TRILANTICServicesSectorsPartnersResourcesAbout UsContact Us
Case StudiesTRILANTIC NewsletterFree Trial with your DataCost Savings CalculatorAsk The Experts
Document Library
Industrial Links
Glossary
News ReleasesFeatured Articles
Media KitForthcoming EventsEuropean Data Protection Rules

BELGIUM

 

The Commission for the Protection of Privacy (Belgium) Website: http://www.privacycommission.be/en/

 

The law of 8 December 1992 on Privacy Protection in relation to the Processing of Personal Data obtained from the Commission de la Protection de la vie Priveé:

http://www.privacycommission.be/en/static/pdf/wetgeving/privacy-act-september-2009.pdf

 

What needs to be done prior to Collection?

 

NOTIFY THE COMMISSION

 

Article 17

 

  1. Prior to any wholly or partly automatic operation or set of operations intended to serve a single purpose or several related purposes, the controller or his representative, if any, must notify the Commission for the Protection of Privacy.

The previous paragraph does not apply to operations having the sole purpose of keeping a register that is intended to provide information to the public by virtue of an Act, decree or ordinance and that is open to consultation either by the general public or by any person demonstrating a legitimate interest

 

  1. The Commission shall provide a receipt of the notification within three working days. If the notification is incomplete, the Commission must inform the person having submitted the notification of this fact

 

  1. The notification must mention:

                                                               i.      The date of the notification and the act, decree, ordinance or regulatory instrument regarding the automatic processing, if any;

                                                             ii.      The surname, first names and complete address or the name and registered offices of the controller and of his representative in Belgium, if any;

                                                           iii.      (repealed)

                                                            iv.      The name of the automatic processing;

                                                              v.      The purpose or the set of related purposes of the automatic processing;

                                                            vi.      The categories of personal data being processed and a detailed description of the data referred to in Articles 6 to 8;

                                                          vii.      The categories of recipients the data can be disclosed to;

                                                        viii.      The safeguards that must be linked to the disclosure of the data to third parties;

                                                            ix.      The manner in which the data subjects are informed, the service providing for the exercise of the right to access and the measures taken to facilitate the exercise of that right;

                                                              x.      The period of time after the expiration of which, if necessary, the data may no longer be stored, used or disclosed;

                                                            xi.      A general description allowing for a preliminary assessment of whether the security measures taken pursuant to Article 16 of this Article are adequate;

                                                          xii.      The grounds supporting the controller’s application of Article 3 Section 3 of this act, if any.

 

  1. In the context of its powers of supervision and investigation referred to in Articles 31 and 32, the Commission for the Protection of Privacy is authorised to demand other information, in particular the origin of the personal data, the choice of automation technology and the security measures that are in place.

 

  1. Notification is required for any purpose or set of related purposes for which wholly or partly automatic operations are carried out. The Commission shall determine the nature and structure of the notification.

 

  1. If the data being processed is intended, even on an occasional basis, to be transferred to a foreign country, the notification must also mention the following elements, regardless of the medium that has been used:

                                                               i.      The categories of data being transferred;

                                                             ii.      For each category, the country of final destination

 

  1. If the automatic processing is terminated or if any item of information referred to in Section 3 is modified, notification is also required

 

  1. Having received the opinion of the Commission for the Protection of Privacy, the King can exempt certain categories from notification under this article if, taking into account the data being processed, there is no apparent risk of infringement on the data subject’s rights and freedoms, and if the purposes of the processing, the categories of data being processed, the categories of data subjects, the categories of recipients and the data retention period are specified.

If exemption from the duty of notification has been granted for automatic processing in accordance with the previous paragraph, the controller must disclose the items of information mentioned in Sections 3 and 6 to any person requesting them

 

  1. Upon submission of the notification, the controller shall pay a fee to the person designated as the accountable party at the Commission for the Protection of Privacy, in accordance with the Acts on Public Accounts. The King shall determine the amount for this fee, which must not exceed ten thousand francs[1]. He shall also establish the terms of the payment.

 

CONTACT THE DATA SUBJECT

 

Article 9 – Rights of the Data Subject

 

  1. If personal data relating to the data subject is obtained directly from the data subject, the controller or his representative shall provide the data subject with at least the following information, no later than the moment the data is obtained, unless the data subject has already received such information:
    1. The name and address of the controller and of his representative, if any;
    2. The purposes of the processing;
    3. The existence of the right to object, by request and free of charge, to the intended processing of personal data relating to him, if it is obtained for the purposes of direct marketing;
    4. Other additional information, in particular:

-          The recipients or categories of recipient of the data;

-          Whether it is compulsory to reply, and what the possible consequences of the failure are;

-          The existence of the right to access and rectify the personal data relating to him; except where such additional information, taking into account the specific circumstances in which the data is collected, is not necessary to guarantee correct processing in respect to the data subject

    1. Other information dependant on the specific nature of the processing, as specified by the King, having received the opinion of the Commission for the Protection of Privacy

 

  1. If the personal data is not collected from the data subject, the controller or his representative must provide the data subject with at least the information below when recording the personal data or when considering communication to a third party, and at the very latest when the data is first disclosed, unless the data subject has already received such information:
    1. The name and address of the controller and of his representative, if any;
    2. The purposes of the processing;
    3. The existence of a right to object, by request and free of charge, to the intended processing of personal data relating to him, if it is obtained for the purposes of direct marketing; in that case, the data subject must be informed prior to the first disclosure of the personal data to a third party or prior to the first use of the data for the purposes of direct marketing on behalf of third parties;
    4. Other additional information, in particular:

-          The categories of data concerned;

-          The recipients or categories of recipients of the data;

-          Whether compliance with the request for information is compulsory or not, as well as what the consequences of the failure to comply are;

-          The existence of the right to access and rectify the personal data relating to him; except where such additional information, taking into account the specific circumstances in which the data is collected, is not necessary to guarantee correct processing in respect to the data subject

    1. Other information dependant on the specific nature of the processing, as specified by the King, having received the opinion of the Commission for the Protection of Privacy

 

The controller is exempt from the duty to provide information under this paragraph where:

  1. Informing the data subject proves impossible or would involve a disproportionate effort, in particular for statistical purposes or for the purpose of historical or scientific research, or for the purpose of medical examination for the population with a view to protecting and promoting public health;
  2. Personal data is recorded or provided with a view to the application of a provision laid down by or by virtue of an act, decree or ordinance. By decree after deliberation in the Council of Ministers, having received the opinion of the Commission of the Protection of Privacy, the King shall establish the conditions for the application of the previous paragraph

 

If the first disclosure of data took place before this provision took effect, the data subject must be informed, by way of derogation from the first paragraph, at the very latest within 3 years of the enforcement date of this provision. The data subject does not have to be informed, however, if the controller was exempt from the duty to inform the data subject of the recording of the data by virtue of legal and regulatory provisions applicable on the day preceding the date this stipulation took effect.  

 

What needs to be done prior to shipping?

 

TRANSFER OF PERSONAL DATA TO COUNTRIES OUTSIDE THE EUROPEAN UNION

 

Article 21

 

  1. Personal data being processed after is has been transferred to a country outside the European Community may only be transferred if the country in question ensures an adequate level of protection and if the other provisions of this Act and its implementing decrees have been complied with. The adequacy of the level of protection is assessed in the light of all the circumstances surrounding a data transfer operation or a set of data transfer operations; particular consideration is given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third party country in question and the professional rules and security measures which are complied with in that country.

 

  1.  Having received the opinion of the Commission for the Protection of Privacy and pursuant to Article 25 of Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, the King shall lay down the categories of processing operations for which and the circumstances in which the transfer of personal data to countries outside the European Community is not authorised

 

Article 22

 

  1. By way of derogation from Article 21, a transfer or a set of transfers of personal data to a country outside the European Community which does not ensure an adequate level of protection may take place in one of the following cases:

                                                               i.      The data subject has unambiguously given his consent to the proposed transfer;

                                                             ii.      The transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of precontractual measures taken in response to the data subject’s request;

                                                           iii.      The transfer is necessary for the conclusion or performance of a contract concluded or to be concluded between the controller and a third party in the interest of the data subject;

                                                            iv.      The transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims;

                                                              v.      The transfer is necessary in order to protect the vital interests of the data subject;

                                                            vi.      The transfer is made from a register which, according to acts or regulations, is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in the case in hand

 

Without prejudice to the provisions of the previous paragraph, having received the opinion of the Commission for the Protection of Privacy, the King may authorise a transfer or a set of transfers of personal data to a country outside the European Community which does not ensure an adequate level of protection, if the controller ensures adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals, and regarding the exercise of the corresponding rights; such safeguards can result from appropriate contractual clauses in particular.

 

What are the sanctions for non-compliance?

 

Article 39

 

A fine of EUR 100 to EUR 100,000 shall be imposed on:

-          Any controller, his representative in Belgium, agent or assignee having failed to comply with the duties imposed by Article 9;

-          Any controller, his representative in Belgium, agent or assignee having started, managed, continued to manage or terminated the automatic processing of personal data without meeting the requirements of Article 17;

-          Any controller, his representative in Belgium, agent or assignee having communicated incomplete or incorrect information in the notifications imposed by Article 17;

-           Any person who transfers personal data or has personal data transferred to a country outside the European Community included in the list referred to in Article 21 Section 2, or any person who authorises such transfers despite the requirements of Article 22

 

 

 

 

 

 

Please refer to the Commission for the Protection of Privacy (Belgium) Website for further details on the Statute

 


 

[1] Belgium has since joined the Euro – 10,000 francs = 247.89 EUR

 
© TRILANTIC - All rights reserved. | Disclaimer | Client Login