LAW

Belgium implemented the EU Data Protection Directive 95/46/EC with the Data Protection Act dated 8 December 1992 ("Act"). Enforcement is ensured by the Data Protection Authority ("DPA").

DEFINITION OF PERSONAL DATA

Personal data means any information relating to an identified or identifiable natural person.

A person is considered to be an identifiable person when he or she can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity.

DEFINITION OF SENSITIVE PERSONAL DATA

The Belgian Data Protection Act distinguishes between three categories of sensitive personal data, for which distinct rules apply:

  • personal data revealing a person's racial or ethnic origin, political opinions, religious or philosophical beliefs, sex life or trade union membership;
  • health-related personal data; and
  • personal data relating to disputes which have been submitted to courts and tribunals as well as to administrative judicial bodies, regarding suspicions, prosecutions or convictions in matters of crime, administrative sanctions or security measures.

NATIONAL DATA PROTECTION AUTHORITY

Commission for the Protection of Privacy

REGISTRATION

Unless an exemption applies, data controllers who process personal data by automatic means must notify the DPA so that their processing of personal data may be registered and made public. Changes to the processing of personal data will require the notification to be amended.

The notification shall inter alia include the following information (as outlined in the DPA standard notification form):

  • the purpose(s) of the processing;
  • the controller's contact details and if relevant the contact details of the controller's representative;
  • the types of personal data being processed;
  • whether categories of sensitive personal data are processed and if so, which categories;
  • the categories of recipients of the data and the guarantees which must be applied to the communication to third parties;
  • the way in which data subjects will be informed of the processing and the department which data subjects may contact to use their right to access;
  • the data retention terms;
  • a general description of security measures; and
  • in cases where the data will be transferred outside the European Economic Area, the categories of data to be transferred and, for each category of data, the country of destination.

DATA PROTECTION OFFICERS

There is no legal requirement in Belgium for organisations to appoint a data protection officer. It is, however, recommended to do so.

The Act requires controllers and processors to take adequate technical and organisational security measures.

As part of this obligation the DPA has issued "Security Guidelines", which reflect what is to be considered as constituting 'adequate technical and organisational security measures'. Although the Security Guidelines are not part of the Act itself and are not binding, they do have an important moral value.

The Security Guidelines recommend that controllers appoint a so-called "information security officer". This security officer is responsible for the implementation of the personal data security policy.

COLLECTION AND PROCESSING

Data controllers may collect and process personal data when any of the following conditions are met:

  • the data subject consents;
  • the processing is necessary to fulfil a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into such a contract;
  • the processing is necessary to enable the controller to fulfil a legal obligation;
  • the processing is necessary to protect the vital interests of the data subject;
  • the processing is necessary to perform a task in the public interest;
  • the processing is necessary to exercise official authority; or
  • the processing is necessary to enable the controller or third parties to whom the data is disclosed to protect a legitimate interest, except where such interest is overridden by the interests of the data subject.

Where sensitive personal data is processed, a different list of specific conditions applies.

Whichever of the above conditions is relied upon, the controller must first provide the data subject with certain information, unless an exemption applies. The notification shall include information on the identity of the controller, the purposes of the processing, the existence of the right to object in the case of personal data processing for direct marketing purposes, as well as the right to access and rectification, the recipients or categories of recipients of the personal data, and whether or not it is obligatory to respond to the data controller's request to submit personal data and any possible consequences of not responding.

TRANSFER

Transfer of a data subject's personal data to non-EU/European Economic Area countries is allowed if the countries provide "adequate protection".

For the transfer of data to the United States, companies which adhere to the US/EU Safe Harbor principles are deemed to offer adequate protection.

Data controllers may transfer personal data out of the European Economic Area to countries which are not deemed to offer adequate protection if any of the following exceptions apply:

  • the data subject has consented to the transfer;
  • the transfer is necessary for the performance of a contract between the data subject and the data controller, or for the performance of tasks at the request of the data subject prior to entering into such a contract;
  • the transfer is necessary for the conclusion or performance of a contract with a third party in the interest of the data subject;
  • the transfer is necessary in order to protect the vital interests of the data subject;
  • the transfer is necessary in order to establish, exercise or defend a legal claim;
  • the transfer is necessary or legally required in order to protect an important public interest; or
  • there is statutory authority for demanding data from a public register.

The DPA may allow transfers even if the above conditions are not fulfilled if the controller adduces additional safeguards with respect to the protection of the rights of the data subject. Such safeguards may inter alia result from contractual clauses, e.g. by standard contractual clauses approved by the European Commission, or via an organisation's Binding Corporate Rules.

