Global Data and Cyber Handbook

Belgium

Select a Topic
Start Comparison
DPOs and Notification Requirements
Jump to
DPOs and Notification Requirements Start Comparison
Is the concept of data protection officer (DPO) recognized in the jurisdiction?

Last reviewed: January 2025

Yes.

Are there circumstances in which it is mandatory to appoint a DPO or similar position?

Last reviewed: January 2025

Yes

If yes, under what circumstances?

         the processing is carried out by a public authority or body, except for courts acting in their judicial capacity

☒         the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale

☒         the core activities of the controller or the processor consist of processing on a large scale of special categories of data

☒         other

Under the Belgian DPA, a private body that processes personal data on behalf of a federal public authority or to which a federal public authority transfers personal data must appoint a DPO if the processing is likely to result in a high risk to the rights and freedoms of natural persons (as referred to in Art. 35 of the GDPR with regard to DPIA) (Art. 21).

Besides, in the context of processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, the controller must appoint a DPO where the processing of personal data is likely to result in a high risk as referred to in Article 35 GDPR (Art. 190).

The DPA also contains rules concerning the appointment of a DPO in the context of certain processing of personal data by the following public authorities:

  • competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offenses or execution of criminal sanctions, including the protection against and prevention of threats to public security (Art. 63 to 65);
  • Intelligence and Security Services (Art. 91);
  • authorities competent to issue or withdraw security clearances (Art. 124); and
  • the Threat Assessment Coordination Body ("OCAM") (Art. 158).

In addition, it is worth noting that, as per Article 9 of the Flemish Decree regarding the electronic exchange of administrative data of 18 July 2008, as amended in 2018, which applies to electronic data flows within and between regional public authorities, where a Flemish public authority (as defined in the Decree) relies on a processor, the processor must also appoint a DPO.

Lastly, the appointment of a DPO may be imposed under a specific sectoral legislation. For example, an obligation to appoint a DPO (or to rely on an external DPO) applies to private investigation companies and internal investigation services under the Private Investigation Act of 18 May 2024.

Where a DPO is appointed, does the DPO have to meet specific requirements?

Last reviewed: January 2025

If yes, what are these requirements?

☒         legal qualifications / experience

☒         other professional qualifications / experience

☒         other

According to Art. 37 GDPR, the DPO shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks of the DPO.

Are there obligations to notify, submit filings to, register with or obtain approval from local data protection authorities to collect and/or process personal data generally?

Last reviewed: January 2025

Yes

CCTV Notification

  • Under the Act of 21 March 2007 regarding the installation of surveillance cameras, as amended by the Act of 21 March 2018, the decision to install a surveillance camera and to modify such surveillance system must be notified to the police services on a platform provided by the Public Federal Service Interior (and no longer to the Belgian Data Protection Authority).

Authorization of principle for the communication of health data

  • Pursuant to Article 42, § 2, 3° of the Act of 13 December 2006 containing various health provisions, as amended by the Act of 5 September 2018, any communication of personal data relating to health is subject to an authorization of principle of the Social Security and Health Chamber of the Information Security Committee (Comité de sécurité de l'information or Informatieveiligheidscomité). The scope of this requirement and the relevant exceptions must be checked on a case-by-case basis.

Registration with the competent authority under the Belgian NIS 2 Act

  • Organizations that fall within the scope of the Belgian NIS 2 Act have an obligation to register with the competent authority as determined by the Belgian NIS 2 Act and the NIS 2 Royal Decree.
{{ $store.state.loadingScreen.message }} ...