GDPR: Belgian act (finally) in force

04 Oct 2018Regulations

The protection of individuals with regard to the processing of their personal data is now governed by a new act, adopted following the General Data Protection Regulation (GDPR).

We hereby review some of the major new provisions of the act.


First, it is useful to recall that the GDPR is (and remains) directly applicable in domestic law.


The Belgian act, in force since 5 September 2018, does not replace the GDPR but complements it, in order to settle the questions that were left open.


We hereby highlight some of the provisions of this act:


  • For the processing of so-called special categories of personal or "sensitive" data (health, genetic and biometric data), the controller must ensure the following additional guarantees:


- Designate the categories of persons having access to the data;

- Keep a list of these categories of persons at the disposal of the Data Protection Authority;

- Ensure that the designated persons are required to respect the confidentiality of this data;


  • Data relating to convictions and criminal offenses cannot be processed, except in the case of exhaustively listed situations, in particular if the processing is necessary for managing its own litigation, or if it is carried out by an attorney for the defense of his clients;


  • The act defines three "important public interest grounds", allowing the processing of sensitive data:


- Treatment by an association defending and promoting human rights;

- Processing by Child Focus;

- The processing of data relating to sex life by an association for the purpose of assessing, guiding and treating behavior of sexual offenses;


  • Regarding the rights of the data subjects (information, erasure, opposition, etc.), various hypotheses allow to restrict them, among which:


- Authorities involved in public security are generally exempted from respecting these rights, or when data comes from specifically designated authorities. Also, a data controller who communicates data to these authorities is generally not allowed to inform the data subject;

- When the data is processed in a judicial context (decision, filing, criminal investigation), the rights are exercised in accordance with the provisions governing the procedure;

- In case of transfer to a joint databank created by public authorities (e.g. the Crossroads Bank for Social Security), the data subject cannot be informed.


What to remember?


The GDPR remains the point of reference for the processing of personal data.


In its content, most of the provisions of the new act concern the processing of data by public authorities, in order to mitigate the non-applicability of the GDPR to certain situations.



For employers, the impact of the act is therefore to be relativized, in view of the existing framework applicable since 25 May 2018.


However, some provisions cannot be neglected, especially in the case of processing of sensitive data (e.g. biometric data), where additional guarantees are required.


Source: Act of 30 July 2018 on the protection of individuals with regard to the processing of personal data, Belgian Official Gazette, 5 September 2018, p. 68616.