Data Protection 2021

A practical cross-border insight into data protection law

Eighth Edition

Featuring contributions from:

Anderson Mōri & Tomotsune Homburger Mori Hamada & Matsumoto

Arthur Cox LLP Iriarte & Asociados Naschitz, Brandes, Amir & Co., Advocates
Chandler MHM Limited Khaitan & Co LLP Nikolinakos & Partners Law Firm
CO:PLAY Advokatpartnerselskab King & Wood Mallesons OLIVARES
D’LIGHT Law Group Klochenko & Partners Attorneys at Law Pinheiro Neto Advogados
DQ Advocates Limited Koushos Korfiotis Papacharalambous LLC PLANIT // LEGAL
Drew & Napier LLC Law Firm Pirc Musar & Lemut Strle Ltd S. U. Khan Associates Corporate & Legal
Consultants
FABIAN PRIVACY LEGAL GmbH Lee and Li, Attorneys At Law
SEOR Law Firm
Foucaud Tchekhoff Pochet et Associés (FTPA) Leśniewski Borkiewicz & Partners
White & Case LLP
H & A Partners LPS L@W
in association with Anderson Mōri & Tomotsune Wikborg Rein Advokatfirma AS
LYDIAN
Hajji & Associés McMillan LLP
Hammad and Al-Mehdar Law Firm MinterEllison
 ISBN 978-1-83918-127-6
ISSN 2054-3786

Published by

59 Tanner Street

Data Protection 2021

London SE1 3PL
United Kingdom
+44 207 3
­ 67 0720
[email protected]
www.iclg.com Eighth Edition

Publisher
James Strode

Production Editor
Jane Simmons

Senior Editor Contributing Editors:

Sam Friend
Tim Hickman & Dr. Detlev Gabel
Head of Production
Suzie Levy White & Case LLP
Chief Media Officer
Fraser Allan

CEO
Jason Byles

Printed by
Ashford Colour Press Ltd.

Cover image
www.istockphoto.com

©2021 Global Legal Group Limited.

All rights reserved. Unauthorised reproduction by any means,
Strategic Partners digital or analogue, in whole or in part, is strictly forbidden.

Disclaimer
This publication is for general information purposes only. It does not purport to provide comprehen-
sive full legal or other advice. Global Legal Group Ltd. and the contributors accept no responsibility
for losses that may arise from reliance upon information contained in this publication.
This publication is intended to give an indication of legal issues upon which you may need advice.
Full legal advice should be taken from a qualified professional when dealing with specific situations.

© Published and reproduced with kind permission by Global Legal Group Ltd, London
Table of Contents

Expert Analysis Chapters

The Rapid Evolution of Data Protection Laws
1 Dr. Detlev Gabel & Tim Hickman, White & Case LLP

Privacy By Design as a Fundamental Requirement for the Processing of Personal Data

7 Daniela Fábián Masoch, FABIAN PRIVACY LEGAL GmbH

Initiatives to Boost Data Business in Japan

12 Takashi Nakazaki, Anderson Mōri & Tomotsune

Q&A Chapters
Australia Ireland
19 MinterEllison: Anthony Borgese 161 Arthur Cox LLP: Colin Rooney & Aoife Coll

Belgium Isle of Man

32 LYDIAN: Bastiaan Bruyndonckx, Olivia Santantonio 172 DQ Advocates Limited: Kathryn Sharman & Sinead
& Liese Kuyken O’Connor

Brazil Israel
44 Pinheiro Neto Advogados: Larissa Galimberti, Carla 182 Naschitz, Brandes, Amir & Co., Advocates:
Rapé Nascimento & Luiza Fonseca de Araujo Dalit Ben-Israel & Efrat Artzi

Canada Japan
56 McMillan LLP: Lyndsay A. Wasser & Kristen 193 Mori Hamada & Matsumoto: Hiromi Hayashi &
Pennington Masaki Yukawa

China Korea
68 King & Wood Mallesons: Susan Ning & Han Wu 205 D’LIGHT Law Group: Iris Hyejin Hwang & Hye In Lee

Cyprus Mexico
82 Koushos Korfiotis Papacharalambous LLC: Loizos 215 OLIVARES: Abraham Diaz Arceo & Gustavo Alcocer
Papacharalambous & Anastasios Kareklas
Morocco
Denmark 224 Hajji & Associés: Ayoub Berdai
96 CO:PLAY Advokatpartnerselskab: Heidi Højmark
Helveg & Niels Dahl-Nielsen Norway
234 Wikborg Rein Advokatfirma AS: Gry Hvidsten &
France Emily M. Weitzenboeck
108 Foucaud Tchekhoff Pochet et Associés (FTPA):
Boriana Guimberteau & Clémence Louvet
Pakistan
246 S. U. Khan Associates Corporate & Legal
Germany Consultants: Saifullah Khan & Saeed Hasan Khan
118 PLANIT // LEGAL: Dr. Bernhard Freund & Dr. Bernd
Schmidt Peru
254 Iriarte & Asociados: Erick Iriarte Ahón &
Greece Fátima Toche Vega
129 Nikolinakos & Partners Law Firm:
Dr. Nikos Th. Nikolinakos, Dina Th. Kouvelou &
Poland
Alexis N. Spyropoulos 262 Leśniewski Borkiewicz & Partners: Grzegorz
Leśniewski, Mateusz Borkiewicz & Jacek Cieśliński
India
139 Khaitan & Co LLP: Harsh Walia & Supratim Russia
Chakraborty 274 Klochenko & Partners Attorneys at Law:
Lilia Klochenko
Indonesia
149 H & A Partners in association with Anderson Mōri
Saudi Arabia
& Tomotsune: Steffen Hadi, Sianti Candra & Dimas 284 Hammad and Al-Mehdar Law Firm: Suhaib Hammad
Andri Himawan

© Published and reproduced with kind permission by Global Legal Group Ltd, London
 Table of Contents

Q&A Chapters Continued

Thailand
Senegal 347 Chandler MHM Limited / Mori Hamada & Matsumoto:
293 LPS L@W: Léon Patrice SARR Pranat Laohapairoj & Atsushi Okada
Singapore Turkey
302 Drew & Napier LLC: Lim Chong Kin 355 SEOR Law Firm: Okan Or & Ali Feyyaz Gül

Slovenia
317 Law Firm Pirc Musar & Lemut Strle Ltd: Nataša Pirc
United Kingdom
365 White & Case LLP: Tim Hickman & Joe Devine
Musar & Rosana Lemut Strle
USA
Switzerland 376
328 Homburger: Dr. Gregor Bühler, Luca Dal Molin &
White & Case LLP: F. Paul Pittman & Kyle Levenberg
Dr. Kirsten Wesiak-Schmidt

Taiwan
337 Lee and Li, Attorneys At Law: Ken-Ying Tseng & Sam
Huang

© Published and reproduced with kind permission by Global Legal Group Ltd, London
 36 Chapter 5

