The Belgian Privacy Commission recently concluded a Protocol Agreement with the Ministry of Justice, which clari es the administrative procedure for data transfer agreements. Data transfer agreements which contain minor deviations from the EU model clauses, and data transfer agreements which are embedded in a broader commercial agreement and which do not contradict the EU model clauses, will be deemed to be in conformity with the EU model clauses, and do not require approval by royal decree.
DATA TRANSFERS UNDER BELGIAN LAW
The Belgian Privacy Commission recently took measures to better deal with the increasing number of crossborder transfers of personal data. As a general rule, the Belgian Data Protection Act2 provides that personal data cannot be transferred to a third country unless such third country is deemed to offer adequate protection. As only a limited number of countries is deemed to offer such adequate level of protection3, companies generally require an alternative solution in case they wish to transfer data to third countries.
The Data Protection Act provides for two alternative solutions. Firstly, the Act includes an (exhaustive) list of special circumstances in which personal data can be transferred to third countries. Examples include the data subject’s explicit consent and the necessity for compliance with a legal obligation. However, in practice,
we fnd that companies are rarely able to invoke one or more of these special circumstances as a general legal basis for their data transfers.
Companies therefore often resort to the second alternative, which consists of agreeing contractual provisions regarding the data transfer with the company receiving the data, i.e. the so-called data transfer agreements. Indeed, the Data Protection Act provides that, in case the data controller adduces additional and appropriate privacy
safeguards, notably via contractual arrangements, a transfer to a third country which does not provide adequate protection may be approved by royal decree. The European
Commission has issued model clauses which are typically used as a basis for data transfer agreements4.
PROTOCOL AGREEMENT CLARIFIES THE PROCEDURE FOR APPROVAL AND CONFIRMATION OF DATA TRANSFER AGREEMENTS
In the summer of 2013, the Belgian Privacy Commission and Ministry of Justice concluded a Protocol Agreement which clarifes the rules and procedures applicable to data transfer agreements. In summary:
- Submission of data transfer agreements
All data transfer agreements must be submitted to the Privacy Commission, which will verify whether the agreement adduces suffcient safeguards. Depending on whether the data transfer agreement is deemed to be in conformity with the EU model clauses by the Privacy Commission, a different procedure will be followed.
- Data transfer agreements in conformity with the EU model clauses
Data transfer agreements are deemed to be in conformity with the EU model clauses in the following cases:
– Data transfer agreements which are identical to the EU model clauses and which have been completed where required (e.g. name of the parties, types of personal data);
– Data transfer agreements which only contain minor deviations compared to the EU model clauses (e.g. punctuation and translation), whereby these deviations do not affect the scope and meaning of the EU model clauses; and
– Data transfer agreements which are embedded in a broader agreement and/or which contain other (commercial) provisions, to the extent they do not directly or indirectly contradict the model clauses and do not affect the fundamental rights and freedoms of the data subjects.
For these data transfer agreements, no royal decree authorisation is required. The Privacy Commission will examine the data transfer agreement and in case they consider the agreement is in conformity with EU model clauses, they will notify the requesting party thereof. As from the moment of receipt of this confrmation, the personal data may be transferred between the parties to the agreement.
The Protocol Agreement thus confrms the Privacy Commission’s existing practice for data transfer agreements based on the EU model clauses, and clarifes that the transfer cannot occur until the Privacy Commission noti es the requesting party of its con rmation that the agreement is in conformity with the EU model clauses.
- Data transfer agreements which deviate from the EU model clauses
For data transfer agreements which are not (and cannot be deemed to be) in conformity with the EU model clauses, a more extensive procedure needs to be followed.
In each case where the Privacy Commission fnds that the data transfer agreement is not in conformity with the EU model clauses, the Privacy Commission will inform the requesting party of the fact that a royal decree authorisation will be required. The Privacy Commission will provide the opportunity to modify the data transfer agreement so as to ensure conformity with the EU model clauses.
If the requesting party wishes to maintain its data transfer agreement without further changes, the Privacy Commission will evaluate whether the agreement provides suf cient safeguards with respect to privacy and fundamental rights and freedoms, based on the principles set out in the Protocol Agreement. It will inform the Ministry of Justice and the requesting party of its assessment. In case the Privacy Commission considers that suffcient safeguards are provided, it will provide the Ministry of Justice with a draft royal decree. The Ministry of Justice will only verify whether the procedures set out in the Protocol Agreement have been followed, and will not perform an assessment as regards content. The Ministry of Justice will provide for publication of the royal decree in the Belgian State Gazette.