Hunton Andrews Kurth LLP
  August 30, 2012 - Virginia

Data Protection Guide: Belgium
  by Laura De Boel

Introduction

Title and date of national law

The Act on the protection of privacy in relation to the processing of personal data of December 8, 1992 (the 'Data Protection Act' or 'DPA') and its Royal Decree of February 13, 2001.

Relation with international instruments

The DPA implements EU Directive 95/46/EC on the protection of individuals regarding the processing of personal data and the free movement of such data.

Is the national law regarded as equivalent to EU standards or as meeting other regional standards?

The DPA does not contain major differences from EU Directive 95/46/EC.

Coverage

Data Privacy

A general right to privacy is enshrined in the Belgian Constitution. The DPA regulates the processing of personal data, which is defined as any operation or set of operations which is performed upon personal data, by automatic or non-automatic means.

Marketing

The use of personal data for marketing purposes is subject to the DPA. In addition, the e-Commerce Act of March 11, 2003, the Royal Decree on Spam of April 4, 2003, the Act on Market Practices and Consumer Protection of April 6, 2010 and the Electronic Communications Act of June 13, 2005 contain specific rules that may apply to the use of personal data for marketing purposes.

Surveillance and Retention of Data

The monitoring of data subjects is subject to the general provisions of the DPA. In addition, the Camera Surveillance Act of March 21, 2007 contains specific rules for the installation and use of surveillance cameras. When cameras are used to monitor employees in the workplace, Collective Labor Agreement n°68 of June 16, 1998 applies. The Electronic Communications Act of June 13, 2005 and the Penal Code set conditions for accessing electronic communications. To monitor the electronic communications of employees, employers must follow specific procedures set out in Collective Labor Agreement n°81 of April 26, 2002.

Exclusions

The DPA provides an exemption for the processing of personal data by a natural person in the course of a purely personal or household activity. In addition, certain types of data processing benefit from partial exemptions, such as data processing by public security services or data processing for journalistic purposes.

Other Material Notes

It is advisable to consult the opinions and recommendations issued by the Belgian Data Protection Authority (the "Privacy Commission") which provide guidance on Belgian data protection rules. 

Nature of legal instruments, e.g., Constitutional Rights, Self-Executing Convention Rights
 
Privacy is a constitutional right. The right to the protection of personal data is provided by the DPA, but not by the Belgian constitution. However, a specific right to the protection of personal data is enshrined in the Charter of Fundamental Rights of the European Union, which can be invoked by individuals before Belgian courts.

Date(s) of implementation of main law

The DPA was adopted on December 8, 1992 and has since been amended several times, e.g., in 1998 to implement EU Directive 95/46/EC.

Detail

Relationship with EU law and third pillar matters?

The Treaty of Lisbon abolished the three pillar structure.

Does national law cover third pillar matters?

The DPA covers former third pillar matters, but certain exemptions apply.

Are there differences between public and private sector regulation or specific sectoral regulation?

The DPA covers both the public and the private sector.

Coverage and scope of the Data Protection Act

Who is covered? Data Subjects Covered by the Act

The DPA applies to data controllers, which are natural or legal persons, private or public bodies, which determine alone or jointly with others the purposes and means of the processing of personal data. The DPA also applies to data processors, which are natural or legal persons, private or public bodies, which process personal data on behalf of the controller (but are not under the direct authority of the data controller, such as employees).

What data is covered (manual or electronic)?

The DPA applies to personal data that is processed wholly or partly by automatic means. The DPA also applies to personal data that is processed otherwise than by automatic means if it is included or is intended to be included in a filing system (i.e., a structured set of personal data).

What personally identifiable information is covered?

The DPA applies to personal data, which is defined as any information concerning an identified or identifiable natural person (i.e., the data subject).

How are the territorial boundaries established?

The DPA covers the processing of personal data that is carried out: (i) in the context of the effective and actual activities of a data controller's permanent establishment on Belgian territory or in a place where Belgian law applies by virtue of international public law; or (ii) by a data controller who does not have a permanent establishment on EU territory but who uses means of processing which are located on Belgian territory, unless such equipment is used exclusively for the purposes of transit through Belgian territory.

The grounds for Processing

Does the law require a justification for processing personally identifiable information?

Yes. Personal data may only be processed if the data controller can rely on one of the legal bases listed in the DPA.

Basis for Processing any Personal Data

The processing of personal data must be based on the data subject's consent or it must be necessary for: (i) the performance of a contract; (ii) compliance with a legal obligation; (iii) protecting the vital interests of the data subject; (iv) performance of a task carried out in the public interest or in the exercise of official authority; or (v) the purposes of the legitimate interests pursued by the controller or the third party to whom the data are disclosed, unless the interests or fundamental rights and freedoms of the data subject prevail.

Any special provisions for sensitive personal data?