Belgium
Belgium

Bastiaan Bruyndonckx

Olivia Santantonio

LYDIAN Liese Kuyken

and has the powers and competences that the GDPR requires
12 Relevant Legislation and Competent national supervisory authorities to possess.
Authorities A second act, the law of 30 July 2018 on the protection of
individuals with respect to the processing of personal data (the
1.1 What is the principal data protection legislation? “GDPR Implementation Act”), addresses the national substan-
tive aspects of the GDPR and introduces several specifications
Since 25 May 2018, the principal data protection legislation in and derogations, such as determining the age of consent for chil-
the EU has been Regulation (EU) 2016/679 of the European dren in an online context and providing specific legal grounds
Parliament and of the Council of 27 April 2016 on the protection and imposing additional security measures in relation to sensi-
of natural persons with regard to the processing of personal data tive data. At the same time, it abolishes and replaces the 1992
and on the free movement of such data, and repealing Directive Data Protection Act and the 2001 Royal Decree which imple-
95/46/EC (the “General Data Protection Regulation” or mented it.
“GDPR”). The GDPR repealed Directive 95/46/EC (the
“Data Protection Directive”) and has led to increased (though 1.3 Is there any sector-specific legislation that impacts
not total) harmonisation of data protection law across the EU data protection?
Member States.
Book XII of the Code of Economic Law, which deals with
1.2 Is there any other general legislation that impacts certain legal aspects of information society services, provides a
data protection? specific set of rules regarding the use of personal data for direct
marketing purposes via electronic post, which includes email,
The law of 13 June 2005 on electronic communications imple- SMS and MMS. Books VI and XIV of the Code of Economic
ments the requirements of Directive 2002/58/EC (as amended Law, which deal with market practices and consumer protection,
by Directive 2009/136/EC) (the “ePrivacy Directive”), provide a specific set of rules regarding the use of personal data
which provides a specific set of privacy rules to harmonise the for direct marketing purposes via telephone, fax and automatic
processing of personal data by the telecoms sector. In January calling machines without human intervention.
2017, the European Commission published a proposal for an The law of 3 August 2012 contains provisions relating to the
ePrivacy regulation (the “ePrivacy Regulation”) that would processing of personal data carried out by the Federal Public Service
harmonise the applicable rules across the EU Member States – Finance in the framework of the carrying out of its mission.
and replace the current ePrivacy Directive (and its implementing The Flemish Decree of 18 July 2008 provides a specific set of
national legislation). Originally, the ePrivacy Regulation was rules concerning the exchange of administrative data by regional
intended to apply from 25 May 2018 together with the General authorities within the Flemish region.
Data Protection Regulation. Unlike with the GDPR, however, The Camera Act of 21 March 2007 regulates the installation
the EU states have not yet been able to agree on the draft legisla- and use of surveillance cameras.
tion. The last draft was published on 5 January 2021. As regards employee monitoring, Collective Bargaining
In addition, the Belgian legislator has adopted secondary Agreement No 68 on the use of cameras in the workplace and
legislation pursuant to the GDPR. Collective Bargaining Agreement No 81 on the monitoring of
The law of 3 December 2017 on the establishment of the electronic communications in the workplace are relevant.
Data Protection Authority implements the requirements of the On 8 October 2020, the Belgian legislator approved an Act
GDPR with respect to national supervisory authorities, and prohibiting life and health insurers from processing health-
reforms the Belgian Commission for the Protection of Privacy. sensor data. The Belgian legislator intends to prevent insurers
As of 25 May 2018, the Belgian Commission for the Protection from providing discounts on the basis of health-sensor data,
of Privacy carries the name “Data Protection Authority” even if the insurers have their policy-holders’ consent.

Data Protection 2021

© Published and reproduced with kind permission by Global Legal Group Ltd, London
 LYDIAN 37

1.4 What authority(ies) are responsible for data 32 Territorial Scope

protection?

3.1 Do the data protection laws apply to businesses

Since 25 May 2018, the former Commission for the Protection established in other jurisdictions? If so, in what
of Privacy carries the name “Data Protection Authority” circumstances would a business established in another
and has the powers and competences that the GDPR requires jurisdiction be subject to those laws?
national supervisory authorities to possess.
The “Flemish Supervisory Commission” was established by The GDPR applies to businesses that are established in any
the Decree of 8 June 2018. As a supervisory authority, the Flemish EU Member State, and that process personal data (either as
Supervisory Commission is responsible for supervising the appli- a controller or processor, and regardless of whether or not
cation of the GDPR by the Flemish administrative bodies. The the processing takes place in the EU) in the context of that
competences of the Flemish Supervisory Commission are in establishment.
addition, and without prejudice, to the competences of the Data A business that is not established in any Member State but is
Protection Authority. There are no similar authorities in the subject to the laws of a Member State by virtue of public inter-
Walloon or Brussels-Capital region yet. national law is also subject to the GDPR.
The GDPR applies to businesses outside the EU if they (either
22 Definitions as controller or processor) process the personal data of EU resi-
dents in relation to: (i) the offering of goods or services (whether
2.1 Please provide the key definitions used in the or not in return for payment) to EU residents; or (ii) the moni-
relevant legislation: toring of the behaviour of EU residents (to the extent that such
behaviour takes place in the EU).
■ “Personal Data”
This means any information relating to an identified or 42 Key Principles
identifiable natural person; an identifiable natural person
is one who can be identified, directly or indirectly, in 4.1 What are the key principles that apply to the
particular by reference to an identifier such as a name, an processing of personal data?
identification number, location data, an online identifier
or to one or more factors specific to the physical, physio- ■ Transparency
logical, genetic, mental, economic, cultural or social iden- Personal data must be processed lawfully, fairly and in a
tity of that natural person. transparent manner. Controllers must provide certain
■ “Processing” minimum information to data subjects regarding the
This means any operation or set of operations which is collection and further processing of their personal data.
performed on personal data or on sets of personal data, Such information must be provided in a concise, trans-
whether or not by automated means, such as collection, parent, intelligible and easily accessible form, using clear
recording, organisation, structuring, storage, adaptation and plain language.
or alteration, retrieval, consultation, use, disclosure by ■ Lawful basis for processing
transmission, dissemination or otherwise making avail- Processing of personal data is lawful only if, and to the
able, alignment or combination, restriction, erasure or extent that, it is permitted under EU data protection
destruction. law. The GDPR provides an exhaustive list of legal bases
■ “Controller” on which personal data may be processed, of which the
This means the natural or legal person, public authority, following are the most relevant for businesses: (i) prior,
agency or other body which, alone or jointly with others, freely given, specific, informed and unambiguous consent
determines the purposes and means of the processing of of the data subject; (ii) contractual necessity (i.e., the
personal data. processing is necessary for the performance of a contract
■ “Processor” to which the data subject is a party, or for the purposes
This means a natural or legal person, public authority, of pre-contractual measures taken at the data subject’s
agency or other body which processes personal data on request); (iii) compliance with legal obligations (i.e., the
behalf of the controller. controller has a legal obligation, under the laws of the EU or
■ “Data Subject” an EU Member State, to perform the relevant processing);
This means an individual who is the subject of the relevant or (iv) legitimate interests (i.e., the processing is neces-
personal data. sary for the purposes of legitimate interests pursued by the
■ “Sensitive Personal Data” controller, except where the controller’s interests are over-
These are personal data revealing racial or ethnic origin, ridden by the interests, fundamental rights or freedoms of
political opinions, religious or philosophical beliefs, trade- the affected data subjects).
union membership, data concerning health or sex life and It should be noted that businesses require stronger grounds to
sexual orientation, genetic data or biometric data. process sensitive personal data. The processing of sensitive
■ “Data Breach” personal data is only permitted under certain conditions, of
This means a breach of security leading to the accidental or which the most relevant for businesses are: (i) explicit consent
unlawful destruction, loss, alteration, unauthorised disclo- of the data subject; (ii) the processing is necessary in the
sure of, or access to, personal data transmitted, stored or context of employment law; or (iii) the processing is necessary
otherwise processed. for the establishment, exercise or defence of legal claims.
■ Other key definitions ■ Purpose limitation
“Personal Data relating to Criminal Convictions” are Personal data may only be collected for specified, explicit
personal data relating to criminal convictions and offences and legitimate purposes and must not be further processed
or related security measures.

