Belgium - National GDPR Implementation Overview

September 2020

1. THE LAW

1.1. National implementing legislation of the GDPR

The Act of 30 July 2018 on the Protection of Natural Persons with Regard to the Processing of Personal Data ('the GDPR Implementing Law') incorporates elements of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') that allow for Member State specifications or restrictions. The GDPR Implementing Law and the GDPR are the principal data protection laws in Belgium.

While not covered in this Guidance Note, it should be mentioned that the GDPR Implementing Law also transposes the Data Protection Directive with Respect to Law Enforcement (Directive (EU) 2016/680) which regulates the processing of personal data by law enforcement, and establishes the Police Information Supervisory Body.

The GDPR Implementing Law repeals the Act of 8 December 1992 on the Protection of Privacy in Relation to the Processing of Personal Data, the Royal Decree of 13 February 2001 implementing the Act of 8 December 1992 on the Protection of Privacy in Relation to the Processing of Personal Data, the Royal Decree of 17 December 2003 regarding Certain Sectoral Committees within the Privacy Commission (only available in Dutch and French here), and Article 15(3) of the Act of 25 December 2016 regarding the Processing of Passenger Data (available in Dutch and French here).

1.2. Guidelines

The Data Protection Authority ('Belgian DPA') publishes news, guidance for professionals and citizens including guidelines that address frequently asked questions on specific contexts or themes, formal advice and recommendations, and decisions of its Litigation Chamber.

Some of the relevant guidelines include:

  • Recommendation on the Processing of Personal Data for Direct Marketing (only available in Dutch here and French here);
  • Guidance on the Processing of Personal Data in the context of Combatting COVID-19 (only available in Dutch here and French here);
  • Guidance on the Use of CCTV (only available in Dutch here and French here);
  • Guidance on HR-related Processing of Personal Data (only available in Dutch here and French here);
  • Guidance on Cookies and Other Tracking Mechanisms (only available in Dutch here and French here).

In January 2020, the Belgian DPA presented its strategic plan 2020-2025 (only available in Dutch here), in which it expresses its ambition to lead citizens, businesses, associations and governments to a digital world where privacy is a reality for everyone.

The Belgian DPA has the following six strategic objectives:

  • improved data protection through awareness raising;
  • enhanced data protection through enforcement;
  • improved data protection by identifying and addressing evolutions in the field of privacy and data protection;
  • improved data protection through collaboration with other agencies;
  • enhanced data protection with the Belgian DPA as leader and reference center; and
  • enhanced data protection with the Belgian DPA as an efficient supervisor.

Furthermore, the Belgian DPA has set priorities in three categories:

  1. sectors;
  2. GDPR instruments; and
  3. social topics.

(i) Sectors

The first category refers to five priorities specific to a particular sector:

  • telecommunications and media;
  • government;
  • direct marketing;
  • education; and
  • SMEs.

(ii) GDPR instruments

The second category of strategic priorities contains three GDPR instruments that the Belgian DPA considers important building blocks for a better protection of the privacy of the citizens:

  • role of the DPO;
  • legitimacy of the processing of personal data; and
  • citizens' rights (access, rectification, transfer etc.).

(iii) Social topics

The third category includes topics that are high on the social agenda:

  • pictures and CCTV;
  • online data protection; and
  • sensitive data.

1.3. Case Law

The following decisions of the Belgian DPA's Litigation Chamber can be consulted online:

