Data Privacy & Transfer in Investigations

Last verified on Thursday 30th September 2021

Data Privacy & Transfer in Investigations: Belgium

Peter Van Dyck, Claire Caillol and Eline D'Joos

Allen & Overy LLP

SCOPE OF DATA PROTECTION LAWS RELEVANT TO CROSS-BORDER INVESTIGATIONS

1. What laws and regulations in your jurisdiction regulate the collection and processing of personal data? Are there any aspects of those laws that have specific relevance to cross-border investigations?

Belgium

The EU General Data Protection Regulation (2016/679) (the GDPR) is directly applicable in this jurisdiction. A number of provisions in the GDPR have particular relevance in the context of investigations. For example, processing of personal data must have a valid legal basis under the GDPR. Establishing a legal basis in the context of an investigation is not always straightforward, particularly where investigations involve foreign authorities or courts and where the relevant data includes sensitive data. Restrictions on international transfers create additional complexity in the context of cross-border investigations, both in relation to transfers within an organisation (and with its advisers) and in relation to transfers to foreign authorities, courts and counterparties in litigation. All processing must comply with the data protection principles under the GDPR, including the principle that processing must be fair, lawful and transparent and the principle of data minimisation. It can be challenging to ensure compliance with these principles in the context of an investigation.

The Belgian Data Protection Act of 30 July 2018 (DPA) implements the GDPR in Belgium and includes a number of specific provisions, including on the processing of criminal data and on processing by public authorities.

The functioning and powers of the Belgian Data Protection Authority, the regulator responsible for enforcing the GDPR and the DPA, are set out in the law of 3 December 2017 on the creation of the Data Protection Authority.

Answer contributed by Peter Van Dyck, Claire Caillol and Eline D'Joos

2. What other laws and regulations, besides data protection laws, may prevent data sharing in the context of an investigation?

Belgium

Anti-money laundering

Under the Belgian Anti-Money Laundering Act of 18 September 2017 (AML Act), it is prohibited to disclose to clients and third parties the fact that information has been reported to the Belgian Financial Intelligence Unit (the CTIF-CFI) or that an analysis or investigation is being or may be carried out regarding suspicions of money laundering or terrorism financing.

As an exception, it is permitted to share such information and data with supervisory authorities or for law enforcement purposes. This information and data can further be shared, subject to certain conditions, between credit or financial institutions belonging to the same group, or between legal professionals, accountants, auditors and tax advisers belonging to the same structure or acting for the same customer and transaction, with a view to preventing money laundering or terrorism financing.

The AML Act also indicates that the processing of data under this Act is subject to compliance with the relevant data protection laws.

Bank secrecy and bank confidentiality

There are no specific statutory bank secrecy or confidentiality obligations for banks and other financial institutions in Belgium. Case law is scarce on this matter. The Belgian Supreme Court has decided that the criminal law provisions on professional secrecy in the Belgian Criminal Code do not apply to bankers (Cour de Cassation, 25 October 1978). In 2012, Febelfin, the Belgian bankers’ association, published a Code of conduct setting out principles for good banking relationships with retail customers. Pursuant to this Code, banks operating in Belgium that are members of Febelfin commit to comply with the principles of secrecy, confidentiality and data protection in relation to retail clients. While adoption of this Code of conduct is voluntary, once adopted, a bank is expected to follow the Code and a breach thereof could give rise to civil action.

In the absence of a specific statutory obligation, the scope of the confidentiality principle is not entirely clear. The comments below are therefore necessarily a reasoned analysis and high-level only.

