Belgium: Data Protection in the Financial Sector
1. Governing Texts
The following EU legislation, among others, is applicable:
- the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') is applicable to financial services with regard to their personal data processing activities;
- the Payment Services Directive (Directive (EU) 2015/2366) ('PSD2'); and
- the Directive (EU) 2018/843 of 30 May 2018 Amending Directive (EU) 2015/849 on the Prevention of the Use of the Financial System for the Purposes of Money Laundering or Terrorist Financing, and Amending Directives 2009/138/EC and 2013/36/EU ('the Fifth Anti-Money Laundering Directive').
The European Data Protection Board ('EDPB') has issued the following relevant guidance:
- Opinion 4/2019 on the draft Administrative Arrangement for the Transfer of Personal Data between the European Economic Area ('EEA') Financial Supervisory Authorities and non-EEA Financial Supervisory Authorities;
- Letter regarding the PSD2 Directive;
- Guidelines 06/2020 on the Interplay of the Second Payment Services Directive and the GDPR;
- EDPB letter to the European Commission on the protection of personal data in the AML-CFT legislative proposals.
The Article 29 Working Party ('WP29') has issued the following relevant guidance:
- Opinion 14/2011 on Data Protection Issues related to the Prevention of Money Laundering and Terrorist Financing;
- Opinion 1/2006 on the Application of EU Data Protection Rules to Internal Whistleblowing Schemes in the Fields of Accounting, Internal Accounting Controls, Auditing Matters, Fight against Bribery, Banking and Financial Crime ('WP29 Opinion on Whistleblowing');
- Letter of the Chair of the Article 29 Working Party to FATCA; and
- Guidelines on Transparency under Regulation 2016/679 ('the Guidelines On Transparency').
The European Banking Authority ('EBA') has issued, among others, the following relevant guidance:
- Recommendations on Outsourcing to Cloud Service Providers (20 December 2017);
- Guidelines on Major Incident Reporting under Directive (EU) 2015/2366 (PSD2) (27 July 2017);
- Guidelines on Reporting Requirements for Fraud Data under Article 96(6) PSD2 (22 January 2020);
- Final Report on EBA Guidelines on Outsourcing Arrangements (25 February 2019) ('the EBA Guidelines on Outsourcing'); and
- Guidelines on ICT and Security Risk Management (29 November 2019).
In the aftermath of the enactment of the GDPR, two acts implementing the GDPR have been adopted in Belgium. First of all, the Belgian legislator adopted the Act of 3 December 2017 Establishing the Data Protection Authority ('the DPA Act'), which implements the requirements of the GDPR with respect to national supervisory authorities and reforms the Belgian Commission for the Protection of Privacy. As of 25 May 2018, the Belgian Commission for the Protection of Privacy carries the name Data Protection Authority ('Belgian DPA') and has the powers and competences which the GDPR requires national supervisory authorities to possess. A second act, Act of 30 July 2018 on the Protection of Natural Persons with Regard to the Processing of Personal Data ('the Act'), addresses the national substantive aspects of the GDPR and introduces several specifications and derogations, such as determining the age of consent for children in an online context and imposing additional security measures in relation to sensitive data. At the same time, it abolishes and replaces the Act of 8 December 1992 on the Protection of Privacy in Relation to the Processing of Personal Data and the Royal Decree of 13 February 2001 implementing the Act of 8 December 1992 on the Protection of Privacy in Relation to the Processing of Personal Data.
The following national legislation concerns data protection in the financial sector more specifically:
- Code of Economic Law of 28 February 2013 (only available in French and Dutch here) ('the Code of Economic Law');
- Insurance Act of 4 April 2014 (only available in French and Dutch here) ('the Insurance Act');
- Act of 18 September 2017 regarding the Prevention of Money Laundering and Terrorist Financing and regarding the Limitation of the Use of Cash (only available in Dutch and French here) ('the AML/CFT Act');
- Royal Decree of 30 July 2018 regarding the Operating Modes of the Register of Ultimate Beneficial Owners (only available in Dutch and French here) ('the UBO Register Decree'); and
- Act of 11 March 2018 concerning the Status and the Supervision of Payment Institutions and Electronic Money Institutions, Access to the Payment Service Provider's Business and the Electronic Money Issuance Activity and Access to Payment Systems (only available in French and Dutch here) ('the Payment Services Act').
