Global Investigations Review - The law and practice of international investigations

Data Privacy & Transfer in Investigations

Belgium

Peter Van Dyck and Claire Caillol
Allen & Overy LLP
1. What laws and regulations in your jurisdiction regulate the collection and processing of personal data?

    The EU General Data Protection Regulation (2016/679) (the GDPR) is directly applicable in this jurisdiction.

    The collection and processing of personal data in Belgium is governed by the Act of 30 July 2018 concerning the protection of privacy in relation to the processing of personal data (the DPA).

    The DPA applies to: (i) the processing of personal data in the context of the activities of an establishment of a controller or processor in Belgium, whether or not the processing takes place in Belgium; and (ii) the processing of personal data carried out in the context of the activities of an establishment of a controller or processor in a country or territory that is not a member state (whether or not the processing takes place in that country or territory) where (a) the personal data relates to a data subject who is in Belgium when the processing takes place, and (b) the processing activities are related to the offering of goods or services to data subjects in Belgium, whether or not for payment, or to the monitoring of data subjects' behaviour in Belgium.

    The Belgian Data Protection Authority is the regulator responsible for enforcing the GDPR and the DPA. The functioning and powers of the Belgian Data Protection Authority are set out in the law of 3 December 2017 on the creation of the Data Protection Authority.

    It should be noted that the answers to the following questions take the provisions of the DPA into account and that reference is made to the DPA only to the extent that its provisions differ from those of the GDPR.

2. What other laws and regulations may prevent data sharing in the context of an investigation?

    Anti-money laundering

    Under the Belgian Anti-Money Laundering Act of 18 September 2017 (AML Act), it is prohibited to disclose to clients and third parties the fact that information has been reported to the Belgian Financial Intelligence Unit (the CTIF-CFI) or that an analysis or investigation is being or may be carried out regarding suspicions of money laundering or terrorism financing.

    As an exception, it is permitted to share such information and data with supervisory authorities or for law enforcement purposes. This information and data can further be shared, subject to certain conditions, between credit or financial institutions belonging to the same group, or between legal professionals, accountants, auditors and tax advisers belonging to the same structure or acting for the same customer and transaction, with a view to preventing money laundering or terrorism financing. 

    The AML Act also indicates that the processing of data under this Act is subject to compliance with the relevant data protection laws.

    Bank secrecy and bank confidentiality

    There are no specific statutory bank secrecy or confidentiality obligations for banks and other financial institutions in Belgium. Case law is scarce on this matter. In the absence of a specific statutory obligation, the scope of the confidentiality principle is not entirely clear. The comments below are therefore necessarily a reasoned analysis. They are also high-level and may not reflect all the nuances or specifics of applicable Belgian rules.

    Banking confidentiality is typically seen as a consequence implied into the contractual relationship between the bank and the client. This stems from articles 1135 and 1160 of the Belgian Civil Code (which are not specific to financial institutions). Article 1135 of the Belgian Civil Code provides that “contractual parties are not only bound by what they explicitly stipulate in their agreement, but also by the consequences that are implied by customs/market practice”. Article 1160 of the Belgian Civil Code provides that “a contract must be completed by the usual provisions, even if these are not expressly included in the contract.” 

    Accordingly, a bank may not in principle disclose to any third party any information about a client gained in the exercise of its professional activity, regardless of whether the client is an individual or a legal person and regardless of whether any confidentiality undertaking is provided for in the contractual documentation. However, this is without prejudice to the obligations that banks and other financial institutions may have to provide specific information about their clients in order to comply with their legal and regulatory obligations. For example, the law of 8 July 2018 on the organisation of a central contact point for accounts and financial contracts (and its implementing royal decrees) imposes important new reporting obligations for financial institutions carrying out business in Belgium. The Central Contact Point (the CCP) is a central register, held by the National Bank of Belgium, to which financial institutions must report certain information on the identity of their clients and the financial products, contracts or transactions.

    Tax

    Under article 318 of the Belgian Income Tax Code of 1992 (the BITC/92), the tax authorities are not authorised to gather information in the accounts, books and documents of banks with a view to taxing their clients.

    Exceptions to this provision include specific provisions in double tax treaties, the presence of indications of fraud, the automatic exchange of information in the framework of Directive 2011/16/EU and if the request is made by a foreign state.