Banking confidentiality is typically seen as implied in the contractual relationship between the bank and the client. This stems from articles 1135 and 1160 of the Belgian Civil Code (which are not specific to financial institutions). Article 1135 of the Belgian Civil Code provides that ‘contractual parties are not only bound by what they explicitly stipulate in their agreement, but also by the consequences that are implied by customs/market practice’. Article 1160 of the Belgian Civil Code provides that ‘a contract must be completed by the usual provisions, even if these are not expressly included in the contract.’ Accordingly, a bank may not disclose to any third party any information about a client gained in the exercise of its professional activity, regardless of whether the client is an individual or a legal person and regardless of whether any confidentiality undertaking is provided for in the contractual documentation. However, this is without prejudice to the obligations that banks and other financial institutions may have to provide specific information about their clients to comply with their legal and regulatory obligations. For example, the law of 8 July 2018 on the organisation of a central contact point for accounts and financial contracts (and its implementing royal decrees) imposes important reporting obligations for financial institutions carrying out business in Belgium. The Central Contact Point is a central register, held by the National Bank of Belgium, to which financial institutions must report certain information on the identity of their clients and the financial products, contracts or transactions (including, for example, the balance of the account).

Tax

Under article 318 of the Belgian Income Tax Code of 1992 (the BITC/92), the tax authorities are not authorised to gather information in the accounts, books and documents of banks with a view to taxing their clients.

Exceptions to this provision include specific provisions in double tax treaties, the presence of indications of fraud, the automatic exchange of information in the framework of Directive 2011/16/EU and if the request is made by a foreign state.

According to a certain doctrine, however, information gathered by the tax authorities in breach of the aforementioned article 318 of the BITC/92 can nevertheless be withheld if certain conditions are met. This doctrine violates case law by the European Court of Justice to the extent that the breach of article 318 of the BITC/92 at the same time implies a breach of the taxpayer’s fundamental rights.

According to article 334 of the BITC/92, if a person is bound by the obligation of professional secrecy, the tax authorities are only authorised to request and gather information in relation to third persons upon approval of the relevant disciplinary authorities.

Privacy of employee communications

Privacy of employee communications is regulated by both the GDPR and Collective Bargaining Agreement No. 81 (CBA 81).

The GDPR applies to all personal data, including private emails and professional emails such as those sent between an employer and employee. It also applies to the personal data of employees and other natural persons. Although the scope of CBA 81 is not clearly defined, the general view is that CBA 81 applies to electronic communications that contain private employee information, but not emails relating solely to professional information.

Professional secrecy

Certain professions such as doctors, pharmacists or lawyers are bound by the obligation to respect professional secrecy set out in article 458bis of the Criminal Code. This means that they cannot disclose information which they have acquired in the context of their employment unless a specific derogation applies (eg, they have to testify or they are under a legal obligation to disclose information).

A breach of professional secrecy may give rise to (i) a prison sentence of one to three years, (ii) a fine up to €8,000 or (iii) both a prison sentence and a fine. In addition, specific deontological sanctions are also likely to apply.

Answer contributed by Peter Van Dyck, Claire Caillol and Eline D'Joos

3. What constitutes personal data for the purposes of data protection laws?

Belgium

The GDPR defines personal data as any data relating to a living natural person who can be identified directly or indirectly from that data, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that living person.

Personal data, therefore, does not relate to legal persons or deceased natural persons.

Data that is truly anonymised will not be ‘personal data’ for the purposes of the GDPR, as it does not identify the individual. Data is not truly anonymised if the data could re-identify the individuals to which the data relates by reasonably available means. Pseudonymised data – information no longer attributable to a specific data subject without the use of additional information, kept separately and subject to appropriate measures – remains personal data for the purposes of the GDPR.

Answer contributed by Peter Van Dyck, Claire Caillol and Eline D'Joos

4. What is the scope of application of data protection laws in your jurisdiction? What activities trigger the application of data protection laws, to whom do they apply and what is their territorial extent?

Belgium

The GDPR applies to ‘processing’, which is defined broadly and includes any activity in relation to personal data (whether or not by automated means), including collection, review, disclosure and destruction.

The direct obligations under the GDPR apply primarily to controllers (either alone or jointly with others). However, the GDPR also imposes certain direct obligations on processors.

