Last reviewed: January 2025
Yes
☒ qualified right not to be subject to a decision based solely on automated decision making, including profiling – for example, only applicable if the decision produces legal effects concerning them or similarly significantly affects them
☒ right to information / transparency requirement
☒ right to request human review of the automated decision making
☒ other
The right to request human review of the automated decision making as well as the right to information are subject to specific requirements.
Art. 22 GDPR sets forth a qualified right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning a data subject or similarly significantly affects him or her. This right is not applicable if, in particular, (i) the decision is necessary for entering into or performance of a contract between a data subject and a controller or (ii) the decision is based on the data subject's explicit consent (see next question for further information). Where one of these two exceptions applies, Art. 22 GDPR requires data controllers to implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, which must include, inter alia, at least the right to obtain human intervention on the part of the controller.
Furthermore, Recital 71 of the GDPR specifies that the above-mentioned suitable safeguards should include specific information to the data subject and the right to obtain an explanation of the decision reached after such assessment and to challenge the decision.
Also note that further requirements with respect to the use of AI automated decision making, including profiling, affecting data subjects have been applicable since the entry into force of the AI Act (see EU Chapter for more information).
Last reviewed: January 2025
Yes
The exceptions are as follows:
If the decision:
For processing by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offenses or execution of criminal sanctions, including the protection against and prevention of threats to public security, any decision based solely on automated processing, including profiling, which produces adverse legal effects concerning the data subject or similarly significantly affects him or her, is allowed if a law, decree, ordinance, EU law or international agreement provides for appropriate guarantees for the rights and freedoms of the data subject, including at least the right to obtain human intervention on the part of the controller (Art. 35 of the DPA).
Any profiling leading to discrimination against natural persons on the basis of the special categories of personal data referred to in Article 34 of the Belgian DPA (i.e., same special categories of personal data defined in Article 9 of the GDPR) is prohibited (Art. 35 of the DPA).
For processing by the Intelligence and Security Services, the authorities competent to issue or withdraw security clearances and the Threat Assessment Coordination Body ("OCAM"), a decision which produces adverse legal effects concerning an individual may not be based solely on automated processing intended to evaluate certain aspects of his or her personality, except where such decision is based on a provision laid down by law or where it is necessary to safeguard an important public interest (Art. 82, 115 and 148 of the Belgian DPA).
For processing by the Passenger Information Unit, a decision which produces legal effects concerning an individual may not be based solely on automated processing intended to evaluate certain aspects of his or her personality (Art. 176 of the Belgian DPA).
Last reviewed: January 2025
Yes
In 2024, the Belgian Data Protection Authority issued specific guidance on “Artificial Intelligence Systems and the GDPR”, addressing the specific challenges posed by AI technologies (accessible in English).
Specifically addressed to legal professionals, Data Protection Officers and IT developers, this brochure delves into the interplay between the GDPR and the AI Act. It notably focuses on how the two EU regulations interact with respect to established key GDPR principles and requirements of lawful, fair and transparent processing, purpose limitation and data minimisation, data accuracy, storage limitation, automated decision-making, security of processing, data subjects’ rights and accountability. It also provides a clear definition of AI systems, supplemented with illustrative examples. To remain practical, this brochure provides user stories that illustrate the application of key GDPR requirements to AI systems in real-world scenarios.