Data Protection 2021

© Published and reproduced with kind permission by Global Legal Group Ltd, London
38 Belgium

in a manner that is incompatible with those purposes. If longer needed for their original purpose (and no new lawful
a controller wishes to use the relevant personal data in a purpose exists); (ii) the lawful basis for the processing is
manner that is incompatible with the purposes for which the data subject’s consent, the data subject withdraws that
they were initially collected, it must: (i) inform the data consent, and no other lawful ground exists; (iii) the data
subject of such new processing; and (ii) be able to rely on a subject exercises the right to object, and the controller has
lawful basis as set out above. no overriding grounds for continuing the processing; (iv)
■ Data minimisation the data have been processed unlawfully; or (v) erasure is
Personal data must be adequate, relevant and limited to necessary for compliance with EU law or national data
what is necessary in relation to the purposes for which protection law.
those data are processed. A business should only process ■ Right to object to processing
the personal data that it actually needs to process in order Data subjects have the right to object, on grounds relating
to achieve its processing purposes. to their particular situation, to the processing of personal
■ Proportionality data where the basis for that processing is either public
The processing of personal data must be balanced between interest or legitimate interest of the controller. The
the means used and the intended aim. controller must cease such processing unless it demon-
■ Retention strates compelling legitimate grounds for the processing
Personal data must be kept in a form that permits identifi- which override the interests, rights and freedoms of the
cation of data subjects for no longer than is necessary for relevant data subject or requires the data in order to estab-
the purposes for which the personal data are processed. lish, exercise or defend legal rights.
■ Data security ■ Right to restrict processing
Personal data must be processed in a manner that ensures Data subjects have the right to restrict the processing of
appropriate security of those data, including protection personal data, which means that the data may only be
against unauthorised or unlawful processing and against held by the controller, and may only be used for limited
accidental loss, destruction or damage, using appropriate purposes if: (i) the accuracy of the data is contested (and
technical or organisational measures. only for as long as it takes to verify that accuracy); (ii) the
■ Accountability processing is unlawful and the data subject requests restric-
The controller is responsible for, and must be able to tion (as opposed to exercising the right to erasure); (iii)
demonstrate, compliance with the data protection princi- the controller no longer needs the data for their original
ples set out above. purpose, but the data are still required by the controller
to establish, exercise or defend legal rights; or (iv) verifica-
52 Individual Rights tion of overriding grounds is pending, in the context of an
erasure request.
■ Right to data portability
5.1 What are the key rights that individuals have in
relation to the processing of their personal data? Data subjects have a right to receive a copy of their personal
data in a commonly used machine-readable format and
transfer their personal data from one controller to another
■ Right of access to data/copies of data or have the data transmitted directly between controllers.
A data subject has the right to obtain from the controller ■ Right to withdraw consent
the following information in respect of the data subject’s A data subject has the right to withdraw his/her consent,
personal data: (i) confirmation of whether, and where, the freely, at any time. The withdrawal of consent does not
controller is processing the data subject’s personal data; affect the lawfulness of processing based on consent
(ii) information about the purposes of the processing; (iii) before its withdrawal. Prior to giving consent, the data
information about the categories of data being processed; subject must be informed of the right to withdraw consent.
(iv) information about the categories of recipients with It must be as easy to withdraw consent as to give it.
whom the data may be shared; (v) information about the ■ Right to object to marketing
period for which the data will be stored (or the criteria Data subjects have the right to object, freely, at any time,
used to determine that period); (vi) information about and without justification, to the processing of personal data
the existence of the rights to erasure, to rectification, to for the purpose of direct marketing, including profiling.
restriction of processing and to object to processing; (vii) ■ Right to complain to the relevant data protection
information about the existence of the right to complain authority(ies)
to the relevant data protection authority; (viii) where the Data subjects have the right to lodge complaints
data were not collected from the data subject, information concerning the processing of their personal data with
as to the source of the data; and (ix) information about the the Data Protection Authority, if the data subjects live in
existence of, and an explanation of the logic involved in, Belgium or the alleged infringement occurred in Belgium.
any automated processing that has a significant effect on ■ Right to basic information
the data subject. Data subjects have the right to be provided with infor-
Additionally, the data subject may request a copy of the mation on the identity of the controller, the reasons for
personal data being processed. processing their personal data and other relevant informa-
■ Right to rectification of errors tion necessary to ensure the fair and transparent processing
Controllers must ensure that inaccurate or incomplete data of personal data. This is, in principle, proactively provided
are erased or rectified. Data subjects have the right to by the controller at the start of collecting personal data or
rectification of inaccurate personal data. when entering into contact for the first time with the data
■ Right to deletion/right to be forgotten subject.
Data subjects have the right to erasure of their personal
data (the “right to be forgotten”) if: (i) the data are no

Data Protection 2021

© Published and reproduced with kind permission by Global Legal Group Ltd, London
 LYDIAN 39

to a country not offering adequate protection of personal data

62 Registration Formalities and Prior and that are based upon (i) bespoke contractual safeguards
Approval rather than Standard Contractual Clauses approved by the
EU Commission, (ii) Binding Corporate Rules, (iii) a code of
6.1 Is there a legal obligation on businesses to register conduct, or (iv) a certification mechanism.
with or notify the data protection authority (or any other
governmental body) in respect of its processing activities?
6.10 Can the registration/notification be completed online?

No, the obligation to notify the Data Protection Authority of any

wholly or partially automated processing of personal data, which This is not applicable in our jurisdiction.
existed prior to the entry into force of the GDPR, has been abol-
ished as of the entry into force of the GDPR on 25 May 2018. 6.11 Is there a publicly available list of completed
registrations/notifications?
6.2 If such registration/notification is needed, must it be
specific (e.g., listing all processing activities, categories This is not applicable in our jurisdiction.
of data, etc.) or can it be general (e.g., providing a broad
description of the relevant processing activities)?
6.12 How long does a typical registration/notification
process take?
This is not applicable in our jurisdiction.
This is not applicable in our jurisdiction.
6.3 On what basis are registrations/notifications made
(e.g., per legal entity, per processing purpose, per data
category, per system or database)?
72 Appointment of a Data Protection Officer

7.1 Is the appointment of a Data Protection Officer

This is not applicable in our jurisdiction. mandatory or optional? If the appointment of a
Data Protection Officer is only mandatory in some
6.4 Who must register with/notify the data protection circumstances, please identify those circumstances.
authority (e.g., local legal entities, foreign legal entities
subject to the relevant data protection legislation, The appointment of a Data Protection Officer for controllers or
representative or branch offices of foreign legal entities processors is only mandatory in some circumstances, including
subject to the relevant data protection legislation)?
where there is: (i) large-scale regular and systematic monitoring
of individuals; (ii) large-scale processing of sensitive personal
This is not applicable in our jurisdiction. data; or (iii) processing carried out by a public authority or body,
except in the exercise of judicial functions by courts.
6.5 What information must be included in the The Belgian legislator has not adopted secondary legisla-
registration/notification (e.g., details of the notifying tion that renders the appointment of a Data Protection Officer
entity, affected categories of individuals, affected mandatory in cases other than those described in the GDPR.
categories of personal data, processing purposes)? Where a business designates a Data Protection Officer voluntarily,
the requirements of the GDPR apply as though the appointment were
This is not applicable in our jurisdiction. mandatory. In order to avoid this, it is recommended to call such
person a ‘Privacy Manager’ or ‘Privacy Responsible’, for instance.

6.6 What are the sanctions for failure to register/notify

where required? 7.2 What are the sanctions for failing to appoint a Data
Protection Officer where required?

This is not applicable in our jurisdiction.

In the circumstances where appointment of a Data Protection
Officer is mandatory, failure to comply may result in the wide
6.7 What is the fee per registration/notification (if range of penalties available under the GDPR.
applicable)?

7.3 Is the Data Protection Officer protected

This is not applicable in our jurisdiction. from disciplinary measures, or other employment
consequences, in respect of his or her role as a Data
6.8 How frequently must registrations/notifications be Protection Officer?
renewed (if applicable)?
The appointed Data Protection Officer should not be dismissed or
This is not applicable in our jurisdiction. penalised for performing his/her tasks and should report directly
to the highest management level of the controller or processor.
6.9 Is any prior approval required from the data
protection regulator? 7.4 Can a business appoint a single Data Protection
Officer to cover multiple entities?

Prior approval of the Data Protection Authority is required for

transfers outside the European Economic Area (the “EEA”) A group of undertakings may appoint a single Data Protection

Data Protection 2021

© Published and reproduced with kind permission by Global Legal Group Ltd, London
40 Belgium

Officer provided that the Data Protection Officer is easily acces- It is essential that the processor appointed by the business
sible from each establishment. complies with the GDPR.