    According to a certain doctrine, however, information gathered by the tax authorities in breach of article 318 of the BITC/92 can nevertheless be retained if certain conditions are met. This doctrine conflicts with the case law of the European Court of Justice to the extent that the breach of article 318 of the BITC/92 also implies a breach of the taxpayer's fundamental rights.

    According to article 334 of the BITC/92, if a person is bound by the obligation of professional secrecy, the tax authorities are only authorised to request and gather information in relation to third persons upon approval of the relevant disciplinary authorities. 

    Privacy of employee communications 

    Privacy of employee communications is regulated by both the GDPR and Collective Bargaining Agreement No. 81 (CBA 81), which is further discussed in question 15.

    Professional secrecy

    Certain professions, such as doctors, pharmacists and lawyers, are bound by the obligation to respect professional secrecy set out in article 458 bis of the Criminal Code. This means that they cannot disclose information acquired in the context of their professional activity unless a specific derogation applies (eg, they have to testify or they are under a legal obligation to disclose the information).

    A breach of professional secrecy may give rise to (i) a prison sentence of one to three years, (ii) a fine up to €8,000 or (iii) both a prison sentence and a fine. In addition, specific deontological sanctions are also likely to apply.

3. What can constitute personal data for the purposes of data protection laws?

    The GDPR defines personal data as any data relating to a living individual who can be identified directly or indirectly from that data, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that living person.

    Data that are truly anonymised will not be "personal data" for the purposes of the GDPR, as they do not identify the individual.

4. Does personal data protection relate only to natural persons or also legal persons?

    Under the GDPR, personal data protection extends only to natural persons; it does not cover legal persons.

5. To whom do data protection laws apply?

    The direct obligations under the GDPR apply primarily to controllers. A controller is defined in the GDPR as a person who (either alone or jointly with others) determines the purposes for which and the manner in which any personal data are processed.

    However, the GDPR also imposes certain direct obligations on processors. A processor is defined in the GDPR as a person who processes personal data on behalf of the controller.

6. What acts or operations on personal data are regulated by data protection laws?

    The GDPR applies to "processing", which is defined broadly and includes any activity in relation to personal data (whether or not by automated means). A number of examples are provided in the GDPR, including the collection, use, disclosure and destruction or erasure of personal data.

7. What are the principal obligations on data controllers to ensure the proper processing of personal data?

    A privacy notice should be provided to the data subject at the time the personal data are obtained (unless an exemption applies). In all circumstances, this must include (articles 13 and 14 of the GDPR):

    • the identity and contact details of the controller;  
    • the contact details of the data protection officer, where applicable; 
    • the purposes and legal basis for the processing (including any legitimate interests relied upon where this is the legal basis for processing, and the right to withdraw any consent at any time, where consent is the legal basis for processing);  
    • the categories of personal data concerned;  
    • any recipients or categories of recipients of the personal data;
    • where applicable, the fact that the controller intends to transfer personal data to a third country, the existence (or absence) of an adequacy decision by the European Commission and, if there is no adequacy decision, the safeguards used for the transfer of that personal data (see question 16); and
    • any further information necessary to make that particular processing of data fair and transparent.

    The controller should also inform the data subject of the period for which their personal data will be stored; the existence of the right to request access, rectification or erasure; the right to restrict the processing; the right to object to the processing; the right to data portability; the existence of automated decision making (including profiling); and the right to lodge a complaint with a supervisory authority.

    If the personal data has been obtained directly from the data subject, article 13 of the GDPR will apply and the controller must also inform the data subject whether the provision of personal data is subject to a statutory or contractual requirement and of any potential consequences of failing to provide that personal data. 

    It may be the case in an investigations context that personal data have not been obtained directly from the data subject. If this is the case, article 14 of the GDPR will apply and the fair processing information given to the data subject must also include the categories of personal data processed, the source of the personal data and details of any personal data obtained from directly accessible sources.

