On 12 June 2018, after having obtained the Council of State’s advice, the Belgian draft GDPR bill was submitted to Parliament. However, the text is not yet final and will be subject to further discussions and amendments in Parliament.
The draft bill is a second step in the implementation process of the GDPR in Belgium. In December 2017, a law was enacted in respect of the transformation of the existing Privacy Commission into the Data Protection Authority, thereby granting the latter the powers of a supervisory authority as required by the GDPR.
The draft bill constitutes so-called 'secondary legislation' and further implements the GDPR, in particular in those areas where the GDPR left a margin of discretion to the EU Member States. Once adopted, it will abolish and replace the current 1992 Data Protection Act and the 2001 Royal Decree which implements it.
Aside from implementing the GDPR by way of secondary legislation, the draft bill also implements Directive 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data.
Here are some of the important takeaways with respect to the processing of personal data under GDPR in general.
Age of consent
The draft bill provides that the processing of personal data relating to children with regard to the offer of online services is lawful when consent has been given by children aged 13 and over. The GDPR provides that Member States may decide to set the age at which children can validly give consent at an age between 13 and 16 years. Parental consent will therefore only be required in Belgium for the processing of a child’s personal data with regard to the offer of online services if the child is below the age of 13.
Special category data
Special categories of data are those revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation.
The GDPR stipulates that the processing of special category data is prohibited, except in specific cases. The exceptions include such processing when it is necessary for reasons of 'substantial public interest', on the basis of Union or Member State law (Art. 9 (2) (g) GDPR).
On the basis of Article 9 (2) (g) GDPR, the draft bill allows a number of named associations and organisations to process special categories of personal data (e.g. associations for the defence and promotion of human rights and fundamental freedoms). The practicalities and technicalities for processing by said associations and organisations are to be determined by Royal Decree.
Health-related, biometric and genetic data
In relation to the processing of health-related, biometric and genetic data, the draft bill introduces a number of additional security measures that controllers must take and which are inspired by the (to be abolished) 1992 Data Protection Act and the 2001 Royal Decree which implements it.
When processing health-related, biometric and genetic data, controllers must take the following additional security measures:
- the controller must keep a list of the categories of persons having access to the data, including a description of their capacity in relation to the data;
- the controller must communicate this list to the supervisory authority if requested; and
- the persons having access to the data should be bound by a (statutory or contractual) confidentiality obligation.
Criminal conviction data
The GDPR provides that the processing of data relating to criminal convictions and offences or related security measures should only be carried out under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects.
The draft bill gives specific grounds for the processing of criminal conviction data and introduces specific security measures for the processing of this type of data.
Data related to criminal convictions can be processed:
- by private undertakings, if necessary for the management of litigation to which they are a party;
- by lawyers or other legal advisors, to the extent necessary to defend the interests of their clients;
- by other persons, when the processing is necessary for the fulfilment of purposes established by or pursuant to a law; and
- if necessary for archiving purposes, scientific or historical research or statistical purposes.
The additional security measures which apply in respect of the processing of health-related, biometric and genetic data and which are set out above also apply in to the processing of criminal conviction data.
Public authorities
The draft bill provides restrictions on the data subject’s rights in the following three cases:
- prevention and detection of criminal offences;
- protection of important objectives of general public interest such as economic or financial interests, including in the monetary, budgetary and fiscal fields, public health or social security; and
- control, inspection or regulatory missions related to the exercise of public authority.
In order for these restrictions to be lawful, the draft bill provides specific safeguards in favour of the data subject (e.g. the controller must justify the restrictions at the request of the data protection authority etc.).
Processing for journalistic purposes and for academic, artistic or literary expression
The draft bill also includes various restrictions on data subject rights when personal data is processed for journalistic purposes and for the purpose of academic, artistic or literary expression, provided that the controller abides by the ethical rules applicable to professional journalism. For instance, data subjects will not have the right to object to the processing of their data nor the right to access or rectify such data.
You can read the text of the draft bill (in Dutch and French) here.
This draft bill will now be discussed in Parliament. We will closely monitor its progress and inform you as soon as the legislation is final.
Authors:
Bastiaan Bruyndonckx • +32 2 787 90 93 • bastiaan.bruyndonckx@lydian.be
Blandine de Lange • +32 2 787 91 14 • blandine.delange@lydian.be