protection Directive with Respect to Law Enforcement (Directive (EU) 2016/680) which regulates the processing of personal data by law enforcement, and establishes the Police Information Supervisory Body.
The Act repeals the Act of December 8, 1992 on the Protection of Privacy in Relation to the Processing of Personal Data, the Royal Decree of February 13, 2001, implementing the Act of December 8, 1992 on the Protection of Privacy in Relation to the Processing of Personal Data (updated text available in Dutch here and French here), the Royal Decree of December 17, 2003, regarding Certain Sectoral Committees within the Privacy Commission (available in Dutch here and French here), and Article 15(3) of the Act of December 25, 2016, regarding the Processing of Passenger Data (available in Dutch here and French here).
1.2. Guidelines
The Belgian DPA publishes news, and guidance for professionals and citizens including guidelines that address frequently asked questions on specific contexts or themes, formal advice, and recommendations, and decisions of its Litigation Chamber.
Some of the relevant guidelines include:
- Template Complaint Form to the U.S. Office of the Director of National Intelligence's Civil Liberties Protection Officer (CLPO) (available in Dutch here and French here);
- EU-US Data Privacy Framework Template Complaint Form for Submitting Commercial Related Complaints to EU DPAs (available in Dutch here and French here);
- Internal Regulations of the Belgian DPA (available in Dutch here and French here);
- Settlement Policy of the Litigation Chamber of the Belgian DPA (available in Dutch here and French here);
- Cookie checklist (available in Dutch here and French here);
- Recommendation on the Processing of Biometric Data (available in Dutch here and French here);
- Charter of the Inspection Service of the Belgian DPA (updated version available in Dutch here and French here);
- Complaint Dismissal Policy of the Litigation Chamber of the Belgian DPA (available in Dutch here and French here);
- Recommendation on the Processing of Personal Data for Direct Marketing (available in Dutch here and French here);
- Recommendation on data sanitization and data medium destruction techniques;
- Guidance on the Use of CCTV (available in Dutch here and French here);
- Guidance on HR-related Processing of Personal Data (available in Dutch here and French here);
- Guidance on Cookies and Other Tracking Mechanisms (available in Dutch here and French here);
- Toolbox for Controllers and Processors (available in Dutch here and French here);
- Prior consultation form for DPIAs (available to download in Dutch here and French here) (DPIA Prior Consultation Form); and
- Guidance on DPIA (available in Dutch here and French here) (DPIA Guidance);
- Portal for Guidance on DPOs (available in Dutch here and in French here); and
- Guidance on International Data Transfers (available in Dutch here and French here).
In January 2020, the Belgian DPA presented its strategic plan 2020-2025, a summary of which is available in Dutch here and French here, in which it expressed its ambition to lead citizens, businesses, associations, and governments to a digital world where privacy is a reality for everyone.
The Belgian DPA has the following six strategic objectives:
- improved data protection through awareness raising:
- enhanced data protection through enforcement;
- improved data protection by identifying and addressing evolutions in the field of privacy and data protection;
- improved data protection through collaboration with other agencies;
- enhanced data protection with the Belgian DPA as leader and reference center; and
- enhanced data protection with the Belgian DPA as an efficient supervisor.
Furthermore, the Belgian DPA has set priorities in three categories:
- sectors;
- GDPR instruments; and
- social topics.
Sectors
The first category refers to five priorities specific to a particular sector:
- telecommunications and media;
- government;
- direct marketing;
- education; and
- SMEs.
GDPR instruments
The second category of strategic priorities contains three GDPR instruments that the Belgian DPA considers important building blocks for better protection of the privacy of the citizens:
- role of the data protection officer (DPO);
- the legitimacy of the processing of personal data; and
- data subjects' rights (access, rectification, transfer, etc.).
Social topics
The third category includes topics that are high on the social agenda:
- pictures and CCTV;
- online data protection; and
- sensitive data.
1.3. Case law
In a landmark judgment issued on January 14, 2021, the Belgian Constitutional Court (Court) confirmed that the exception in the Act that prevents administrative fines to be imposed on public authorities is based on an objective criterion and not without reasonable justification and that it can, thus, be maintained.