    The GDPR sets out a number of data protection principles that controllers must comply with. The first principle is that personal data must be processed "lawfully, fairly and in a transparent manner". This means that data cannot be processed unless there is a legal basis under article 6 of the GDPR. The following legal bases are available:

    • the data subject has given his or her consent to the processing for one or more specific purposes;  
    • the processing is necessary for the performance of a contract to which the data subject is a party or for the taking of steps at the request of the data subject with a view to entering into a contract;  
    • the processing is necessary for compliance with a legal obligation to which the controller is subject;  
    • the processing is necessary to protect the vital interests of the data subject or another natural person;  
    • the processing is necessary for performing tasks in the public interest or in the exercise of official functions by the controller; or  
    • the processing is necessary for the purposes of legitimate interests pursued by the controller or by a third party, except where the processing is unwarranted by reason of prejudice to the interests and fundamental rights and freedoms of the data subject.

    In respect of sensitive data (or “special categories of personal data”), the processing must also comply with one of the stricter legal bases set out in article 9 of the GDPR. Sensitive data is defined as information relating to: racial or ethnic origin; political opinions; religious and philosophical beliefs; trade union membership; genetic data and biometric data for the purpose of uniquely identifying a natural person; data concerning health; and sex life and sexual orientation. In an investigations context, relevant conditions for the processing of sensitive data may include where:

    • the individual has given their explicit consent to the processing for one or more specified purposes;
    • the processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity; or
    • the processing is necessary for reasons of substantial public interest, on the basis of Union or member state law, where this is proportionate to the relevant aim and safeguards the rights and interests of data subjects.

    The processing of data about criminal convictions and offences is dealt with separately to sensitive data, under article 10 of the GDPR. This provides that such data can only be processed where authorised under national law.

    Under article 10 of the DPA, personal data relating to criminal convictions and offences or related security measures may also be processed:

    • by natural persons, or public or private bodies, where necessary in the context of litigation;
    • by lawyers and legal advisers where necessary for the defence of legal claims;
    • where the processing is necessary for reasons of significant public interest for the performance of tasks of general interest entrusted by or under a Belgian law, decree or order or European Union law; or
    • where the processing is necessary for scientific research, historical or statistical information or for archival purposes.

    The controller or the processor (if applicable) is required to create and maintain a list of the categories of people who have access to the data, as well as a detailed description of their functions in respect of the processing. The controller must ensure that the people with access to personal data relating to criminal convictions and offences or related security measures are bound by a legal or statutory obligation or by an equivalent contractual provision, to maintain the confidentiality of the data concerned.

    The GDPR sets out the following data protection principles, with which controllers must comply:

    • Principle 1: personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”, see above for further details on transparency requirements);
    • Principle 2: personal data should be obtained only for specified, explicit and legitimate purposes and should not be further processed in any manner incompatible with those purposes (“purpose limitation”);  
    • Principle 3: personal data should be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”);  
    • Principle 4: personal data should be accurate and, where necessary, kept up to date (“accuracy”);  
    • Principle 5: personal data should be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (“storage limitation”);  
    • Principle 6: personal data should be processed in a manner that ensures appropriate security of that personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”); and
    • The controller must also be able to demonstrate compliance with each of these principles (“accountability”). 

    In addition, under Chapter V of the GDPR personal data may not be transferred to a country or territory outside the EEA unless the European Commission has decided that the third country or territory ensures an adequate level of protection or if the controller or processor has provided appropriate safeguards and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

    DATA EXTRACTION BY THIRD PARTIES FOR DATA COLLECTION PURPOSES

8. Before data extraction by third parties commences, should steps be taken to ascertain whether non-locally generated data was lawfully transferred to, or within, your jurisdiction in the first instance?

    While there are no specific steps required under the GDPR, it is advisable to check that non-locally generated data was transferred to, or within, the jurisdiction in compliance with relevant data protection laws and regulations. This may include:

    • ascertaining what data has been transferred to, or within, the jurisdiction and the natural and/or legal persons to which that data relates;  
    • reviewing the privacy notice provided to data subjects;  
    • ascertaining the legal basis for the processing (see question 7); and/or  
    • determining whether a contract or other safeguard applies to the transfer of that data (eg, a data processing agreement, data transfer agreement or binding corporate rules, as appropriate).

    In particular, the above may inform whether certain restrictions may apply to further processing of that data.

9. Are there additional requirements where third parties process the data on behalf of the entity to which data protection laws primarily apply?