7.5 Please describe any specific qualifications for the 8.2 If it is necessary to enter into an agreement, what
Data Protection Officer required by law. are the formalities of that agreement (e.g., in writing,
signed, etc.) and what issues must it address (e.g., only
processing personal data in accordance with relevant
The Data Protection Officer should be appointed because of instructions, keeping personal data secure, etc.)?
professional qualities and should have an expert knowledge of data
protection law and practices. While this is not strictly defined, it is
clear that the level of expertise required will depend on the circum- The processor must be appointed under a binding agreement in
stances. For example, the involvement of large volumes of sensi- writing. The contractual terms must stipulate that the processor:
tive personal data will require a higher level of knowledge. (i) only acts on the documented instructions of the controller; (ii)
imposes confidentiality obligations on all employees; (iii) ensures
the security of personal data that it processes; (iv) abides by the rules
7.6 What are the responsibilities of the Data Protection regarding the appointment of sub-processors; (v) implements meas-
Officer as required by law or best practice? ures to assist the controller with guaranteeing the rights of data
subjects; (vi) assists the controller in obtaining approval from the
The Data Protection Officer should be involved in all issues which relevant data protection authority; (vii) either returns or destroys the
relate to the protection of personal data. The GDPR outlines the personal data at the end of the relationship (except as required by EU
minimum tasks required by the Data Protection Officer, which or Member State law); and (viii) provides the controller with all infor-
include: (i) informing the controller, processor and their rele- mation necessary to demonstrate compliance with the GDPR, and
vant employees who process data of their obligations under the allows for and contributes to audits, including inspections, conducted
GDPR; (ii) monitoring compliance with the GDPR, national by the controller or another auditor mandated by the controller.
data protection legislation and internal policies in relation to
the processing of personal data including internal audits; (iii) 92 Marketing
advising on data protection impact assessments and the training
of staff; and (iv) co-operating with the Data Protection Authority
9.1 Please describe any legislative restrictions on
and acting as the Data Protection Authority’s primary contact the sending of electronic direct marketing (e.g., for
point for issues related to data processing. marketing by email or SMS, is there a requirement to
obtain prior opt-in consent of the recipient?).
7.7 Must the appointment of a Data Protection Officer
be registered/notified to the relevant data protection Direct marketing per electronic post (which includes email, SMS
authority(ies)? and MMS) is only authorised where the recipient specifically and
freely consented to it (opt-in). However, there are two excep-
Yes, the controller or processor must notify the Data Protection tions to this rule. Firstly, sending electronic direct marketing
Authority of the contact details of the designated Data Protection to legal entities using a non-personal email address (e.g., info@
Officer. company.com) is allowed on an opt-out basis. Secondly, sending
electronic direct marketing to existing customers about identical
or similar products is also allowed on an opt-out basis, provided
7.8 Must the Data Protection Officer be named in a
a number of strict conditions are met. It should be noted that,
public-facing privacy notice or equivalent document?
even when the recipient previously consented to the use of his/
her electronic contact details for direct marketing purposes, he/
The Data Protection Officer does not necessarily need to be named she can at any time oppose the further use of his/her electronic
in the public-facing privacy notice. However, the contact details contact details for direct marketing purposes.
of the Data Protection Officer must be notified to the data subject
when personal data relating to that data subject are collected. As a
matter of good practice, the Article 29 Working Party (the “WP29”) 9.2 Are these restrictions only applicable to business-
to-consumer marketing, or do they also apply in a
(now the European Data Protection Board (the “EDPB”)) recom-
business-to-business context?
mended in its 2017 guidance on Data Protection Officers that both
the Data Protection Authority and employees should be notified of
the name and contact details of the Data Protection Officer. The restrictions apply to business-to-consumer marketing as
well as in a business-to-business context.
82 Appointment of Processors
9.3 Please describe any legislative restrictions on
8.1 If a business appoints a processor to process the sending of marketing via other means (e.g., for
personal data on its behalf, must the business enter into marketing by telephone, a national opt-out register must
any form of agreement with that processor? be checked in advance; for marketing by post, there are
no consent or opt-out requirements, etc.).

Yes. The business that appoints a processor to process personal

For marketing by telephone, a national opt-out register (the
data on its behalf, is required to enter into an agreement with the
so-called “Do Not Call Me Robinson List”) exists and busi-
processor which sets out the subject matter for processing, the
nesses carrying out direct marketing by telephone are required
duration of processing, the nature and purpose of processing,
to check this list in advance.
the types of personal data and categories of data subjects and
the obligations and rights of the controller (i.e., the business).

Data Protection 2021

© Published and reproduced with kind permission by Global Legal Group Ltd, London
 LYDIAN 41

Direct marketing by post does not require the prior consent

of the addressee but can be carried out on an opt-out basis. For
102 Cookies
direct marketing (on a personalised basis) by post, a national
opt-out register has been put in place but is only mandatory for 10.1 Please describe any legislative restrictions on the
use of cookies (or similar technologies).
businesses that are members of the Belgian Direct Marketing
Association (the “BDMA”). For non-personalised advertising
by post, anyone can ask to be provided with “Stop-Pub” stickers The law of 13 June 2005 on electronic communications imple-
to stick on his/her mailbox. ments Article 5 of the ePrivacy Directive. Pursuant to Article 5 of
For marketing by fax or via automated calling machines the EU ePrivacy Directive, the storage of cookies (or other data) on
without human intervention, the prior consent of the recipient an end user’s device requires prior consent (the applicable standard
is required (opt-in). of consent is derived from the GDPR). For consent to be valid, it
must be informed, specific, freely given and must constitute a real
and unambiguous indication of the individual’s wishes. This does
9.4 Do the restrictions noted above apply to marketing
not apply if: (i) the cookie is for the sole purpose of carrying out
sent from other jurisdictions?
the transmission of a communication over an electronic commu-
nications network; or (ii) the cookie is strictly necessary to provide
Yes, they do. an “information society service” (i.e., a service provided over the
internet) requested by the subscriber or user, which means that it
9.5 Is/are the relevant data protection authority(ies) active must be essential to fulfil the user’s request.
in enforcement of breaches of marketing restrictions? The use of cookies is only authorised if the person has had, before
any use of cookies, clear and precise information concerning the
Under the GDPR, the Data Protection Authority will have purpose of the processing and his/her rights. The controller must
the right to carry out investigations and enforce the GDPR, also freely give the opportunity to the subscriber or users to with-
including by imposing administrative sanctions. Aside from draw their consent at any time. Information must also be provided
the Data Protection Authority, the Economic Inspection (which with respect to the term of validity of the cookies used.
is part of the Federal Public Service Economy) has powers to The EU Commission intends to pass a new ePrivacy Regulation
enforce the specific rules on direct marketing which form part that will replace the respective national legislation in the EU
of Books VI, XII and XIV of the Code of Economic Law. Both Member States.
authorities are active in enforcement of breaches of marketing
restrictions. Most investigations are, however, started on the 10.2 Do the applicable restrictions (if any) distinguish
basis of complaints filed by individuals. between different types of cookies? If so, what are the
relevant factors?

9.6 Is it lawful to purchase marketing lists from

third parties? If so, are there any best practice The applicable restrictions indeed distinguish between different
recommendations on using such lists? types of cookies. A distinction is made, amongst others, between
session cookies (which have a time limit and are deleted after the
Yes, provided that data protection legislation is complied with. browsing session) and permanent cookies (which are kept on
This means, amongst others, that the collection and processing the user’s hard drive for an indefinite duration). Furthermore, a
of the data must have been carried out in compliance with the distinction is made between first-party cookies (which are placed
principles of the GDPR (including lawful basis, compliance by the website owner) and third-party cookies (which are placed
with the opt-in and opt-out rules, transparency, purpose limita- by a third party, e.g., Facebook or Google). A distinction is also
tion, accuracy, security and confidentiality). made between tracking cookies (which are used to collect data
Businesses are strongly advised to seek appropriate guaran- about the browsing behaviour of the user on various websites)
tees from the seller of marketing lists, including with respect and other cookies. In principle, the storage of cookies on an end
to: (i) the fact that the data have been gathered and processed user’s device requires prior consent. This does not, however,
in compliance with the GDPR; (ii) the fact that the individuals apply to merely technical cookies and necessary cookies.
whose data are included have consented to the use of their data
for direct marketing purposes; and (iii) the fact that the transfer 10.3 To date, has/have the relevant data protection
of the data is in accordance with the fair processing notices authority(ies) taken any enforcement action in relation
provided to the individuals and with the GDPR. to cookies?

