Privireal: Privacy in Research, Ethics and Law
"examining the implementation of the Data Protection Directive 95/46/EC
in relation to medical research and the role of ethics committees"

Belgium - Data Protection

History of Data Protection in BELGIUM

Prior to 1992, the rules on medical secrecy constituted the only data protection measures in Belgium. It was clear that these rules alone were inadequate to deal with the automatic processing of medical personal data. The Law of 8 December 1992, which incorporated Convention No. 108 of the Council of Europe into Belgian law, contained specific provisions for the protection of personal medical data.

Directive 95/46/EC was implemented in Belgium through the Law of 11 December 1998 (and its implementation order, the Royal Decree of 13 February 2001). This law comprehensively modified the protection of personal data in Belgium.

Summary of Data Protection in BELGIUM

Title of Data Protection Legislation: Law of December 8, 1992 on Privacy Protection in relation to the Processing of Personal Data, as modified by the law of December 11, 1998 implementing Directive 95/46/EC
- Unofficial English translation by K Buyens
Name of supervisory authority: Commission for the Protection of Privacy
General Powers of supervisory authority: Article 23 of the 1992 law establishes the Commission.

The Commission's key powers are outlined in articles 29, 30 and 31.29(1).

The Commission can give advice (Art 29) or recommendations (Art 30) either on its own initiative or upon the request of the Government or regional bodies on any matter relating to the application of the principles of privacy protection with regard to the processing of personal data.

Without prejudice to any legal action and any different legal provision, the Commission shall investigate the signed and dated complaints that are submitted to it.
Who has standing to notify the supervisory authority of breaches? The data subject (Art 13).
What are the penalties for data controllers if they breach the law? Penalties are set out in Articles 37-43 of the 1998 law.
They range from fines (Arts 37-39), through publication of the judgement in a newspaper after conviction (Art 40) and confiscation of filing systems (unless they are computers), to orders to erase data (Art 41).
Have any provisions been made for the processing of a national identification number or a general identifier, as per Article 8(7)? Not in the data protection law, but in the Regulations of the National Register of Natural Persons (see Article 5).
Is it necessary to obtain consent before processing personal data, or are alternatives available even when obtaining consent would not be impracticable or inappropriate? It is always necessary to obtain consent unless it is impracticable or inappropriate according to Article 20 of the Royal Decree of February 13 2001.
Does the Data Protection Legislation cover the deceased? Article 2 of the law refers to every ‘natural person’ in order to exclude ‘legal’ persons from the field of application. No conclusion can be derived as to the application of the law regarding a dead ‘natural person’.
Who is able to indirectly identify the data subject? Anybody