Currently, in the context of a notification procedure, the DPA usually requests a copy of data transfer agreements, in particular to verify whether any changes were made to the EU model clauses. No formal approval of EU model clauses based data transfer agreements is required.

However, the DPA recently indicated that in the near future, this could change and an authorisation decree may be required for each contract based international transfer of personal data – regardless of whether the international transfer is based on the EU Model Clauses.

SECURITY

Data controllers and processors must implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

The DPA has issued (non binding) guidelines in respect of such security measures.

BREACH NOTIFICATION

The Act does not provide for a data security breach notification duty.

ENFORCEMENT

The DPA is authorised to investigate complaints, and to act as a mediator in case of complaints. The DPA may also appoint experts, may require the provision of documents, and may require access to certain places. In the case of criminal actions, the DPA must notify the public prosecutor.

Failure to comply with the Act may be criminally sanctioned with imprisonment or fines up to EUR 600,000.

ELECTRONIC MARKETING

The Act will apply to most electronic marketing activities, as there is likely to be processing and use of personal data involved (e.g. an email address is likely to be "personal data" for the purposes of the Act). The Act does not prohibit the use of personal data for the purposes of electronic marketing but provides individuals with the right to object to the processing of their personal data (i.e. a right to "opt out") for direct marketing purposes.

Additionally, specific rules are set out in Belgian E-Commerce Act (Act of 11 March 2003) regarding opt-in requirements:

  • These rules apply to all "electronic messages", i.e. traditional emails, text messages (Short Message Systems or SMS), etc. Other types such as instant messaging and chat may also fall within the scope of these rules depending on the specific context. This covers not only clear promotional messages, but also newsletters and similar communications. Indeed, 'any form of communication intended for the direct or indirect promotion of goods, services, the image of a company, organization or person which/who exercises a commercial, industrial or workmanship activity or regulated profession' falls within the scope of these rules.
  • As a general principle, the prior, free, specific and informed consent of the recipient of the message must be obtained ('opt-in principle').
  • Two exceptions apply to the opt-in principle. No prior, free, specific and informed consent is to be obtained if:
    – the electronic marketing message is sent to existing customers of the service provider; or
    – the electronic message is sent to legal persons (e.g. to a general email address such as info@company.com).
  • These exceptions are, however, subject to compliance with strict conditions. The exception applicable to existing customers for instance requires that the electronic marketing message sent to such existing customer relates to goods or services similar to those goods or services purchased by the customer.
  • All electronic messages must contain a clear reference to the recipient's right to opt out, including means to exercise this right electronically.

ONLINE PRIVACY (INCLUDING COOKIES AND LOCATION DATA)

Cookies

Article 5 (3) of the E-Privacy Directive has been implemented into Belgian Law by means of amendment of article 129 of the Belgian Electronic Communication Act.

The use and storage of cookies and similar technologies requires: a) clear and comprehensive information; and b) consent of the website user.

Consent is not required for cookies that are:

  • used for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
  • strictly necessary for the provision of a service requested by the user.

Regulatory guidance on the informed consent requirement is expected to be issued in the near future.

Location data

Article 123 of the Belgian Electronic Communication Act stipulates that mobile network operators may process location data of a subscriber or an end user only to the extent the location data has been anonymised or if the processing is carried out in the framework of the provision of a service regarding traffic or location data.

The processing of location data in the framework of a service regarding traffic or location data is subject to strict conditions set forth in article 123.

Processing of location data must in addition also comply with the general rules stipulated by the Data Protection Act.

Traffic data

In accordance with article 122 of the Belgian Electronic Communication Act, mobile network operators are required to delete or anonymise traffic data of their users and subscribers as soon as such data is no longer necessary for the transmission of the communication (subject to compliance with cooperation obligations with certain authorities).

Subject to compliance with specific information obligations and subject to specific restrictions, operators may process certain location data for the purposes of:

  • invoicing and interconnection payments;
  • marketing of the operator's own electronic communication services or services with traffic or location data (subject to the subscriber's or end user's prior consent); and
  • fraud detection.

© DLA Piper

This publication is intended as a general overview and discussion of the subjects dealt with. It is not intended to be, and should not be used as, a substitute for taking legal advice in any specific situation. DLA Piper Australia will accept no responsibility for any actions taken or not taken on the basis of this publication.


DLA Piper Australia is part of DLA Piper, a global law firm, operating through various separate and distinct legal entities. For further information, please refer to www.dlapiper.com