The Belgian UBO-Register is a national database that organizes and structures adequate, accurate and up-to-date information regarding Ultimate Beneficial Owners (hereinafter referred to as the “UBOs”) of corporate or other legal entities incorporated in or operating on the Belgian territory. By 30 September 2019 all Belgian corporate or other legal entities are obliged to identify their UBOs and upload the required information in the Belgian UBO-Register.
The obligation to create an UBO-Register in each Member State of the European Union results from the Fourth Anti-Money Laundering Directive 2015/849 of 20 May 2015 (hereinafter referred to as the “Directive”), which has been transposed into Belgian law by means of the Law of 18 September 2017 for the prevention of money laundering and terrorist financing and for the limitation of the use of cash (hereinafter referred to as the “Law”) and the Royal Decree of 30 July 2018 regarding the operating modes of the UBO-Register (hereinafter referred to as the “Royal Decree”).
The UBO-Register is established as a tool in the combat against money laundering and terrorist financing. The institution responsible for the UBO-Register in Belgium is the General Administration of the Treasury of the Federal Public Service Finance.
It goes without saying that a lot of personal data regarding the UBOs (being always a natural person) will be processed in light of the UBO-Register. The UBO-Register will receive, amongst others, the identification details, including the identification number of the National Register of the UBOs.
Therefore, the implications under the Law, the Royal Decree and the General Data Protection Regulation 2016/679 (hereinafter referred to as the “GDPR”) as well as two advices which were published by the Belgian Privacy Commission (currently the Belgian Data Protection Authority, hereinafter referred to as the “Belgian DPA”) deserve a closer look.
As stated above, the UBO-Register will process a lot of personal data. Therefore, corporate and other legal entities will need to comply with the principles imposed by both European and national privacy legislation when identifying and registering their UBOs.
In accordance with the obligations imposed by the Royal Decree, corporate and other legal entities will need to inform the UBOs on a durable medium about:
Moreover, the General Administration of the Treasury will inform the UBOs about their registration in the UBO-Register and provide them with the information that is registered in their name. Besides that, the UBOs can directly, or via the General Administration of the Treasury, request free of charge to rectify or delete any inaccurate data that is registered in their name. The corporate or other legal entity will also be obliged to rectify or delete any inaccurate data concerning the UBOs and notify these changes without delay to the UBO-Register.
The Belgian DPA already identified in its advice of 24 May 2017 an issue with article 74, §1 of the Law which stipulates that “the UBO-Register has as its purpose to make available sufficient, accurate and up-to-date information regarding the UBOs […]”. It is clear that this provision does not provide for a sufficiently precise demarcation of the finality / purpose of the processing of the personal data in light of the UBO-Register. Consequently, the Belgian DPA recommended to determine the essential elements (i.e. the processed personal data, the purposes of the processing and the possible recipients of the personal data) regarding the UBO-Register more clearly.
In its advice of 23 May 2018 the Belgian DPA reviewed and commented upon the Royal Decree, which determines the aforementioned essential elements, and expressed a favorable opinion with minor remarks. More specifically, the Belgian DPA discussed the below mentioned matters more in depth.
For sake of completeness, the reader will note that all rights that are generally granted under the GDPR remain applicable to all involved parties, including but not limited to, the data controller, data processor and UBOs. However, since the UBO-Register has been created in light of a matter of general / public interest, the rights of a data subject (i.e. UBOs) under the GDPR (such as a.o. the right to be forgotten) shall be limited.
In case of any violation of the principles of the GDPR, administrative fines can be imposed on the corporate and other legal entities by the Belgian DPA to the amount of 2% or 4% of their annual worldwide turnover.
Besides that, the Law provides for criminal fines going from 50 EUR to 5.000 EUR (to be multiplied by 8) and administrative fines going from 250 EUR to 50.000 EUR to be imposed on managers / directors of the corporate or other legal entities not complying with the specific UBO-obligations of the Law and the Royal Decree.
Therefore, make sure to consider the aforementioned obligations and to reach out to us for further updates on this topic or for advice or assistance on this matter.