    Additional provisions of the GDPR apply where the data are processed by a processor on behalf of the controller. The primary factor considered is control of the data rather than its possession, so the controller must ensure that the third-party processor is complying with the requirements on the security of data set out in the GDPR. A written contract to this effect must be entered into between the processor and controller (article 28 of the GDPR). This contract must include a description of the data processing activities and require the processor, among other things, to:

    • act only on the documented instructions of the controller (including with regard to international transfers of data to a third country);  
    • ensure that persons who process the data have committed to confidentiality or are under a statutory duty of confidentiality;  
    • implement appropriate security measures in accordance with the GDPR;  
    • engage a sub-processor only with the prior authorisation of the controller;  
    • assist the controller in carrying out its obligations to respond to requests by data subjects to exercise their rights under the GDPR; and  
    • assist the controller in ensuring its compliance with its data security obligations.

    Where a processor engages a sub-processor, the contract between them must reflect the same data protection obligations as set out in the contract between the controller and the processor.

    These provisions of the GDPR apply to processors within the same corporate group in the same way as to other third-party processors.

    The GDPR also imposes certain direct obligations on processors. These include an obligation to: (i) maintain a written record of processing activities carried out on behalf of each controller; (ii) designate a data protection officer where required; (iii) appoint a representative (when not established in the EU) in certain circumstances; and (iv) notify the controller without undue delay on becoming aware of a personal data breach.

10. Is the consent of the data subject mandatory for the processing of personal data as part of an investigation? And how can consent be given by a data subject?

    The consent of the data subject is one legal basis for processing of personal data under the GDPR. Data subject consent is, therefore, not mandatory for the processing of personal data, but consent must be obtained if no other legal basis exists.

    There is no prescribed form for the consent, but it should be freely given, specific, informed and unambiguous. In addition, to the extent relied upon as a basis for international transfers, consent must also be explicit (see question 16). Consent can also be withdrawn at any time and must be as easy to withdraw as to give.

    Consent can be obtained through a website or other electronic means.

    In the case of sensitive data, where consent is relied on to provide a legal basis under article 9 GDPR, it must also be explicit. A controller may therefore wish to obtain consent by means of an additional formality to demonstrate “explicit” consent (eg, a wet ink signature or a tick box that expressly uses the word “consent”).

    In this respect, please also see question 15.

11. If not mandatory, should consent still be considered when planning and carrying out an investigation?

    Consent may be considered as an enabling action when planning an investigation. However, obtaining consent to the processing of personal data can be practically challenging, and proceeding with processing of personal data in reliance solely on this ground is rarely appropriate. One reason is that consent must be capable of being withdrawn at any time (a right that cannot be contracted out of), which would be difficult to manage in the context of an investigation.

12. Is it possible for data subjects to give their consent to such processing in advance?

    Whether consent given in advance, eg through general terms and conditions or account opening information, is sufficient for the purposes of the GDPR depends, among other things, on the balance of power between the controller and data subject. Consent is not freely given (and so is invalid) if a data subject has no genuine or free choice or cannot refuse or withdraw consent without detriment, or there is a clear imbalance between the parties. Consent included within an employment contract, or obtained generally by an employer from an employee, is unlikely to be valid for this reason.

    Written requests for consent must be clearly distinguishable from other matters, be intelligible, be easily accessible and use clear and plain language. This means that consent should not be hidden among other terms and conditions. In any event, there is a risk that a generic consent provided through general terms and conditions is not specific and informed, and so not validly given by the data subject.

    The controller should also consider the requirement for consent to the processing for sensitive data to be explicit (see question 7).

13. What rights do data subjects have to access or verify their personal data, or to influence or resist the processing of their personal data, as part of an investigation?

    A data subject has a right to request information regarding whether their personal data is being processed, known as a data subject access request (DSAR). The information that can be requested includes a description of the data, the purpose for which it is being processed and to whom it may be disclosed. The controller must also provide a copy of the personal data to the data subject.

    A controller is not required to provide personal data in response to a “manifestly unfounded or excessive” request from a data subject (article 12(5) of the GDPR). If relying on this exemption, a controller should retain evidence to demonstrate why it considers the request to be unfounded or excessive. If a controller refuses to act on a request, they must also inform the data subject of the reason why and tell the data subject that they can complain to their relevant supervisory authority and enforce their right through judicial remedy.

    Data subjects have the right to request rectification of any personal data relating to them that is inaccurate, and completion of any incomplete data, including by way of a supplementary statement. There is an obligation on a controller under the GDPR to ensure the personal data it keeps is accurate (see question 7).