1.2. Supervisory authorities
The GDPR requires every Member State to establish a supervisory authority (Article 54 of the GDPR). In addition, the GDPR provides for a system of cooperation and transparency among all Member States' supervisory authorities in order to ensure consistent application of the GDPR throughout the EU.
The Belgian DPA has the powers and competencies which the GDPR requires national supervisory authorities to possess. Together with the change of name, the powers of the Belgian DPA have also been greatly expanded. The Belgian DPA is responsible for monitoring compliance with the fundamental principles of the protection of personal data within the framework of the GDPR and the laws containing provisions on the protection of the processing of personal data.
The Belgian DPA consists of six bodies, which play a specific role in the evaluation of a data protection matter:
- the Executive Committee, which determines the general policy and the strategic plan;
- the General Secretariat, which provides daily support and approves, amongst others, Binding Corporate Rules ('BCRs');
- the First Line Service, which assesses the admissibility of complaints and requests, and streamlines mediation proceedings;
- the Knowledge Centre, which drafts general recommendations;
- the Inspection Service, which investigates and carries out inspections; and
- the Dispute Chamber, which serves as an administrative court.
In addition to the Belgian DPA, the Financial Services and Markets Authority ('FSMA') and the National Bank of Belgium ('NBB') are important regulators in the financial sector that to a certain extent also deal with certain data protection matters.
2. Personal and Financial Data Management
2.1. Legal basis for processing
Under the GDPR, personal data must be processed in accordance with the principles of fairness, lawfulness and transparency, among others. In addition, processing shall only be lawful if (Article 6 (1) of the GDPR):
- the data subject has given consent to the processing for one or more specific purposes;
- the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- the processing is necessary for the compliance with a legal obligation to which the controller is subject;
- the processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
- the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
Moreover, under Article 9 of the GDPR, the processing of special categories of personal data is prohibited unless one of the conditions in Article 9(2) of the GDPR applies.
In the financial sector, the legal ground for the processing of personal data generally consists of:
- the data subject's consent;
- the preparation or performance of a contract;
- specific legal or regulatory obligations resting upon financial institutions; and
- the legitimate interests of the financial institution.
As regards industry-specific laws and regulations, many acts include legal obligations for financial institutions to process personal data, by way of identification, verification, reporting, or data retention obligations.
Furthermore, Article VII.63/3 of the Code of Economic Law, which implements PSD2, specifies that the processing of personal data by payment systems and payment service providers is permitted when this is necessary and relevant for the prevention, investigation, and detection of payment fraud. However, payment service providers may only access personal data necessary for the execution of their payment services with the explicit consent of the payment service user.
However, the EDPB considers that payment services are always provided on a contractual basis and the legal basis shall therefore be Article 6(1)(b) of the GDPR. The concept of explicit consent under PSD2 is an additional requirement of a contractual nature and therefore different from the explicit consent in the GDPR.
The GDPR establishes the principle of transparency (Article 5 of the GDPR). In addition, when data is being processed, information on the controller, purposes for processing, recipients of the data, retention period, and details of the data subject's rights must be provided to the data subject (Articles 13 and 14 of the GDPR).
In Belgium, there are no specific requirements for financial institutions to provide customers with notice of the institution's internal privacy policies and practices, complementing the general framework of the GDPR.
Under the AML/CFT Act, financial institutions are required to report suspicious transactions to the Financial Information Processing Unit ('CTIF-CFI'). Transactions are considered suspicious if there are reasonable grounds to suspect that the funds are related to money laundering or terrorist financing. In such a case, the right of information provided for in Article 14(5)(b) of the GDPR does not apply, as financial institutions are prohibited from disclosing to customers or to other third parties the fact that information is shared with the CTIF-CFI. As a consequence, financial institutions are not required to mention such transfers of personal data to the CTIF-CFI in their privacy notices and policies.
