Belgium


Law: 

Act of 3 December 2017 Establishing the Data Protection Authority, Act of 30 July 2018 on
the Protection of Natural Persons with Regard to the Processing of Personal Data ('the Act'), and
the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR')

Regulator: Data Protection Authority ('Belgian DPA') 

Summary: Belgium implemented the GDPR in 2018 through the Act, and derogated from the
GDPR by creating exceptions to data subject rights for purposes such as scientific or historical
research and in setting the age of consent for children's data to 13 years of age. The Act
designates the previously established Belgian DPA as the supervisory authority. The Belgian
DPA often releases guidance in both Dutch and French, and sometimes German, addressing key
concerns such as data protection officer appointments, Data Protection Impact Assessments,
and Binding Corporate Rules ('BCRs'). The Belgian DPA is particularly active in issuing opinions
and enforcement decisions, which often concern, among other things, organisations' responses
to data subject access requests and unlawful use of video surveillance.

Legal Bases

1. Consent

Apart from what is mentioned in the section on children's data below, there is no national
variation in relation to consent as a legal basis.

2. Contract with the data subject

There is no national variation in relation to contract with the data subject as a legal basis.

3. Legal obligations

There is no national variation in relation to legal obligations as a legal basis.

4. Interests of the data subject

There is no national variation in relation to the interests of the data subject.

5. Public interest

The Act lists specific processing operations that are considered to be for reasons of
substantial public interest, in accordance with Article 9(2)(g) of the GDPR, as detailed further
in the section on special categories of personal data, below.

6. Legitimate interests of the data controller

There is no national variation in relation to the legitimate interests of the data controller as
a legal basis.

7. Legal bases in other instances

Scientific or historical research purposes

Article 89 of the GDPR is implemented in Title 4 of the Act (Article 186 and its subsections of
the Act).

Controllers who wish to rely on the exceptions foreseen by Article 89(2) and (3) must comply
with the provisions of Title 4 of the Act, which requires, among other things, that the data
controller:

• include the following information in its record of processing:
  - a justification for the non-use of pseudonymised data;
  - the reasons why the exercise of data subject rights is likely to seriously impair
    or render impossible the pursued purposes; and
  - the DPIA; and
• in addition to what is required under Article 13 of the GDPR, inform the data subject
  as to whether the personal data are anonymised or not, and the reasons why the
  exercise of the data subject rights is likely to seriously impair or render impossible the
  pursued purposes.

Further processing

Where a data controller processes personal data for scientific or historical research
purposes which were not obtained directly from the data subjects, the controller must enter
into an agreement with the original controller, unless an exception applies. This agreement
must contain the details of both controllers and the reasons why the exercise of the data
subject rights is likely to seriously impair or render impossible the pursued purposes. The
agreement must be added to the record of processing.

Anonymisation and pseudonymisation

Scientific or historical research must be performed on the basis of anonymised data. If it is
not possible to achieve the research purpose with anonymised data, then the controller
must use pseudonymised data. If it is not possible to achieve the research purpose with
pseudonymised data, then the controller may use non-pseudonymised data.

Personal data obtained directly from the data subject must be pseudonymised/anonymised
after collection.

In case of further processing for scientific or historical research purposes, the personal data
must be pseudonymised/anonymised before initiating further processing or before
disclosure to another controller for further processing.

Pseudonymised data may only be de-pseudonymised if necessary for the research and after
advice from the DPO.

In case of further processing by another controller, the other controller may not have access
to the pseudonymisation keys.

The DPO must give advice on the efficacy of the pseudonymisation/anonymisation.

Disclosure

In principle, the controller may only disclose the data in its pseudonymised form, but
exceptions are possible (e.g. if the data subject has given their consent).

Principles

There are no other national principles than the ones outlined in the GDPR.

Controller and Processor Obligations

1. Data processing notification

There is no requirement for Belgian data controllers or data processors to notify their
processing activities to the Belgian DPA, nor to pay a registration fee.

2. Data transfers

There are no data transfer restrictions other than the ones outlined in the GDPR.

3. Data processing records

There are no other data processing records obligations other than the ones outlined in the
GDPR.

4. Data protection impact assessment

A DPIA must be conducted when the processing is likely to create a high risk to the rights
and freedoms of the persons concerned.

The Belgian DPA has issued guidance on DPIAs (available in Dutch here and French here), as
well as a draft List of the Types of Processing Operations for which a DPIA shall be Required
(Article 35(4) of the GDPR) ('the Draft List'). In response, the EDPB issued its opinion on the
Belgian DPA's Draft List. There is no final list available yet on the Belgian DPA's website.