9.7 What are the maximum penalties for sending The Belgian Institute of Postal Services and Telecommunications
marketing communications in breach of applicable (the “BIPT/IBPT”) is in charge of monitoring compliance by
restrictions? businesses with the law of 13 June 2005 on electronic commu-
nications, together with the Data Protection Authority. In 2017,
Based on a breach of Books VI, XII and XIV of the Code of the Commission for the Protection of Privacy (being the prede-
Economic Law, in case of proceedings before Belgian criminal cessor of the Data Protection Authority) took aim at Facebook in
courts, the maximum penalty for sending marketing commu- connection with the use of cookies for the purposes of tracking
nications in breach of applicable restrictions is a criminal fine internet users and instituted proceedings against Facebook in
of EUR 10,000. This amount is to be multiplied by eight in connection therewith. By a decision dated 16 February 2018,
accordance with the law on criminal surcharges. Based on a Facebook was condemned by the Brussels Court of First
breach of GPDR, in case of proceedings before the Belgian Instance for having tracked an internet user without them either
Data Protection Authority, the maximum penalty is the higher knowing or consenting. The court issued a fine of EUR 250,000
of EUR 20,000,000 or 4% of worldwide turnover. per day with a maximum fine of EUR 100,000,000.

Data Protection 2021

© Published and reproduced with kind permission by Global Legal Group Ltd, London
42 Belgium

In addition, recently, the Belgian Data Protection Authority appropriate safeguards on the data transfer, as prescribed by the
imposed an administrative fine of EUR 15,000 on a company GDPR. The GDPR offers a number of ways to ensure compli-
that manages a website with legal news and information, as the ance for international data transfers, of which one is consent of
company did not comply with the provisions of the GDPR and the relevant data subject. Other common options are the use of
the provisions of the ePrivacy Directive. SCCs or Binding Corporate Rules (“BCRs”).
Businesses can adopt the Standard Contractual Clauses
drafted by the EU Commission – these are available for transfers
10.4 What are the maximum penalties for breaches of
applicable cookie restrictions? between controllers, transfers from controller to a processor or
from a processor to a controller and transfers between proces-
sors. New sets of SCC have been published on 4 June 2021
There are no specific (criminal) sanctions linked to the breach by the EU Commission. Moreover, based on the Schrems II
of the applicable cookie restrictions as laid down in the law of Decision, organisations needed to re-evaluate their data trans-
13 June 2005 on electronic communications. To the extent the fers to third countries if based on SCCs. Whether the SCCs are
breach also constitutes a breach of the applicable data protec- still a sufficient safeguard for transfers to certain third coun-
tion laws (e.g., the obligation to inform the data subject of the tries will require further examination. For instance, in the US,
processing of personal data), the controller could, however, be it is hard to see how the concerns raised by the CJEU regarding
sanctioned with fines applicable for breaches of the data protec- the Privacy Shield would not apply when the SCCs are at issue.
tion laws. Indeed, based on a breach of GPDR, in case of International data transfers may also take place on the basis of
proceedings before the Belgian Data Protection Authority, the contracts agreed between the data exporter and data importer
maximum penalty is the higher of EUR 20,000,000 or 4% of provided that they conform to the protections outlined in the
worldwide turnover. GDPR, and they have prior approval by the relevant data protec-
tion authority.
112 Restrictions on International Data International data transfers within a group of businesses can
Transfers be safeguarded by the implementation of BCRs. The BCRs will
always need approval from the relevant data protection authority.
11.1 Please describe any restrictions on the transfer of Most importantly, the BCRs will need to include a mechanism to
personal data to other jurisdictions. ensure they are legally binding and enforced by every member in
the group of businesses. Among other things, the BCRs must
set out the group structure of the businesses, the proposed data
Data transfers to other jurisdictions that are not within the
transfers and their purpose, the rights of data subjects, the mech-
EEA can only take place if the transfer is to an “Adequate
anisms that will be implemented to ensure compliance with the
Jurisdiction” (as specified by the EU Commission), the busi-
GDPR and the relevant complainant procedures.
ness has implemented one of the required safeguards as spec-
ified by the GDPR, or one of the derogations specified in the
GDPR applies to the relevant transfer. The EDPB Guidelines 11.3 Do transfers of personal data to other jurisdictions
(2/2018) set out that a “layered approach” should be taken with require registration/notification or prior approval from the
respect to these transfer mechanisms. If the transfer is not to an relevant data protection authority(ies)? Please describe
which types of transfers require approval or notification,
Adequate Jurisdiction, the data exporter should first explore the
what those steps involve, and how long they typically take.
possibility of implementing one of the safeguards provided for
in the GDPR before relying on a derogation.
It is likely that the international data transfer will require prior
approval from the relevant data protection authority unless they
11.2 Please describe the mechanisms businesses have already established a GDPR-compliant mechanism as set
typically utilise to transfer personal data abroad in
out above for such transfers.
compliance with applicable transfer restrictions (e.g.,
consent of the data subject, performance of a contract In any case, most of the safeguards outlined in the GDPR will
with the data subject, approved contractual clauses, need initial approval from the data protection authority, such as
compliance with legal obligations, etc.). the establishment of BCRs. When personal data is transferred to
an Adequate Jurisdiction or using Standard Contractual Clauses,
Under the GDPR, transfers are only allowed to countries that prior approval from the relevant data protection authority is not
provide an adequate level of protection, or under one of the required. On the contrary, international data transfers based
other provisions of Chapter 5 of the GDPR. upon BCRs, bespoke contractual clauses, codes of conduct or
The EU Commission has compiled a list of third countries certification mechanisms require prior approval from the rele-
that are deemed to offer an adequate level of protection such vant data protection authority.
as Andorra, Argentina, Canada, Japan, and Switzerland. Since
the recent Schrems II Decision of the Court of Justice, the United 11.4 What guidance (if any) has/have the data
States no longer benefits from the Privacy Shield mechanism and protection authority(ies) issued following the decision
is not considered a country offering adequate protection. On of the Court of Justice of the EU in Schrems II (Case
the other hand, the Court of Justice declared that examination C‑311/18)?
of Decision 2010/87 on Standard Contractual Clauses (“SCCs
Decision”) in light of the Charter of Fundamental Rights (the The (brief) guidance of the Belgian Data Protection Authority
“Charter”) has disclosed nothing to affect the validity of that summarises the conclusions of the Court of Justice, advises
decision, but nevertheless questioned the Standard Contractual companies to consult the FAQ published by the EDPB and
Clauses (“SCCs”) validity for transfers to the US and other explains that the Belgian Data Protection Authority is investi-
third countries. gating the consequences of Schrems II but has so far not published
When transferring personal data to a country other than an any additional guidance.
Adequate Jurisdiction, businesses must ensure that there are

Data Protection 2021

© Published and reproduced with kind permission by Global Legal Group Ltd, London
 LYDIAN 43

11.5 What guidance (if any) has/have the data organisations must comply with the minimum obligations of the
protection authority(ies) issued in relation to the directive. For companies with 50 to 249 employees, a Member
European Commission’s revised Standard Contractual State can still provide an exception regarding the obligation to
Clauses? set up internal reporting channels: this obligation can be post-
poned until 17 December 2023.
No guidance has been published by the Belgian Data Protection
Authority in this respect. 12.2 Is anonymous reporting prohibited, strongly
discouraged, or generally permitted? If it is prohibited or
122 Whistle-blower Hotlines discouraged, how do businesses typically address this
issue?

