New Belgian law on processing of personal data - Implementation of some GDPR open clauses

The Belgian law relating to the protection of individuals regarding the processing of personal data (the Law) of 30 July 2018 was published in the Official Gazette on 05 September 2018 (date of entry into force). The Law implements some open clauses of the GDPR.

12 September 2018

Publication

The Law is very bulky (286 provisions!). However, the Law does not impose a lot of specific obligations on companies in addition to those already provided by the GDPR. Most of its provisions relate to the processing of personal data by public authorities.

The following note summarises provisions of the Law which are relevant for companies.

Scope

The Law applies to the processing of personal data carried out in the framework of the activities of an establishment of a controller or a processor on the Belgian territory (even if the processing does not take place on the Belgian territory).

Using the criteria of the GDPR, the Law also applies to the processing of personal data of individuals who are on the Belgian territory by a controller or a processor not established on the Belgian territory when the processing activities are related to (i) the offering of goods or services to such individuals on the Belgian territory, irrespective of whether a payment is required and (ii) the monitoring of their behaviour as far as their behaviour takes place on the Belgian territory.

The Law repeals the law of 08 December 1992 on privacy protection in relation to the processing of personal data and its implementing royal decree of 13 February 2001 which mainly governed the processing of personal data so far.

In execution of article 8.1 GDPR, the Law provides that the processing of personal data in relation to the offer of information society services directly to children is lawful if the consent is given by a child aged 13 years or over. When such processing relates to personal data of a child below 13 years, it will only be lawful if the consent is given by the legal representative of the child.

Reasons of substantial public interest

Article 9.2, (g) GDPR provides that a controller can process “special categories of personal data” (i.e. sensitive data such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, data concerning health, etc.) when processing is necessary for “reasons of substantial public interest” on the basis of EU or Member State law.

Article 8.1 of the Law provides a comprehensive list of the processing activities considered as “processing necessary for reasons of substantial public interest”. That list, however, only applies to specific associations and foundations.

Processing of genetic data, biometric data and data concerning health

Article 9.4 GDPR provides the possibility for Member States to maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.

The Law provides that the controller must take the following additional measures when processing genetic data, biometric data and data concerning health:

  • the categories of persons having access to those personal data are appointed by the controller or the processor (if applicable) with a precise description of their function with regard to the processing intended
  • the list of categories of persons appointed as mentioned above is kept at the disposal of the competent supervisory authority (in Belgium the Data Protection Authority, Autorité pour la Protection des Données in French or Gegevensbeschermingsautoriteit in Dutch) by the controller or the processor (if applicable), and
  • the controller must ensure that the persons appointed are bound by a statutory or contractual obligation of confidentiality.

Processing of personal data relating to criminal convictions and offences

The GDPR provides that the processing of personal data relating to criminal convictions and offences is in principle prohibited and can only be carried out under the control of an official authority or “when the processing is authorised by EU or Member State law” providing for appropriate safeguards for the rights and freedoms of data subjects.

The Law provides a limitative list of cases where the processing of such personal data is authorised. This list includes, among others: processing by companies for the management of their own litigation; processing by lawyers or other legal counsels as far as the defence of their clients requires it; processing necessary for scientific, historical or statistical research or for archiving purposes; processing where the data subject has made those personal data public for a specific purpose; and processing where the data subject has explicitly given his/her consent in writing for specific purposes.

Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

The GDPR and the Law provide that the processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall be lawful without any further legal ground being required if it complies with specific safeguards.

Those safeguards include, for example, the appointment of a DPO when the processing of personal data is likely to result in a high risk to the rights and freedoms of individuals, the obligation to include some additional information in the record of processing activities held in accordance with article 30 GDPR or the obligation to enter into a specific agreement between the initial controller and the new controller, etc.

Some derogations from the rights of data subjects could also be considered.

Remedies

The Law provides the possibility to lodge a legal action for cessation before the president of the court of first instance (summary proceedings) in case of breach of the GDPR or of the Law.

Following this action for cessation, an individual can also claim damages on the basis of contractual or tort liability.

Sanctions

The Law provides that the corrective powers of the Data Protection Authority shall apply in case of breach of the above rules. The Law also provides some criminal sanctions (in addition to the administrative fines provided by the GDPR which are already very dissuasive).

If you need any assistance in relation to the above, please do not hesitate to contact Jérémie Doornaert or Olivier Mignolet.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.