Taking into account the costs of implementation, nature, scope, context, and purposes of the processing, as well as the level of risk to the rights and freedoms of natural persons, data controllers and processors must implement technical and organisational measures to ensure a level of security appropriate to the risk (Article 32 of the GDPR).
The measures to be taken must therefore be tailored to the financial institution, taking into account the nature of its processing activities. Financial institutions are encouraged to carry out a risk analysis and, where the processing is likely to result in a high risk, a Data Protection Impact Assessment ('DPIA'). Such a risk analysis must be reviewed by the financial institution on a continuous basis.
In some cases, it will be necessary for the financial institution to appoint a data protection officer ('DPO'). Indeed, Article 37 of the GDPR provides for three cases in which it is mandatory to appoint a DPO:
- the data processing is being carried out by a public authority or public body, irrespective of the data they process, except in the case of courts in the performance of their judicial tasks (Article 37 (1)(a) of the GDPR);
- the core tasks of the controller or processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale (Article 37 (1)(b) of the GDPR); and
- the core tasks of the controller or the processor consist of large-scale processing of special categories of data and of personal data relating to criminal convictions and offences (Article 37 (1)(c) of the GDPR).
In many, if not all cases, a financial institution will fulfil one or more of the above conditions and therefore be required to appoint a DPO.
Personal data must not be retained in a form which permits the identification of the data subject for longer than is necessary for the purposes for which the data was processed (Article 5 (1) (e) of the GDPR). Moreover, the period for which the personal data is stored should be limited to a strict minimum, and to these ends, time limits should be established by the controller for erasure or a periodic review (Recital 39 of the GDPR).
According to Article 5 (1)(b) and (c) of the GDPR, personal data may only be collected for specified purposes, may not be further processed in a manner that is incompatible with those purposes, and must be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
As a consequence, personal data collected by financial institutions for the performance of a contract may only be retained as long as required for such purpose or as long as such data must be kept in order to fulfil certain legal obligations.
Such legal obligations are stipulated in financial regulation laws which include specific provisions for processing financial data. According to the AML/CFT Act, financial institutions and insurance companies are generally obliged to retain all transactional data and identifications for ten years from the end of the business relationship with their client or from the date of an occasional transaction. After this retention period, the institutions are obliged to delete this data.
As regards insurance companies, the Insurance Act provides that the registration of each activity carried out must be kept for a period of five years and, if requested by the FSMA, for a period of seven years. However, this does not affect the possibility of keeping personal data for a longer period for the execution of the agreement and the management of any disputes arising therefrom. An insurance broker must therefore have good reason to retain a customer's personal data for more than five years – and, where appropriate, seven years – after the end of the contract.
The AML/CFT Act obliges financial institutions to conduct customer due diligence by means of customer identification and identity verification. Where the identification requirement relates to a natural person, the financial institution must record the customer's surname, first name, date and place of birth and, to the extent possible, the customer's address. Where it concerns a legal person, the identification covers its corporate name, registered office, list of directors, and the provisions on the power to bind the legal person. In order to comply with the obligation to verify the identity of persons, and to obtain sufficient assurance that they know the persons concerned, financial institutions check the identification data collected against one or more supporting documents or reliable and independent sources of information that can confirm these data, such as an ID card.
Furthermore, financial institutions must exercise ongoing vigilance over transactions. This includes a careful examination of occasional transactions and a continuous examination of the transactions carried out during the business relationship and of the origin of the funds, in order to verify that these transactions are consistent with the characteristics of the client, with their risk profile and, where appropriate, with the purpose and nature of the business relationship.
Finally, financial institutions must verify the identity of the beneficiary and perform a compliance check. They are obliged to identify the Ultimate Beneficial Owners ('UBO') and upload the required information in the Belgian UBO Register ('the UBO Register'). In accordance with the obligations imposed by the UBO Register Decree, Belgian entities have the duty to provide information to the UBOs regarding, among others, the obligations to communicate information, the accessibility of the UBO Register, as well as the retention period of ten years.
In accordance with the Payment Services Act, companies offering payment services based on payment instruments that can be used in the framework of a limited network have an obligation to report data to the NBB when the total value of payment transactions made by the company during the previous 12 months exceeds €1 million.