On January 12, 2023, the Court ruled that it is unconstitutional that third parties cannot appeal a decision of the Litigation Chamber of the Belgian DPA (the Litigation Chamber). This verdict prompted a legislative initiative aimed at modifying Article 108 of the Act.
2. Scope of Application
2.1. Personal scope
The Act applies to both private and public controllers and processors.
Article 221 §2 of the Act explicitly excludes public authorities and their appointees or agents from the application of Article 83 of the GDPR, unless it concerns a legal person governed by public law offering goods or services on a market. As a result of this carve-out, they cannot be subject to administrative fines.
2.2. Territorial scope
The Act applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Belgian territory, regardless of whether the processing takes place in the Belgian territory or not.
However, whenever a controller located in an EU Member State engages a processor with an establishment in the Belgian territory, the law of the Member State in question applies insofar as the processing is carried out in the territory of the Member State.
Furthermore, the Act applies to the processing of personal data of data subjects who are in the Belgian territory by a controller or processor not established in the EU, where the processing activities are related to:
- the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Belgian territory; or
- the monitoring of their behavior as far as their behavior takes place within the Belgian territory.
Lastly, the Act applies to the processing of personal data by a controller not established in the Belgian territory, but in a place where Belgian law applies by virtue of public international law.
2.3. Material scope
The act applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
3. Data Protection Authority | Regulatory Authority
3.1. Main regulator for data protection
The Belgian DPA was established by the Act of December 3, 2017, establishing the Data Protection Authority (as amended) (available in Dutch here and French here) (the DPA Law).
The most recent amendment modified certain procedures related to the First Line Service, the Litigation Chamber and the Executive Committee, changed the name of the 'Knowledge Center' to 'Authorization and Advice Service,' and implemented a system that allows the Belgian DPA to draw on a pool of external experts.
3.2. Main powers, duties and responsibilities
The Belgian DPA is responsible for monitoring compliance with the basic principles of the protection of personal data in Belgium.
Its tasks are outlined in Article 57 of the GDPR:
- to monitor and enforce the application of the GDPR;
- to promote public awareness and understanding of the risks, rules, safeguards, and rights in relation to processing. Activities addressed specifically to children shall receive specific attention;
- to advise, in accordance with Belgian law, the Federal Parliament, the Belgian Federal Government ('Government'), and other institutions and bodies on legislative and administrative measures relating to the protection of natural persons' rights and freedoms with regard to processing;
- to promote the awareness of controllers and processors of their obligations under the GDPR;
- upon request, to provide information to any data subject concerning the exercise of their rights under the GDPR and, if appropriate, to cooperate with the supervisory authorities in the other Member States to that end;
- to handle complaints lodged by a data subject, body, organization, or association in accordance with Article 80 of the GDPR, and to investigate, to the extent appropriate, the subject matter of the complaint and to inform the complainant of the progress and the outcome of the investigation within a reasonable period, in particular, if further investigation or coordination with another supervisory authority is necessary;
- to cooperate with, including sharing information and providing mutual assistance to, other supervisory authorities with a view to ensuring the consistency of application and enforcement of the GDPR;
- to conduct investigations on the application of the GDPR, including on the basis of information received from another supervisory authority or other public authority;
- to monitor relevant developments, insofar as they have an impact on the protection of personal data, in particular, the development of information and communication technologies and commercial practices;
- to adopt standard contractual clauses referred to in Article 28(8) and Article 46(2)(d) of the GDPR;
- to establish and maintain a list in relation to the requirement for Data Protection Impact Assessments ('DPIAs') pursuant to Article 35(4) of the GDPR;
- to give advice on the processing operations referred to in Article 36(2) of the GDPR;
- to encourage the drawing up of codes of conduct pursuant to Article 40(1) of the GDPR and to provide an opinion and approve such codes of conduct which provide sufficient safeguards, pursuant to Article 40(5) of the GDPR;
- to encourage the establishment of data protection certification mechanisms and of data protection seals and marks pursuant to Article 42(1) of the GDPR, and to approve the criteria of certification pursuant to Article 42(5) of the GDPR;
- where applicable, to carry out a periodic review of certifications issued in accordance with Article 42(7) of the GDPR;
- to draft and publish the criteria for the accreditation of a body for monitoring codes of conduct pursuant to Article 41 of the GDPR and of a certification body pursuant to Article 43 of the GDPR;
- to conduct the accreditation of a body for monitoring codes of conduct pursuant to Article 41 of the GDPR and of a certification body pursuant to Article 43 of the GDPR;
- to authorize contractual clauses and provisions referred to in Article 46(3) of the GDPR;
- to approve Binding Corporate Rules ('BCRs') pursuant to Article 47 of the GDPR;
- to contribute to the activities of the European Data Protection Board ('EDPB');
- to keep internal records of infringements of the GDPR and of measures taken in accordance with Article 58(2) of the GDPR; and
- to fullfil any other tasks related to the protection of personal data.