    Data subjects have the right to obtain from the controller the erasure of their personal data without undue delay if one of the specified grounds applies. This includes where the data is no longer necessary in relation to the purposes for which it was collected or otherwise processed, or where the data subject has withdrawn consent (and there is no other legal ground for the processing).

    Data subjects have a right to object to the processing of personal data concerning them at any time. A controller must adhere to this objection unless it can demonstrate a legitimate basis for the processing that overrides the interests of the data subject, or if the processing is necessary within legal proceedings. A data subject also has a right to obtain a restriction of processing from the controller where it believes the relevant personal data is inaccurate, the processing is unlawful or the controller no longer needs the data for the purposes of the processing. If the latter is the case, the data subject can require the controller to limit the processing to that required in the context of legal proceedings.

    TRANSFER FOR LEGAL REVIEW AND ANALYSIS

14. How are law firms, and legal process outsourcing firms, generally characterised in your jurisdiction?

    In line with the Article 29 Working Party's Opinion 01/2010 on the concepts of "controller" and "processor", law firms are generally characterised as independent controllers when processing data in the course of legally representing their clients.

    It is, however, less clear whether legal process outsourcing firms would be considered data controllers or data processors. Of course, if their work is done by lawyers, the legal process outsourcing firm must be considered a data controller for the processing involved in that work.

15. Are there any additional requirements, beyond those specified above, that regulate the disclosure of data to third parties within your jurisdiction for the purpose of reviewing the content of documents, etc?

    Requirements for financial institutions

    Financial institutions in Belgium must also comply with, among others, the guidelines on material outsourcing established by the European Banking Authority (EBA). The EBA's guidelines (which will apply from 30 September 2019) set out a series of recommendations that providers of financial services must adhere to in respect of any outsourcing to the cloud, including in respect of the security of data, where geographically data is located and processed, and the importance of contingency planning.

    Requirements relating to monitoring of employee communications

    Requirements relating to the monitoring of email correspondence differ depending on whether the correspondence concerns employee personal data or not.

    The GDPR applies to all personal data, including private emails and professional emails such as those sent between an employer and employee. It also applies to the personal data of employees and other natural persons. Under Belgian law, the privacy of employee communications is regulated by both the GDPR and Collective Bargaining Agreement No. 81 (CBA 81). Although the scope of CBA 81 is not clearly defined, the general view is that CBA 81 applies to electronic communications that contain private employee information, but not emails relating solely to professional information. 

    CBA 81 and the GDPR provide that the data in employees’ electronic communications can only be processed under certain conditions if they contain personal or private information. The following conditions apply: 

    • Monitoring of employees’ electronic communications is only permitted for one of four legitimate purposes described by CBA 81.
    • Monitoring should be proportionate to its objective.
    • Certain information on the monitoring of employee communications must be provided to the individual employees and their representatives, ie, the employee representatives on the competent Works Council, health and safety committee or trade union delegation.
    • The relevant employee representatives must be consulted regularly in view of the on-going evaluation of any monitoring system.
    • Electronic online communications may only be individualised (ie individually identified) following a specific procedure provided under CBA 81. When electronic online communications data is individualised and irregularities are found with this data, the employer must organise a meeting with the employee.

    CBA 81 does not apply to electronic communication data which solely relate to professional information. However, in that case the GDPR still applies and employers must comply with the requirements set out in the GDPR (see question 7).

    Finally, as private electronic communication cannot always be readily distinguished from professional emails, the employer could also consider applying the principles of CBA 81 to the monitoring of professional emails of its employees.

16. What rules regulate the transfer of data held in your jurisdiction to a third party in another country for the purpose of reviewing the content of documents, etc?

    The GDPR distinguishes between transfers to other jurisdictions within the EEA and transfers of data to jurisdictions outside the EEA.

    Within the EEA

    A transfer of personal data from this jurisdiction to a processor or controller in another EEA member state must comply with the same requirements as if the transfer was made within the jurisdiction (see question 7).

    Outside the EEA

    Personal data subject to the GDPR cannot be transferred to a country or territory outside the EEA unless that third country or territory provides an adequate level of protection for personal data.

    The European Commission has determined that certain non-EEA countries and recipients ensure an adequate level of protection for personal data and so a transfer can be made to such countries in compliance with the rules that provide restrictions on transfers outside the EEA. Currently, these countries are Andorra, Argentina, Canada (commercial organisations), Faeroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay.  