  • Decision 03/2020: complaint against two former employers (only available in Dutch here and French here);
  • Decision 15/2020: complaint related to the processing by a municipality of personal data of tenants by means of the tax return (only available in Dutch here and French here);
  • Decision 16/2020: complaint related to the use of CCTV in a shop (only available in Dutch here and French here);
  • Decision 17/2020: complaint by two customers against their bank following their request for the communication of all the personal data it had about them (only available in French here);
  • Decision 18/2020: inspection report on liability for personal data breaches and the position of the DPO (only available in Dutch here and French here);
  • Decision 19/2020: complaint against a city regarding the lawfulness of the consultation of a citizen's photo in the National Registry by a municipal employee (only available in Dutch here and French here);
  • Decision 22/2020 on the obligation to enter into a data processing agreement in a timely manner (only available in Dutch here and French here);
  • Decision 24/2020 on the lack of transparency in an insurance company's privacy statement (only available in Dutch here and French here);
  • Decision 25/2020 on the legal basis for the processing of personal data by a social media platform (only available in Dutch here and French here);
  • Decision 28/2020: complaint regarding marketing by a non-profit organisation (only available in Dutch here and French here);
  • Decision 29/2020 on the use of a professional email address for claiming food expenses in the context of a family dispute (only available in French here);
  • Decision 30/2020 regarding a municipal file (only available in French here);
  • Decision 31/2020: complaint related to the use of Smartschool for carrying out a “well-being” survey without parental consent (only available in Dutch here);
  • Decision 32/2020 on the right to object to direct marketing and the lack of cooperation with the supervisory authority (only available in French here);
  • Decision 33/2020: complaint for unlawful and inaccurate processing of personal data as well as violations in the exercise of the rights of the data subject (only available in Dutch here and French here);
  • Decision 34/2020 on the processing of personal data included in the Crossroads Bank for Vehicles (only available in Dutch here and French here);
  • Decision 35/2020 on the re-use of a Facebook profile picture (only available in Dutch here);
  • Decision 36/2020: complaint on the use of CCTV in an apartment building (only available in Dutch here);
  • Decision 37/2020 on delisting on online search engines (only available in Dutch here and French here);
  • Decision 39/2020: complaint on the processing of citizens’ data during municipal elections (only available in Dutch here);
  • Decision 41/2020 on the right of access (only available in French here); and
  • Decision 42/2020: complaint regarding the publication of personal data in telephone directories and via telephone directory services, after a request not to publish such information, and the transfer of personal data to other providers of telephone and information services (only available in Dutch here).

2. DATA PROTECTION AUTHORITY | REGULATORY AUTHORITY

2.1. Main regulator for data protection

The Belgian DPA was established by the Act of 3 December 2017 Establishing the Data Protection Authority ('the DPA Law') and replaced its predecessor, the Privacy Commission, on 25 May 2018.

2.2. Main powers, duties and responsibilities

The Belgian DPA is responsible for monitoring compliance with the basic principles of the protection of personal data in Belgium.

Its tasks are outlined in Article 57 of the GDPR:

  • to monitor and enforce the application of the GDPR;
  • to promote public awareness and understanding of the risks, rules, safeguards, and rights in relation to processing. Activities addressed specifically to children shall receive specific attention;
  • to advise, in accordance with Belgian law, the National Parliament, the Government, and other institutions and bodies on legislative and administrative measures relating to the protection of natural persons' rights and freedoms with regard to processing;
  • to promote the awareness of controllers and processors of their obligations under the GDPR;
  • upon request, to provide information to any data subject concerning the exercise of their rights under the GDPR and, if appropriate, to cooperate with the supervisory authorities in the other Member States to that end;
  • to handle complaints lodged by a data subject, body, organisation or association in accordance with Article 80 of the GDPR, and to investigate, to the extent appropriate, the subject matter of the complaint and to inform the complainant of the progress and the outcome of the investigation within a reasonable period, in particular if further investigation or coordination with another supervisory authority is necessary;
  • to cooperate with, including sharing information and provide mutual assistance to, other supervisory authorities with a view to ensuring the consistency of application and enforcement of the GDPR;
  • to conduct investigations on the application of the GDPR, including on the basis of information received from another supervisory authority or other public authority;
  • to monitor relevant developments, insofar as they have an impact on the protection of personal data, in particular, the development of information and communication technologies and commercial practices;
  • to adopt standard contractual clauses referred to in Article 28(8) and Article 46(2)(d) of the GDPR;
  • to establish and maintain a list in relation to the requirement for Data Protection Impact Assessments ('DPIAs') pursuant to Article 35(4) of the GDPR;
  • to give advice on the processing operations referred to in Article 36(2) of the GDPR;
  • to encourage the drawing up of codes of conduct pursuant to Article 40(1) of the GDPR and to provide an opinion and approve such codes of conduct which provide sufficient safeguards, pursuant to Article 40(5) of the GDPR;
  • to encourage the establishment of data protection certification mechanisms and of data protection seals and marks pursuant to Article 42(1) of the GDPR, and to approve the criteria of certification pursuant to Article 42(5) of the GDPR;
  • where applicable, to carry out a periodic review of certifications issued in accordance with Article 42(7) of the GDPR;
  • to draft and publish the criteria for the accreditation of a body for monitoring codes of conduct pursuant to Article 41 of the GDPR and of a certification body pursuant to Article 43 of the GDPR;
  • to conduct the accreditation of a body for monitoring codes of conduct pursuant to Article 41 of the GDPR and of a certification body pursuant to Article 43 of the GDPR;
  • to authorise contractual clauses and provisions referred to in Article 46(3) of the GDPR;
  • to approve Binding Corporate Rules ('BCRs') pursuant to Article 47 of the GDPR;
  • to contribute to the activities of the European Data Protection Board ('EDPB');
  • to keep internal records of infringements of the GDPR and of measures taken in accordance with Article 58(2) of the GDPR; and
  • to fulfil any other tasks related to the protection of personal data.

Its investigative powers are outlined in Article 58(1) of the GDPR:

  • to order the controller and the processor, and, where applicable, the controller's or the processor's representative to provide any information it requires for the performance of its tasks;
  • to carry out investigations in the form of data protection audits;
  • to carry out a review on certifications issued pursuant to Article 42(7) of the GDPR;
  • to notify the controller or the processor of an alleged infringement of the GDPR;
  • to obtain, from the controller and the processor, access to all personal data and to all information necessary for the performance of its tasks; and
  • to obtain access to any premises of the controller and the processor, including to any data processing equipment and means, in accordance with EU or Member State procedural law.

Its corrective powers are outlined in Article 58(2) of the GDPR:

  • to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of the GDPR;
  • to issue reprimands to a controller or a processor where processing operations have infringed provisions of the GDPR;
  • to order the controller or the processor to comply with the data subject's requests to exercise his or her rights pursuant to the GDPR;
  • to order the controller or processor to bring processing operations into compliance with the provisions of the GDPR, where appropriate, in a specified manner and within a specified period;
  • to order the controller to communicate a personal data breach to the data subject;
  • to impose a temporary or definitive limitation including a ban on processing;
  • to order the rectification or erasure of personal data or restriction of processing pursuant to Articles 16, 17 and 18 of the GDPR and the notification of such actions to recipients to whom the personal data have been disclosed pursuant to Article 17(2) and Article 19 of the GDPR;
  • to withdraw a certification or to order the certification body to withdraw a certification issued pursuant to Articles 42 and 43 of the GDPR, or to order the certification body not to issue certification if the requirements for the certification are not or are no longer met;
  • to impose an administrative fine pursuant to Article 83 of the GDPR, in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case; and
  • to order the suspension of data flows to a recipient in a third country or to an international organisation.

