In Short

The Situation: On September 5, 2018, Belgium published two laws that implement the Belgian requirements under Regulation 21016/679, the General Data Protection Regulation ("GDPR").

The Details: The two laws include the Law of July 30, 2018, on the protection of individuals regarding the processing of their personal data; and the Law of July 30, 2018, which contains provisions on collective redress actions for GDPR infringement ("Laws").

Looking Ahead: The Laws go into effect immediately, and the provision on collective redress action applies retroactively as of May 25, 2018.

The GDPR entered into force on May 25, 2018. It became applicable immediately but leaves certain leeway to EU Member States to adopt diverging rules in a variety of matters. The law of December 3, 2017, instituted institutional reforms through the replacement of the Belgian Privacy Commission by the Data Protection Authority ("DPA"), which now has fining powers. The newly implemented Laws address various substantive areas of data privacy.

Key Points of the Laws

The Laws anticipate the following developments:

  • Overseeing the activities of: (i) a controller or processor established in Belgium; or (ii) outside the European Union but processing data relating to individuals located in Belgium, provided it also offers goods or services or does profiling in Belgium;
  • Reducing the GDPR's age of consent to 13 years old for information society services;
  • Not extending the obligation to appoint data protection officers beyond the cases foreseen by the GDPR, with the notable exceptions of companies that process personal data either: (i) obtained from or on behalf of federal public authorities; or (ii) for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes. In both cases, the processing must bear high risks to the rights and freedom of individuals;
  • Introducing additional requirements for processing genetic, biometric, and health-related data, including the requirement to list individuals that have access to such data;
  • Listing the limited cases where the GDPR prohibition on the processing of personal data relating to criminal convictions and offenses does not apply;
  • Limiting data subjects' rights and controllers' obligations for processing by certain public authorities, such as law enforcement and custom authorities. It also exempts public authorities from fines imposed by the DPA;
  • Regulating the processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes;
  • Applying a wide derogatory regime when the processing is done for the purposes of academic, artistic, and literary expression;
  • Removing the obligation to notify standard contractual clauses to the DPA and to obtain authorization by Royal Decree for Binding Corporate Rules;
  • Introducing the possibility to obtain an injunction under summary proceeding before national courts for infringement of the GDPR and the Laws; and
  • Introducing collective redress action for GDPR infringements, which is also open to damages suffered by small and medium-size undertakings.

Two Key Takeaways

  • Belgium has finalized its implementation of the GDPR and made use of the ability to set out specific rules that deviate from the GDPR on certain matters.
  • Companies established in Belgium or outside the European Union but processing data of Belgian residents should make sure that they comply with the specific provisions foreseen in the Laws, when applicable.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.