Its investigative powers are outlined in Article 58(1) of the GDPR:
- to order the controller and the processor, and, where applicable, the controller's or the processor's representative to provide any information it requires for the performance of its tasks;
- to carry out investigations in the form of data protection audits;
- to carry out a review of certifications issued pursuant to Article 42(7) of the GDPR;
- to notify the controller or the processor of an alleged infringement of the GDPR;
- to obtain, from the controller and the processor, access to all personal data and to all information necessary for the performance of its tasks; and
- to obtain access to any premises of the controller and the processor, including to any data processing equipment and means, in accordance with EU or Member State procedural law.
Its corrective powers are outlined in Article 58(2) of the GDPR:
- to issue warnings to a controller or processor that intended processing operations that are likely to infringe provisions of the GDPR;
- to issue reprimands to a controller or a processor where processing operations have infringed provisions of the GDPR;
- to order the controller or the processor to comply with the data subject's requests to exercise his or her rights pursuant to the GDPR;
- to order the controller or processor to bring processing operations into compliance with the provisions of the GDPR, where appropriate, in a specified manner and within a specified period;
- to order the controller to communicate a personal data breach to the data subject;
- to impose a temporary or definitive limitation including a ban on processing;
- to order the rectification or erasure of personal data or restriction of processing pursuant to Articles 16, 17, and 18 of the GDPR and the notification of such actions to recipients to whom the personal data have been disclosed pursuant to Article 17(2) and Article 19 of the GDPR;
- to withdraw a certification or to order the certification body to withdraw a certification issued pursuant to Articles 42 and 43 of the GDPR, or to order the certification body not to issue certification if the requirements for the certification are not or are no longer met;
- to impose an administrative fine pursuant to Article 83 of the GDPR, in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case; and
- to order the suspension of data flows to a recipient in a third country or to an international organization.
Its authorization and advisory powers are outlined in Article 58(3) of the GDPR:
- to advise the controller in accordance with the prior consultation procedure referred to in Article 36 of the GDPR;
- to issue, on its own initiative or on request, opinions to the Federal Parliament, the Federal Government or, in accordance with Belgian law, to other institutions and bodies as well as to the public on any issue related to the protection of personal data;
- to authorize processing referred to in Article 36(5) of the GDPR, if Belgian law requires such prior authorization;
- to issue an opinion and approve draft codes of conduct pursuant to Article 40(5) of the GDPR;
- to accredit certification bodies pursuant to Article 43 of the GDPR;
- to issue certifications and approve criteria of certification in accordance with Article 42(5) of the GDPR;
- to adopt standard data protection clauses referred to in Article 28(8) and Article 46(2)(d) of the GDPR;
- to authorize contractual clauses referred to in point (a) of Article 46(3) of the GDPR;
- to authorize administrative arrangements referred to in Article 46(3)(b) of the GDPR; and
- to approve BCRs pursuant to Article 47 of the GDPR.
4. Key Definitions
Data controller: No variation. GDPR applies.