Its authorisation and advisory powers are outlined in Article 58(3) of the GDPR:

  • to advise the controller in accordance with the prior consultation procedure referred to in Article 36 of the GDPR;
  • to issue, on its own initiative or on request, opinions to the Federal Parliament, the Federal Government or, in accordance with Belgian law, to other institutions and bodies as well as to the public on any issue related to the protection of personal data;
  • to authorise processing referred to in Article 36(5) of the GDPR, if Belgian law requires such prior authorisation;
  • to issue an opinion and approve draft codes of conduct pursuant to Article 40(5) of the GDPR;
  • to accredit certification bodies pursuant to Article 43 of the GDPR;
  • to issue certifications and approve criteria of certification in accordance with Article 42(5) of the GDPR;
  • to adopt standard data protection clauses referred to in Article 28(8) and Article 46(2)(d) of the GDPR;
  • to authorise contractual clauses referred to in point (a) of Article 46(3) of the GDPR;
  • to authorise administrative arrangements referred to in Article 46(3)(b) of the GDPR; and
  • to approve BCRs pursuant to Article 47 of the GDPR.

3. NOTIFICATION | REGISTRATION

3.1. National requirements

There is no requirement for Belgian controllers or processors to notify their processing activities to the Belgian DPA, nor to pay a registration fee.

4. DATA SUBJECT RIGHTS

Belgium has relied on Article 23 of the GDPR to provide exceptions to the data subject rights for reasons including national and public security, which are described in detail in Title 1, Chapter III of the GDPR Implementing Law.

Furthermore, Title 3 of the GDPR Implementing Law provides for exceptions to the data subject rights where personal data is processed by:

  • the Intelligence and Security Services, the Armed Forces, the Coordination Unit for Threat Analysis and the Passenger Information Unit; and
  • in the context of the Act of 11 December 1998 concerning Classification and Security Authorisations, Attestations and Advice (only available in Dutch and French here).

Additionally, Title 1, Chapter V of the GDPR Implementing Law specifically addresses processing carried out for journalistic purposes and the purpose of academic, artistic or literary expression, with exemptions or derogations from Chapter II (Articles 7 to 10 and 11(2) do not apply), Chapter III (Articles 13 to 16, 18 to 20 and 21(1) do not apply), Chapter IV (Articles 30(4), 31, 33 and 36 do not apply when their application would compromise a planned publication or would constitute a control measure prior to the publication of an article), Chapter V (Articles 44 to 50 do not apply to the extent that it is necessary to reconcile the right to the protection of personal data with freedom of expression and information) and Chapter VI (Article 58 does not apply when its application would provide guidance on the sources of information or constitute a control measure prior to the publication of an article).

Finally, variations in data subject rights are possible when personal data is processed for scientific or historical research purposes (see section 10 below).

4.1. Variations of GDPR on right of information to be provided

The transparency principle and Articles 12 to 22 and Article 34 of the GDPR generally do not apply to the processing of personal data coming directly or indirectly from the authorities mentioned in Title 3 of the GDPR Implementing Law. However, appropriate technical and organisational measures should be taken and personnel who work for these authorities and are involved in the processing of personal data are bound by a duty of discretion.

In certain cases, data subjects have the right to ask the Belgian DPA to verify whether the authorities mentioned in Title 3 of the GDPR Implementing Law comply with the rules applicable to their processing activities.

4.2. Variations of GDPR on right to erasure

Where the processing is carried out by the authorities mentioned in Title 3 of the GDPR Implementing Law, data subjects may in certain cases request erasure from the relevant supervisory authority.

4.3. Variations of GDPR on right to restriction of processing

See section 4.1.

4.4. Variations of GDPR on right to data portability

See section 4.1.

4.5. Variations of GDPR on automated individual decision-making, including profiling

In general, the authorities mentioned in Title 3 of the GDPR Implementing Law cannot take decisions which have legal effect, based solely on automated processing unless this is allowed by law or for reasons of substantial public interest.

5. CHILDREN

5.1. National regulation of the processing of children's data and age of consent

Regarding the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the consent is given by children of at least 13 years old. Where a child is younger than 13 years of age, such processing shall be lawful only if and to the extent that consent is given by the legal representative of the child in question.

In addition, the Belgian DPA has created a web page that focuses on children's privacy, which covers topics such as the privacy of children at school and provides useful information and guidance for children, parents, and teachers.

