Although the European Union's General Data Protection Regulation (GDPR) applies directly in all EU member states, each state interprets and applies the GDPR differently, for two reasons: the GDPR itself allows member states to create and apply their own rules in around 50 areas of the regulation, and each member state's Data Protection Authority and national courts interpret and enforce the GDPR in their own ways.
Therefore, businesses should pay attention to each EU member state's interpretation of the GDPR and to its national data protection laws. In this article, we focus on the data protection regime of one of the key EU countries: Belgium.
Belgian data protection law in a nutshell
In Belgium, two key laws apply to the processing of personal data:
- The EU General Data Protection Regulation (GDPR); and
- The Act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data ("the Act").
When does Belgian privacy law apply, and how? Let's look at it in detail.
Both public and private entities fall under the scope of the Act and the GDPR.
However, public authorities and their appointees and agents cannot be subject to administrative fines under article 83 of the GDPR.
Territorial scope of the law
The Act applies to the processing of personal data when that processing takes place in the context of the activities of an establishment of a controller or processor in Belgium. It is irrelevant whether the actual processing is carried out in Belgium or not.
However, if a data controller located in another EU country uses a data processor established in Belgium, the law of that EU country applies to the data processing, not the Belgian Act.
The Act also applies to a controller or processor that is not established in the EU but processes the personal data of people in Belgium, if the processing activities relate to:
- the offering of goods or services, irrespective of whether payment by the data subject is required, to such data subjects in the Belgian territory; or
- the monitoring of their behavior as far as it takes place within the Belgian territory.
What is the relationship between the Act and the GDPR?
The Act implements the EU GDPR and also covers matters that the GDPR leaves to the discretion of EU member states. For example, the Act incorporates the following changes, as allowed under the GDPR:
- Creating exceptions to the fulfilment of data subject rights for scientific and historical research purposes
- Setting the age limit for consent to 13, instead of 16
How can businesses make sure they comply with Belgian data protection law?
Key requirements of Belgian data privacy law and how to comply
The key requirements of Belgian data protection law are highly similar to those of the GDPR, subject to minor differences as allowed by the GDPR. To process personal data in accordance with Belgian law, you need to comply with the following requirements:
Comply with six fundamental principles of the GDPR
When you collect, use, share and process personal data, you must adhere to the six fundamental principles of the GDPR.
1. Personal data must be processed fairly, lawfully and transparently;
2. Personal data must be collected only for specific, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes;
3. Personal data must be adequate, relevant and not excessive in relation to the purposes of the processing;
4. Personal data must be accurate and, where necessary, kept up to date;
5. Personal data must be kept in a form that permits identification of data subjects for no longer than necessary;
6. Personal data must be kept secure.
Demonstrate your compliance
Article 5(2) of the GDPR requires you to be able to demonstrate how you comply with these six principles. This is referred to as the "accountability principle". You need to implement appropriate documentation and technical measures so that you have proper proof of your compliance efforts.
For example, you may demonstrate your compliance with the GDPR principles by:
- Signing data processing agreements with your vendors;
- Carrying out data protection impact assessments before you start collecting and using personal data in certain circumstances;
- Keeping records of all data breaches.
Identify and document a legal basis to process personal data
When you collect, use and process personal data, you must rely on one of the six legal bases listed in Article 6 of the GDPR. These include 'consent', 'legitimate interests' and 'contractual necessity'.
When you rely on consent, obtain consent in a GDPR-compliant way
When you rely on data subjects’ consent to collect and process personal data, consent must satisfy GDPR standards.
Valid consent under the GDPR must be:
- Freely given: individuals must have a genuine choice between giving and refusing consent.
- Specific: consent should cover a specific data processing activity and a specific purpose.
- Informed: you must be transparent with individuals about how you collect and use their data. For instance, you must give individuals clear information about your identity and explain the purposes of the data processing and each processing activity.
- Unambiguous: consent must be given by an affirmative action.
Additionally, keep in mind that organizations must document and keep records of all consents provided.
Satisfy data subject requests
Individuals are entitled to the following rights related to their personal data:
- Right to be informed
- Right to access
- Right to rectification
- Right to erasure
- Right to object/opt-out
- Right to data portability
- Right not to be subject to automated decision-making
- Right to restriction of processing
Adhere to breach notification rules
This requirement reflects the GDPR requirements for breach notification.
Cookies according to Belgian privacy law: how to comply
Belgium has incorporated the cookie requirements of the ePrivacy Directive into its national law.
What types of cookies require the consent of individuals?
You need to obtain “valid” consent of data subjects before you can place the following types of cookies and/or similar technologies on their device:
- Analytics cookies
- Advertising cookies
- Social media cookies
What cookies do not require consent?
Cookies in the following category do not require the consent of individuals:
- Strictly necessary "functional" cookies
For example, cookies that remember the items in a shopping cart or cookies that ensure the security of payments fall under this category.
Can you use cookie walls?
The Belgian Data Protection Authority follows the European Data Protection Board's approach to cookie walls and prohibits the use of cookie walls to obtain consent.
How to obtain "valid" consent in Belgium?
The Belgian Data Protection Authority states that consent must conform to the GDPR requirements.
For example, consent must be given by a clear and affirmative action. Therefore, pre-ticked boxes, scrolling, or navigating a web page do not amount to valid consent.
Furthermore, websites must give their users a 'granular' choice, with consent asked for each cookie category separately. For instance, a website should ask for consent separately for "functional cookies", "analytical cookies" and "advertising cookies".
Lastly, refusing consent must be as easy as giving it. For example, if individuals can consent to cookies with a single click on the 'Accept' button, rejecting them must also take a single click on a 'Reject' button.
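The rules above (no pre-ticked boxes, a separate choice per cookie category, rejecting as easy as accepting) together with the earlier point that every consent must be documented translate into a small piece of client-side logic. The following is an added example written for this article; it is not code from the Belgian DPA, from the GDPR, or from any consent management product. The category names, the fields of the consent record and the `jar` Map that stands in for the browser's cookie store (in a real page the write would go to `document.cookie`) are assumptions of the example.

```javascript
// Added example: a minimal consent gate for cookie categories that follows the
// consent rules described above. Category names, record fields and the `jar`
// abstraction for document.cookie are assumptions of this example.

// 'necessary' covers strictly necessary ("functional") cookies, which need no
// consent; the other categories may only be set after an explicit opt-in.
const CATEGORIES = ['necessary', 'analytics', 'advertising', 'social'];
const CONSENT_REQUIRED = new Set(['analytics', 'advertising', 'social']);

// State before the user acts: every consent-requiring category is off.
// This is the "no pre-ticked boxes" rule; scrolling or navigating never changes it.
function defaultConsent() {
  const consent = { necessary: true };
  for (const c of CONSENT_REQUIRED) consent[c] = false;
  return consent;
}

// Turn an explicit user action into a consent record. 'accept_all' and
// 'reject_all' are both single actions, so rejecting is exactly as easy as
// accepting; 'custom' carries the per-category (granular) choices. A category
// missing from `choices` counts as refused, never as accepted.
function recordConsent(choices, { action, policyVersion, now = () => new Date().toISOString() }) {
  if (!['accept_all', 'reject_all', 'custom'].includes(action)) {
    throw new Error('consent requires an explicit user action, got: ' + action);
  }
  const consent = defaultConsent();
  for (const c of CONSENT_REQUIRED) {
    if (action === 'accept_all') consent[c] = true;
    else if (action === 'custom') consent[c] = choices[c] === true;
    // 'reject_all' keeps the default (false) for every category
  }
  return { consent, action, policyVersion, timestamp: now() };
}

// Gate a cookie write on the consent record. `jar` is a Map standing in for the
// browser cookie store. Returns whether the cookie was written, so callers
// (analytics loaders, ad tags) can skip their setup when consent is absent.
function setCookieIfPermitted(jar, record, category, name, value) {
  if (!CATEGORIES.includes(category)) {
    throw new Error('unknown cookie category: ' + category);
  }
  if (!record.consent[category]) return false;
  jar.set(name, value);
  return true;
}

// Append-only log of consent records: the evidence for the accountability
// principle (who consented to what, under which policy version, and when).
// Entries are frozen copies so later banner interactions cannot alter them.
function appendConsentLog(log, record) {
  log.push(Object.freeze(JSON.parse(JSON.stringify(record))));
  return log.length;
}

// Walk-through with a constructed banner interaction (all values are made up).
function demo() {
  const jar = new Map();
  const log = [];
  // Before any action, only strictly necessary cookies may be set.
  const initial = { consent: defaultConsent() };
  const results = {
    sessionBeforeChoice: setCookieIfPermitted(jar, initial, 'necessary', 'session_id', 'constructed-session'),
    analyticsBeforeChoice: setCookieIfPermitted(jar, initial, 'analytics', '_ga', 'constructed-id'),
  };
  // The user ticks only "analytics" in the granular dialog.
  const record = recordConsent({ analytics: true }, { action: 'custom', policyVersion: 'cookie-policy-v1' });
  appendConsentLog(log, record);
  results.analyticsAfterChoice = setCookieIfPermitted(jar, record, 'analytics', '_ga', 'constructed-id');
  results.advertisingAfterChoice = setCookieIfPermitted(jar, record, 'advertising', 'ad_id', 'constructed-id');
  results.cookiesSet = [...jar.keys()];
  results.logEntries = log.length;
  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```

The design choice worth noting is that the code has no path from "the user did nothing" to "a non-essential cookie was set": the default record denies every consent-requiring category, and `recordConsent` refuses any action other than an explicit accept, reject or custom choice, so a page that only tracks scroll or navigation events cannot produce a valid record. The consent log, together with the `policyVersion` field, is what you would show to demonstrate that a given cookie was set on the basis of a specific, documented consent.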
Do you need a consent management platform?
The Act does not require businesses to adopt a particular consent management tool; there are no specific instructions on what means may be used to obtain and record consent.
However, businesses are advised to implement a consent management tool so that they can record and manage consent provided by data subjects. This will also enable businesses to satisfy the accountability requirements of the GDPR.
What are the penalties if you fail to comply with Belgian data privacy law?
If you fail to comply, you may face the following penalties:
- Administrative fines as set out in the GDPR: depending on the type of infringement, fines of up to 4% of annual worldwide turnover or €20m, whichever is greater, or fines of up to 2% of annual worldwide turnover or €10m, whichever is greater.
- Criminal sanctions under Belgian law.
Failure to comply with Belgian data protection law may expose controllers and processors to criminal sanctions. Data subjects can also bring claims against controllers or processors for infringements.
How to start getting ready for Belgium's data protection law today
If you want to satisfy all requirements of Belgian data protection law and the EU GDPR, you need to start by relying on a legal basis to justify your data processing activities. Consent is one of the most common legal bases you will rely on, and it can justify the use of third-party advertising and analytics cookies, ad personalization and email marketing.
However, you must obtain consent as specified by the GDPR and be able to prove that you obtained it lawfully. A consent management platform lets you collect consent in a GDPR-compliant manner and keep a record of all consent obtained.
Customer privacy has to become a priority for brands, and for businesses operating in Belgium this means complying with the GDPR and the national data protection law.