Data processor: No variation. GDPR applies.
Personal data: No variation. GDPR applies.
Sensitive data: No variation. GDPR applies.
Health data: No variation. GDPR applies.
Biometric data: No variation. GDPR applies.
Pseudonymization: No variation. GDPR applies.
Public authority: The Act adds the concept of 'public authority' and defines it as follows:
- the Federal State, the federated states, and local authorities;
- legal persons governed by public law which depend on the Federal State, the States, or local authorities;
- the persons, whatever their form and nature, which are:
- established for the specific purpose of meeting needs of general interest that are not of an industrial or commercial nature;
- have legal personality; and
- of which either the activities are principally undertaken by the public authorities or institutions referred to in the provisions under one or two, or the management is subject to supervision by those authorities or institutions, or the members of the administrative body, more than half of the members of the administrative, management or supervisory body are appointed by these authorities or institutions are appointed by these authorities or institutions; and
- associations consisting of one or more public authorities as referred to in the provisions under one, two, or three.
5. Legal Bases
5.1. Consent
Apart from what is mentioned in the section on children's data below, there is no national variation in relation to consent as a legal basis.
5.2. Contract with the data subject
There is no national variation in relation to the contract with the data subject as a legal basis.
5.3. Legal obligations
There is no national variation in relation to legal obligations as a legal basis.
5.4. Interests of the data subject
There is no national variation in relation to the interests of the data subject.
5.5. Public interest
The Act lists specific processing operations that are considered to be for reasons of substantial public interest, in accordance with Article 9(2)(g) of the GDPR, as detailed further in the section on special categories of personal data below.
5.6. Legitimate interests of the data controller
There is no national variation in relation to the legitimate interests of the controller as a legal basis.
5.7. Legal bases in other instances
Scientific or historical research purposes
Article 89 of the GDPR is implemented in Title 4 of the Act (Article 186 and its subsections of the Act).
Controllers who wish to rely on the exceptions foreseen by Articles 89(2) and 89(3) must comply with the provisions of Title 4 of the Act which require, among other things, that the controller:
- includes the following information in its record of processing:
- a justification for the non-use of pseudonymized data;
- the reasons why the exercise of data subject rights is likely to seriously impair or render impossible the pursued purposes; and
- the DPIA; and
- in addition to what is required under Article 13 of the GDPR, informs the data subject as to whether the personal data are anonymized or not, and the reasons why the exercise of the data subject's rights is likely to seriously impair or render impossible the achieved purposes.
Further processing
Where a controller processes personal data for scientific or historical research purposes that were not obtained directly from the data subjects, the controller must enter into an agreement with the original controller, unless an exception applies. This agreement must contain the details of both controllers and the reasons why the exercise of the data subject rights is likely to seriously impair or render impossible the pursued purposes. The agreement must be added to the record of processing activities.
Anonymization and pseudonymization
Scientific or historical research must be performed on the basis of anonymized data. If it is not possible to achieve the research purpose with anonymized data, then the controller must use pseudonymized data. If it is not possible to achieve the research purpose with pseudonymized data, then the controller may use non-pseudonymized data.
Personal data obtained directly from the data subject must be pseudonymized/anonymized after collection.
In case of further processing for scientific or historical research purposes, the personal data must be pseudonymized/anonymized before initiating further processing or before disclosure to another controller for further processing.
Pseudonymized data may only be de-pseudonymized if necessary for the research and after advice from the DPO.
In case of further processing by another controller, the other controller may not have access to the pseudonymization keys.
The DPO must give advice on the efficacy of pseudonymization/anonymization.
Disclosure
In principle, the controller may only disclose the data in its pseudonymized form but exceptions are possible (e.g., if the data subject has given their consent).
6. Principles
There are no other national principles than the ones outlined in the GDPR.
7. Controller and Processor Obligations
7.1. Data processing notification
There is no requirement for Belgian controllers or processors to notify their processing activities to the Belgian DPA, nor to pay a registration fee.
7.2. Data transfers
There are no data transfer restrictions other than the ones outlined in the GDPR.