The DPA sets specific conditions for the processing of the following three categories of sensitive personal data:

 - personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership as well as the processing of data concerning sex life;

 - health-related personal data; and

 - personal data concerning litigation that have been submitted to courts, tribunals or administrative judicial bodies, or personal data concerning suspicions, prosecutions or convictions for crimes, administrative sanctions or security measures. 

In principle, the processing of these three categories of personal data is prohibited. However, the DPA lists a number of circumstances in which these categories of personal data may be processed. For instance, the first two categories of personal data may be processed on the basis of the data subject's written consent. Consent is not a legal basis for the processing of the third category of personal data. 

Principles Relating to Finality

Fair and lawful processing

Personal data processing must be fair and lawful.

Finality principle

Personal data must be collected for specified, explicit and legitimate purposes and may not be further processed in a manner that is incompatible with those purposes. Notification with the Privacy Commission must be made per purpose of the data processing and data subjects must be informed of this purpose (see below).

Principles relating to data quality

Data adequacy, accuracy and retention

Personal data must be accurate (and kept up to date), relevant and not excessive in relation to the purposes for which it is collected or processed and may not be kept in a form enabling identification of the data subjects for longer than necessary for those purposes.

Anonymisation

Anonymizing personal data is considered as a data processing activity, which requires a legal basis. The processing of anonymous data falls outside the scope of the DPA. In addition to personal data and anonymous data, Belgian data protection law defines a third category of data: key-coded data. The Royal Decree of February 13, 2001 defines key-coded personal data as personal data which can only be linked to an identified or identifiable individual by way of a code. The Royal Decree provides for a specific legal regime for the processing of key-coded data if certain conditions are met. 

Data Subjects

Notice

Data controllers must provide data subjects upfront with information regarding the processing of their personal data. At least the following information should be provided, unless the data subject is already aware of this:

 - the name and address of the data controller and of his representative, if any;

 - the purposes of the data processing; and

 - the existence of a right to object, free of charge, to any intended processing of the data subject's personal data for direct marketing purposes.

If this is necessary to ensure fair data processing, more information should be provided, such as:

 - the data recipients or categories of data recipients;

 - whether the data subject is obliged to provide its personal data and the consequences of not replying to the request;

 - the existence of a right of access to, and the right to rectify, the personal data concerning the data subject; and

 - other information depending on the specific nature of the processing.

In addition, if personal data is not obtained directly from the data subject, the data subject should also be informed of the categories of personal data processed. The obligation to provide the above information is subject to certain exemptions (e.g., if personal data is processed for journalistic purposes).

Subject access

Data subjects also have the right to obtain, upon request, certain information from the data controller, such as whether their personal data are being processed, the purposes of the data processing, the categories of personal data concerned and the categories of data recipients.

Right to object to processing

The data subject has the right to object, without providing justification, to the processing of his personal data for direct marketing purposes. In addition, if he can invoke compelling and legitimate reasons relating to his specific situation, the data subject has a general right to object to the processing of his personal data, except when the processing is necessary for the performance of a contract or to comply with a legal obligation.

Automated decisions

In principle, decisions that have legal effects for a data subject or substantially affect him cannot be solely based on automated data processing intended to evaluate certain aspects of the data subject's personality. However, if the decision is taken in the context of an agreement or to comply with a legal obligation, the prohibition does not apply. Such agreement or legal obligation must contain adequate measures to protect the data subjects' legitimate interests. Also, the data subject concerned has the right to obtain from the data controller information on the logic of such decision making.

Other Rights

Data subjects also have the right to obtain from the data controller the rectification of incorrect personal data and the erasure or blocking of personal data that is incomplete or irrelevant for the purpose of the data processing or if the recording, disclosure or storage of the personal data is prohibited or if the permitted retention period for the personal data is exceeded. The data subject may request the Privacy Commission to exercise the above rights on his behalf or file a complaint before courts. 

Confidentiality and Security of Data Processing

Confidentiality obligations

The DPA imposes confidentiality obligations on data controllers as well as data processors.

Security obligations

Data controllers and data processors must implement adequate technical and organizational security measures to protect personal data against accidental or unauthorized destruction, or accidental loss, as well as unauthorized alteration or access and all other unlawful forms of processing of personal data. These security measures should ensure an adequate level of protection, taking into account on the one hand the state of the art and the costs relating to implementing the measures and on the other hand the type of personal data concerned and the potential risks relating to the data processing. The Privacy Commission has published on its website a non-binding list of recommended security measures (« Referentiemaatregelen voor de beveiliging van elke verwerking van persoonsgegevens » / « Mesures de référence en matière de sécurité applicables à tout traitement de données à caractère personnel »).

Use of data processors

The data controller must conclude a written agreement with the data processor which should (i) specify the technical and organizational security measures; (ii) set out the data processor's liability; and (iii) state that the data processor will only process personal data on the instructions of the data controller.