12.1 What is the permitted scope of corporate whistle-

blower hotlines (e.g., restrictions on the types of issues Anonymous reporting is not prohibited under EU data protec-
that may be reported, the persons who may submit a tion law; however, it raises problems as regards the essential
report, the persons whom a report may concern, etc.)? requirement that personal data should only be collected fairly.
In Opinion 1/2006, the WP29 considered that only identified
Internal whistle-blowing schemes are generally established in reports should be advertised in order to satisfy this requirement.
pursuance of a concern to implement proper corporate govern- Businesses should not encourage or advertise the fact that anon-
ance principles in the daily functioning of businesses. Whistle- ymous reports may be made through a whistle-blower scheme.
blowing is designed as an additional mechanism for employees An individual who intends to report to a whistle-blowing
to report misconduct internally through a specific channel and system should be aware that he/she will not suffer due to his/
supplements a business’ regular information and reporting her action. The whistle-blower, at the time of establishing the
channels, such as employee representatives, line management, first contact with the scheme, should be informed that his/her
quality-control personnel or internal auditors who are employed identity will be kept confidential at all the stages of the process,
precisely to report such misconduct. and in particular will not be disclosed to third parties, such as
The WP29 has limited its Opinion 1/2006 on the application the incriminated person or to the employee’s line management.
of EU data protection rules to internal whistle-blowing schemes If, despite this information, the person reporting to the scheme
to the fields of accounting, internal accounting controls, auditing still wants to remain anonymous, the report will be accepted
matters, fight against bribery, banking and financial crime. The into the scheme. Whistle-blowers should be informed that their
scope of corporate whistle-blower hotlines, however, does not identity may need to be disclosed to the relevant people involved
need to be limited to any particular issues. In the Opinion, in any further investigation or subsequent judicial proceed-
it is recommended that the business responsible for the whis- ings instigated as a result of any enquiry conducted by the whis-
tle-blowing scheme should carefully assess whether it might be tle-blowing scheme.
appropriate to limit the number of persons eligible for reporting
alleged misconduct through the whistle-blowing scheme and 132 CCTV
whether it might be appropriate to limit the number of persons
who may be reported through the scheme, in particular in the 13.1 Does the use of CCTV require separate registration/
light of the seriousness of the alleged offences reported. notification or prior approval from the relevant data
In 2007, the Commission for the Protection of Privacy also protection authority(ies), and/or any specific form of
issued a recommendation on internal whistle-blowing schemes. public notice (e.g., a high-visibility sign)?
The recommendation provides guidance to organisations on
how to implement and operate whistle-blowing schemes in A data protection impact assessment (“DPIA”) must be under-
accordance with data protection law, and is largely inspired by taken with assistance from the Data Protection Officer when
the WP29 Opinion 1/2006 discussed above. there is a systematic monitoring of a publicly accessible area on
Moreover, the Directive (EU) 2019/1937 applies to both the a large scale. If the DPIA suggests that the processing would
private and public sectors and applies to anyone who reports result in a high risk to the rights and freedoms of individuals
or discloses the obtained information concerning breaches in a prior to any action being taken by the controller, the controller
work-related context. (Ex-)employees, civil servants, consult- must consult the data protection authority.
ants, (un)remunerated trainees, directors and shareholders are During the course of a consultation, the controller must
all protected when they report a breach in good faith. provide information on the responsibilities of the controller and/
The material scope of the Directive is wide. It concerns, inter or processors involved, the purpose of the intended processing,
alia, breaches on financial services and markets, money laun- a copy of the DPIA, the safeguards provided by the GDPR to
dering, public procurement, transport safety, protection of protect the rights and freedoms of data subjects and where appli-
the environment, consumer protection, public health, protec- cable, the contact details of the Data Protection Officer.
tion of privacy and personal data, as well as breaches relating If the data protection authority is of the opinion that the
to the internal market. The national legislation can extend this CCTV monitoring would infringe the GDPR, it has to provide
scope with a view to ensuring that there is a comprehensive and written advice to the controller within eight weeks of the request
coherent whistle-blower protection framework. of a consultation and can use any of its wider investigative, advi-
Belgium has to implement this directive in national legislation sory and corrective powers outlined in the GDPR.
by 17 December 2021. The Belgian legislator introduced a new administrative obli-
There is currently no legislation in place, except for the gation in the Surveillance Camera Act as well as in the Police
banking and insurance sectors and for certain public authorities Service Act with regard to recording the use of cameras. This
or organisations. It is not yet clear whether, and if so to what register forms an extensive logbook about the use of the cameras.
extent, Belgium will provide more protective rules. Moreover, according to current Belgian legislation on surveil-
However, by 17 December 2021, all companies with 50 lance cameras, installing CCTV in public areas is only permitted
or more employees in the private sector and all public sector after positive advice from the communal or city council and the

Data Protection 2021

© Published and reproduced with kind permission by Global Legal Group Ltd, London
44 Belgium

chief of police, which requires a safety investigation. In addi- purposes of such monitoring, and if it is only to monitor
tion, when installing CCTV in public areas, the controller must the employees, the use of the CCTV must be temporary.
inform the local chief of police.
When installing CCTV, a sign must be placed to warn indi-
14.2 Is consent or notice required? Describe how
viduals that the area is under CCTV surveillance and to inform employers typically obtain consent or provide notice.
them of the identity and contact details of the controller.
Consent is not required as it would not be freely given, taking
13.2 Are there limits on the purposes for which CCTV into account the imbalance of power between the employer
data may be used? and the employee. Fair processing notices are always required.
Employers usually inform the workers of the monitoring via the
CCTV for surveillance purposes can only be installed and Work Regulations, via a specific policy or, when it is punctual,
used for the following purposes: (i) to prevent, record or detect before the monitoring activity.
offences; (ii) to prevent, record or detect disturbances; or (iii) to
maintain public order.
14.3 To what extent do works councils/trade unions/
CCTV can only be used in the workplace for the following employee representatives need to be notified or
purposes: (i) health and safety; (ii) protection of company prop- consulted?
erty; (iii) surveillance of the production process; or (iv) moni-
toring of the work of employees. The employer must clearly and
Pursuant to Collective Bargaining Agreement N° 68 on the
explicitly define the purposes of the CCTV system installed in
protection of privacy of workers with regard to CCTV in the work-
the workplace.
place and Collective Bargaining Agreement N° 81 concerning the
protection of workers’ private lives in respect of the monitoring of
142 Employee Monitoring electronic communications in the workplace, the Works Council
or, in the absence of a Works Council, the Committee for Health
14.1 What types of employee monitoring are permitted and Safety or the employee representatives, must be informed of
(if any), and in what circumstances? the use of CCTV in the workplace and the monitoring of elec-
tronic communications in the workplace.
According to, amongst others, Collective Bargaining Agreement
N° 68 (on the use of CCTV in the workplace) and Collective 152 Data Security and Data Breach
Bargaining Agreement N° 81 (on the monitoring of electronic
communications in the workplace): 15.1 Is there a general obligation to ensure the security
■ the employer may monitor the hours worked through the of personal data? If so, which entities are responsible
use of a time registration system, but only if the employee for ensuring that data are kept secure (e.g., controllers,
has been informed of this use beforehand; processors, etc.)?
■ the employer may consult the electronic agenda of an
employee if it is necessary for the proper conduct of the Yes. Personal data must be processed in a way which ensures
business and there are no other, less intrusive, means to security and safeguards against unauthorised or unlawful
obtain the information; processing, accidental loss, destruction and damage of the data.
■ the employer may systematically monitor the professional Both controllers and processors must ensure they have appro-
telephone conversations in order to monitor the quality priate technical and organisational measures to meet the require-
of the service, depending on the employee’s function; ments of the GDPR. Depending on the security risk, this may
call centres must always inform their employees that the include: the encryption of personal data; the ability to ensure the
conversations may be recorded and listened to; ongoing confidentiality, integrity and resilience of processing
■ emails of a professional nature may be accessed by the systems; an ability to restore access to data following a technical
employer in the absence of the employee, in order to or physical incident; and a process for regularly testing and eval-
ensure the continuity of service, provided the employer uating the technical and organisational measures for ensuring
complies with the data protection legislation; the employer the security of processing.
must inform the employee beforehand that such access
may happen and only look at the emails which seem to be
related to ongoing cases and are related to the period in 15.2 Is there a legal requirement to report data breaches to
which the employee was absent without the correspondent the relevant data protection authority(ies)? If so, describe
what details must be reported, to whom, and within
knowing it;
what timeframe. If no legal requirement exists, describe
■ monitoring of electronic communications in the work- under what circumstances the relevant data protection
place is permitted to the extent the data protection laws and authority(ies) expect(s) voluntary breach reporting.
Collective Bargaining Agreement N° 81 are complied with;
■ the use of geo-localisation is permitted under strict condi-
The controller is responsible for reporting a personal data
tions and only if there is no other, less intrusive, manner
breach without undue delay (and in any case within 72 hours of
to monitor the employees; the data should not be kept
first becoming aware of the breach) to the relevant data protec-
longer than necessary; if the employer wishes to conduct
tion authority, unless the breach is unlikely to result in a risk to
an in-depth investigation, he must inform the employee
the rights and freedoms of the data subject(s). A processor must
and provide him the opportunity to be heard; and
notify any data breach to the controller without undue delay.
■ monitoring of employees through CCTV installed in
The notification must include the nature of the personal data
the workplace is permitted to the extent the data protec-
breach, including the categories and number of data subjects
tion laws and Collective Bargaining Agreement N° 68
concerned, the name and contact details of the Data Protection
are complied with; the employer must clearly define the
Officer or relevant point of contact, the likely consequences