7.3. Data processing records
There are no other data processing records obligations other than the ones outlined in the GDPR.
7.4. Data protection impact assessment
A DPIA must be conducted when the processing is likely to create a high risk to the rights and freedoms of the persons concerned.
The Belgian DPA has issued the DPIA Guidance, as well as a list of data processing activities for which a DPIA shall be required (available in Dutch here and in French here) (the List).
The List provides that the following types of processing operations require a DPIA:
- biometric data, when collected for the purpose of uniquely identifying data subjects who are in a public space or a private publicly accessible area;
- data collected from third parties which are subsequently taken into account in the context of a decision to refuse or terminate a service contract;
- health data, when collected by automated means with the aid of an active implantable medical device;
- data collected on a large scale from third parties in order to analyze or predict the economic situation, health, personal preferences or interests, reliability or behavior, location or movements of natural persons;
- special categories of data, when systematically exchanged between several controllers;
- large-scale processing of data, when generated by Internet of Things devices which serves to analyze or predict the economic situation, health, personal preferences or interests, reliability or behavior, location or movements of natural persons;
- large-scale and/or systematic processing of telephony or communication data, metadata, or location data which allows the tracing of natural persons when the processing is not strictly necessary for a service requested by the data subject; or
- large-scale processing of data whereby the behavior of natural persons is systematically observed, collected, established, or influenced by automated processing, including for advertising purposes.
In addition, the Belgian DPA has published the DPIA Prior Consultation Form.
Consultation
The Belgian DPA has not yet issued a list of national activities for which no DPIA is required. However, no prior consultation is required if controllers can adequately reduce the risk to the rights and freedoms of natural persons with the implementation of appropriate technical and organizational measures.
Finally, the DPIA Prior Consultation Form can be submitted to the Belgian DPA in French here, Dutch here, and German here.
7.5. Data protection officer appointment
The Act does not impose general additional obligations in relation to the appointment of a DPO.
It does, however, require that the following organizations appoint a DPO:
- the Center for Missing and Sexually Exploited Children (the Children Center);
- any private body processing personal data on behalf of the Government, or to which the Government transmits personal data, if the processing of these data may present a high risk, as referred to in Article 35 of the GDPR; and
- controllers processing personal data for archiving for public interest, scientific or historical research, or statistical purposes as referred to in Articles 89(2) and 89(3) of the GDPR, if the processing of these data may present a high risk, as referred to in Article 35 of the GDPR.
The communication of the contact details of the DPO, as required by Article 37(7) of the GDPR, can be done via an e-Form (instructions on how to access the e-forms available in Dutch here and French here).
The Belgian DPA has issued useful guidance on the mandatory appointment of DPOs (available in Dutch here and in French here) and on other aspects of such appointment (available in Dutch here and in French here).
7.6. Data breach notification
The notification of a data breach to the Belgian DPA should be done via an e-form (available in Dutch here, French here, and German here). The form must be completed in Dutch, French, or German. Technical annexes to the application form may be in English in addition to the three national languages referred to above. If this language requirement is not met, the application will be considered inadmissible.
Additionally, there are sectoral requirements, due to the Act of June 13, 2005, on Electronic Communications (available in Dutch here and French here) and the Directive on Security Network and Information System (Directive (EU) 2016/1148) (NIS Directive).
7.7. Data retention
There are no specific additional data retention requirements imposed by the Act.
7.8. Children's data
Regarding the offering of information society services directly to a child, the processing of the personal data of a child shall be lawful where the consent is given by a child of at least 13 years old. Where a child is younger than 13 years of age, such processing shall be lawful only if and to the extent that consent is given by the legal guardian of the child in question.
In addition, the Belgian DPA has created a webpage (accessible in Dutch here and French here) that focuses on children's privacy, which covers topics such as the privacy of children at school and provides useful information and guidance for children, parents, and teachers.
7.9. Special categories of personal data
Processing of special categories of personal data
As foreseen in Article 9(2)(f) of the GDPR, the Act clarifies that the following processing activities should be considered as being necessary for reasons of substantial public interest in Belgium:
- Processing by associations with a legal personality or foundations, whose main statutory objective is to defend and promote human rights and fundamental freedoms, and processed in order to achieve that objective, provided that the processing has been authorized by the King by a decree adopted after consultation in the Federal Council of Ministers, after advice from the competent supervisory authority. The King may lay down more detailed rules for such processing.
- Processing managed by the Children's Centre for the receipt, transmission to the judicial authorities, and follow-up of data concerning persons suspected of having committed a crime or malpractice in a particular case of missing or sexually exploited children. The foundation is not allowed to hold a record of persons suspected of having committed a crime or misdemeanor or convicted persons and shall appoint a DPO.
- Processing of personal data relating to sexual life, carried out by an association having a legal personality or by a foundation, whose main statutory purpose is the evaluation, supervision, and treatment of persons whose sexual behavior may be qualified as a criminal offense if that association or foundation is recognized and subsidized by the competent authority for the achievement of that purpose. Such processing, which should be aimed at evaluating, supervising, and treating the persons referred to in this paragraph and that exclusively relates to personal data which, when they relate to sexual life, only concern the latter persons, must be subject to a special, individual authorization granted by the King by means of a decree deliberated in the Federal Council of Ministers, after the competent supervisory authority has given its opinion. Such a decree should specify the duration of the authorization, the modalities of the data processing, the modalities for the verification of the association or foundation by the competent authority, and the way in which the competent authority reports to the competent supervisory authority on the processing of personal data within the framework of the authorization granted.
Unless there are specific legal provisions to the contrary, the processing of genetic and biometric data by these associations and foundations for the purpose of uniquely identifying a physical person is prohibited.
The controller and, where applicable, the processor shall draw up a list of the categories of persons having access to the personal data, describing their status in relation to the processing of the envisaged data. This list shall be kept available for the competent supervisory authority. Any designated person must also be bound by a legal or statutory obligation, or by an equivalent contractual provision, to respect the confidentiality of the data in question.
As foreseen in Article 9(4) of the GDPR, the Act introduces further conditions with regard to the processing of genetic data, biometric data, or data concerning health, determining that the following additional measures should be taken:
- the controller or, where applicable, the processor, shall designate the categories of persons having access to the personal data, specifying their status in relation to the processing of the data concerned;
- the controller or, where applicable, the processor shall keep a list of the categories of designated persons at the disposal of the competent supervisory authority; and
- the controller shall ensure that the designated persons are bound by a legal or statutory obligation, or by an equivalent contractual provision, to respect the confidentiality of the information in question.
Processing of personal data relating to criminal convictions and offenses
As foreseen in Article 10 of the GDPR, the Act authorizes the processing of personal data relating to criminal convictions and offenses or related security measures when the processing is carried out:
- by any natural or legal person, whether governed by private or public law, to the extent necessary for the management of their own disputes;
- by lawyers or other legal counsel to the extent necessary to defend the interests of their clients;
- by other persons, if the processing is necessary for reasons of substantial public interest for the performance of tasks of general interest laid down by or pursuant to a law, a decree, an ordinance or EU law;
- to the extent that the processing is necessary for scientific, historical, or statistical research, or for archiving purposes;
- where the data subject has given their explicit written consent to the processing of those personal data for one or more specified purposes and the processing is limited to those purposes; or
- if the processing relates to personal data which are manifestly disclosed by the data subject on their own initiative for one or more specified purposes and the processing is limited to those purposes.
The controller and, where applicable, the processor shall draw up a list of the categories of persons having access to the personal data, describing their status in relation to the processing of the envisaged data. This list shall be kept available for the competent supervisory authority. The controller shall also ensure that any designated persons are bound by a legal or statutory obligation, or by an equivalent contractual provision, to respect the confidentiality of the data in question.
7.10. Controller and processor contracts
There are no other national requirements than the ones foreseen in Article 28 of the GDPR.