Notification

Rules for notification

Data controllers are required to notify their data processing activities with the Privacy Commission, prior to starting the processing. Data processors are not required to register with the Privacy Commission. One notification is required for each data processing purpose or linked purposes. Notifications can be made online on the Privacy Commission's website at www.privacycommission.be or using a hard copy form. The Privacy Commission keeps a public register of notifications that can be consulted online.

Exceptions

In principle, a data controller must notify any automated data processing. However, strict exceptions to the notification obligation exist (e.g., for certain standard data processing activities such as basic payroll management).

Prior checking

There is no prior checking procedure in Belgium. However, prior authorization must be obtained for the use of data transfer agreements that are not based on the European Commission's standard contractual clauses or Binding Corporate Rules (BCR) to legitimize international data transfers to 'non-adequate' third countries (see below).

Overseas transfers

Does the law restrict overseas transfers?

Data transfers to countries outside the European Economic Area that do not provide an adequate level of protection are in principle prohibited.

Derogations

Personal data may be transferred to 'non-adequate' third countries if the data controller provides sufficient guarantees, e.g., by concluding a data transfer agreement or by adopting BCR. If the data transfer to a 'non-adequate' third country is based on a data transfer agreement implementing the European Commission's model clauses, the Privacy Commission must be notified of the use of the data transfer agreement, but it does not need to authorize the data transfer. If the data transfer is based on BCR, the Ministry of Justice's authorization must be obtained by means of an individual Royal Decree. In practice, the BCR must first be sent to the Privacy Commission, which will advise the Ministry of Justice on whether or not to adopt the individual Royal Decree. Personal data may also be transferred to 'non-adequate' third countries if one of the exceptions provided in the DPA applies (e.g., the data subject unambiguously consents to the data transfer).
 
Adequacy

The Privacy Commission considers 'adequate' those countries that are recognized by the European Commission as providing an adequate level of protection.

Enforcement and remedies

Independent regulator and regulatory sanctions

The Privacy Commission oversees compliance with privacy and data protection rules in general, not limited to the DPA. It issues non-binding guidance on the application and interpretation of privacy and data protection rules. It has the power to exercise rights of data subjects on their behalf. It also has the power to investigate potential breaches of privacy and data protection rules, at its own initiative or at the request of data subjects. However, the Privacy Commission does not have the power to impose fines. If the Privacy Commission detects a breach of privacy and data protection rules, it can refer the case to the Public Prosecutor who may, at its own discretion, initiate criminal proceedings. Violation of the DPA may lead to fines of up to 550,000 euros being imposed, confiscation of the media containing the personal data to which the offence relates, the erasure of the data or the prohibition to control any processing of personal data, directly or through an agent, for a period of up to two years. A Court may also order the publication of the judgment in one or more newspapers. Any repeated violation of the Data Protection Act is punishable by a term of imprisonment of up to two years, and/or a fine of up to 550,000 euros.

Exceptions

National security

The DPA contains partial exemptions e.g., for personal data processing by public security services or police services or for journalistic, artistic or literary purposes.

Others

The DPA does not apply to non-automated personal data processing that is not carried out through a filing system and to personal data processing by a natural person in the course of a purely personal or household activity.

Marketing rules

Are there specific rules governing marketing?

The e-Commerce Act of March 11, 2003, the Royal Decree on Spam of April 4, 2003, the Act on Market Practices and Consumer Protection of April 6, 2010 and the Electronic Communications Act of June 13, 2005 contain specific rules that may apply to the use of personal data for marketing purposes. In addition, the DPA contains an obligation for data controllers to provide data subjects with an opt-out to the processing of their personal data for direct marketing purposes. In general, natural or legal persons who have objected to receiving any form of direct marketing may not be targeted with such marketing. In addition, prior consent is required for the following types of direct marketing:

Telephone

Individuals who have not provided their prior, free, specific and informed consent may not be targeted with automated marketing calls without human intervention. Consent may be withdrawn without justification and free of charge.

Fax

Individuals may not be targeted with marketing faxes without having provided their prior, free, specific and informed consent. Consent may be withdrawn without justification and free of charge.

E-mail and SMS

In principle, marketing communications may only be sent by e-mail or SMS after the receiver has provided his prior, free, specific and informed consent. Under specific conditions, consent is not required for sending electronic marketing communications to existing customers for similar products or services or to legal entities if the electronic contact information used does not contain personal data.

Other

In June 2012, the Belgian Parliament adopted an amendment to the Electronic Communications Act of June 13, 2005 to implement the revised so-called "cookie clause" of the EU ePrivacy Directive (Article 5.3 of the amended Directive 2002/58/EC) into Belgian law. The amendment imposes an obligation to obtain the informed consent of the subscriber or user before setting cookies or similar devices. Unfortunately, the amendment does not explain how to comply with the new rules in practice. The Privacy Commission has already issued guidance indicating that consent cannot be obtained by relying on current browser settings. 


Laura De Boel is an associate in the Brussels office of Hunton & Williams. Her practice focuses on EU data protection issues. She also gives guest lectures on European data protection law at the University of Brussels.