The legal ground for the processing of personal data in the above cases consists of the legal obligations to which financial institutions are subject.
As regards whistleblowing in the financial sector, the WP29 Opinion on Whistleblowing is limited to internal whistleblowing schemes in the fields of accounting, internal accounting controls, auditing matters, fight against bribery, banking, and financial crime. The scope of corporate whistleblower hotlines, however, does not need to be limited to any particular issues. The WP29 Opinion on Whistleblowing recommends that the business responsible for the whistleblowing scheme carefully assesses whether it might be appropriate to limit the number of persons eligible to report alleged misconduct through the scheme, and whether it might be appropriate to limit the number of persons who may be reported through the scheme, in particular in the light of the seriousness of the alleged offences reported.
In Belgium, there is no formal banking secrecy. There is no statutory definition or any specific regulation on banking secrecy.
Nonetheless, banking secrecy is generally recognised as a practice adopted by the financial industry. Financial institutions have the responsibility to keep their client's data confidential for the duration of the contract. It is assumed that the agreement between a bank and its client includes a non-written obligation of confidentiality.
Violation of this duty of confidentiality is considered a contractual breach. Banking secrecy is not regarded as a criminally sanctioned professional secrecy or confidentiality obligation (such as, e.g., for attorneys or physicians).
Nevertheless, specific legislation sets out numerous exceptions to this general rule of banking confidentiality. Financial institutions can be requested by official (tax) authorities and courts to disclose information on their clients. In case of suspicion of tax fraud, tax authorities may request financial institutions to share all information that could be useful to determine the taxable income of a client.
Insurers inevitably have to process data in the course of their business as they have to make a correct risk assessment. In accordance with the Insurance Act, the policyholder is obliged, when concluding the contract, to accurately communicate all circumstances known to him/her, which he/she must reasonably consider to be information that may influence the insurer's assessment of the risk. An exception to this is genetic data, which may not be disclosed to the insurer. The duty of disclosure in the insurance sector is an important element. After all, if the deliberate concealment or incorrect communication of information about the risk misleads the insurer in the assessment of that risk, the insurance contract can be declared null and void.
Insurance companies often also process sensitive personal data, such as health-related data. The only legal basis that is appropriate under Belgian law for the processing of health-related data in this context is the explicit consent of the data subject. However, the legislator has been given the possibility to introduce additional conditions and restrictions in the case of health-related data. A special exception for the insurance sector (insurance and reinsurance), as proposed by certain Member States during the discussion of the GDPR, has not been adopted. However, the difficulty with this consent lies in assessing whether it meets the conditions of Article 4(11) of the GDPR, namely that it constitutes a freely given, specific, informed, and unambiguous expression of an individual's will. In recent case law, the Belgian DPA has acknowledged this problem and notes that the legislator should intervene in order to provide a legal basis specifically for the insurance sector which allows health-related data to be collected and processed within well-defined limits in the context of the (pre-)contractual relationship between insurer and policyholder.
Regarding the Internet of Things ('IoT'), automated decision-making, profiling, and artificial intelligence, on 8 October 2020 the Belgian legislature approved the Act amending the Insurance Act to Establish a Restriction on the Use of Personal Data from Connected Objects in the Field of Health and Life Insurance (only available in French here and Dutch here) ('the Insurance Health Law'). The Belgian legislature intends to prevent insurers from providing discounts to the 'healthy ones', even if the insurers have their policyholders' consent. The Insurance Health Law ensures that a policyholder cannot be refused insurance nor be subjected to higher charges simply because he or she does not purchase or use a connected device that processes his or her health data. Moreover, no difference may be made in terms of underwriting, pricing and/or scope of coverage based on the condition that the applicant agrees to purchase or use a connected device that collects personal information about his or her lifestyle or health, agrees to share information collected by such a connected device, or based on the insurer's use of such information.
On 25 November 2015, PSD2 was adopted. PSD2 aims to ensure continuity in the market, enabling existing and new service providers, regardless of the business model applied by them, to offer their services with a clear and harmonised regulatory framework while respecting fundamental rights, including the right to privacy.
PSD2 was implemented in Belgium by the Payment Services Act, which contains certain provisions on data protection.