In addition, the Belgian Data Protection Authority has provided some guidance on the use of AI in the context of CCTV monitoring in the workplace (available in French and Dutch). In a Q&A dedicated to COVID-19 in the workplace, the Belgian Data Protection Authority provides that it is in principle not allowed to install in a shop a CCTV system which relies on AI to send an alert to an employee of the shop when a visitor does not wear a face mask. According to the Belgian Data Protection Authority, such use of AI raises issues in light of the GDPR proportionality/data minimization principle (Art. 5), which requires any processing of personal data to rely on appropriate and relevant personal data and not to process more personal data than what is necessary in light of the processing purpose pursued. To rely on such an AI system, the shop must demonstrate that such detection through CCTV images is the only efficient measure and that less privacy-intrusive solutions (such as visual control by an employee of the shop) would be insufficient. The Belgian Data Protection Authority concludes by considering that such use of AI systems is disproportionate in most cases, save in exceptional circumstances. The Belgian Data Protection Authority takes the same position with respect to CCTV systems relying on AI to send alerts when an employee does not wear a face mask and adds in that respect that, in the limited circumstances where such use of AI systems would be proven to be proportionate, the employer must comply with the provisions of the Collective Bargaining Agreement No. 68 on CCTV surveillance in the workplace.
Furthermore, the Belgian Data Protection Authority provided some guidance on data protection and AI, including AI automated decision making and profiling, in two opinions issued in 2022 and 2020 (Opinion 94/2022 of 13 May 2022 available in French and Opinion 90/2020 of 11 September 2020 available in French and in Dutch) concerning two draft Walloon decrees with respect to coaching and solution-focused support for job seekers.
The Walloon Decree which gave rise to Opinion 94/2022 provided for the use of AI to assess the "degree of proximity" of job seekers to the job market. The Belgian Data Protection Authority underlines that such data processing activities are high risk for the rights and freedoms of data subjects, which implies a high level of requirements in terms of personal data protection and guarantees for data subjects. The Belgian Data Protection Authority therefore advises the Walloon legislator to provide safeguards for the proper use of AI tools for decision making purposes affecting the rights and freedoms of data subjects, including specifying which assessments will be made by means of AI tools and safeguards to prevent any discrimination and bias in the rankings that will be made with the help of AI tools.
The Belgian Data Protection Authority furthermore recommends that the Walloon legislator complement the draft Walloon Decree by drawing inspiration from the then draft AI Act. In particular, at that time, the draft AI Act identified as high risk AI systems which affect the exercise of individuals' rights and freedoms or which are intended to be used for recruitment or selection of natural persons (notably to broadcast job positions, for preselection or filtering of applications and for the assessment of applicants during interviews or tests). The Belgian Data Protection Authority enumerates some of the main requirements set forth by the then draft AI Act in that respect:
Furthermore, the Belgian Data Protection Authority underlines in its Opinion 94/2022 that only relevant and appropriate personal data may feed the AI system concerned, in accordance with the GDPR data minimization principle. Lastly, it stresses the importance of communicating qualitative information to data subjects under Art. 13 and 14 GDPR since data subjects need to, on the one hand, be able to understand why a specific profile was attributed to them and, consequently, why they are subject to a specific type of coaching and, on the other hand, be able to challenge the elaboration of a specific profile made by automated means and to request a new assessment by human intervention.
In its Opinion 90/2020 concerning a similar draft Walloon Decree, the Belgian Data Protection Authority emphasizes the need to carry out a prior data protection impact assessment with respect to the use of AI tools and to implement measures to mitigate risks posed by AI systems to the rights, freedoms and legitimate interests of data subjects. In that respect, the Belgian Data Protection Authority considers that transparency mechanisms should be set forth, for example concerning the categories of variables that are used by algorithms. The Belgian Data Protection Authority furthermore refers to the European Commission's White Paper on AI of 19 February 2020, in particular the principles it lays down with respect to the use of AI systems and which are similar to the requirements provided by the then draft AI Regulation (which were underlined by the Belgian Data Protection Authority in its subsequent Opinion 94/2022 (see above)).
Last review date: January 2025
No enforcement activity to date
To our knowledge, the Belgian Data Protection Authority has not taken any enforcement action in relation to artificial intelligence at this stage, although it has published opinions and guidance on this matter as described above.
Last reviewed: January 2025
Yes, laws in force
Please refer to the dedicated EU Chapter in the Global Data & Cyber Handbook for relevant EU legislation applicable in Belgium, such as the EU AI Act and the DSA.