The Draft List provides that the following types of processing operations require a DPIA:

• biometric data, when collected for the purpose of uniquely identifying data subjects
  who are in a public space or a private publicly accessible area;
• data collected from third parties which are subsequently taken into account in the
  context of a decision to refuse or terminate a service contract;
• health data, when collected by automated means with the aid of an active implantable
  medical device;
• data collected on a large scale from third parties in order to analyse or predict the
  economic situation, health, personal preferences or interests, reliability or behaviour,
  location or movements of natural persons;
• special categories of data, when systematically exchanged between several
  controllers;
• large-scale processing of data generated by Internet of Things devices, when it
  serves to analyse or predict the economic situation, health, personal preferences or
  interests, reliability or behaviour, location or movements of natural persons;
• large-scale and/or systematic processing of telephony or communication data,
  metadata or location data which allows natural persons to be traced, when the
  processing is not strictly necessary for a service requested by the data subject; or
• large-scale processing of data whereby the behaviour of natural persons is
  systematically observed, collected, established or influenced by automated
  processing, including for advertising purposes.

In addition, the Belgian DPA has published a form by means of which a prior consultation in
line with Article 36 of the GDPR should be carried out (only available in Dutch here and in
French here).

Consultation

The Belgian DPA has not yet issued a list with national activities for which no DPIA is
required. However, no prior consultation is required if controllers can adequately reduce
the risk to the rights and freedoms of natural persons with the implementation of
appropriate technical and organisational measures.

Finally, the form for prior consultation on DPIAs can be submitted to the Belgian DPA
(available in French here, Dutch here, and German here).

5. Data protection officer appointment

The Act does not impose general additional obligations in relation to the appointment of a
DPO.

It does, however, require that the following organisations appoint a DPO:

• the Centre for Missing and Sexually Exploited Children ('the Children Centre');
• any private body processing personal data on behalf of the Government, or to which
  the Government transmits personal data, if the processing of these data may present
  a high risk, as referred to in Article 35 of the GDPR; and
• controllers processing personal data for archiving for public interest, scientific or
  historical research, or statistical purposes as referred to in Articles 89(2) and 89(3) of
  the GDPR, if the processing of these data may present a high risk, as referred to in
  Article 35 of the GDPR.

The communication of the contact details of the DPO, as required by Article 37(7) of the
GDPR, can be done via an e-Form (instructions on how to access the e-forms available in
French here).

In regard to the DPO requirement under the GDPR, Article 5 of the Act defines 'public
authority' as:

1. the Federal State, the federated entities and the local authorities;
2. the legal persons under public law subordinate to the Federal State, the federated
entities or the local authorities;
3. the persons, whatever their form or nature:
   (a) established for the specific purpose of meeting needs of general interest,
   without any industrial or commercial character;
   (b) having legal personality; and
   (c) whose activities are mainly financed by the public authorities or bodies
   referred to in points 1 and 2 above, or whose management is subject to the
   supervision of those authorities or bodies, or having an administrative,
   management or supervisory body of which more than half of the members are
   appointed by those authorities or bodies; and
4. associations composed of one or more public authorities as referred to in the above
provisions.

In the FAQs on mandatory appointment of DPOs (only available in Dutch here and in
French here) ('the Appointment FAQs'), the Belgian DPA highlighted that additional
situations under the Act where a DPO must be designated, in addition to the requirements
set out in Article 37(1) of the GDPR, are set out in Articles 21 and 190 of the Act.

On the point of notification, organisations that appoint a DPO are under an obligation to
notify their contact details to the Belgian DPA through an electronic form, which must be
submitted via the Belgian DPA's e-forms web portal. The Belgian DPA provides guidance
(only available in Dutch here and in French here) on how to fill out the notification form and
states that it must be completed in one of the three official languages (Dutch, French, or
German). The technical annexes to the application form may also be submitted in English, in
addition to the three national languages. The Belgian DPA noted that applications submitted
in other languages are considered inadmissible.

Finally, the DPO is not treated as a regulated profession. Therefore, the Belgian DPA is not
authorised to proactively verify the choice of a DPO by a controller or processor (the
Appointment FAQs).

Absence of a DPO

In line with the Appointment FAQs, an organisation should prepare a procedure for the
event of the absence of a DPO. The Belgian DPA noted that, in the event of the absence of a
DPO, a data controller or a data processor must guarantee the continuity of compliance
with the GDPR obligations that relate to the DPO. In line with the GDPR principle of
accountability, such continuity must be demonstrated to the Belgian DPA.