With respect to territorial reach, the GDPR applies to (i) the processing of personal data in the context of the activities of an establishment of a controller or processor in the EEA, whether or not the processing takes place in the EEA; and (ii) the processing of personal data that is carried out in the context of the activities of an establishment of a controller or processor in a country or territory that is not a member state of the EEA where: (a) the personal data relates to a data subject who is in the EEA when the processing takes place; and (b) the processing activities are related to the offering of goods or services to data subjects in the EEA, whether or not for payment, or the monitoring of data subjects' behaviour in the EEA.

The Belgian Data Protection Act of 30 July 2018 has a similar territorial reach in the sense that ‘EEA’ in the previous paragraph should be replaced by ‘Belgium’.

Answer contributed by Peter Van Dyck, Claire Caillol and Eline D'Joos

5. What are the principal requirements under data protection laws that are relevant in the context of investigations?

Belgium

Controllers must comply with the following data protection principles:

  • lawfulness, fairness and transparency;
  • purpose limitation;
  • data minimisation;
  • accuracy;
  • storage limitation;
  • integrity and confidentiality; and
  • accountability.

Personal data cannot be processed unless there is a legal basis under article 6 of the GDPR. In an investigations context, relevant legal bases may include:

  • consent by the individual;
  • necessary for the performance of a contract;
  • necessary for compliance with a legal obligation;
  • necessary for performing tasks in the public interest or in the exercise of official functions; or
  • legitimate interests.

For sensitive personal data such as information relating to racial or ethnic origin, political opinions, religious beliefs or biometric data, the processing must comply with one of the stricter legal bases set out in article 9 of the GDPR.

The processing of data about criminal convictions and offences is dealt with separately under Article 10 of the GDPR and article 10 of the Belgian Data Protection Act of 30 July 2018.

Under articles 13 and 14 of the GDPR, the controller should inform the data subject of the processing at the latest at the time the personal data are obtained, eg by way of a specific notification or by including the information in a general privacy notice. If the personal data has been obtained directly from the data subject, article 13 of the GDPR will apply.

It may be the case in an investigations context that personal data have not been obtained directly from the data subject. If this is the case, article 14 of the GDPR will apply. The GDPR sets out exemptions to providing transparency under article 14 where this is impossible or would involve disproportionate effort on the part of the controller, but these exemptions are interpreted narrowly.

In addition, personal data may not be transferred to a country or territory outside the EEA unless the European Commission has decided that the third country or territory ensures an adequate level of protection or if the controller or processor has provided appropriate safeguards and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

Answer contributed by Peter Van Dyck, Claire Caillol and Eline D'Joos

6. Identify the data protection requirements relevant to a company carrying out an internal investigation and to a party assisting with an investigation.

Belgium

In the context of an internal investigation, any data processing and transfers need to be analysed in the same way as any other processing and transfers of personal data, and so must be carried out in compliance with the GDPR. The data protection requirements applicable to the different parties involved in the investigation depend on their role under the GDPR (ie, whether they qualify as controller or processor). Whether the third party is a processor or (joint) controller will depend on a number of factors including their role in and degree of influence over the processing activity.

In any event, a company carrying out an internal investigation must comply with the GDPR’s basic principles of legitimacy, proportionality and data minimisation, and transparency.

Legitimacy means that the company must have a legal basis as set out in article 6 of the GDPR (or article 9 for sensitive data) for the processing of personal data.

Proportionality and data minimisation mean that the processing must be limited to the personal data necessary for the purpose of the internal investigation. Appropriate safeguards must be put in place to ensure this proportionality, such as limited access or filtering of data before any collection, storage or review.

Transparency means that specific notice must be provided to the data subjects that their data will be processed in connection with an investigation in accordance with articles 13 and 14 of the GDPR. This transparency can be postponed if there is a risk that the data subject will destroy evidence or hinder the investigation once notified.

