Belgium's data protection law: Everything you should know

Personal scope

Both public and private entities fall under the scope of the Act and the GDPR.

However, public authorities and their appointees and agents cannot be subject to administrative fines under Article 83 of the GDPR.

Territorial scope of the law

The Act applies to the processing of personal data when this processing takes place in the context of activities related to the establishment of a controller or processor in Belgium. Furthermore, it is irrelevant whether the actual processing is carried out in Belgium or not. 

However, if a data controller located in another EU country uses a data processor established in Belgium, the law of that EU country will apply to the data processing, not the Belgian Data Protection Act.

The Act becomes applicable even when a controller or processor that processes the personal data of people in Belgium is not established in the EU if the processing activities relate to:

• The offering of goods or services, irrespective of whether a payment from the data subject is required, to such data subjects in the Belgian territory; or

• The monitoring of their behavior as far as it takes place within the Belgian territory.

What is the relationship between the Act and the GDPR

The Act implements the EU GDPR and also covers matters that are left to the discretion of EU member states under the GDPR.  For example, the Act incorporates the following changes as allowed under the GDPR:

• Creating exceptions to the fulfilment of data subject rights based on scientific and historical research purposes
• Setting the age limit for consent to 13, instead of 16

How can businesses make sure they're in line with the data protection law in Belgium and achieve compliance?

Comply with the six fundamental principles of the GDPR

When you collect, use, share, and process personal data, you must adhere to the six fundamental principles of the GDPR:

1. Data should be processed fairly, lawfully, and transparently;
2. You should only collect data for specific, explicit, and legitimate purposes and not process it in a manner incompatible with those purposes; 
3. Personal data shall be adequate, relevant, and not excessive to what is necessary considering the purpose of data processing; 
4. Personal data must be accurate and, where necessary, up to date; 
5. Personal data shall be kept in an identifiable form for no longer than necessary; 
6. Personal data shall be kept secure.

Demonstrate your compliance 

Article 5(2) of the GDPR requires you to demonstrate how you comply with these six principles. This is referred to as the “accountability principle”. You need to implement appropriate documentation and technical measures to have proper proof of your compliance efforts. 

For example, you may demonstrate your compliance with GDPR principles by doing the following:

• Signing data processing agreements with your vendors,
• Carrying out data protection impact assessments before you start collecting and using personal data in certain circumstances,
• Keeping records of all data breaches

Identify and document a legal basis to process personal data

When you collect, use and process personal data, you must rely on one of the six bases listed in article 6 of the GDPR. These legal bases include ‘consent’, ‘legitimate interests’, and ‘ contractual necessity’.

When you rely on consent, obtain consent in a GDPR-compliant way

When you rely on data subjects’ consent to collect and process personal data, consent must satisfy GDPR standards.

‍

Valid consent under the GDPR must conform to the following:

• Freely given: Individuals must have a genuine choice as to giving or refusing to give consent.
• Specific: Consent should be for a specific data processing activity and for a purpose.
• Informed: You must be transparent to individuals about how you collect and use their data. For instance, You must provide individuals with clear information about your identity, and explain the purposes for data processing and each data processing activity.
• Unambiguous: Consent should be affirmative.

Additionally, keep in mind that organizations must document and keep records of all consents provided.

Satisfy data subject requests

Individuals are entitled to the following rights related to their personal data:

• Right to be informed
• Right to access
• Right to rectification
• Right to erasure
• Right to object/opt-out
• Right to data portability
• Right not to be subject to automated decision-making
• Right to restriction of processing

To learn more about Data Subject Access Requests (DSARs), make sure to check our complete guide on the topic:

{{learn-everything-you-need-to-know-about-dmps}}

Adhere to breach notification rules

This requirement reflects the GDPR requirements for breach notification.

‍

What types of cookies require individuals' consent?

You need to obtain “valid” consent of data subjects before you can place the following types of cookies and/or similar technologies on their device:

1. Analytics cookies
2. Advertising cookies
3. Social media cookies 

What cookies do not require consent?

If the cookies fall under the following category, you do not have to obtain the consent of individuals:

• Strictly necessary “functional” cookies  

For example, cookies that enable remembering items in a shopping cart or cookies that ensure the security of payments fall under this category.

‍

Can you use cookie walls?

Belgium Data Protection Authority embraces the European Data Protection Board’s approach to cookie walls, and it prohibits the use of cookie walls to obtain consent.

‍

How do you obtain “valid” consent in Belgium?

Belgium Data Protection Authority states that consent must conform to the GDPR requirements.

For example, consent must be obtained through clear and affirmative action. Therefore, pre-ticked boxes, scrolling, or navigating a web page do not amount to valid consent.

Furthermore, the website must provide its users with a ‘granular’ choice for consent to each cookie category. For instance, websites ask for consent to each separate cookie category, such as “functional cookies”, “analytical cookies”, and “advertising cookies”.

Lastly, withdrawing consent must be as easy as giving it. For example, if individuals can consent to cookies with a single click on the ‘Accept’ button, the ‘Reject’ button must also be via a single button.

Do you need a consent management platform?

The Law does not require businesses to adopt a particular consent management tool. There are no specific instructions on what means can be used to obtain and record consent. 

However, businesses are advised to implement a consent management tool so that they can record and manage consent provided by data subjects. This will also enable businesses to satisfy the accountability requirements of the GDPR. 

To find out more, take a look at our Consent Management Platform (CMP):

What are the penalties for failing to comply with Belgian data privacy law? 

If you fail to comply, you may face the following penalties:

• Administrative fines as set out in the GDPR, depending on the type of infringement, you may face the following fines:
  • Fines of up to 4% of annual worldwide turnover or €20m, whichever is the greater;
  • Fines of up to 2% of annual worldwide turnover or €10m, whichever is the greater.
• Criminal sanctions under the Belgian Law

Failure to comply with the Belgian data Protection law may indeed expose controllers and processors to criminal sanctions. Data subjects can also bring claims against controllers or processors for infringements.