Furthermore, in line with the Appointment FAQs, the Belgian DPA outlined rules to be
determined by the controller/processor concerned and noted that the procedure should be
frequently evaluated and updated. In particular, the controller/processor concerned should
take the following into account:

• the absence of a DPO does not exempt the controller/processor from compliance
  with their obligations. If the DPO is absent, their position must be filled by a person
  with sufficient qualifications and status as required by the GDPR, or who most closely
  resembles it, in order to ensure continuity of a DPO's function;
• the specific rules for managing the absence of the DPO depend on factors such as the
  duration of the absence, the types of tasks carried out by the DPO and the applicable
  or foreseen deadlines, the risk level of the processing carried out by the
  controller/processor concerned, the existence of another DPO within the
  organisational structure and all other relevant contextual factors. Depending on
  the situation, the controller/processor may choose to temporarily use the services of
  an external DPO, especially in case of long-term absence; and
• during the absence of the DPO, the rules regarding confidentiality and protection of
  personal data at the workplace continue to apply.

The Appointment FAQs further specify that if the absence of the DPO is managed without
designating a new DPO and it is still possible to contact the person who is fulfilling the
relevant tasks in DPO's absence with the contact address communicated to the Belgian DPA,
no new DPO is required to be notified with the Belgian DPA. However, if this is not the case
or if the controller/processor decides to replace the existing DPO with a new DPO, this
replacement must be notified to the Belgian DPA.

6. Data breach notification

The notification of a data breach to the Belgian DPA should be done via an e-form. Please
note that the e-form on the Belgian DPA's website is currently unavailable. The form must
be completed in Dutch, French, or German. Technical annexes to the application form may
be in English in addition to the three national languages referred to above. If this language
requirement is not met, the application will be considered inadmissible.

Sectoral

Companies that are subject to the Act of 13 June 2005 on Electronic Communications (only
available in Dutch here) should promptly notify the Belgian Institute for Postal Services and
Telecommunications ('BIPT') of any breach of security or loss of integrity that has a
significant impact on the operation of networks or services. The BIPT may inform the public
(or require the company in question to do so) if it considers that it would be in the public
interest to disclose the breach. If such a breach is also a personal data breach, the notification
obligations to the Belgian DPA apply in addition.

The Act of 7 April 2019 on Security of Network and Information Systems (only available in
Dutch and French here), which transposes the Directive on Security of Network and
Information Systems (Directive (EU) 2016/1148), requires operators of so-called 'essential
services' to notify any incident that has significant repercussions on the provision of their
services. Incidents shall be reported simultaneously to the National Computer Security
Incident Response Team ('CSIRT'), the sectoral authority or its sectoral CSIRT, and the Centre
for Cyber Security Belgium ('CCB') as a single point of contact. If such an incident is also a
personal data breach, the notification obligations to the Belgian DPA apply in addition.

7. Data retention

There are no specific additional data retention requirements imposed by the Act.

8. Children's data

Regarding the offer of information society services directly to a child, the processing of the
personal data of a child shall be lawful where the consent is given by children of at least 13
years old. Where a child is younger than 13 years of age, such processing shall be lawful
only if and to the extent that consent is given by the legal representative of the child in
question.

In addition, the Belgian DPA has created a webpage (accessible here) that focuses on
children's privacy, which covers topics such as the privacy of children at school and provides
useful information and guidance for children, parents, and teachers.

9. Special categories of personal data

Processing of special categories of personal data

As foreseen in Article 9(2)(g) of the GDPR, the Act clarifies that the following processing
activities should be considered as being necessary for reasons of substantial public interest
in Belgium:

• Processing by associations with a legal personality or foundations, whose main
  statutory objective is to defend and promote human rights and fundamental
  freedoms, and processed in order to achieve that objective, provided that the
  processing has been authorised by the King by a decree adopted after consultation in
  the Federal Council of Ministers, after advice from the competent supervisory
  authority. The King may lay down more detailed rules for such processing.
• Processing managed by the Children Centre for the receipt, transmission to the
  judicial authorities, and follow-up of data concerning persons suspected of having
  committed a crime or malpractice in a particular case of missing or sexually exploited
  children. The foundation is not allowed to hold a record of persons suspected of
  having committed a crime or misdemeanour or of convicted persons, and shall appoint
  a DPO.
• Processing of personal data relating to sexual life, carried out by an association having
  a legal personality or by a foundation, whose main statutory purpose is the
  evaluation, supervision, and treatment of persons whose sexual behaviour may be
  qualified as a criminal offence, if that association or foundation is recognised and
  subsidised by the competent authority for the achievement of that purpose. Such
  processing, which should be aimed at evaluating, supervising, and treating the persons
  referred to in this paragraph and which exclusively relates to personal data which, when
  they relate to sexual life, only concern the latter persons, must be subject to a special,
  individual authorisation granted by the King by means of a decree deliberated in the
  Federal Council of Ministers, after the competent supervisory authority has given its
  opinion. Such a decree should specify the duration of the authorisation, the
  modalities of the data processing, the modalities for the verification of the association
  or foundation by the competent authority and the way in which the competent
  authority reports to the competent supervisory authority on the processing of
  personal data within the framework of the authorisation granted.