    Alternatively, the controller as transferor could ensure an adequate level of protection through:

    • entering into standard contractual clauses approved by the European Commission for both controller-to-processor and controller-to-controller transfers; or  
    • for transfers within the same group, adoption of binding corporate rules.

    For transfers of personal data to eligible and appropriately certified recipients in the United States, the controller may also rely on the “Privacy Shield”.

    Data can otherwise be transferred if one of the following derogations, among others, applies:

    • the data subject has consented to the transfer (as noted above, this consent should be explicit as well as freely given, specific, informed and unambiguous);  
    • the transfer is necessary for the performance of a contract between the data subject and controller or the implementation of pre-contractual measures taken at the data subject’s request;  
    • the transfer is necessary for the conclusion of a contract between the controller and a person other than the data subject, which is entered into in the data subject’s interests;  
    • the transfer is necessary for important reasons of public interest;  
    • the transfer is necessary for the establishment, exercise or defence of legal claims; or  
    • the transfer is necessary to protect the vital interests of the data subject.

    Where none of the above derogations is available, a transfer to a third country may take place if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests of the controller (which are not overridden by the interests or rights and freedoms of the data subject), and the controller has assessed all the circumstances surrounding the transfer and has, on the basis of that assessment, provided suitable safeguards with regard to protection of personal data. This ground for processing may only be relied upon where no other legal basis is available. The controller shall inform the supervisory authority of the transfer and, in addition to providing the information referred to in articles 13 and 14, shall inform the data subject of the transfer and on the compelling legitimate interests pursued. As such, this derogation is unlikely to be of practical application in the context of an investigation. 

    TRANSFER TO REGULATORS OR ENFORCEMENT AUTHORITIES

  33. 17.

    Under what circumstances is the transfer of personal data to regulators or enforcement authorities within your jurisdiction permissible?

  34. The transfer of personal data to regulators and enforcement authorities within the jurisdiction must comply with the GDPR in the same way as any other processing (see question 7). In particular, a legal basis must be established under article 6 GDPR. 

  35. 18.

    Under what circumstances is the transfer of personal data held within your jurisdiction to regulators or enforcement authorities in another country permissible?

  36. The provisions applying to cross-border data transfer generally (see question 16) also apply to the transfer of data to regulators and law enforcement authorities out of the jurisdiction. Any transfer to an overseas regulator would have to comply with the GDPR in the same way as any other processing.

    Any disclosure of personal data to an overseas regulator or law enforcement authority would engage the first data protection principle (including the requirement to establish a legal basis under article 6 GDPR) and prohibitions on cross-border transfers of personal data. In particular, the first principle provides that processing of personal data must be fair, lawful and transparent.

    Any transfer of personal data to an overseas regulator or law enforcement authority may breach this principle on the basis that this is not a purpose about which the data subjects will have been sufficiently informed. The GDPR sets out exemptions to providing a privacy notice where this is impossible or would involve disproportionate effort on the part of the controller, but these exemptions are interpreted narrowly.

    The cross-border transfer of personal data would additionally require safeguards for the relevant transfer and a legal basis for processing. There is no clear exemption or derogation from either the first principle, the requirement for a legal basis for processing, or the prohibition on cross-border transfers that will routinely cover requests for data by a foreign regulator or law enforcement authority.

    The transfer may lack a legal basis, depending on the circumstances of the processing. The possible legal bases that a controller may rely on in this context include:

    • the consent of each affected data subject to the disclosure and transfer. However, as noted above, this can be problematic to obtain, can be withdrawn at any time and (in the case of sensitive data) consent must be explicit;
    • that the processing is necessary for the establishment, exercise or defence of legal claims, depending on the circumstances;
    • that the processing is in the legitimate interests of the controller (see question 16 for further details); or
    • that the processing is necessary for the performance of a task carried out in the public interest (see question 7 for further details on the application of this basis to the processing of sensitive data).

    The prohibition on cross-border transfers provides that personal data should not be transferred to a country outside the EEA that does not provide an adequate level of protection, unless an exemption applies or safeguards for the personal data are in place. Article 49 of the GDPR provides for derogations to the requirement for an adequacy decision or implementing safeguards in certain circumstances, including where the transfer is necessary for important reasons of public interest or for the establishment, exercise or defence of legal claims.

