The long awaited new Belgian Privacy Act adapting Belgian law to the GDPR has been officially published this Wednesday September 5, 2018 and has come into force the very same day.
Here are some of the highlights of the new Belgian Privacy Act in a nutshell:
- Age of consent in relation to the offer of information society services directly to a child is set to 13 years old. Where the child is below the age of 13 years, such processing shall be lawful only if and to the extent that consent is given or authorized by the holder of parental responsibility over the child;
- Identification of organizations entitled to process, for important public interest, special categories of personal data as defined in Article 9 of GDPR;
- Additional measures to implement for the processing of genetic, biometric or health data;
- Extended categories of persons authorized to process personal data relating to criminal convictions and offences (with additional protective measures to be implemented in such case);
- Exceptions, subject to conditions, for processing personal data for journalistic purposes and the purposes of academic, artistic or literary expression;
- Limitation of data subject rights when processing is pursued by public authorities for public interest or exercise of public force, enforcing safeguards in such case;
- Criminal penalties are provided in some cases of infringement to the GDPR or the Belgian Privacy Act.
In addition to adapting national law to the GDPR (EU) 2016/679, it also implements Directive (EU) 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties (hence the length of the act, which is 286 articles long!).