CMS Expert Guide: Data Law Navigator

Data protection

1. Local data protection laws and scope

  • General Data Protection Regulation n° 2016/679 (GDPR);
  • Law of 30 July 2018 on the protection of natural persons with regard to the processing of personal data (Privacy Act) and implementing decrees;
  • Law of 5 September 2018 establishing the Information Security Committee and amending various laws concerning the implementation of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;
  • Law of 21 March 2018 on the use of surveillance cameras (the new Camera Act);
  • Law of 3 December 2017 on the creation of a Data Protection Authority (DPA);
  • Law of 13 June 2005 on electronic communications (on cookies);
  • Book VI and Book XII Belgian Economic Code (on direct marketing and cookies);
  • Royal Decree of 3 February 2019 on the implementation of the Law of 25 December 2016 on the processing of passenger data, including the obligations for bus carriers;
  • Royal Decree of 3 February 2019 on the implementation of the law of 25 December 2016 on the processing of passenger data, including the obligations for HST (High Speed Train) carriers and HST ticket machines;
  • Royal Decree of 6 December 2018 determining the places where the controller can direct his surveillance cameras towards the perimeter directly surrounding the site, keep the images of the surveillance cameras for three months and give real-time access to the images to the police services;
  • Royal Decree of 8 May 2018 on declarations of installation and use of surveillance cameras and on the register of activities for the processing of images from surveillance cameras;
  • Royal Decree of 4 April 2003 regulating advertising by electronic mail;

The Privacy Act (Articles 2 and 4) applies when:

  • the processing is carried out wholly or partly by automatic means or otherwise forms part of or is intended to form part of a filing system; AND
  • the processing is carried out in the context of the effective and actual activities of a permanent establishment of the controller or processor on Belgian territory or a place where Belgian law applies by virtue of private international law; or
  • the processing of personal data of data subjects on Belgian territory or a place where Belgian law applies by virtue of private international law is carried out by a controller or processor not established in Belgium/a place where Belgian law applies by virtue of private international law where the processing activities are related to:
    • the offering of goods and services to such data subjects; or
    • the monitoring of their behaviour as far as their behaviour takes place in Belgium or a place where Belgian law applies by virtue of private international law.

Book VI and Book XII of the Belgian Economic Code apply to all processing/marketing activities on Belgian territory.

The principal data protection legislation is Law 19.628 “on protection of private life” (also known as the Chilean Data Protection Law or “CDPL”). 

There are also two other legal provisions that regulate some aspects of personal data processing:

  • The Chilean Constitution, in its Article 19 No. 4 and No. 5, which enshrines the right to privacy as well as the protection of personal data; and
  • Law 19.496 (Consumer Protection Law) that establishes the regulation regarding unsolicited commercial marketing communications for consumers.

2. Data protection authority

Data Protection Authority: https://www.dataprotectionauthority.be

Chile does not have a Data Protection Authority.

3. Anticipated changes to local laws

There are no anticipated changes to local laws.

Congress is discussing a new law that will replace the current one and raise the protection standards.

Anticipated changes:

  • A new legal definition: The objective will be to update and expand it, in accordance with international standards;
  • Legitimate Basis for Processing: A more robust basis for processing has been incorporated;
  • The creation of a Data Protection Authority: A National Directorate for Personal Data Protection with the obligation to register databases;
  • Cross-Border Data Transfer: It will be regulated for the first time, as the current law contains no provision governing cross-border data transfers;
  • A new set of infringements;
  • A complaint procedure: This procedure will consist of three steps. First, a direct claim to the data processor. Secondly, an administrative claim before the new National Directorate for Personal Data Protection, and finally, a judicial claim that disputes the decision of the National Directorate for Personal Data Protection.

4. Sanctions & non-compliance

Administrative sanctions:

The Belgian Supervisory Authority has investigative and enforcement powers, meaning that it can, among others, conduct investigations and impose administrative fines on companies (as provided for in Article 83 GDPR, and Articles 221-230 Privacy Act).

Criminal sanctions:

The Privacy Act also provides for criminal sanctions (which can only be imposed by court order): with a maximum criminal fine of EUR 30,000 (to be multiplied by the factor applying to criminal fines i.e. eight at the time of the last update of this document); confiscation of any carriers containing personal data to which the breach relates; court order to erase such personal data; court order to publish all or part of the court decision.

Failure to comply with the obligations in the Belgian Economic Code/Royal Decree of 4 April 2003 may result in a criminal fine of up to EUR 200,000.

Others:

A data subject may (in addition to making a complaint to the Data Protection Authority) also make a claim to the courts for compensation for material or non-material damage (which may include distress). There is the potential for class actions to be brought.

Since there is no Data Protection Authority, sanctions can only be imposed by a judge (in a civil procedure). To this end, Law 19.628 establishes a special procedure called “habeas data”. However, it is common practice to also use the “Remedy for the Protection of Constitutional Rights”, a constitutional action, to protect the fundamental rights affected by an illegal or arbitrary treatment of personal data.

5. Registration / notification / authorisation

Data Protection Officers must be registered with the Data Protection Authority (Article 63, Privacy Act).

As from 25 May 2018, surveillance cameras must be registered with police authorities (instead of the Data Protection Authority).

There is no registration or notification obligation since there is no data protection authority in Chile and the law does not establish this requirement.

6. Main obligations and processing requirements

In a nutshell, the Privacy Act:

  • sets the age of children to validly consent to information society services at 13 (Article 7, Privacy Act);
  • provides a comprehensive list of the processing activities considered as “processing necessary for reasons of substantial public interest” (Article 8(1), Privacy Act);
  • requires that the controller, when processing genetic data, biometric data and data concerning health, lists the categories of persons having access to those personal data (Article 9, Privacy Act);
  • specifies a limitative list of cases where the processing of data relating to criminal convictions and offences is authorised (Article 10, Privacy Act);
  • enunciates some of the derogations and exemptions to the rights of data subjects as authorised under Article 23, GDPR (Articles 11-17, Privacy Act);
  • provides derogations and exemptions for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (Article 24, Privacy Act);
  • introduces the possibility to seek an injunction (“action en cessation”; “vordering tot staking”) (under summary proceedings) before the president of the Court of First Instance in case of a violation of the GDPR or the Privacy Act (Article 209, Privacy Act);
  • provides administrative fines (except on public sector entities) and criminal sanctions for violations of the GDPR or the Privacy Act (Articles 221-230, Privacy Act).

Data processing: 

According to the CDPL, the processing of all data shall be carried out:

  • In a manner consistent with the law;
  • For the purposes permitted by the legal system; and
  • With attention to the full exercise of the fundamental rights of the data subject.

Consent of the data subject: Article 4 of the law establishes that the processing of personal data is permitted only when the law authorises it, or the subject expressly consents or authorises it. However, the law does not provide a definition of what the “authorisation” or “consent” of the data subject means or entails.

Quality: Article 6 of the law establishes that personal data will be: destroyed or cancelled when the purpose of its storage has no legal basis or when it has expired; modified when it is inaccurate, inexact, misleading or incomplete; and blocked when it cannot be destroyed or cancelled, and its accuracy cannot be established or whose validity is doubtful.

Confidentiality: Article 7 of the law establishes that people who work in the processing of personal data, in the private and public sector, must maintain confidentiality when the data comes from sources not accessible to the public, as well as with respect to other data or information related to the data bank; this obligation does not cease upon completion of their functions or activities in that field.

Purpose: Personal data will be used only for the purposes for which it was collected, unless it is obtained from sources accessible to the public (Article 9 of the law).

Sensitive personal data: Article 10 of the law prescribes that sensitive personal data, defined as any information regarding characteristics of a physical or moral nature of an individual or facts or circumstances of his private life, such as personal habits, racial or ethnic origin, ideologies and political opinions, religious beliefs or convictions, physical or mental health and sexual life, cannot be processed unless:

  • The law authorises it;
  • The data subject expressly accepts said processing;
  • Such data is necessary to establish or grant health benefits that pertain to the respective data subject.

Data security: Article 11 of the law establishes that those responsible for the registries or personal data must “take care of them with due diligence” and be liable for damages.

7. Data subject rights

The Privacy Act provides for some limitations to these rights, e.g. in the context of processing of personal data by state intelligence services (Articles 11-17, Privacy Act).

Access to data

The right of all data subjects to demand from the person responsible for any public or private data bank any information that pertains to them, its source, the purpose of collection, the legality of the data processing and the name of the individuals or entities to which the data is regularly transmitted.

Correction and deletion

Correction or modification: The right of all data subjects to request the modification of inaccurate, incomplete, misleading or outdated data that concerns them.

Cancellation

The right of all data subjects to demand the destruction or cancellation of personal data when the purpose of its storage has no legal basis or when it has expired.

Data subjects have the right to request the cancellation of data if the data storage is not authorised by law or if the authorisation has expired. The data subject is also entitled to exercise this right even if this data has been voluntarily provided or is being used for commercial communications, and he no longer wishes to appear in such records, temporarily or permanently.

Marketing objection

The Consumer Protection Law regulates unsolicited commercial or marketing communications sent by email to consumers. Such communications must contain a valid email address to which the recipient may request the suspension of future communications.

8. Processing by third parties

There are no derogations from the GDPR.

The laws do not regulate processing by third parties. According to Article 8 of the CDPL, if the processing of personal data is carried out by virtue of a mandate, the general rules will apply. Also, the mandate must be granted in writing, regulating the conditions of use of the data.

9. Transfers out of country

There are no derogations from the GDPR.

The law does not establish specific requirements or restrictions on transfers of personal data abroad.

However, the law contains rules for the automated transmission of data. Article 5 of the law prescribes that the person responsible for the database can establish an automated system for the transmission of personal data, provided that it adequately ensures the rights or interests of the parties involved and such transmission is strictly related to the duties and objectives of the participating entities.

In the case of a request for the transmission of personal data through an electronic network, the following shall be recorded:

  • Identification of the requesting party;
  • Reason and purpose of the request;
  • Type of data transmitted.

The law does not restrict transfers of personal data to third countries.

Since there are no data transfer restrictions, foreign companies mostly rely on standard clauses or binding corporate rules established by EU legislation.

The transfer of personal data does not require registration/notification or prior approval from the relevant data protection authority or entity (given the fact that this body does not exist).

10. Data Protection Officer

There are no derogations from the GDPR.

There is no legal requirement for the appointment of a Data Protection Officer.

11. Security

There are no derogations from the GDPR.

There are no legal requirements to take appropriate technical and security measures to protect personal data, but the data processor will always be liable for the damages caused by the leaking of information.

12. Breach notification

There are no derogations from the GDPR.

There is no legal obligation to notify data breach events to any authority.

13. Direct marketing

If by email: need to obtain consent, unless you can rely on (i) the soft opt-in exemption (customers, own similar products or services, and opt-out at the time of collection and afterwards, in every marketing communication) or (ii) the B2B exemption (if the phone number/email address is of an impersonal nature).

If by regular mail: opt-out regime.

If by (manual) call: opt-out regime (you can freely call consumers unless they have subscribed to a do-not-call-me list or otherwise indicated that they do not want you to contact them for marketing purposes).

In February 2020, the DPA published new detailed guidelines on direct marketing (see our Law Now for more information).

Direct marketing is regulated by the Consumer Protection Law. This Law regulates unsolicited commercial marketing communications sent by email to consumers, specifying, among other things, that such communications must contain a valid email address to which the recipient may request the suspension of further communications, also known as an opt-out system. From the moment the recipient requests the suspension of sending further emails, any communication or unsolicited email is prohibited by law.

14. Cookies and adtech

Need to obtain prior informed, freely given, specific and unambiguous consent, unless cookies are used for the sole purpose of carrying out a transmission of a communication over an electronic communications network or if strictly necessary to provide a service explicitly requested by the user. Data subjects should be allowed to withdraw consent at any time, free of charge, and without prejudice.

In December 2019, the DPA imposed a EUR 15,000 fine on a website for unlawful use of cookies (decision available in Dutch and in French).

In April 2020, the DPA published new guidelines on the implementation of cookies.

The CDPL does not directly regulate the use of cookies or similar technologies. 

15. Risk scale

Moderate.

Low.


To notify a data breach to the Data Protection Authority, you must fill in the DPA's e-form.

Cybersecurity

1. Local cybersecurity laws and scope

  • Law of 1 July 2011 on the security and protection of critical infrastructure (Critical Infrastructures Act)
  • Law of 11 December 1998 on classification, security clearances, security certificates and security advice (Classification Act)
  • Law of 7 April 2019 establishing a framework for the security of networks and information systems in the general interest of public security (Belgian NIS Act)
  • Royal Decree of 12 July 2019 implementing the Act of 7 April 2019 establishing a framework for the security of network and information systems of general interest for public safety, and the Act of 1 July 2011 on the security and protection of critical infrastructure (NIS Royal Decree)

Chile does not have a specific law to regulate cybersecurity. However, many laws regulate some aspects of cybersecurity, for example:

  • Ley N°20.285/2008 - Law on access to public information
  • Ley N°17.336/2004 - Intellectual Property Law
  • Ley N°19.927/2004 - Law amending criminal codes regarding child pornography crimes
  • Ley N°19.880/2003 - Law that establishes the bases of the administrative procedures that govern the acts of State administration bodies
  • Ley N°19.799/2002 - Law on electronic documents, electronic signature and certification services of said signature
  • Ley N°19.223/1993 - Law on criminal figures related to computing
  • Ley N°20.478/2010 - Law on recovery and continuity of critical and emergency conditions of the public telecommunications system

2. Anticipated changes to local laws

There are no anticipated changes to local laws.

In October 2018, a bill was introduced in the Senate to strengthen the cybercrime law, adapting the current regulation to the Budapest Convention standards. One of the amendments proposed in the bill is the inclusion of any cybercrime as a ground for criminal liability of legal entities under Law No. 20,393.

Accordingly, if the amendment is approved, legal entities must prevent cybercrimes from being carried out by their owners, controllers, executives, representatives or managers. Failure to maintain reasonable preventive measures will expose the legal entity to criminal liability and to the following sanctions:

  • Fines from UTM 400 (an indexed unit of account) to UTM 300,000;
  • Partial or total loss of benefits or absolute prohibition of receiving them for a specified period;
  • Temporary or permanent prohibition to execute contracts with the State of Chile; and
  • Dissolution of the legal entity.

This bill was approved by the Senate and now has moved to the second constitutional procedure. It is likely to be approved in 2021.

3. Application 

Critical Infrastructures Act: sets out security obligations for European and national critical infrastructure in the energy, transport, financial and electronic communications sectors.

Classification Act: covers the main processes for evaluating which information should be classified and for determining which individuals may be granted a security access level.

Belgian NIS Act: covers a number of obligations imposed on operators of essential services and digital service providers to take technical and organisational security measures to prevent incidents or limit their impact on and ensure the continuity of (essential) services. It also includes the notification of incidents, supervision and sanctions.

NIS Royal Decree: implements the Belgian NIS Act on topics such as the NIS notification platform, incident notification and processing, voluntary notifications and institutions for conformity assessment.

N/A

4. Authority

  • Centre for Cybersecurity Belgium (CCB) https://ccb.belgium.be/en;
  • The National Crisis Centre (NCCN);
  • The sectoral government and/or its sectoral CSIRT

N/A

5. Key obligations 

  • Critical Infrastructures Act
    • Appoint a security officer and establish a security plan
    • Mandatory reporting obligation of all incidents threatening the security of critical infrastructure
  • Classification Act
    • Requires data that may cause a threat to national security or the national interest of Belgium to be classified
    • Maps security practices to assigned classification levels
  • Belgian NIS Act
    • Need to appoint a DPO, a single contact point and establish an Information Security Policy (ISP)
    • Implement the appropriate and proportionate technical and organisational security measures described in the ISP
    • Mandatory reporting obligation for all incidents significantly affecting the availability, confidentiality, integrity or authenticity of the network and information systems on which the essential service(s) provided depend

N/A

6. Sanctions & non-compliance 

Administrative sanctions:

  • Belgian NIS Act
    • Administrative fine of up to EUR 200,000

Criminal sanctions:

  • Belgian NIS Act
    • Imprisonment of up to three years
    • Criminal fine of up to EUR 75,000
  • Critical Infrastructures Act
    • Imprisonment of up to one year
    • Criminal fine of up to EUR 80,000
  • Classification Act
    • Imprisonment of up to five years
    • Criminal fine of up to EUR 40,000

Others:

  • Belgian NIS Act
    • Two types of audits and checks by the inspectorate

N/A

7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)? 

  • CERT.be is the federal cyber emergency team that assists companies with: (i) coordination in the event of cyber incidents; (ii) advice on finding a solution when cyber incidents arise; and (iii) support to prevent these security incidents from occurring.
  • CERT.be is part of the CCB.
  • The Centre for Cybersecurity Belgium (CCB) is the national CSIRT.
  • Sectoral CSIRTs may be set up to support the national CSIRT.

The National Cybersecurity Centre (which is part of GCHQ) does not regulate the NIS Regulations but has a role in providing technical support and guidance by the following:

  • a Single Point of Contact (SPOC) – for engagement with EU partners, coordinating requests and submitting annual incident statistics;
  • a Computer Security Incident Response Team (CSIRT) to provide advice and support where reported incidents are identified or suspected of having a cybersecurity aspect;
  • being a Technical Authority on Cyber Security – to support OESs and CAs with advice and guidance, and to act as a source of technical expertise. For example, it provides:
    • a set of 14 NIS Security Principles for securing essential services;
    • a collection of supporting guidance for each principle;
    • a Cyber Assessment Framework (CAF) incorporating indicators of good practice; and implementation of guidance and support to CAs.

8. National cybersecurity incident management structure

The notification must be made via the NIS notification platform: https://nis-incident.be/nl/.

The CCB is responsible for replying to cybersecurity incidents targeting strategically important institutions.

Yes, see above.

9. Other cybersecurity initiatives 

N/A

No.

N/A

Tom De Cordier, Partner, Brussels
Thomas Dubuisson, Senior Associate, Brussels
Janick Van Daele, Associate, Brussels
Deven Dobbelaere, Associate, Brussels
Diego Rodríguez, LL.M., Partner, Santiago