Parties assisting with an investigation will also need to ensure that they consider their own data privacy obligations. For example, is that party jointly determining the purposes and means of the processing of personal data, and thereby acting as a joint controller, or simply processing the personal data on behalf of the (sole) controller? If a party assisting in the investigation will likely be considered a data processor, a written contract must be concluded between the company acting as controller and the assisting party acting as processor, complying with the requirements of article 28 of the GDPR. This applies to processors within the same corporate group in the same way as to third-party processors.

Answer contributed by Peter Van Dyck, Claire Caillol and Eline D'Joos

RIGHTS OF INDIVIDUALS

7. Is the consent of the data subject mandatory for the processing of personal data as part of an investigation?

Belgium

The consent of the data subject is only one legal basis for processing of personal data under the GDPR. Data subject consent is, therefore, not mandatory for the processing of personal data as part of an investigation, but consent must be obtained if no other legal basis exists.

Answer contributed by Peter Van Dyck, Claire Caillol and Eline D'Joos

8. If not mandatory, should consent still be considered when planning and carrying out an investigation?

Belgium

Consent may be considered as an enabling action when planning an investigation. However, obtaining consent to the processing of personal data can be practically challenging, and proceeding with processing of personal data in reliance solely on this ground is rarely appropriate. One reason is that consent must be capable of being withdrawn at any time (a right that cannot be contracted out of, and one that would be difficult to manage in the context of an investigation).

Answer contributed by Peter Van Dyck, Claire Caillol and Eline D'Joos

9. Is consent given by employees likely to be valid in an investigation carried out by their employer?

Belgium

Consent is not freely given (and so is invalid) if a data subject has no genuine or free choice or cannot refuse or withdraw consent without detriment, or there is a clear imbalance between the parties. Consent included within an employment contract, or obtained generally by an employer from an employee, is unlikely to be valid for this reason.

Answer contributed by Peter Van Dyck, Claire Caillol and Eline D'Joos

10. How can consent be given by a data subject? Is it possible for data subjects to give their consent to processing in advance?

Belgium

There is no prescribed form for the consent, but it should be freely given, specific, informed and unambiguous. Consent can be withdrawn at any time and must be as easy to withdraw as to give.

In addition, in the case of sensitive data where consent is relied on as legal basis under article 9 GDPR or to the extent relied upon as a basis for international transfers, consent must also be explicit.

A controller may therefore wish to obtain consent by means of an additional formality to demonstrate ‘explicit’ consent (eg, a wet ink signature or a tick box that expressly uses the word ‘consent’).

Consent can be obtained through a website or other electronic means.

Whether consent given in advance, such as through general terms and conditions or account opening information, is sufficient for the purposes of the GDPR depends, among other things, on the balance of power between the controller and data subject. Consent is not freely given (and so is invalid) if a data subject has no genuine or free choice or cannot refuse or withdraw consent without detriment, or there is a clear imbalance between the parties.

Written requests for consent must be clearly distinguishable from other matters, be intelligible, be easily accessible and use clear and plain language. This means that consent should not be hidden among other terms and conditions. In any event, there is a risk that a generic consent provided through general terms and conditions is not specific and informed, and therefore not validly given by the data subject.

Note that article 10 of the Belgian Data Protection Act of 30 July 2018 requires consent for the processing of data relating to criminal offences to be given in writing.

Answer contributed by Peter Van Dyck, Claire Caillol and Eline D'Joos

11. What rights do data subjects have to access or verify their personal data, or to influence or resist the processing of their personal data, as part of an investigation?

Belgium

Right of access

A data subject has a right to request information regarding whether their personal data is being processed, known as a data subject access request. The controller must also provide a copy of the personal data to the data subject.

