Belgium: Overview of Vendor Privacy Contracts
1. Governing Texts
- The General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). For requirements under the GDPR, please see our EU - Vendor Privacy Contracts Guidance Note.
- The Act of 30 July 2018 on the Protection of Natural Persons with Regard to the Processing of Personal Data ('the Act')
1.2. Regulatory authority guidance
The European Data Protection Board ('EDPB') has released:
- Opinion 14/2019 on the draft Standard Contractual Clauses submitted by the DK SA (Article 28(8) GDPR) (12 July 2019); and
- Guidelines 07/2020 on the Concepts of Controller and Processor in the GDPR (version under public consultation).
The Data Protection Authority ('the Belgian DPA') has issued the following applicable guidance:
- The FAQs on mandatory appointment of data protection officers (available only in Dutch and French) ('the Mandatory Appointment FAQs')
1.3. Regulatory authority templates
The European Commission has released the following decisions on standard contractual clauses ('SCC') for transfers of personal data to jurisdictions outside of the EU/EEA:
- Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council;
- Commission Decision of 27 December 2004 amending Decision 2001/497/EC as regards the introduction of an alternative set of standard contractual clauses for the transfer of personal data to third countries; and
- Commission Decision of 15 June 2001 on standard contractual clauses for the transfer of personal data to third countries, under Directive 95/46/EC (2001/497/EC).
The Article 29 Working Party ('WP29') released the following documents, which have been endorsed by the EDPB:
- Recommendation on the Standard Application form for Approval of Controller Binding Corporate Rules for the Transfer of Personal Data | WP 264 rev.01 (18 April 2018);
- Recommendation on the Standard Application form for Approval of Processor Binding Corporate Rules for the Transfer of Personal Data | WP 265 rev.01 (18 April 2018);
- Working Document setting up a table with the elements and principles to be found in Binding Corporate Rules | WP 256 rev.01 (9 February 2018); and
- Working Document setting up a table with the elements and principles to be found in Processor Binding Corporate Rules | WP 257 rev.01 (9 February 2018).
Data controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law (Article 4(7) of the GDPR).
Data processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (Article 4(8) of the GDPR).
3.1. Are there requirements for a contract to be in place between a controller and processor?
Article 53(3) of the Act provides that processing by a processor shall be governed by a contract or other legal act that is binding on the processor with regard to the controller and that sets out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the rights and obligations of the controller.
3.2. What content should be included?
Article 53(4) of the Act provides that contracts or other legal acts between controllers and processors shall be drawn up in writing, including in electronic form.
Article 53(3) of the Act provides that the contract between a controller and processor should include:
- the subject matter and duration of the processing;
- the nature and purpose of the processing;
- the type of personal data;
- categories of data subjects; and
- the rights and obligations of the controller.
Article 53(3) of the Act also provides that contracts must stipulate that the processor:
- only acts on the instructions of the controller;
- ensures that any persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate legal obligation of confidentiality;
- assists the controller by appropriate means in ensuring compliance with the provisions governing the rights of the data subject;
- deletes or returns all the personal data to the controller once the processing services have come to an end and deletes any existing copies, unless storage of the personal data is required by law, decree, ordinance, European law or international agreement;
- makes available to the controller all information necessary to demonstrate compliance; and
- meets the requirements of Article 53(3) of the Act and does not engage another processor without the prior specific or general written authorisation of the controller.
4.1. Are processors required to assist controllers with handling of data subject requests?
Article 53(3) of the Act provides that processing contracts between a controller and processor must stipulate that the processor assists the controller by appropriate means in ensuring compliance with the provisions governing the rights of the data subject.
Article 51(1) of the Act provides that the technical and organisational measures taken to protect personal data must ensure the effective implementation of data protection principles and the integration of the necessary safeguards to protect the rights of data subjects, both when defining the means for processing and at the time of processing itself.
For further information see Belgium - Data Subject Rights.
For further information on data subject rights under the GDPR see EU-GDPR Data Subjects Rights.
5.1. Are processors required to keep records of their processing activities?
Article 55(1) of the Act provides that controllers and processors must keep a register of the categories of processing activities carried out under their responsibility. The register must contain:
- the name and contact details of the controller or the processor and of its deputy or representative;
- the name and contact details of the data protection officer;
- the purposes of the processing;
- the categories of data subjects;
- the categories of personal data;
- the categories of recipients;
- the transfers of personal data to a third country or an international organisation, including identification of that third country or international organisation and, where applicable, the documentation attesting that suitable safeguards are in place;
- the envisaged time limits for erasure of the various categories of data;
- a general description of the technical and organisational security measures referred to in Article 50 of the Act;
- the use of profiling;
- the legal basis for processing;
- the category of external sources; and
- the protocol for transfer of personal data under Article 20 of the GDPR Implementing Law, and the opinion of the data protection officer ('DPO') referred to in Article 22 of the Act.
Article 56(1) of the Act holds that the log files of processing operations, including collection, alteration, consultation, disclosure, transfer, combination and erasure, shall be kept in automated processing systems. The log files must allow the following to be established:
- the reasons, date and time of the processing activities;
- the categories of persons who consulted personal data and where possible, the identity of the person who consulted the personal data;
- the systems that disclosed these personal data; and
- the categories of recipients who received the personal data, and where possible, the identity of the recipients of the personal data.