Unless there are specific legal provisions to the contrary, the processing of genetic and
biometric data by these associations and foundations for the purpose of uniquely
identifying a natural person is prohibited.

The data controller and, where applicable, the data processor shall draw up a list of the
categories of persons having access to the personal data, describing their status in relation
to the processing of the envisaged data. This list shall be kept available for the competent
supervisory authority. Any designated person must also be bound by a legal or statutory
obligation, or by an equivalent contractual provision, to respect the confidentiality of the
data in question.

As foreseen in Article 9(4) of the GDPR, the Act introduces further conditions with regard to
the processing of genetic data, biometric data, or data concerning health, determining that
the following additional measures should be taken:

 the data controller or, where applicable, the data processor, shall designate the
categories of persons having access to the personal data, specifying their status in
relation to the processing of the data concerned;
 the data controller or, where applicable, the data processor shall keep a list of the
categories of designated persons at the disposal of the competent supervisory
authority; and
 the data controller shall ensure that the designated persons are bound by a legal or
statutory obligation, or by an equivalent contractual provision, to respect the
confidentiality of the information in question.

Processing of personal data relating to criminal convictions and offences

As foreseen in Article 10 of the GDPR, the Act authorises the processing of personal data
relating to criminal convictions and offences or related security measures when the
processing is carried out:

• by any natural or legal person, whether governed by private or public law, to the
  extent necessary for the management of their own disputes;
• by lawyers or other legal counsel to the extent necessary to defend the interests of
  their clients;
• by other persons, if the processing is necessary for reasons of substantial public
  interest for the performance of tasks of general interest laid down by or pursuant to a
  law, a decree, an ordinance or EU law;
• to the extent that the processing is necessary for scientific, historical, or statistical
  research, or for archiving purposes;
• where the data subject has given their explicit written consent to the processing of
  those personal data for one or more specified purposes and the processing is limited
  to those purposes; or
• if the processing relates to personal data which are manifestly disclosed by the data
  subject on their own initiative for one or more specified purposes and the processing
  is limited to those purposes.

The data controller and, where applicable, the data processor shall draw up a list of the
categories of persons having access to the personal data, describing their status in relation
to the processing of the envisaged data. This list shall be kept available for the competent
supervisory authority. The controller shall also ensure that any designated persons are
bound by a legal or statutory obligation, or by an equivalent contractual provision, to
respect the confidentiality of the data in question.

10. Controller and processor contracts

There are no other national requirements than the ones foreseen in Article 28 of the GDPR.

Penalties

In addition to the administrative sanctions provided by the GDPR, the Act provides for the
following criminal sanctions:

• criminal fines up to €120,000 for:
  - various unlawful processing activities, including processing personal data
    without a legal basis, non-compliance with the data processing principles of
    Article 5 of the GDPR, not respecting the right to object, and transferring personal
    data without appropriate safeguards;
  - impeding the statutory verification and audit duties of the Belgian DPA;
  - defiance towards the members of the Belgian DPA;
  - non-compliance with corrective measures imposed by the Belgian DPA
    pursuant to Articles 58(2)(d) and (f) of the GDPR; and
  - various infringements of the rules regarding certification;
• criminal fines up to €240,000 for non-respect of the prohibition on informing the data
  subject of the processing of their personal data by the authorities mentioned in Title 3
  of the Act where such information is not allowed; and
• full or partial publication of the judgment in one or more journals at the expense of
  the convicted person.

Article 221(2) of the Act provides that Article 83 of the GDPR on administrative sanctions,
does not apply to the Government, as defined in Article 5 of the Act, and its authorised
officials, except when it concerns legal persons of public law that offer goods or services on
the market.

Enforcement decisions

All decisions issued by Belgian DPA's Litigation Chamber from 2020 may be accessed on the
Belgian DPA's website.