A controller is not required to provide personal data in response to a ‘manifestly unfounded or excessive’ request from a data subject (article 12(5) of the GDPR). If relying on this exemption, a controller should retain evidence to demonstrate why it considers the request to be unfounded or excessive. If a controller refuses to act on a request, they must also inform the data subject.

Right of rectification

Data subjects have the right to request rectification of any personal data relating to them that is inaccurate, and completion of any incomplete data.

Right of erasure

In certain circumstances, data subjects have the right to obtain the erasure of their personal data. This includes where the data is no longer necessary or where the data subject has withdrawn consent (and there is no other legal ground for the processing).

Right to object

In certain circumstances, such as when a controller is relying upon legitimate interests or the processing is necessary for performing tasks in the public interest or in the exercise of official functions, data subjects have a right to object to the processing of their personal data at any time. A controller must adhere to this objection unless it can demonstrate a legitimate basis for the processing that overrides the interests of the data subject, or if the processing is necessary within legal proceedings.

Right to restriction of processing

A data subject also has a right to obtain a restriction of processing from the controller where it believes the relevant personal data is inaccurate, the processing is unlawful or the controller no longer needs the data for the purposes of the processing. If the latter is the case, the data subject can require the controller to limit the processing to that required in the context of legal proceedings.

Competent authorities may be authorised to limit data subjects’ rights when processing personal data for the purposes of criminal law investigation, prevention and enforcement if the processing is described under articles 11 to 17 of the Belgian Data Protection Act of 30 July 2018. The requirements apply to, among others, the police, judicial authorities, the Financial Intelligence Unit, the Passenger Information Unit, customs authorities, intelligence and security services, armed forces and the coordination unit for threat assessment.

Answer contributed by Peter Van Dyck, Claire Caillol and Eline D'Joos

EXTRACTION, LEGAL REVIEW AND ANALYSIS BY THIRD PARTIES, INTERNATIONAL TRANSFER

12. Are there specific requirements to consider where third parties are appointed to process personal data in connection with an investigation?

Belgium

Where data is processed by a processor on behalf of the controller, the controller must ensure that the third-party processor is complying with the requirements on the security of data set out in the GDPR. A written contract must be entered into between the processor and controller, for which article 28 of the GDPR sets out certain mandatory provisions.

Where a processor engages a sub-processor, the contract between them must reflect the same data protection obligations.

The GDPR also imposes certain direct obligations on processors. These include an obligation to: (i) maintain a written record of processing activities carried out on behalf of each controller; (ii) designate a data protection officer where required; (iii) appoint a representative (when not established in the EU) in certain circumstances; and (iv) notify the controller without undue delay on becoming aware of a personal data breach.

These provisions of the GDPR apply to processors within the same corporate group in the same way as to other third-party processors.

Answer contributed by Peter Van Dyck, Claire Caillol and Eline D'Joos

13. Is it permitted to share personal data with law firms for the purpose of providing legal advice?

Belgium

Yes, if this falls under one of the legal bases of article 6 GDPR. A transfer of personal data to a third-party law firm for the purposes of providing legal advice needs to be analysed in the same way as any other transfer of personal data, and so must be carried out in compliance with the GDPR and the principles relating to the processing of personal data.

The following legal bases might be relevant in this regard:

  • consent;
  • processing is necessary for the performance of a contract to which the data subject is a party or for the taking of steps at the request of the data subject with a view to entering into a contract;
  • processing is necessary for compliance with a legal obligation to which the controller is subject; or
  • the legitimate interests pursued by the controller or a third party.

In addition, with respect to sensitive data, article 9 of the GDPR specifically states that processing is permitted if necessary for the establishment, exercise or defence of legal claims, which includes legal advice.

Answer contributed by Peter Van Dyck, Claire Caillol and Eline D'Joos

14. What is the position and status of law firms under data protection laws? Are law firms directly accountable for data processing under data protection laws, or is responsibility for processing by law firms shared between the law firm and the client?

Belgium

In line with the Article 29 Working Party’s Opinion 01/2010 on the concepts of ‘controller’ and ‘processor’, law firms are generally characterised as independent controllers when processing data in the course of legally representing their clients in court or advising clients as to their legal rights.

As controller, the law firm is directly accountable under data protection laws. The client and the law firm are likely considered as independent controllers with separate responsibility, because the law firm has its own legitimate interest in representing its client and its own processes in place to comply with the GDPR.

Answer contributed by Peter Van Dyck, Claire Caillol and Eline D'Joos

15. What is the position and status of legal process outsourcing firms under data protection laws?

Belgium

Generally, legal process outsourcing firms providing, eg, document review or hosting services are considered processors.

However, if their work is done by lawyers, the legal process outsourcing firm must be considered a data controller for the processing involved in that work.

Answer contributed by Peter Van Dyck, Claire Caillol and Eline D'Joos

16. Are there any additional requirements, beyond those specified above, that regulate the disclosure of data to third parties within your jurisdiction for the purpose of reviewing the content of documents, etc?

Belgium

Requirements for financial institutions

Financial institutions in Belgium must also comply with, among others, the outsourcing rules under the applicable regulatory framework. For credit institutions and payment institutions, we refer, for example, to the guidelines on material outsourcing established by the European Banking Authority (EBA). The EBA’s guidelines (which have applied since 30 September 2019, with a transitional regime until 31 December 2021) set out a series of recommendations that providers of financial services must adhere to in respect of any outsourcing arrangement, including to cloud service providers, regarding the security of data, where geographically data is located and processed and the importance of contingency planning. Similar rules and guidelines apply to other types of financial institutions, such as insurance undertakings or investment firms.

Requirements relating to monitoring of employee communications

Requirements relating to the monitoring of email correspondence differ depending on whether the correspondence concerns employee personal data or not.

The GDPR applies to all personal data, including private emails and professional emails such as those sent between an employer and employee. It also applies to the personal data of employees and other natural persons. Under Belgian law, the privacy of employee communications is regulated by both the GDPR and Collective Bargaining Agreement No. 81 (CBA 81). Although the scope of CBA 81 is not clearly defined, the general view is that CBA 81 applies to electronic communications that contain private employee information, but not emails relating solely to professional information. However, in that case, employers must still comply with the requirements set out in the GDPR.

CBA 81 and the GDPR provide that the data in employees’ electronic communications can only be processed under certain conditions if they contain personal or private information. The following conditions apply:

  • monitoring of employees’ electronic communications is only permitted for one of four legitimate purposes described by CBA 81;
  • monitoring should be proportionate to its objective;
  • certain information on the monitoring of employee communications must be provided to the individual employees and their representatives (ie, the employee representatives on the competent Works Council, health and safety committee or trade union delegation);
  • the relevant employee representatives must be consulted regularly in view of the ongoing evaluation of any monitoring system; and
  • electronic online communications may only be individualised (ie, individually identified) following a specific procedure provided under CBA 81. When electronic online communications data is individualised and irregularities are found with this data, the employer must organise a meeting with the employee.

As private electronic communication cannot always be readily distinguished from professional emails, the employer could also consider applying the principles of CBA 81 to the monitoring of professional emails of its employees.

Answer contributed by Peter Van Dyck, Claire Caillol and Eline D'Joos

17. What rules regulate the transfer of data held in your jurisdiction to a third party in another country for the purpose of reviewing the content of documents, etc?

Belgium

The GDPR distinguishes between transfers to other jurisdictions within the EEA versus outside the EEA.

Within the EEA

Personal data can circulate freely from this jurisdiction to another EEA member state as long as the general principles of the GDPR are respected. This is because EEA member states apply the same level of protection when processing personal data.

Outside the EEA

Personal data subject to the GDPR cannot be transferred to a country or territory outside the EEA unless that third country or territory provides an adequate level of protection for personal data.

