The Law of 30 July 2018 on the protection of natural persons with regard to the processing of personal data (hereafter Law) was published in the Belgian Gazette and immediately entered into force on 5 September 2018.
The largest part of the provisions of the Law apply to the processing of personal data in the public sector. In relation to the private sector, the Law only deviates and/or complements the General Data Protection Regulation (hereafter GDPR) to a limited extent and will therefore have a minor impact on the processing of personal data by private companies and organizations.
Hereafter are some of the most noteworthy provisions of the Law (concerning the private sector).
The Law explicitly states in article 6 that the GDPR remains fully applicable in relation to the processing of personal data in the private sector except in those cases where the Law supplements the GDPR. In principle, this article 6 is unnecessary but Belgian legislation has introduced it for reasons of clarity.1
Moreover, it has been stated that the Law will apply to companies and organizations that process personal data:
The Law will not apply to a processor established on Belgian territory, if the controller is established in another EU Member State and when the processing takes place on the territory on which the controller is established. In that case, the law of the other EU Member State will be applicable.
The GDPR allows EU Member States to provide for an age lower than 16 years regarding a child’s consent, as long as it does not go below the age of 13 years old. Belgian lawmakers have chosen to make full use of this possibility and lower the age to 13. If a child is below the age of 13 years, the processing of its personal data will only be lawful and valid if and to the extent that consent is given or authorized by the holder of parental responsibility over the child. Therefore, each data controller should implement an adequate system that can verify the parental consent for children under 13 years old.
The GDPR prohibits the processing of special categories of personal data (i.e. racial or ethnic origin, political beliefs, religious or philosophical beliefs, etc.). However, there are several exemptions in which case the processing of these special categories of personal data is allowed. One of the exemptions allows Member States to determine when the processing of these special categories of personal data is necessary for reasons of substantial public interest. Consequently, the Law lists three situations in which processing is deemed to be of substantial public interest. In concreto, the most relevant of these three situations relates to processing by associations who have as their statutory goal the defense and improvement of human rights and fundamental freedoms. The two other situations apply to sex offenders and are irrelevant to private companies and organizations.
In relation to the processing of genetic data, biometric data or data concerning health, the Law introduces three new obligations for the data controller or processor:
The Law introduces a so-called “cease and desist” procedure. This procedure allows the data subject, whose rights have been infringed, to bring a claim of infringement of data protection obligations before the President of the competent Court of First Instance.
If the Court decides that there is indeed an infringement, it can prevent, in a rapid manner, further infringement of the data subject’s rights via an injunction. The Court can also impose a penalty if the infringing party does not comply with the provisions of the injunction. The Court can also order a publication of its decision/order.
Important to note is that a data subject cannot claim compensation for damages incurred as the President of the Court of First Instance is not competent to rule on the matter. The data subject will have to initiate separate proceedings.
Finally, in addition to the administrative sanctions already imposed by the GDPR, the Belgian legislator has introduced criminal sanctions in the form of fines ranging from €100 to €30.000 for infringements of the Law.