Outsourcing will most certainly require compliance with the GDPR as it often involves transfers of personal data. In addition to being subject to the GDPR and other applicable data protection legislation, most suppliers handling data on their customers' behalf are likely to be subject to a contractual non-disclosure obligation towards their customers and potentially also to third parties.
To the extent that a supplier processes personal data on behalf of the financial institution (the controller), the supplier will be regarded as a processor within the meaning given to that term in the GDPR. Controllers and processors must enter into a data processing agreement, where the different responsibilities of the parties are listed.
Within the EU, the principle of free movement of personal data exists, with the consequence that no specific measures need to be taken with regard to cross-border data transfers.
Under the GDPR, transfers are only allowed to countries that provide an adequate level of protection, or under one of the other provisions of Chapter 5 of the GDPR. Data transfers to other jurisdictions outside the EEA can only take place in the following circumstances:
- if the transfer is to a country recognised by the European Commission as providing an adequate level of data protection;
- if the business has implemented one of the required safeguards as specified by the GDPR (such as Standard Contractual Clauses or BCRs); or
- if derogations specified in the GDPR are applicable to the transfer.
On 25 May 2018, the EDPB set out in its Guidelines 2/2018 on Derogations of Article 49 under Regulation 2016/679 that a 'layered approach' should be taken with respect to these transfer mechanisms. If no adequacy decision is applicable, the data exporter should first explore the possibility of implementing one of the safeguards provided for in the GDPR before relying on a derogation.
As regards the financial sector, financial institutions, including credit institutions, must take appropriate measures to limit the risks of outsourcing. Article 66 of the Law of 25 April 2014 on the Legal Status and Supervision of Credit Institutions and Stockbroking Firms specifically regulates the outsourcing of operational tasks that are of critical importance. In addition, Circular NBB_2019_19 (only available in French and Dutch here) ('the Circular') applies to credit institutions, stockbroking firms, payment institutions, e-money institutions, and Belgian branch offices of non-EEA credit institutions and investment firms ('the Institutions'). The Circular integrates the EBA Guidelines on Outsourcing and includes a grandfather clause for existing outsourcing agreements. Prior notification to the competent authority is required, including details on the planned outsourcing of critical or important functions and/or where an outsourced function has become critical or important. The notification must be made in a timely manner, which is clarified as a period of two months prior to the outsourcing. Such notification is also required for existing outsourcing contracts that will be subject to material changes and/or severe events.
In the insurance sector, outsourcing is regulated in several specific laws such as Article 16/2 of the Insurance Act, the Law of 13 March 2016 on the Legal Status and Supervision of Insurance or Reinsurance Companies ('the Solvency II Law'), Article 274 of the Commission Delegated Regulation (EU) 2015/35 of 10 October 2014 on the Taking-up and Pursuit of the Business of Insurance and Reinsurance ('the Solvency II Delegated Regulation'), Circular NBB_2020_18 on Outsourcing to Cloud Service Providers ('the NBB Circular on Outsourcing') and the guidelines of the European Insurance and Occupational Pensions Authority ('EIOPA'). The Solvency II Delegated Regulation sets out that an insurance company intending to outsource must put an outsourcing policy in writing, which shall be approved by the board. The NBB Circular on Outsourcing emphasises that insurance companies must have an IT system that functions properly (which can keep records of business) and appropriate control and security measures in the area of IT. Furthermore, the NBB underlines the importance of cybersecurity and therefore expects insurance companies to adopt the necessary measures to manage cyber risks within their aforementioned IT security system. Planned outsourcing of critical or important functions or activities must also be notified to the NBB in advance.
As a general rule, it is mandatory for a data controller to notify the competent supervisory authority of any suffered personal data breach (Article 33(1) of the GDPR). For further information on general data breach requirements, see EU – GDPR – Data Breach.
