Support Centre

Belgium

Summary

Law: Act of 3 December 2017 Establishing the Data Protection Authority, Act of 30 July 2018 on the Protection of Natural Persons with Regard to the Processing of Personal Data ('the Act'), and the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR)

Regulator: Data Protection Authority (Belgian DPA) 

Summary: Belgium implemented the GDPR in 2018 through the Act of July 30, 2018 on the Protection of Natural Persons with Regard to the Processing of Personal Data (the Act).

Notably, the Act derogated from the GDPR by creating exceptions to data subject rights for purposes such as scientific or historical research and in setting the age of consent for children's data to 13 years of age. The Act designates the Data Protection Authority (the Belgian DPA) as the supervisory authority. The Belgian DPA often releases guidance in both Dutch and French, and sometimes German, addressing key concerns such as data protection officer appointments, Data Protection Impact Assessments, and Binding Corporate Rules. The Belgian DPA is particularly active in issuing opinions and enforcement decisions, which often concern organizations' responses to data subject access requests and unlawful use of video surveillance.

Insights

Article 37 of the General Data Protection Regulation (GDPR) obliges data controllers and processors to designate a data protection officer (DPO). As part of this obligation, data controllers and processors are also required to publish the contact details of the DPO and to communicate the DPO's contact details to relevant supervisory authorities. In part one of this Insight series, OneTrust DataGuidance focuses on the requirement to communicate DPO contact details to the relevant supervisory authorities, providing an overview on the rules and guidelines for DPO contact registration across Austria, Belgium, Bulgaria, Croatia, Czech Republic, Denmark, Estonia, Finland, France, Germany, and Greece.