The European Commission has determined that certain non-EEA countries and recipients ensure an adequate level of protection for personal data. Currently, these countries are Andorra, Argentina, Canada (commercial organisations), Faeroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the United Kingdom.

Alternatively, the controller as transferor could ensure an adequate level of protection through:

  • entering into standard contractual clauses approved by the European Commission for both controller-to-processor and controller-to-controller transfers; or
  • for transfers within the same group, adoption of binding corporate rules.

On 16 July 2020, the CJEU held that the standard contractual clauses should be viewed as offering only the basic level of protection and they may only be used where the protection provided by the contract is not undermined in the particular circumstances. This means that controllers exporting personal data and looking to rely on standard contractual clauses approved by the European Commission (or another article 46 GDPR international transfer mechanism) must assess on a case-by-case basis whether additional safeguards are needed to remedy any identified deficiency and ensure adequate data protection.

Answer contributed by Peter Van Dyck, Claire Caillol and Eline D'Joos

18. Are there specific exemptions, derogations or mechanisms to enable international transfers of personal data in connection with investigations?

Belgium

Data can otherwise be transferred if one of the following derogations, among others, applies:

  • the data subject has consented to the transfer (as noted above, this consent should be explicit as well as freely given, specific, informed and unambiguous);  
  • necessary for the performance of a contract between the data subject and controller or the implementation of pre-contractual measures taken at the data subject’s request;  
  • necessary for the conclusion of a contract between the controller and a person other than the data subject, which is entered into in the data subject’s interests;  
  • necessary for important reasons of public interest;  
  • necessary for the establishment, exercise or defence of legal claims; or  
  • necessary to protect the vital interests of the data subject.

Answer contributed by Peter Van Dyck, Claire Caillol and Eline D'Joos

TRANSFER TO REGULATORS OR ENFORCEMENT AUTHORITIES

19. Under what circumstances is the transfer of personal data to regulators or enforcement authorities within your jurisdiction permissible?

Belgium

The transfer of personal data to regulators and enforcement authorities within the jurisdiction must comply with the GDPR in the same way as any other processing. 

Answer contributed by Peter Van Dyck, Claire Caillol and Eline D'Joos

20. Under what circumstances is the transfer of personal data held within your jurisdiction to regulators or enforcement authorities in another country permissible?

Belgium

The provisions applying to cross-border data transfer generally also apply to the transfer of data to regulators and law enforcement authorities out of the jurisdiction. Any transfer to an overseas regulator would have to comply with the GDPR in the same way as any other processing.

Any disclosure of personal data to an overseas regulator or law enforcement authority would require that the processing of personal data is legitimate, proportionate and transparent. The cross-border transfer of personal data would require a legal basis for processing and safeguards for the relevant transfer.

The possible legal bases that a controller may rely on in this context include:

  • consent of each affected data subject to the disclosure and transfer. However, this can be problematic to obtain, can be withdrawn at any time and (in the case of sensitive data) must be explicit;
  • necessary for the establishment, exercise or defence of legal claims;
  • legitimate interests; or
  • necessary for the performance of a task carried out in the public interest.

The prohibition on cross-border transfers provides that personal data should not be transferred to a country outside the EEA that does not provide an adequate level of protection, unless an exemption applies or safeguards for the personal data are in place. Article 49 of the GDPR provides for derogations to the requirement for an adequacy decision or implementing safeguards in certain circumstances, including where the transfer is necessary for important reasons of public interest or for the establishment, exercise or defence of legal claims.

Article 48 of the GDPR provides that a decision from (administrative) authorities, courts or tribunals outside the EEA does not in itself justify the transfer of personal data to a non-EEA country. The transfer is enforceable when based on an international agreement, such as a mutual legal assistance treaty. The European Data Protection Board guidelines state, in relation to article 48: ‘In situations where there is an international agreement, such as a mutual legal assistance treaty (MLAT), EU companies should generally refuse direct requests and refer the requesting third country authority to existing MLAT or agreement.’