    Article 48 of the GDPR provides that, without prejudice to other grounds for international transfers, a decision from third country authorities, courts or tribunals does not in itself justify the transfer of personal data to a non-EEA country. This is the case unless the transfer is based on an international agreement, such as a mutual legal assistance treaty. The European Data Protection Board guidelines state, in relation to article 48: "In situations where there is an international agreement, such as a mutual legal assistance treaty (MLAT), EU companies should generally refuse direct requests and refer the requesting third country authority to existing MLAT or agreement."

  37. 19.

    What are some recommended steps to take on receipt of a request from a regulator for disclosure of personal data?

  38. The recipient of such a request may consider taking the following steps, amongst others:

    • Consider if there is a legal obligation to respond to the request and, if so, to what extent.  
    • Seek further information in writing from the requesting regulator to evaluate the purpose of the request.  
    • If possible, negotiate the scope of the request: for example, to target the specific information required for the purposes of the regulatory investigation.  
    • In accordance with principles of data minimisation and anonymisation, limit the scope of any data disclosed and transferred to that necessary for the purpose.  
    • Consider whether it is practicable to obtain data subject consent and/or give a further privacy notice.
    • Put in place a data processing agreement if data will be transferred to an affiliate or third party (acting as a processor).
    • Consider transfer via an MLAT as, in some cases, it may be possible to request that the requesting court or regulator requests data via an MLAT or other international agreement.

  39. 20.

    What are the sanctions and penalties for non-compliance with data protection laws?

  40. There is a tiered approach to penalties for breaches of the GDPR. This permits data protection authorities to impose fines for some infringements of up to the higher of 4 per cent of annual worldwide turnover and €20 million (eg, for breach of requirements relating to cross-border transfers or the principles for processing, such as conditions for consent). Other specified infringements attract a fine of up to the higher of 2 per cent of annual worldwide turnover and €10 million.

    The GDPR contains a list of points to consider when imposing fines, such as the nature, gravity and duration of the infringement. 

    A data subject who suffers material or non-material damage as a result of a breach of the GDPR by a controller may bring a civil claim for compensation.

    The Data Protection Authority is responsible for receiving complaints on and investigating compliance with the DPA. Other than imposing the above-mentioned administrative fines, the actions that can be taken by the Data Protection Authority include:

    • imposing a temporary or final restriction (including a prohibition) on the processing;
    • requesting the rectification or erasure of personal data; and
    • involving the public prosecutor.

    Criminal sanctions flowing from breaches of the DPA are pursued by the public prosecutor and the courts. The possible criminal sanctions for breaches of the DPA include fines up to €240,000 and the publication of the judgment.

    In accordance with Belgian criminal law (see article 5 of the Belgian Criminal Code), both legal and natural persons can incur criminal sanctions for data protection breaches (alternatively or cumulatively, depending on the scenario). This means, for example, that directors and officers may incur criminal sanctions (including fines) for non-compliance with data protection laws.

    CONTINUING OBLIGATIONS ON ORIGINAL AND INTERVENING DATA CONTROLLERS

  41. 21.

    What are the continuing obligations on the original data controller that apply in an investigation?

  42. A controller’s obligations under the GDPR are continuing for as long as it remains a controller. As a result, it should ensure compliance with the GDPR, where applicable, at all stages of the investigation.

    Practical steps that a controller should follow include:

    • ensuring that any third party processing data on behalf of the controller signs a data processing agreement and/or data transfer agreement, as applicable;
    • ensuring that all personal data processed is accurate and, where applicable, that the consent of data subjects remains valid;
    • complying with the restrictions on the transfer of data to third parties set out at question 16 (whether within or outside of the EEA), including any transfer to a regulator or law enforcement authority; and
    • maintaining a record of processing and responding to data subject requests.

  43. 22.

    What are the continuing obligations on any intervening data controller that apply in an investigation?

  44. The original and intervening data controllers should ensure that a written agreement is in place between them and follow the steps to address their continuing obligations set out at question 21.

    RELEVANT MATERIALS

  45. 23.

    Provide a list of relevant materials, including any decisions or guidance of the data protection authority in your jurisdiction regarding internal and external investigations, and transfers to regulators or enforcement authorities within and outside your jurisdiction.
