National Data Protection Law

    Europe

    National Data Protection Law

    Law C − 2018/40581 of 30 July 2018

    Belgium’s GDPR implementation law went into effect on 5 September 2018. It introduces specific derogations to Data Subjects’ rights and stipulates that violations to this law are criminal offences.

    Last Updated: July 30, 2019


  • General

    Federal Law of 30 July 2018,  that went into effect by publication in the Official Journal on 5 September 2018, repealing the Law of 8 December 1992. As with the other EU Member States that have passed their Data Protection Laws, this law: 1) mirrors the GDPR in general; and, 2) adds provisions regulating specific aspects.

    Opening clauses and derogations

    It is of particular interest that this law:

    • lowers the age limit for consenting minors in relation to information society services to 13 years of age;
    • introduces specific requirements for the processing of special categories of data: controllers should designate a person, bound by contractual confidentiality obligations, who is entitled to consult these categories of data;
    • lays down restrictions on rights of data subjects (such as the right to information) when personal data are transferred to the Belgian intelligence agency;
    • reconciles the right to the protection of personal data with the right to freedom of expression; and
    • makes the infringement of Data Protection laws a criminal offence.
  • DatabreachPedia

    Overview

    In Belgium, there is a general requirement under the General Data Protection Regulation for data controllers to notify personal data breaches to their regulator and in cases of likely high risk to the rights and freedoms of natural persons, also to them.

    Is it Mandatory to Notify Individuals?

    Yes, if the personal data breach is likely to result in a high risk to their rights and freedoms.

    Is it Mandatory to Notify Regulator?

    Yes, if the personal data breach is likely to result in a risk to the rights and freedoms of natural persons.

    Notification Deadline

    72 hours

    Responsible Regulator

    Data Protection Authority (DPA)
    Commission de la protection de la vie privée
    Rue de la Presse 35
    1000 Bruxelles

    Tel. +32 2 274 48 00
    Fax +32 2 274 48 10
    E-mail: [email protected]
    Website: https://www.privacycommission.be/

    Breach Notification Format

    Minimum requirements: nature of the breach, categories and approx. number of data subjects concerned, name and contact details of the DPO, likely consequences, measures taken/proposed to be taken. Belgian regulator advises notifying through its downloadable 17-page electronic form containing a broad range of questions – accessible in French or Dutch.

Want to learn more? Login to the full DataGuidance platform.

About OneTrust


OneTrust is the #1 most widely used privacy, security and third-party risk technology platform trusted by more than 3,000 companies to comply with the CCPA, GDPR, ISO27001 and hundreds of the world’s privacy and security laws. OneTrust's three primary offerings include OneTrust Privacy Management Software, OneTrust PreferenceChoice™ consent and preference management software, and OneTrust Vendorpedia™ third-party risk management software and vendor risk exchange. To learn more, visit OneTrust.com or connect on LinkedIn, Twitter and Facebook.