The competent supervisory authority to be notified is in principle the Belgian DPA. The Belgian legislator has provided for an exception to the obligation to notify a data breach, implemented in Article 24 of the Act. There is no obligation to notify a data breach to the Belgian DPA when it concerns processing for journalistic purposes or for academic, artistic, or literary forms of expression, if the notification would jeopardise the intended publication or would constitute a control measure prior to publication. Furthermore, the Belgian legislator has chosen to make use of its competence under Article 23 of the GDPR and to introduce an exception to the notification of a data breach to the data subjects. In Belgium, as described in Article 14 of the Act, it is not necessary to notify the data breach to the data subject when the personal data derive directly or indirectly from certain public authorities, such as judicial authorities, police forces, the General Inspectorate of the Federal Police, the CTIF-CFI, the National Directorate of Research for Customs and Excise, and the Passenger Information Unit, vis-à-vis public authorities or other agencies and bodies to whom this data was transmitted in accordance with the law.
As regards the financial sector, financial institutions, with the exception of operators of a trading platform, shall immediately report to the NBB all incidents that have a significant impact on the availability, confidentiality, integrity, or authenticity of the network and information systems on which the essential service or services they provide depend.
More specifically, the Payment Services Act obliges payment institutions to inform the NBB in case of a major operational or security incident. Upon receipt of the incident notification, the NBB informs the EBA and the European Central Bank ('ECB') and provides the relevant incident information. After the evaluation of the relevance of the incident for other Belgian authorities, the NBB informs them accordingly.
Also under the Payment Services Act, payment institutions are required to inform the NBB and the Federal Public Service Economy on a yearly basis or, if the NBB or the Federal Public Service Economy requests it, with shorter intervals, about the statistical information concerning fraud relating to different payment methods. The NBB then shares this information in aggregate form with the EBA and the ECB.
At the EU level there is currently no harmonised framework for Fintech regulation. In March 2018, the European Commission adopted an action plan on FinTech in addition to publishing discussion papers on the same. Moreover, many EU financial regulators have signalled support for the development of a more comprehensive regulatory Fintech framework.
In Belgium, offering financial services often requires a licence, for instance as a payment/credit institution, e-money institution, investment institution, or insurance company. However, a large number of Fintech services remain unregulated or are not authorised under Belgian law, such as peer-to-peer lending sensu stricto (except where there is an intermediary). Cryptocurrencies are not regulated and do not require such licensing. Nonetheless, it is not permitted under Belgian law to professionally sell financial products such as cryptocurrencies to consumers, and the FSMA is very hesitant about the use of such digital currencies and has issued several warnings.
The GDPR provides for administrative fines of up to (Article 83 of the GDPR):
- €10 million, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher, for infringing provisions on the obligations of a controller, processor, certification body or monitoring body; and
- €20 million, or in the case of an undertaking, up to 4% of the total worldwide annual turnover for the preceding financial year, whichever is higher, for infringing provisions on the basic principles for processing, data subjects’ rights, transfer of personal data to a recipient in a third country or international organisation, or non-compliance with an order or a limitation on processing by the supervisory authority.
If a financial institution violates the AML/CFT Act, administrative fines can be imposed. In the case of legal persons, the administrative pecuniary sanction shall not exceed €5 million or 10% of their annual net turnover in the preceding business year, whichever is higher. However, in cases where the infringement has produced profits for the company or allowed it to avoid losses, this maximum amount of the administrative pecuniary fine may be increased to double the amount of those profits or losses. When setting the administrative fine, all relevant circumstances shall be taken into account, and in particular:
- the gravity and duration of the infringements;
- the degree of responsibility;
- the financial capacity of the institution, as shown in particular by the total turnover of the legal person concerned or by the annual income;
- the benefit or profit that the infringements may generate for the institution, insofar as they can be determined;
- the disadvantage that third parties may have suffered as a result of these infringements, insofar as this can be determined;
- the degree of cooperation of the institution with the supervisory authorities;
- any previous infringements committed by the institution;
- the extent to which the institution has taken into account the guidelines of the supervisory authority.
Moreover, financial institutions may even be subject to a criminal sanction if they obstruct the inspections and verifications that the supervisory authorities are obliged to carry out in Belgium or abroad, if they refuse to provide the data which they are obliged to disclose under the AML/CFT Act, or if they deliberately provide incorrect or incomplete information. Lastly, the supervisory authority can also annul or suspend the licence of the financial institution.
11. Additional Areas of Interest
No further information available.