New Belgian data protection law has come into force


The Belgian Law of 30 July 2018 on the protection of natural persons with regard to the processing of personal data (“Law of 30 July 2018”) entered into force on 5 September 2018. This extensive piece of legislation abolishes the Law of 8 December 1992 on privacy protection when processing personal data (“Law of 1992”), which regulated the processing of personal data in Belgium for almost 26 years.

The Law of 30 July 2018 brings to a logical end the peculiar coexistence of the Law of 1992 and the EU General Data Protection Regulation 2016/679 (“GDPR”). The GDPR came into force on 25 May 2018 and directly applies to data processing activities performed by Belgium-based controllers and processors. After the Law of 3 December 2017 creating the Data Protection Authority (replacing the Commission for the Protection of Privacy), tasked with monitoring compliance by Belgian entities with their privacy obligations, the Law of 30 July 2018 is the second piece of Belgian legislation triggered by the GDPR.

The entry into force of the Law of 30 July 2018 is unlikely to have a significant impact on companies processing personal data.

However, the Law of 30 July 2018 impacts, among others, organizations relying on consent from children or processing special categories of data. The Belgian legislator set 13 as the age from which children may provide consent for the use of an information service, lower than the age of 16 set by the GDPR. An entity processing genetic data, biometric data, data concerning health or data related to criminal convictions and offences must maintain a list of the categories of persons who have access to that data, together with a description of their function related to processing such data. The list must be disclosed to the competent supervisory authority on request. Although the latter obligation is not part of the GDPR, it existed previously under the Law of 1992 and its implementing acts.

In implementing Directive 2016/680 on the processing of personal data by criminal authorities, the Law of 30 July 2018 imposes certain requirements on government entities that before were hardly affected by the Law of 1992. For example, army forces and intelligence and security services must now comply with requests from data subjects to exercise certain data protection rights, albeit in a restricted fashion.

The Law of 30 July 2018 also consolidates the patchy Belgian data protection regulatory framework. For example, it incorporates the provisions of the Law of 25 December 2016 on the processing of passenger data.

Belgium-based data controllers and processors should start reviewing their data protection documentation (for example, their privacy notices) to update any references to the Law of 1992. Where applicable, affected entities must implement the new requirements under the Law of 30 July 2018.