Privacy Law at Belgium
Belgium's Data Protection Act of 30 July 2018 (also known as the Privacy Act) implements and supplements the EU's General Data Protection Regulation (GDPR), establishing a robust legal framework for personal data protection. Enforced by the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit / Autorité de protection des données), the Act outlines specific national requirements and enforcement mechanisms.
📜 Key Provisions of the Belgian Data Protection Act
1. Lawfulness and Transparency Personal data must be processed lawfully, fairly, and transparently Controllers are required to provide clear privacy notices and ensure that processing activities are documented and compliant with legal bases
2. Data Minimization Data collection and processing must be limited to what is necessary for the intended purposes Controllers should regularly assess data necessity and implement deletion procedures
3. Accountability Organizations must demonstrate compliance through documentation, policies, audits, and staff training Data Protection Officers (DPOs) are required in certain cases and must be registered with the Data Protection Authority
4. Children's Consent For information society services, children aged 13 and above can provide valid consent for those under 13, parental authorization is required
5. Processing of Special Categories of Data Processing of sensitive data, such as genetic, biometric, health-related, or criminal data, is subject to additional requirements Controllers must maintain a list of individuals with access to such data and disclose it to the supervisory authority upon request
⚖️ Enforcement and Penalties
Administrative Fines the Data Protection Authority can impose fines based on the severity of the violation
Up to €10 million or 2% of annual global turnover, whichever is higher, for infringements related to technical and organizational measures.
Up to €20 million or 4% of annual global turnover, whichever is higher, for violations of core principles or data subject rights.
Criminal Sanctions Criminal penalties include fines ranging from €600 to €600,000 and/or imprisonment from 3 months to 2 years, depending on the violation In cases of repeated offenses, fines can be multiplied, and legal entities may face forced winding-up
Civil Remedies Individuals can seek injunctive relief and damages through the Court of First Instance Controllers are liable for damages caused by violations unless they can prove non-causation
🛡️ Data Protection Authority
The Belgian Data Protection Authority oversees compliance with the Privacy Act and GDP. It has investigative powers, can issue fines, and provides guidance to organization. Decisions are published on its website, often anonymized to protect involved parties.
🔄 Recent Development
In January 2023, the Belgian Constitutional Court ruled that a provision preventing third parties from challenging decisions of the Data Protection Authority was unconstitutional. As a result, all decisions since the law's entry into force are now open for appeal by third parties within one month of publication.
RELATED Blog
0 comments