6. PROCESSING OF SPECIAL CATEGORIES OF DATA & CRIMINAL CONVICTIONS

6.1. National regulation concerning the processing of special categories of data and criminal conviction data

Processing of special categories of personal data

As foreseen in Article 9(2)(f) of the GDPR, the GDPR Implementing Law clarifies that the following processing activities should be considered as being necessary for reasons of substantial public interest in Belgium:

  • Processing by associations with a legal personality or foundations, whose main statutory objective is to defend and promote human rights and fundamental freedoms, and processed in order to achieve that objective, provided that the processing has been authorised by the King by a decree adopted after consultation in the Federal Council of Ministers, after advice from the competent supervisory authority. The King may lay down more detailed rules for such processing;
  • Processing managed by the Center for Missing and Sexually Exploited Children for the receipt, transmission to the judicial authorities and follow-up of data concerning persons suspected of having committed a crime or malpractice in a particular case of missing or sexually exploited children. The foundation is not allowed to hold a record of persons suspected of having committed a crime or misdemeanour or convicted persons, and shall appoint a data protection officer ('DPO').
  • Processing of personal data relating to sexual life, carried out by an association having a legal personality or by a foundation, whose main statutory purpose is the evaluation, supervision and treatment of persons whose sexual behaviour may be qualified as a criminal offence, if that association or foundation is recognised and subsidised by the competent authority for the achievement of that purpose. Such processing, that should be aimed at evaluating, supervising and treating the persons referred to in this paragraph and that exclusively relates to personal data which, when they relate to sexual life, only concern the latter persons, must be subject to a special, individual authorisation granted by the King by means of a decree deliberated in the Federal Council of Ministers, after the competent supervisory authority has given its opinion. Such a decree should specify the duration of the authorisation, the modalities of the data processing, the modalities for the verification of the association or foundation by the competent authority and the way in which the competent authority reports to the competent supervisory authority on the processing of personal data within the framework of the authorisation granted.

Unless there are specific legal provisions to the contrary, the processing of genetic and biometric data by these associations and foundations for the purpose of uniquely identifying a physical person is prohibited.

The controller and, where applicable, the processor shall draw up a list of the categories of persons having access to the personal data, describing their status in relation to the processing of the envisaged data. This list shall be kept available for the competent supervisory authority. Any designated person must also be bound by a legal or statutory obligation, or by an equivalent contractual provision, to respect the confidentiality of the data in question.

As foreseen in Article 9(4) of the GDPR, the GDPR Implementing Law introduces further conditions with regard to the processing of genetic data, biometric data or data concerning health, determining that the following additional measures should be taken:

  • the controller or, where applicable, the processor, shall designate the categories of persons having access to the personal data, specifying their status in relation to the processing of the data concerned;
  • the controller or, where applicable, the processor shall keep a list of the categories of designated persons at the disposal of the competent supervisory authority; and
  • the controller shall ensure that the designated persons are bound by a legal or statutory obligation, or by an equivalent contractual provision, to respect the confidentiality of the information in question.

Processing of personal data relating to criminal convictions and offences

As foreseen in Article 10 of the GDPR, the GDPR Implementing Law authorises the processing of personal data relating to criminal convictions and offences or related security measures when the processing is carried out:

  • by any natural or legal person, whether governed by private or public law, to the extent necessary for the management of their own disputes;
  • by lawyers or other legal counsel to the extent necessary to defend the interests of their clients;
  • by other persons, if the processing is necessary for reasons of substantial public interest for the performance of tasks of general interest laid down by or pursuant to a law, a decree, an ordinance or EU law;
  • to the extent that the processing is necessary for scientific, historical or statistical research or for archiving purposes;
  • where the data subject has given his or her explicit written consent to the processing of those personal data for one or more specified purposes and the processing is limited to those purposes; or
  • if the processing relates to personal data which are manifestly disclosed by the data subject on his or her own initiative for one or more specified purposes and the processing is limited to those purposes.