For further information see Belgium - Data Processing Notification.
6.1. Are processors required to implement specific security measures? If so, what measures must be implemented?
Article 53(1) of the Act holds that where processing is entrusted to a processor, the controller shall use only a processor who provides sufficient guarantees in terms of the technical and organisational security measures implemented with regard to the processing operations.
Article 60(1) of the Act outlines that the controller and processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in particular with regard to the processing of sensitive personal data and taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity to the rights and freedoms of natural persons.
With respect to automated processing, processors must, based on the assessment of the risk (Article 60(2) of the Act):
- deny unauthorised persons access to processing equipment used for processing;
- prevent the unauthorised reading, copying, modification or removal of data media;
- prevent the unauthorised input of personal data in the filing system and the unauthorised consultation, modification or deletion of stored data;
- prevent the use of automated processing by unauthorised persons using data communication equipment;
- ensure that persons authorised to use an automated processing system have access only to personal data covered by their access authorisation;
- ensure that it is possible to verify and establish the bodies to which personal data have been or may be transmitted or made available using data communication equipment;
- ensure that it is subsequently possible to verify and establish which personal data have been input into automated processing systems and when and by whom the personal data were input;
- prevent the unauthorised reading, copying, modification or deletion of personal data during transfers of personal data or during transportation of data media;
- ensure that installed systems may, in the case of interruption, be restored; and
- ensure that the functions of the system perform correctly, that any faults in those functions are reported, and that stored personal data cannot be corrupted by a malfunction of the system.
7.1. Are processors under an obligation to notify controllers in the event of a data breach? If so, are there timeframe and content requirements?
Article 61(2) of the Act provides that processors shall, without undue delay and not later than 72 hours after having become aware of it, notify the security breach to the controller.
For further information see Belgium - Data Breach.
For further information on breach notifications under the GDPR, see EU - GDPR - Data Breach.
8.1. Are subprocessors regulated? If so, what obligations are imposed?
Article 53(2) of the Act provides that processors shall not engage another processor without the prior specific or general written authorisation of the controller. In the case of a general written authorisation, the processor must inform the controller of any intended changes concerning the addition or replacement of another processor, thereby giving the controller the opportunity to object to such changes.
Article 53(3)(6) of the Act provides that contracts between controllers and processors must stipulate that the processor meets the requirements of Articles 53(2) and 53(3) of the Act in order to engage a sub-processor.
9.1. Do transfer restrictions apply to processors? If so, what restrictions and what exemptions apply?
Article 55(1)(7) of the Act provides that the register of processing activities held by processors must contain information on the transfers of personal data to a third country or international organisation, including the identification of that third country or international organisation and, where applicable, the documentation attesting that suitable safeguards are in place.
Article 56(1) of the Act provides that the log files of processing operations, including transfers, shall be kept in automated processing systems.
For further information see Belgium - Data Transfers.
Following the publication of the CJEU's judgment C-311/18 Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems ('Schrems II') on 16 July 2020, which generally validated the SCCs while invalidating the EU-US Privacy Shield data transfer certification mechanism, the EDPB has released its Recommendations on Measures that Supplement Transfer Tools to Ensure Compliance with the EU Level of Protection of Personal Data, as well as complementary Recommendations on the European Essential Guarantees for Surveillance Measures, aimed to assist controllers and processors to 'verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data, whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses, by providing, where necessary, additional safeguards to those offered by those clauses'.
For further information on data transfers under the GDPR, see EU - GDPR - Data Transfers.
10.1. Are processors required to assist controllers with regulatory investigations?
Article 57 of the Act provides, in general terms, that the controller and processor must cooperate with the supervisory authority in the performance of its tasks.
Article 55(3) of the Act holds that the register of processing activities must be put at the disposal of the supervisory authority.
Additionally, Article 56(3) of the Act provides that processors must make the log files available to the competent supervisory authority on request.
11.1. Are processors required to appoint a DPO / representative?
Data Protection Officer ('DPO')
The Mandatory Appointment FAQs provide that, where the data controller is required to appoint a DPO, the appointment of a DPO by any processor contracting with that controller is encouraged as a matter of good practice.
For further information see Belgium - Data Protection Officer Appointment.
For further information on DPOs under the GDPR, please see our EU - Data Protection Officer Appointment Guidance Note.
There are no national variations.
12.1. Are controllers obliged to supervise or monitor processors' compliance with the law and contract?
Article 53(5) of the Act provides that the contract between controllers and processors must stipulate that the processor makes available to the controller all information necessary to demonstrate compliance with Article 53 of the Act.
Article 54 of the Act adds that the processor, or any person acting under the authority of the controller or the processor, who has access to personal data shall process those data exclusively on the instructions of the controller, unless required to do otherwise by law, decree, ordinance, European law or international agreement.
Authored by OneTrust DataGuidance.
DataGuidance's Privacy Analysts carry out research regarding global privacy developments, and liaise with a network of lawyers, authorities and professionals to gain insight into current trends. The Analyst Team work closely with clients to direct their research for the production of topic-specific Charts.