Answer contributed by Peter Van Dyck, Claire Caillol and Eline D'Joos

21. What are some recommended steps to take on receipt of a request from a regulator for disclosure of personal data?

Belgium

The recipient of such a request may consider taking the following steps, amongst others:

  • consider if there is a legal obligation to respond to the request and, if so, to what extent;  
  • seek further information in writing from the requesting regulator to evaluate the purpose of the request;
  • if possible, negotiate the scope of the request: for example, to target the specific information required for the purposes of the regulatory investigation;  
  • in accordance with principles of data minimisation, limit the scope of any data disclosed and transferred to that necessary for the purpose;  
  • consider whether it is practicable to obtain data subject consent and/or give a further privacy notice;
  • put in place a data processing agreement if data will be transferred to an affiliate or third party (acting as a processor); and
  • consider transfer via an MLAT: in some cases, it may be possible to ask the requesting court or regulator to request the data via an MLAT or other international agreement instead.

Answer contributed by Peter Van Dyck, Claire Caillol and Eline D'Joos

ENFORCEMENT AND SANCTIONS

22. What are the sanctions and penalties for non-compliance with data protection laws?

Belgium

For all phases of an investigation, there is a tiered approach to penalties for breaches of the GDPR. This permits data protection authorities to impose fines for some infringements of up to the higher of 4 per cent of annual worldwide turnover and €20 million (eg, for breach of requirements relating to cross-border transfers or the conditions for consent). Other specified infringements attract a fine of up to the higher of 2 per cent of annual worldwide turnover and €10 million.

The GDPR contains a list of points to consider when imposing fines, such as the nature, gravity and duration of the infringement. 

A data subject who suffers material or non-material damage as a result of a breach of the GDPR by a controller may bring a civil claim for compensation.

The Data Protection Authority is responsible for receiving complaints about, and investigating compliance with, the Belgian Data Protection Act of 30 July 2018 (DPA). Other than imposing the above-mentioned administrative fines, the actions that can be taken by the Data Protection Authority include:

  • imposing a temporary or final restriction (including a prohibition) on the processing;
  • requesting the rectification or erasure of personal data; and
  • involving the public prosecutor.

In accordance with article 5 of the Belgian Criminal Code, both legal and natural persons can incur criminal sanctions for data protection breaches (alternatively or cumulatively, depending on the scenario). This means, for example, that directors and officers may incur criminal sanctions (including fines) for non-compliance with data protection laws.

Criminal sanctions flowing from breaches of the DPA are pursued by the public prosecutor and the courts. The possible criminal sanctions for breaches of the DPA include fines up to €240,000 and the publication of the judgment.

Answer contributed by Peter Van Dyck, Claire Caillol and Eline D'Joos

RELEVANT MATERIALS

23. Provide a list of relevant materials, including any decisions or guidance of the data protection authority in your jurisdiction regarding internal and external investigations, and transfers to regulators or enforcement authorities within and outside your jurisdiction.

Belgium

  • EU General Data Protection Regulation (2016/679)
  • Belgian Data Protection Act (French version)
  • Belgian Data Protection Act (Dutch version)
  • Law on the creation of the Belgian Data Protection Authority:
    French version: https://www.ejustice.just.fgov.be/cgi_loi/change_lg.pl?language=fr&la=F&cn=2017120311&table_name=loi
    Dutch version: https://www.ejustice.just.fgov.be/cgi_loi/change_lg.pl?language=nl&la=N&cn=2017120311&table_name=wet
  • Collective Bargaining Agreement 81:
    French version: http://www.cnt-nar.be/CCT-COORD/cct-081.pdf
    Dutch version: http://www.cnt-nar.be/CAO-COORD/cao-081.pdf

Answer contributed by Peter Van Dyck, Claire Caillol and Eline D'Joos