The controller and, where applicable, the processor shall draw up a list of the categories of persons having access to the personal data, describing their status in relation to the processing of the envisaged data. This list shall be kept available for the competent supervisory authority. The controller shall also ensure that any designated persons are bound by a legal or statutory obligation, or by an equivalent contractual provision, to respect the confidentiality of the data in question.

7. DATA PROTECTION OFFICER

7.1. Additional/varied requirements on DPO appointment, role and tasks

The GDPR Implementing Law does not impose general additional obligations in relation to the appointment of a DPO.

It does, however, require that the following organisations appoint a DPO:

  • the Center for Missing and Sexually Exploited Children, referred to in section 6.1. above;
  • any private body processing personal data on behalf of a Federal Government, or to which a Federal Government transmits personal data, if the processing of these data may present a high risk, as referred to in Article 35 of the GDPR; and
  • controllers processing personal data for archiving for public interest, scientific or historical research or statistical purposes as referred to in Article 89(2) and (3) of the GDPR, if the processing of these data may present a high risk, as referred to in Article 35 of the GDPR.

The communication of the contact details of the DPO, as required by Article 37(7) of the GDPR, can be done via an e-Form (only available in Dutch here and in French here) (instructions on how to access the e-forms available in French here).

8. DATA BREACH NOTIFICATION

8.1. Variation/exemptions on breach notification obligation

There are no variations or exemptions regarding the breach notification obligation foreseen by the GDPR.

The notification of a data breach to the Belgian DPA should be done via an e-form (only available in Dutch here and in French here) (instructions on how to access the e-forms available in French here). The form must be completed in Dutch, French or German. Technical annexes to the application form may be in English in addition to the three national languages referred to above. If this language requirement is not met, the application will be considered inadmissible.

8.2. Sectoral obligations

Companies that are subject to the Act of 13 June 2005 on Electronic Communications (only available in Dutch here) should promptly notify the Belgian Institute for Postal Services and Telecommunications ('BIPT') of any breach of security or loss of integrity that has a significant impact on the operation of networks or services. The BIPT may inform the public (or require the company in question to do so) if it considers that it would be in the public interest to disclose the breach. If such breach is a personal data breach as well, notification obligations to the Belgian DPA will apply.

The Act of 7 April 2019 on Security of Network and Information Systems (only available in both Dutch and French here), which transposes the Directive on Security of Network and Information Systems (Directive (EU) 2016/1148), requires providers of so-called 'essential services' to notify any incident that has significant repercussions on the provision of their services. Incidents shall be reported simultaneously to the National Computer Security Incident Response Team ('CSIRT'), the sectoral authority or its sectoral CSIRT, and the Centre for Cyber Security Belgium ('CCB') as a single point of contact. If such an incident is a personal data breach as well, notification obligations to the Belgian DPA will apply.

9. DATA PROTECTION IMPACT ASSESSMENTS

9.1. National activities subject to prior consultation/authorisation

An impact assessment must be conducted when the processing is likely to create a high risk to the rights and freedoms of the persons concerned.

The Belgian DPA has issued guidance on Data Protection Impact Assessments ('DPIA') (available in Dutch here and French here), as well as a draft List of the Types of Processing Operations for which a DPIA shall be Required (Article 35(4) of the GDPR) ('the Draft List'). In response, the EDPB issued its opinion on the Belgian DPA's Draft List. There is no final list available yet on the Belgian DPA's website.

In addition, the Belgian DPA has published a form by means of which a prior consultation in line with Article 36 of the GDPR should be carried out (only available in Dutch here and in French here).

9.2. National activities not subject to prior consultation/authorisation 

The Belgian DPA has not yet issued a list with national activities for which no DPIA is required.

10. PROCESSING FOR SCIENTIFIC OR HISTORICAL RESEARCH PURPOSES

10.1. National implementation of Article 89 of the GDPR

Article 89 of the GDPR is implemented in Title 4 of the GDPR Implementing Law (Article 186 and its subsections).

Controllers who wish to rely on the exceptions foreseen by Article 89(2) and (3) must comply with the provisions of Title 4 of the GDPR Implementing Law which requires, among other things, that the controller:

  • include the following information in its record of processing:
    • a justification for the non-use of pseudonymised data;
    • the reasons why the exercise of data subject rights is likely to seriously impair or render impossible the pursued purposes; and
    • the DPIA.
  • in addition to what is required under Article 13 of the GDPR, inform the data subject as to whether the personal data are anonymised or not, and the reasons why the exercise of the data subject rights is likely to seriously impair or render impossible the achieved purposes.

Further processing

Where a controller processes personal data for scientific or historical research purposes which were not obtained directly from the data subjects, the controller must enter into an agreement with the original controller, unless an exception applies. This agreement must contain the details of both controllers and the reasons why the exercise of the data subject rights is likely to seriously impair or render impossible the pursued purposes. The agreement must be added to the record of processing.

Anonymisation and pseudonymisation

Scientific or historical research must be performed on the basis of anonymised data. If it is not possible to achieve the research purpose with anonymised data, then the controller must use pseudonymised data. If it is not possible to achieve the research purpose with pseudonymised data, then the controller may use non-pseudonymised data.

Personal data obtained directly from the data subject must be pseudonymised/anonymised after collection.

In case of further processing for scientific or historical research purposes, the personal data must be pseudonymised/anonymised before initiating further processing or before disclosure to another controller for further processing.

Pseudonymised data may only be de-pseudonymised if necessary for the research and after advice from the DPO.

In case of further processing by another controller, the other controller may not have access to the pseudonymisation keys.

The DPO must give advice on the efficacy of the pseudonymisation/anonymisation.

Disclosure

In principle, the controller may only disclose the data in its pseudonymised form but exceptions are possible (e.g. if the data subject has given their consent).

11. SANCTIONS

In addition to the administrative sanctions provided by the GDPR, the GDPR Implementing Law provides for the following criminal sanctions:

  • criminal fines up to €120,000 for:
    • various unlawful processing activities including processing personal data without a legal basis, non-compliance with the data processing principles of Article 5 of the GDPR, not respecting the right to object, transferring personal data without appropriate safeguards;
    • impeding the statutory verification and audit duties of the Belgian DPA;
    • defiance towards the members of the Belgian DPA;
    • non-compliance with corrective measures imposed by the Belgian DPA pursuant to Articles 58(2)(d) and (f) of the GDPR; and
    • various infringements of the rules regarding certification.
  • criminal fines up to €240,000 for non-respect of the prohibition to inform the data subject of the processing of their personal data by the authorities mentioned in Title 3 of the GDPR Implementing Law where such information is not allowed; and
  • full or partial publication of the judgment in one or more journals at the expense of the convicted person.

Article 221(2) of the GDPR Implementing Law provides that Article 83 of the GDPR on administrative sanctions does not apply to the Government, as defined in Article 5 of the GDPR Implementing Law, and its authorised officials, except when it concerns legal persons of public law that offer goods or services on the market.

12. OTHER SPECIFIC JURISDICTIONAL ISSUES

The GDPR Implementing Law applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in Belgium, regardless of whether the processing takes place in Belgium or not. However, where a controller is established in an EU Member State and uses a processor established in Belgium, the law of the Member State in question shall apply to the processor insofar as the processing takes place on the territory of that Member State.

It should also be noted that the GDPR Implementing Law grants the data subject and the Belgian DPA the right to obtain a cease and desist order against a company infringing the data protection laws. The order can be issued under forfeiture of a penalty. In addition, class action-type proceedings may be available.

Finally, Title 3 of the GDPR Implementing Law specifically addresses the processing of personal data by other authorities such as intelligence and security services and the armed forces, processing in the context of classification and security clearances, security certificates and security advice, processing by the coordination body for threat analysis and the processing of passenger data.