
Data Law Navigator | Belgium

Information on Data Protection and Cyber Security laws from CMS experts

The content will be periodically updated by our lawyers but, given the constantly evolving laws in this area, we cannot guarantee the content is complete and accurate.

Data Protection

Last updated April 2020

Risk scale

Orange

Laws

  • General Data Protection Regulation n° 2016/679 (GDPR);
  • Law of 30 July 2018 on the protection of natural persons with regard to the processing of personal data (Privacy Act) and implementing decrees;
  • Law of 5 September 2018 establishing the Information Security Committee and amending various laws concerning the implementation of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;
  • Law of 21 March 2018 on the use of surveillance cameras (the new Camera Act);
  • Law of 3 December 2017 on the creation of a Data Protection Authority (DPA);
  • Law of 13 June 2005 on electronic communications (on cookies);
  • Book VI and Book XII Belgian Economic Code (on direct marketing and cookies);
  • Royal Decree of 3 February 2019 on the implementation of the Law of 25 December 2016 on the processing of passenger data, including the obligations for bus carriers;
  • Royal Decree of 3 February 2019 on the implementation of the Law of 25 December 2016 on the processing of passenger data, including the obligations for HST (High Speed Train) carriers and HST ticket machines;
  • Royal Decree of 6 December 2018 determining the places where the controller can direct his surveillance cameras towards the perimeter directly surrounding the place, keep the images of the surveillance cameras for three months and give real-time access to the images to the police services;
  • Royal Decree of 8 May 2018 on declarations of installation and use of surveillance cameras and on the register of activities for the processing of images from surveillance cameras;
  • Royal Decree of 4 April 2003 regulating advertising by electronic mail;

To consult these laws, see hyperlinks below.

Authority

The Data Protection Authority (https://www.dataprotectionauthority.be).

In January 2020, the DPA published its 2020-2025 Strategic Plan (available in French and Dutch). The DPA will focus on (1) the telecoms and media sector; (2) public authorities; (3) direct marketing; (4) education; and (5) small and medium-sized enterprises (SMEs). The DPA will also work on priority topics at the societal level such as (1) pictures and cameras; (2) online data protection, including cookies; and (3) sensitive data, including applications using biometric data (facial recognition).

Local derogations as permitted by GDPR

In a nutshell, the Privacy Act: 

  • sets the age of children to validly consent to information society services at 13 (Article 7, Privacy Act);
  • provides a comprehensive list of the processing activities considered as “processing necessary for reasons of substantial public interest” (Article 8(1), Privacy Act);
  • requires that the controller, when processing genetic data, biometric data and data concerning health, lists the categories of persons having access to those personal data (Article 9, Privacy Act);
  • specifies a limitative list of cases where the processing of data relating to criminal convictions and offences is authorized (Article 10, Privacy Act);
  • enunciates some of the derogations and exemptions to the rights of data subjects as authorized under Article 23, GDPR (Articles 11-17, Privacy Act);
  • provides derogations and exemptions for the processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (Article 24, Privacy Act);
  • introduces the possibility to seek an injunction (“action en cessation”; “vordering tot staking”) (under summary proceedings) before the president of the Court of first instance in case of a violation of the GDPR or the Privacy Act (Article 209, Privacy Act);
  • provides administrative fines (except on public sector entities) and criminal sanctions for violations of the GDPR or the Privacy Act (Articles 221-230, Privacy Act).

Scope

As provided for in Articles 2 and 3, GDPR.

The Privacy Act (Articles 2 and 4) applies when: 

  • the processing is carried out wholly or partly by automatic means or otherwise forms part of or is intended to form part of a filing system; AND
  • the processing is carried out in the context of the effective and actual activities of a permanent establishment of the controller or processor on the Belgian territory or a place where Belgian law applies by virtue of private international law; or
  • the processing of personal data of data subjects on the Belgian territory or a place where Belgian law applies by virtue of private international law is carried out by a controller or processor not established in Belgium/a place where Belgian law applies by virtue of private international law where the processing activities are related to:
    • the offering of goods and services to such data subjects; or
    • the monitoring of their behaviours as far as their behaviour takes place in Belgium or a place where Belgian law applies by virtue of private international law.

Book VI and Book XII of the Belgian Economic Code apply to all processing/marketing activities on the Belgian territory.

Penalties/enforcement

The Belgian Supervisory Authority now has investigative and enforcement powers, meaning that it can, among other things, conduct investigations and impose administrative fines on companies (as provided for in Article 83 GDPR and Articles 221-230 Privacy Act).

The Privacy Act also provides for criminal sanctions (which can only be imposed by court order): a maximum criminal fine of EUR 30.000 (to be multiplied by the multiplication factor that applies to criminal fines, i.e. 8 at the time of the last update of this document); confiscation of any carriers containing the personal data to which the breach relates; a court order to erase such personal data; and a court order to publish all or part of the court decision.

Failure to comply with the obligations in the Belgian Economic Code/Royal Decree of 4 April 2003 may result in a criminal fine of up to EUR 200.000,00.

Registration/notification

Data Protection Officers must be registered with the Data Protection Authority (Article 63, Privacy Act). For more information, see https://www.gegevensbeschermingsautoriteit.be/formulier-mededeling-contactgegevens-functionaris-voor-gegevensbescherming (NL) or https://www.autoriteprotectiondonnees.be/dossier-thematique-delegue-a-la-protection-des-donnees (FR).

As from 25 May 2018, surveillance cameras must be registered with the police authorities (instead of the Data Protection Authority). For more information, see https://www.besafe.be/nl/nieuws/het-nieuwe-aangiftesysteem-voor-bewakingscameras-is-beschikbaar (NL) / https://www.besafe.be/fr/actualit%C3%A9s/le-nouveau-systeme-de-declaration-pour-vos-cameras-de-surveillance-est-disponible (FR).

Main obligations and processing requirements

  • Information requirement (identical to information requirement under GDPR)
  • Consent requirements (in particular for cookies and for sending direct marketing material by electronic mail; consent in the employment context is considered problematic)

Data subject rights

As provided for in Chapter III GDPR.

The Privacy Act provides for some limitations to these rights, e.g. in the context of the processing of personal data by state intelligence services (Articles 11-17, Privacy Act).

Processing by third parties

Need to enter into data processing agreement with data processors, in accordance with Article 28 GDPR.

Transfers out of country

In accordance with Chapter V GDPR, and Articles 66-70 Privacy Act. 

Data Protection Officer

Need to appoint a Data Protection Officer (DPO) if required under Article 37 GDPR. The Data Protection Authority provides further guidance on the need to appoint a DPO and the role that he/she needs to play within the organization here: https://www.gegevensbeschermingsautoriteit.be/themadossier-functionaris-voor-gegevensbescherming (NL) / https://www.autoriteprotectiondonnees.be/dossier-thematique-delegue-a-la-protection-des-donnees (FR).

Security

Need to take appropriate technical and organisational security measures to protect the personal data. The Data Protection Authority provides further guidance as to what this entails. Further information can be found here: https://www.dataprotectionauthority.be/information-security.

Breach notification

If required under Articles 33 and 34 GDPR.

To notify a data breach to the Data Protection Authority, you must fill in the e-form available here: https://www.gegevensbeschermingsautoriteit.be/melding-gegevenslekken-algemeen (NL) / https://www.autoriteprotectiondonnees.be/notification-fuites-de-donnees-general (FR).

Direct marketing

If by electronic mail: need to obtain consent, unless you can rely on (i) the soft opt-in exemption (customers, own similar products or services, and opt-out at the time of collection and afterwards, in every marketing communication) or (ii) the B2B exemption (if the phone number/email address is of an impersonal nature).

If by regular mail: opt-out regime.

If by (manual) call: opt-out regime (you can freely call consumers unless they subscribed to a do-not-call-me list or otherwise indicated to you that they do not want you to contact them for marketing purposes).

In February 2020, the DPA published new detailed guidelines on direct marketing (see our Law Now for more information).

Cookies

Need to obtain prior informed, freely given, specific and unambiguous consent, unless cookies are used for the sole purpose of carrying out a transmission of a communication over an electronic communications network or if strictly necessary to provide a service explicitly requested by the user.  Data subjects should be allowed to withdraw consent at any time, free of charge, and without prejudice.

In December 2019, the DPA imposed a 15,000 EUR fine on a website for unlawful use of cookies (decision available in Dutch and in French).

In April 2020, the DPA published new guidelines on the implementation of cookies.

Useful links


Cyber Security

Last updated April 2020

Risk scale

Orange

Laws and regulations

  • Law of 1 July 2011 on the security and protection of critical infrastructures (Critical Infrastructures Act)
  • Law of 11 December 1998 on classification, security clearances, security certificates and security advice (Classification Act)
  • Law of 7 April 2019 establishing a framework for the security of networks and information systems in the general interest of public security (Belgian NIS Act)
  • Royal Decree of 12 July 2019 implementing the Act of 7 April 2019 establishing a framework for the security of networks and information systems of general interest for public security, as well as the Act of 1 July 2011 on security and critical infrastructure protection. 
  • Royal Decree of 10 October 2014 for the establishment of the Centre for Cybersecurity Belgium

Application

  • Critical Infrastructures Act: sets out security obligations for European and national critical infrastructures in the energy, transport, financial and electronic communications sector
  • Classification Act: covers the main processes in evaluating which information should be classified and determining which individuals may be granted a security access level.
  • Belgian NIS Act: covers a number of obligations imposed on operators of essential services and digital service providers to take technical and organizational security measures to prevent incidents or to limit their impact on and ensure the continuity of (essential) services. It also includes the notification of incidents, supervision and sanctions.
  • Royal Decree of 12 July 2019: sets out the notification procedure as envisaged under the Belgian NIS Act (i.e. to notify any incident that has a significant impact on the operator's networks and information systems or on the provision of its service).
  • Royal Decree of 10 October 2014: establishes the Centre for Cybersecurity Belgium.

Authority

Centre for Cybersecurity Belgium (CCB)

Key obligations

  • Critical Infrastructures Act
    • Need to appoint a security officer and establish a security plan
    • Mandatory reporting obligation of all incidents threatening the security of the critical infrastructure
  • Classification Act
    • Requires data that may pose a threat to national security or the national interest of Belgium to be classified
    • Maps security practices to assigned classification levels
  • Belgian NIS Act
    • Need to appoint a DPO, a single contact point and establish an Information Security Policy (ISP)
    • Implement the appropriate and proportionate technical and organizational security measures described in the ISP
    • Mandatory reporting obligation of all incidents significantly affecting the availability, confidentiality, integrity or authenticity of the network and information systems on which the essential service(s) it provides depend. The Royal Decree of 12 July 2019 contains the specific requirements of the notification procedure. 

Penalties/enforcement

  • Critical Infrastructures Act
    • Imprisonment of up to 1 year
    • Criminal fine of up to EUR 80.000,00
  • Classification Act
    • Imprisonment of up to 5 years
    • Criminal fine of up to EUR 40.000,00
  • Belgian NIS Act
    • Two types of audits and checks by the inspectorate
    • Imprisonment of up to 3 years
    • Criminal fine of up to EUR 75.000,00
    • Administrative fine up to EUR 200.000,00

Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?

Yes. CERT.be is the federal cyber emergency team that assists companies with: (i) coordination in the event of cyber incidents; (ii) advice on finding a solution when cyber incidents arise; and (iii) support to prevent such security incidents from occurring.

The Centre for Cybersecurity Belgium (CCB) is the national CSIRT, and may be supported by sectoral CSIRTs. CERT.be is part of the CCB.

Is there a national incident management structure for responding to cyber security incidents?

The CCB has developed a National Cyber Emergency Response Plan. The Plan provides a response structure for handling cybersecurity crises and incidents that require national-level coordination and/or management. 

Other cyber security initiatives

The CCB has created an Early Warning System for Critical Infrastructures.

In 2019, the CCB published Baseline Information Security Guidelines (BSG), drawn up in consultation with experts from various Federal Public Services and external consultants and taking into account existing standards such as ISO 27001 and ISO 27002. The BSG provide minimum guidelines for the implementation or evaluation of an information security plan, and are intended to assist data controllers as well as security advisors and IT managers.

Useful links


Authors

Tom De Cordier
Partner
Brussels