Data Protection 2021

© Published and reproduced with kind permission by Global Legal Group Ltd, London
 LYDIAN 45

of the breach and the measures taken to address the breach, (e) Non-compliance with a data protection authority:
including attempts to mitigate possible adverse effects. The GDPR provides for administrative fines which will be
EUR 20,000,000 or up to 4% of the business’s worldwide
annual turnover of the proceeding financial year, which-
15.3 Is there a legal requirement to report data
breaches to affected data subjects? If so, describe what ever is higher.
details must be reported, to whom, and within what
timeframe. If no legal requirement exists, describe 16.2 Does the data protection authority have the power
under what circumstances the relevant data protection to issue a ban on a particular processing activity? If so,
authority(ies) expect(s) voluntary breach reporting. does such a ban require a court order?

Controllers have a legal requirement to communicate the breach The GDPR entitles the relevant data protection authority to
to the data subject, without undue delay, if the breach is likely impose a temporary or definitive limitation, including a ban on
to result in a high risk to the rights and freedoms of the data processing. Pursuant to the law of 3 December 2017 on the
subject. establishment of the Data Protection Authority, the inspection
The notification must include the name and contact details chamber of the Data Protection Authority can order, by way of
of the Data Protection Officer (or point of contact), the likely a temporary measure, the suspension, limitation or freezing of
consequences of the breach and any measures taken to remedy the processing under review, if the data concerned could cause
or mitigate the breach. damage which is serious, immediate and difficult to repair.
The controller may be exempt from notifying the data subject The litigation chamber can order the temporary or definitive
if the risk of harm is remote (e.g., because the affected data is freezing, restriction or prohibition of the processing.
encrypted), the controller has taken measures to minimise the
risk of harm (e.g., suspending affected accounts) or the notifi-
cation requires a disproportionate effort (e.g., a public notice of 16.3 Describe the data protection authority’s approach to
the breach). exercising those powers, with examples of recent cases.

Before the law of 3 December 2017 on the establishment of the

15.4 What are the maximum penalties for data security
breaches? Data Protection Authority, the Commission for the Protection
of Privacy did not have the power to issue a ban on a particular
processing activity. However, it could institute proceedings
The maximum penalty is the higher of EUR 20,000,000 or 4% against the controller before the regular courts and tribunals in
of worldwide turnover. order to obtain such a ban or transfer the matter to the Public
Prosecutor for criminal proceedings against the controller. In
162 Enforcement and Sanctions 2017, the Commission for the Protection of Privacy instituted
proceedings against Facebook before the Court of First Instance
16.1 Describe the enforcement powers of the data in Brussels. On 16 February 2018, the Brussels Court of First
protection authority(ies). Instance condemned Facebook for having tracked internet users
without their knowledge or consent, and ordered the ceasing of
(a) Investigative Powers: The Data Protection Authority has the unlawful processing under penalty of a fine of EUR 250,000
wide powers to order the controller and the processor to per day with a maximum of EUR 100,000,000.
provide any information it requires for the performance On 2 April 2019, the Data Protection Authority issued a ban
of its tasks, to conduct investigations in the form of data on processing activities that were infringing data protection
protection audits, to carry out reviews on certificates laws, which could not be rectified. The case involved the place-
issued pursuant to the GDPR, to notify the controller or ment of cameras in the common areas of student rooms. The
processor of alleged infringement of the GDPR, to access placement of such cameras was to be disproportionate to the
all personal data and all information necessary for the objective of combatting vandalism, damage and nuisance. In
performance of controllers’ or processors’ tasks and access other cases, it was ordered that a processing operation shall be
to the premises of the data including any data processing made compliant with the GDPR.
equipment.
(b) Corrective Powers: The Data Protection Authority has 16.4 Does the data protection authority ever exercise
a wide range of powers, including to issue warnings or its powers against businesses established in other
reprimands for non-compliance, to order the controller jurisdictions? If so, how is this enforced?
to disclose a personal data breach to the data subject, to
impose a permanent or temporary ban on processing, to The Data Protection Authority does indeed exercise its powers
withdraw a certification and to impose an administrative against businesses established in other jurisdictions. On 16
fine (as below). February 2018, the Brussels Court of First Instance condemned
(c) Authorisation and Advisory Powers: The Data Facebook, including Facebook Ireland Limited and Facebook
Protection Authority has a wide range of powers to advise Inc., for having tracked internet users without their knowl-
the controller, accredit certification bodies and to authorise edge or consent. The court ordered the ceasing of the unlawful
certificates, contractual clauses, administrative arrange- processing under the penalty of a fine of EUR 250,000 per day
ments and binding corporate rules as outlined in the GDPR. with a maximum of EUR 100,000,000. The judgment has,
(d) Imposition of administrative fines for infringements however, been appealed by Facebook and the matter will now
of specified GDPR provisions: The GDPR provides for be heard by the Court of Appeals of Brussels. The latter referred
administrative fines which can be EUR 20,000,000 or up the case for a ruling to the European Court of Justice (C-645/19).
to 4% of the business’s worldwide annual turnover of the The case concerns questions on the lead supervisory authority
proceeding financial year. and the cooperation between authorities in cross-border

Data Protection 2021

© Published and reproduced with kind permission by Global Legal Group Ltd, London
46 Belgium

