On 5 September 2018, the Act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data (hereinafter the "Act") was published in the Belgian State Gazette. The Act entered into force on that same date, with the exception of the provisions on transfers of personal data between federal governmental authorities via optional protocol agreements.
The Act implements the General Data Protection Regulation (hereinafter the "GDPR"), transposes Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties and on the free movement of such data (hereinafter the "Law Enforcement Directive"), and covers processing activities that do not fall within the scope of EU law (e.g. national security).
This newsletter provides more detailed information on the implementation of the GDPR. Although the GDPR seeks to harmonise the protection of fundamental rights and freedoms of natural persons in respect of processing activities, the Members States are, in some cases, allowed to maintain or introduce national provisions to further clarify application of the rules.
This newsletter does not discuss transposition of the Law Enforcement Directive or cover processing activities that fall outside the scope of EU law.
1. Children's consent in relation to information society services
As mentioned in our newsletter of 13 June 2018, the Belgian legislature made use of the possibility to lower the age of consent for the processing of children's personal data. The bar has now been set at 13 years of age. For children below the age of 13, processing shall only be lawful if consent is given or authorised by a person with parental authority over the child. The age of consent was lowered to reflect the reality that children are increasingly active online at an earlier age.
2. Processing of special categories of personal data
As a general rule, the processing of sensitive data is prohibited by the GDPR. However, the GDPR provides for certain exceptions, such as when the data subject expressly consents to the processing or when the processing is necessary for reasons of substantial public interest. The Act contains an exhaustive list of reasons that are deemed to be of substantial public interest (i.e. the processing of special categories of personal data by child focus, organizations that follow up on and treat (potential) sex offenders, and organisations authorised by royal decree that defend and promote fundamental rights and freedoms).
In addition, the Belgian legislature stipulates the safeguards that need to be implemented when processing special categories of personal data, as recommended by the data protection authority, such as the designation of categories of persons entitled to consult the data, the compilation of a list of these persons and a description of their capacity, submission of the list to the competent supervisory authority and ensuring that persons authorised to process the data are bound by a legal or contractual duty of confidentiality. With respect to criminal data, the Act contains an exhaustive list of entities entitled to process such data (e.g. lawyers and legal advisors, companies when necessary for the management of litigation, etc.).
3. Restrictions on data subject rights
The Act states when the rights of data subjects can be restricted. Under the GDPR, the Member States are allowed to restrict data subject rights provided the restriction respects the essence of their fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard national security, public security, the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, etc. For example, data subject rights do not apply when the data controller has obtained personal data from or is transmitting personal data to intelligence and security services.
4. Processing for journalistic purposes or for the purpose of academic, artistic, or literary expression
The rights of data subjects can be restricted when personal data are processed for journalistic purposes or for the purpose of academic, artistic or literary expression. For more information in this regard, please refer to our newsletter of 13 June 2018.
5. Processing for the purpose of archiving in the public interest, scientific or historical research or statistical purposes
The Act provides for exceptions to data subject rights when personal data are processed for the purpose of archiving in the public interest, scientific or historical research or statistical purposes. In addition, the Act imposes additional requirements on entities processing personal data for such purposes. For more information on processing for the purpose of archiving in the public interest, scientific or historical research or statistical purposes, please refer to our newsletter of 13 June 2018.
6. Legal Remedies
The Act provides for the possibility for both the data subject and the competent supervisory authority to seek an injunction to put an end to a violation of the GDPR. A petition in this regard can be lodged with the president of the court of first instance, ruling as in summary proceedings. However, it should be noted that the injunction may not be anticipatory in nature, meaning it is not possible to obtain an injunction for processing activities that have not yet started.
7. Sanctions and Penalties
In addition to administrative fines, the Act provides for the possibility to impose criminal sanctions for violation of the data protection legislation. Moreover, the court can order publication of the judgment in one or more newspapers at the losing party's expense.
However, the potential cumulative application of administrative and criminal sanctions requires further clarification, and arrangements between the competent supervisory authority and the public prosecutor's office should be worked out and put in place.
Although the GDPR's obligations also extend to the public sector, the Act does not allow the imposition of administrative fines on public sector entities. On the other hand, criminal penalties can be imposed in the public sector, although the cap on such penalties is much lower than that provided for administrative fines by the GDPR.