8. Data Subject Rights
Belgium has relied on Article 23 of the GDPR to provide exceptions to the data subject rights for reasons including national and public security, which are described in detail in Title 1, Chapter III of the Act.
Furthermore, Title 3 of the Act provides for exceptions to the data subject rights where personal data is processed by:
- the Intelligence and Security Services, the Armed Forces, the Coordination Unit for Threat Analysis and the Passenger Information Unit; and
- in the context of the Act of December 11, 1998, concerning Classification and Security Authorizations, Attestations, and Advice (available in Dutch here and French here).
Additionally, Title 1, Chapter V of the Act specifically addresses processing carried out for journalistic purposes and the purpose of academic artistic or literary expression, with exemptions or derogations from Chapter II (Articles 7 to 10 and 11(2) of the Act do not apply), Chapter III (Articles 13 to 16, 18 to 20, and 21(1) of the Act do not apply), Chapter IV (Articles 30(4), 31, 33, and 36 of the Act do not apply when their application would compromise a planned publication or would constitute a control measure prior to the publication of an article), Chapter V (Articles 44 to 50 of the Act do not apply to the extent that it is necessary to reconcile the right to the protection of personal data with freedom of expression and information) and Chapter VI (Article 58 of the Act does not apply when its application would provide guidance on the sources of information or constitute a control measure prior to the publication of an article).
Finally, variations in data subject rights are possible when personal data is processed for scientific or historical research purposes.
8.1. Right to be informed
The transparency principle and Articles 12 to 22 and Article 34 of the GDPR generally do not apply to the processing of personal data coming directly or indirectly from the authorities mentioned in Title 3 of the Act. However, appropriate technical and organizational measures should be taken and personnel who work for these authorities and are involved in the processing of personal data are bound by a duty of discretion.
In certain cases, data subjects have the right to ask the Belgian DPA to verify whether the authorities mentioned in Title 3 of the Act comply with the rules applicable to their processing activities.
8.2. Right to access
The national variations on data subject rights are outlined in the introductory paragraph of this section on data subject rights above.
8.3. Right to rectification
The national variations on data subject rights are outlined in the introductory paragraph of this section on data subject rights above.
8.4. Right to erasure
Where the processing is carried out by the authorities mentioned in Title 3 of the Act, data subjects may in certain cases request erasure from the relevant supervisory authority.
8.5. Right to object/opt-out
The national variations on data subject rights are outlined in the introductory paragraph of this section on data subject rights above.
8.6. Right to data portability
See the section on the right to be informed above.
8.7. Right not to be subject to automated decision-making
In general, the authorities mentioned in Title 3 of the Act cannot take decisions which have legal effect, based solely on automated processing unless this is allowed by law or for reasons of substantial public interest.
8.8. Other rights
The right to restriction of processing
See the section on the right to be informed above.
9. Penalties
As mentioned in the section on case law above, Article 221(2) of the Act provides that Article 83 of the GDPR, on administrative sanctions, does not apply to the Government, as defined in Article 5 of the Act, and its authorized officials, except when it concerns legal persons of public law that offer goods or services on the market.
In addition to the administrative sanctions, the Act provides for the following criminal sanctions:
- criminal fines up to €120,000 for:
- various unlawful processing activities including processing personal data without a legal basis, non-compliance with the data processing principles of Article 5 of the GDPR, not respecting the right to object, transferring personal data without appropriate safeguards;
- impeding the statutory verification and audit duties of the Belgian DPA;
- defiance towards the members of the Belgian DPA;
- non-compliance with corrective measures imposed by the Belgian DPA pursuant to Articles 58(2)(d) and (f) of the GDPR; and
- various infringements of the rules regarding certification.
- criminal fines up to €240,000 for non-respect of the prohibition to inform the data subject of the processing of their personal data by the authorities mentioned in Title 3 of the Act where such information is not allowed; and
- full or partial publication of the judgment in one or more journals at the expense of the convicted person.
9.1 Enforcement decisions
All decisions issued by the Belgian DPA's Litigation Chamber from 2020 may be accessed on the Belgian DPA's website. The page is available in Dutch here and French here.