GDPR cases. The Advocate General states that the supervi-

sory authority in the Member State where a data controller or
182 Trends and Developments
processor (in this case Facebook) has its main EU establishment
(which is Ireland for Facebook) has a general competence to start 18.1 What enforcement trends have emerged during the
previous 12 months? Describe any relevant case law.
court proceedings for GDPR infringements in relation to cross-
border data processing. The Advocate General emphasised the
one-stop-shop nature of a ‘lead’ supervisory authority in cross- The Data Protection Authority’s Litigation Chamber already
border data processing cases – a contrary situation meaning the announced a substantial number of decisions. The sanctions
coherence of the whole system would be impacted. However, imposed are diverse, as are the subject matters involved. The
such lead supervisory authority cannot be the sole enforcer of the Belgian Data Protection Authority has most definitely shown its
GDPR in cross-border cases, and ought to closely cooperate with teeth in the last years as the Litigation Chamber issued multiple
other relevant supervisory authorities. Moreover, the Advocate- fines. The highest fine was imposed on Google (EUR 600,000),
General does not exclude the possibility that other national other fines vary between EUR 1,000–100,000 depending on the
supervisory authorities can also commence proceedings in their severity of the infringements as well as the so-called ‘exemplary
respective Member States, if the GDPR expressly allows them to role’ of the defendant.
do so, for example, where national supervisory authorities: The most notable decisions contain the following learnings
■ act outside the material scope of the GDPR; for undertakings operating in Belgium:
■ investigate into cross-border data processing carried out ■ undertakings should take note that, when opting for an
by public authorities, in the public interest, in the exercise internal Data Protection Officer, his/her position should
of official authority or by controllers not established in the be carefully assessed, including whether there are possible
Union; conflicts of interests and incompatibilities such as for
■ adopt urgent measures; or Compliance Officers;
■ intervene following the lead supervisory authority having ■ undertakings should be aware that a notification of a data
decided not to handle a case. breach might be a trigger for the Belgian Data Protection
In its decision of 15 June 2021, the Court of Justice considers Authority to look for other possible infringements and
that the GDPR authorises, under certain conditions, a non-lead may therefore give rise to an in-depth inspection by the
supervisory authority of a Member State to exercise its power to Belgian Data Protection Authority’s Inspection Service;
bring any alleged infringement of the GDPR before a court of ■ as regards compliance with data subject’s requests, control-
that State and to initiate or engage in legal proceedings in rela- lers should only request proof of identity where reasonable
tion to an instance of cross-border data processing. doubt exists as to the identity of the person exercising the
data subject right; and
172 E-discovery / Disclosure to Foreign Law ■ as regards surveillance cameras, it should be noted that
controllers should (i) carefully consider the purposes of
Enforcement Agencies the use of surveillance cameras, (ii) consider whether the
placing of surveillance cameras is proportionate to such
17.1 How do businesses typically respond to foreign purposes, (iii) notify the placement of surveillance cameras
e-discovery requests, or requests for disclosure from
to the police, and (iv) ensure the related processing is
foreign law enforcement agencies?
mentioned in their records of processing activities.
The Litigation Chamber was somewhat tempered in its
Where e-discovery requests or requests for disclosure from enthusiasm to sanction non-compliance controllers and
foreign law enforcement agencies require a transfer of personal processors by the Brussels Market Court, as it has already
data to non-EEA countries not offering adequate protection of reversed a number of decisions of the Litigation Chamber.
personal data, businesses typically either (i) agree on appropriate
safeguards with the recipient (if and to the extent possible), (ii)
seek the explicit consent of the data subjects for the disclosure 18.2 What “hot topics” are currently a focus for the data
protection regulator?
and transfer, (iii) limit the disclosure to anonymous data, and/or
(iv) provide a legal opinion from a reputable law firm to confirm
that the disclosure and transfer is not permitted under applicable In the 2019–2025 Strategic Plan, the Belgian Data Protection
data protection laws. Authority indicated that it will focus its actions on the following
aspects of the GDPR:
■ the role of the data protection officer, with a particular focus
17.2 What guidance has/have the data protection
on companies that have appointed a data protection officer
authority(ies) issued?
without allowing them to act in accordance with the GDPR;
■ the lawfulness of data processing activities, and more
The WP29 has issued an Opinion 1/2009 on pre-trial discovery particularly the (abusive) processing of personal data based
for cross-border litigation, which provides guidance to control- on the legitimate interests legal basis; and
lers subject to EU law in dealing with requests to transfer ■ data subjects’ rights, specifically the scope of some of these
personal data to another jurisdiction for use in civil litigation. rights.
The Data Protection Authority has not issued any specific opin- The Data Protection Authority also has a number of social
ions on the subject, but has indicated (amongst others, in an issues high on its agenda, such as photos and cameras, data
opinion of 2008 on the SWIFT case) that it follows the opinion protection online and sensitive data.
of the WP29.

Data Protection 2021

© Published and reproduced with kind permission by Global Legal Group Ltd, London
 LYDIAN 47

Bastiaan Bruyndonckx is a Partner in LYDIAN’s Commercial & Litigation department and heads the Information & Communications
Technology (ICT) practice as well as the Information Governance & Data Protection (Privacy) practice.
Bastiaan has a particular focus on information governance, privacy, data protection and cybersecurity and advises businesses on a broad
range of industry sectors.
Bastiaan is a fellow of the Belgian American Educational Foundation (BAEF) and is a member of the International Association of Privacy
Professionals (IAPP).
Bastiaan is a regular speaker at seminars, workshops and conferences on privacy and data protection. He also regularly publishes in interna-
tional legal reviews such as Computerrecht, Privacy & Informatie, DataGuidance, Tijdschrift voor Privacy en Persoonsgegevens and Bulletin
des Assurances. Bastiaan also contributed to the book Data Protection – The Impact of the GDPR in Insurance with a chapter regarding the new
rules on consent and the processing of special categories of data under the GDPR.

LYDIAN Tel: +32 2 787 90 93

Avenue du Port 86C b113 Email: [email protected]
1000 Brussels URL: www.lydian.be
Belgium

Olivia Santantonio is counsel in LYDIAN’s Information Governance & Data Protection (Privacy) practice and IP and ICT practice.
Olivia frequently advises on data protection issues regarding, inter alia, the obligations and liability of the data controller and data processor,
the transfer of data into and out of the EU and the processing of sensitive data. She also frequently assists clients to assess their level of
compliance with the new legislation, and assists them in case of data subject requests, data breaches or Data Protection Authority requests.
She also specialises in global privacy issues (GDPR compliance, contracts review, etc.).
Olivia is a member of the International Association of Privacy Professionals (IAPP) and an active member of the International Association for
the Protection of Intellectual Property (AIPPI).

LYDIAN Tel: +32 2 787 90 07

Avenue du Port 86C b113 Email: [email protected]
1000 Brussels URL: www.lydian.be
Belgium

Liese Kuyken is an associate in Lydian’s Information & Communications Technology (ICT), Information Governance & Data Protection
(Privacy) and Intellectual Property practices.
She frequently assists clients in data protection matters regarding, for instance, data processing agreements, privacy and cookie policies,
and data subject rights. Liese is involved in several procedures regarding the processing of personal data, before the Belgian Data Protection
Authority as well as the Belgian courts. She teaches Media Law in the journalism programme at KU Leuven, where she educates students
on issues such as privacy and image rights. Furthermore, Liese is a member of the International Association of Privacy Professionals (IAPP)
and has published in the legal review Tijdschrift voor Privacy en Persoonsgegevens.

LYDIAN Tel: +32 2 787 91 34

Avenue du Port 86C b113 Email: [email protected]
1000 Brussels URL: www.lydian.be
Belgium

LYDIAN is a full-service Belgian business law firm with an Anglo-Saxon on a global basis. We frequently advise clients on multi-jurisdictional data
approach to practising law. Through a fine blend of transactional law expertise protection (privacy) compliance projects, either dealing with the local Belgian
and litigation skills, we deliver straight to-the-point solutions that add true value. aspects or leading the project for our clients with the support of local corre-
Our Information Governance & Data Protection (Privacy) team represents spondent firms advising on local law issues.
clients, large and small, from all industry sectors (including technology, retail, LYDIAN is one of the few independent law firms in Belgium operating outside
telecommunications, healthcare and life sciences, media, energy, insurance, a US/UK law firm banner. We are a popular referral choice for foreign firms
banks and other financial institutions, as well as printing and publishing seeking a high-quality law firm in Belgium with recognised skills in informa-
industries), on all aspects of information governance and data protection. tion governance and data protection, such as Hogan Lovells, Luther, Norton
Our range of services includes corporate privacy risk management, GDPR Rose Fulbright, Taylor Wessing and Willkie Farr & Gallagher.
compliance, international data transfers, records management, e-discovery, www.lydian.be
(direct) marketing, e-commerce, cybersecurity and cybercrime.
We provide assistance to our clients, from legal advice to integrated
consulting on corporate privacy risk management, as well as legislative stra-
tegic policy advice and legal compliance. We also litigate on behalf of clients
in data protection-related matters.
We advise clients on global data protection and privacy compliance chal-
lenges, including by taking into account data protection and privacy rules

Data Protection 2021

© Published and reproduced with kind permission by Global Legal Group Ltd, London
Other titles in the ICLG series

Alternative Investment Funds Digital Health Oil & Gas Regulation

Anti-Money Laundering Drug & Medical Device Litigation Patents
Aviation Finance & Leasing Employment & Labour Law Pharmaceutical Advertising
Aviation Law Enforcement of Foreign Judgments Private Client
Business Crime Environment & Climate Change Law Private Equity
Cartels & Leniency Environmental, Social & Governance Law Product Liability
Class & Group Actions Family Law Project Finance
Competition Litigation Fintech Public Investment Funds
Construction & Engineering Law Foreign Direct Investment Regimes Public Procurement
Consumer Protection Franchise Real Estate
Copyright Gambling Renewable Energy
Corporate Governance Insurance & Reinsurance Restructuring & Insolvency
Corporate Immigration International Arbitration Sanctions
Corporate Investigations Investor-State Arbitration Securitisation
Corporate Tax Lending & Secured Finance Shipping Law
Cybersecurity Litigation & Dispute Resolution Technology Sourcing
Derivatives Merger Control Telecoms, Media & Internet
Designs Mergers & Acquisitions Trade Marks
Digital Business Mining Law Vertical Agreements and Dominant Firms

@ICLG_GLG The International Comparative Legal Guides are published by: