Following the entry into force of the GDPR on 25 May 2018 (see our news “GDPR – Are you ready?”), the law of 30 July 2018 on the protection of natural persons with regard to the processing of personal data, which repeals the law of 8 December 1992, was published in the Belgian Official Journal on 5 September 2018 and entered into force the same day.
Although the GDPR is directly applicable in all EU Member States, it contains numerous provisions allowing or requiring the Member States to enact national implementing provisions.
The material scope of the new Belgian law is, however, more extensive than a mere implementation of the GDPR. It also transposes Directive 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and regulates in detail the conditions under which personal data can be processed by various public authorities in that context, including the national intelligence and security services, the armed forces, the threat assessment coordination body, the passenger information body, and even the body supervising police information.
The following overview will focus on the consequences of the law of 30 July 2018 for private undertakings rather than the public sector.
Territorial scope of the law
The territorial scope of the law is determined by criteria similar to those outlined in the GDPR. Therefore, the law applies to any processing of personal data in the context of the activities of the establishment of a controller or a processor in Belgium, as well as to any processing of personal data of data subjects who are in Belgium by a controller or processor not established in Belgium where the processing activities are related to the offering of goods or services to data subjects in Belgium or to the monitoring of the behaviour of data subjects in Belgium.
Age of consent
In accordance with the flexibility provided by the GDPR, the Belgian legislator decided to lower to 13 (instead of 16 in the GDPR) the age from which children can themselves consent to the processing of their personal data by a third party wishing to make them a direct offer of information society services.
Another matter on which the GDPR gives some flexibility to the Member States is the processing of so-called ‘sensitive’ data (in particular, personal data revealing the racial or ethnic origin of the data subject, their political opinions, their religious or philosophical beliefs, their trade union membership, data concerning their health or even their sexual orientation). Namely, the GDPR provides that the Member States can enact reasons of substantial public interest allowing, under certain conditions, the processing of such sensitive data. The Belgian legislator has set out a list of processing activities based on such reasons, including in particular processing by associations for the defence of human rights or for the assistance of missing or sexually exploited children. Additional conditions govern the processing of genetic data, biometric data and health-related data.
The GDPR enables the Member States to allow, under certain conditions, the processing of personal data relating to criminal convictions and offences or related security measures by persons other than official authorities. In that respect, the Belgian law notably allows the processing of such data by natural persons or by legal persons governed by public or private law, as long as it is necessary for the management of their own disputes. The law also authorises lawyers to process such data if the defence of their clients requires it. Another specific scenario dealt with by the law is where the personal data have been made public by the data subject. In such cases, the processing is allowed provided that it is compatible with the purpose for which the data were made public. Nonetheless, the lawfulness of those processing activities always depends, in particular, on respecting the confidential nature of these data.
Specific processing purposes
The processing of personal data for journalistic purposes and for the purposes of academic, artistic or literary expression is subject to a lighter legal regime so as to avoid restricting such activities excessively. In particular, the law waives the data controller’s obligation to provide information and considerably limits the rights of the data subjects.
The law also provides for a derogatory regime for the processing of personal data for purposes of archiving in the public interest, scientific or historical research, or statistical purposes. In accordance with the GDPR, the law subjects such processing to appropriate safeguards.
Procedural aspects and sanctions
Procedurally, the law creates the possibility for data subjects to seek a cessation order in case of unlawful processing or to assert their rights, in particular their right of access and of rectification, their right to be forgotten, or even their right to restrict the processing. The data subject can also mandate a body, an organisation or an association to act on their behalf. As the case may be, such a cessation order may also be requested by the competent authorities. The judge adjudicating in such proceedings can order not only the termination of the breach but also publicity measures if they can contribute to the termination of the breach or of its effects. The judge can also order the data controller or data processor to inform third parties that they had access to data which are inaccurate, incomplete or irrelevant, or whose storage is forbidden. The judge can even be seized by an ex parte application if there are serious reasons to believe that evidence could be concealed, could disappear, or could be made inaccessible, and can order any measure to prevent such concealment, disappearance or inaccessibility.
Finally, the law provides for various administrative and criminal sanctions that can be imposed on the data controller or processor, or on their servants or agents.
* * *
Philippe Campolini and Charlotte Behets Wydemans
On 10 January 2018, the law of 3 December 2017 concerning the establishment of the Data Protection Authority was published in the Belgian Official Gazette. This law, reforming the current Commission for the Protection of Privacy, is one of the legislative efforts necessary to anticipate the entry into force of the European Union’s General Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR). As of 25 May 2018, all natural or legal persons, public authorities, agencies or other bodies which process personal data or organise such processing will have to comply with these new rules. What does this mean in practice?
This news item aims to provide the reader with an overview of the changes entailed by the GDPR and to give some insight into the measures necessary to comply with the new legislation.
Will I be affected by the GDPR?
The GDPR applies to the processing of personal data by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system. Certain exceptions and limited alterations set aside, the GDPR’s material scope of application is identical to the scope of the act of 8 December 1992 on the protection of privacy in relation to the processing of personal data. The latter is currently the reference legislative act in Belgium. In practice, this legislation is important for nearly all undertakings, if only for the management of personnel, clients and suppliers.
The territorial scope of the GDPR includes all undertakings established within the EU, as well as, in specific circumstances, all foreign undertakings that process personal data of individuals located in the EU. The fact that your business is established outside the EU does not necessarily entail that the GDPR does not apply to it.
The major changes brought by the GDPR do not relate to the scope of application of the rules, but to the obligations imposed on data controllers and their processors, as well as to the sanctions for non-compliance with this regulation.
Key changes and what to do in practice?
1) Currently, the processing of personal data is frequently based on the consent of the individual concerned (hereinafter: the data subject). However, this consent is not always obtained under conditions that guarantee consent of acceptable quality. Therefore, the GDPR provides for more stringent requirements for obtaining an individual’s consent. In the future, any company that bases the processing of personal data on the individual’s consent will have to check whether:
- the consent is obtained by a statement or a clear affirmative action (which precludes, for example, the use of pre-ticked boxes);
- the consent is freely given, specific, clear and unambiguous (meaning that the data subject was duly informed of the scope of his/her consent before giving it);
- the consent refers to a processing for one or several specific lawful purposes (general and broad phrasing is not allowed);
- it can easily demonstrate that it obtained the data subject’s consent (the data processor should, therefore, keep records of the consents).
The GDPR will also apply to personal data collected before its entry into force. Hence, all processing of personal data that was consented in a way that is not satisfactory to the new GDPR requirements should be regularised – meaning that the consent should be renewed in a way that meets the GDPR requirements.
- the lawful purposes and legal basis for the processing of personal data;
- the legitimate interests pursued by the data controller or by a third party when processing is based on such legitimate interests;
- as the case may be, the fact that the data controller intends to transfer the personal data to a country that is not an EU Member State, and the existence or absence of an adequacy decision from the Commission or, where applicable, a reference to the appropriate safeguards that are put into place to protect the data subjects;
- where processing is based on a data subject’s consent, the right to withdraw their consent at any time;
- the data subject’s right to lodge a complaint with the national supervisory authority;
- the period during which the personal data will be stored or, if not possible, the criteria used to determine the period of conservation;
- whether the provision of personal data is a statutory or contractual requirement, or necessary to enter into a contract, as well as whether the data subject is obliged to provide his/her personal data and the possible consequences of failure to provide it;
- the existence of automated decision-making, including profiling, and useful information about the underlying logic, as well as the importance and the foreseen consequences of such processing for the data subject.
3) The GDPR explicitly mentions the “right to be forgotten”, from which all data subjects will benefit. This right will empower the data subject to ask for the complete erasure of his/her personal data under certain conditions. Although this right of erasure already existed in embryonic form under Directive 95/46/EC and was confirmed by the ECJ’s ruling in the Google Spain case, it is given a prominent place in the GDPR. All data controllers will have to implement a procedure enabling them to respond in practice to a request for erasure “without undue delay”.
4) Every data controller shall set up a procedure to notify every recipient of personal data of all requests for rectification or erasure of such data, as well as of every restriction of processing, unless the provision of such information is impossible or involves disproportionate effort.
5) Regarding the data subjects’ rights, the creation of a right of data portability – which aims at the independence of customers in the online environment – is the GDPR’s most innovative addition. It gives a data subject, under certain conditions, the right to receive the personal data that he or she has provided to a controller in a structured, commonly used and machine-readable format, to transmit these data to another controller. Data controllers will have to take all appropriate technical measures to be able to act upon such requests.
6) The GDPR also establishes the foundations of data protection “by design” and “by default”. To respect these principles, the data controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data protection principles, such as data minimisation. These technical and organisational measures should also ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed. These principles will not only affect the content of products, websites or mobile applications that collect personal data, but also undertakings’ general business strategy. Therefore, this requires in-depth thinking by all data controllers.
7) Data controllers and processors established outside the EU which must comply with the GDPR requirements (because they offer products and services to data subjects within the EU or monitor individuals that reside within the EU) should designate a representative in the EU as a point of contact for national supervisory authorities and data subjects.
8) Another element of attention is the relationship between the data controller and the data processor. The GDPR defines the data processor as a natural or legal person, public authority, agency or another body which processes personal data on behalf of the controller. It provides for specific requirements that both future and existing outsourcing agreements for the processing of personal data will have to satisfy. These agreements should notably:
- define the subject-matter, duration, nature and purpose of the processing;
- define the type of personal data and categories of data subjects;
- mention that the processor ensures that the persons authorised to process the personal data have committed to respect the confidentiality of such data;
- include the appropriate technical and organisational measures that the processor shall take to ensure a proper level of security in light of the risk at hand;
- compel the processor to make sure that any subsequent processor implements the same technical and organisational measures;
- require the processor to delete or return the personal data to the controller at the end of the provision of services relating to the processing;
- make available to the controller all information necessary to demonstrate its compliance with the obligations laid down in the GDPR.
9) Every data controller should also keep track of the processing activities in a record containing the following information: the name and contact details of the controller; the purposes of the processing; a description of the categories of data subjects and of personal data; the categories of recipients to whom the personal data have been or will be disclosed, including transfers to third countries; the envisaged time limits for erasure of the different categories of data; a general description of the technical and organisational security measures.
10) In case of personal data breach, the data controller must, on some occasions, notify the breach to the national supervisory authority. When the breach is likely to result in a high risk for the rights and freedoms of natural persons, the data controller must also notify the data subject. Therefore, the data controller has to set up procedures ensuring that such notification is made within the mandatory terms of the GDPR (in principle, notification to the supervisory authority should be done within 72 hours of the personal data breach).
11) Where a type of processing is likely to result in a high risk for the rights and freedoms of natural persons, the controller shall, prior to the processing, assess the impact of the envisaged processing operations on the protection of personal data. When the assessment identifies a high risk for a certain type of processing, the data controller shall, prior to the processing, ask the national supervisory authority for advice.
12) Last but not least, under specific circumstances, undertakings will have to designate a data protection officer. This obligation applies when processing is carried out by a public authority or body, but also when the core activities of the controller or the processor consist of (i) processing which, by its nature or because of its scope and/or purposes, requires regular and systematic monitoring of data subjects on a large scale or (ii) processing sensitive data on a large scale (sensitive data are, for example, data related to health, sexual orientation, political opinions, ethnic origin or data related to criminal convictions or offences).
The GDPR substantially changes the powers granted to the national supervisory authorities and the applicable sanctions. Administrative fines can be imposed on infringers of data protection regulations by the Data Protection Authority. Their amount varies depending on the gravity of the infringement. For the most severe infringements, the administrative fines can reach up to EUR 20,000,000 or, in the case of an undertaking, 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Moreover, the Data Protection Authority is mandated to propose settlement agreements, give warnings and reprimands, order a controller to act upon a data subject’s request to exercise his/her rights, order changes to the processing of data, or temporarily or permanently prohibit the processing of personal data.
In evolving to a Single Digital Market, the use of consumer data becomes more and more important for service providers. With regard to financial institutions, exploiting payment data is of particular interest, not only to reduce costs and improve product quality, but also to offer new and innovative financial services and, in general, an increased customer experience. The access to and the control over such data is therefore crucial.
One of the ways by which the EU legislator wants to promote this is by mandating banks to “open up the bank account” to external parties. This is often referred to as the ‘access to account’ rule (‘XS2A’) which is for instance embodied in the revised Directive on payment services in the internal market (“PSD2”).
Also from a consumer’s perspective, Europe wants to further strengthen a person’s control over his or her personal data and support the free flow of such data. This is one of the goals of the new General Data Protection Regulation (“GDPR”), and in particular of the new “right to data portability”.
The GDPR applies from 25 May 2018. In order to bring further clarification for undertakings implementing it, the Working Party 29 (“WP 29”) recently published several guidelines. One concerned the right to data portability.
This article intends to give an overview of the most important points elaborated by WP 29 and, although the scope of this right concerns personal data in general, give particular attention to the portability of bank account information.
The main elements of data portability
Article 20.1 GDPR allows a data subject (e.g. a bank’s customer) “to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided”.
The goal is thus to provide a data subject with the capacity to obtain, reuse and transfer his or her personal data from one data controller (e.g. Bank A) to another (e.g. a third party payment service provider such as an AISP).
WP 29 specifies that, in order for a controller to fulfill its obligations towards data portability, technical measures should be implemented to enable such ‘transfer’. This could be done by providing the data subject with the possibility to download the data or, at the request of the data subject, by sending the data directly to the other provider.
As stated by the GDPR, the data should be provided “in a structured, commonly used and machine-readable format”. WP 29 does not give specific recommendations in this regard, except that, whatever format is chosen by the first controller, it should make the data interoperable and effectively usable by a second controller.
It is worth noting that exercising the right to data portability, and thus transferring personal data from one controller to another, does not mean that the ‘initial’ controller (e.g. Bank A) is obliged to delete the transferred data. Unless, for example, the data subject invokes the right of erasure (in accordance with article 17 GDPR), the controller is still allowed to retain the data for the initial retention period.
With regard to the receiving entity, it, as a data controller, shall of course have to process the acquired data in accordance with the provisions of the GDPR as well.
When does data portability apply?
As article 20.2 GDPR states, this right only applies to two types of processing: on the one hand, when the processing of the data is based upon the data subject’s consent and, on the other hand, when it is based upon a contract.
Moreover, the right only applies when it concerns processing ‘carried out by automated means’, thus excluding paper files.
Which personal data is concerned?
WP 29 sets forth three conditions.
First, the guidelines clarify that it only concerns personal data related to the requesting data subject. Anonymous data or data related to a third party are excluded. However, WP 29 emphasises that the latter should be interpreted pragmatically. For instance, the transaction history of a person’s bank account can in principle be transferred by the bank, even though the history will contain details about third parties (i.e. the sender or receiver of the transaction).
Second, the right is limited to the data provided by the data subject. In this regard, WP 29 points out that it should not be limited to data ‘actively and knowingly’ provided by the data subject, but should also include personal data generated by and collected from the activities of the users. How extensively the latter should be interpreted remains vague. What is certain is that ‘inferred’ or ‘derived’ data are excluded. This means, for example, that if a data subject wishes to transfer all his or her personal data from Bank A to an AISP, this covers all data the data subject actively provided to Bank A (e.g. contact details, data about the transactions made via the account) as well as the data generated by using the bank’s services (e.g. an overview of all bank transactions or location data). Other information the bank has derived from the usage of its services and the data provided thereby, for instance a profile containing information on the consumer’s solvency, the number of credit transfers executed to a certain person, etc., does not have to be provided by the bank.
Third, the rights and freedoms of third parties may not be adversely affected. This means the right should be exercised with respect for personal data concerning other data subjects. WP 29 gives as an example the transmission of a bank account history. If the data concerned are processed by the second controller for the same purpose (i.e. as ‘bank account history’), such processing does not give rise to any legal problems. This would however be the case if the data related to the third party were used for another purpose, such as marketing. The right to data portability should also be exercised with respect for data covered by intellectual property and trade secrets.
Some other obligations for the data controller
The GDPR explicitly obliges data controllers to inform data subjects about their various rights under the Regulation. Data subjects must thus be notified of the existence of their right to data portability and how it differs from other rights under the Regulation. This should be done at the time when personal data are obtained, but WP 29 recommends including such information before any account closure as well.
Furthermore, a controller is not allowed to charge the requesting data subject a fee, exceptional circumstances left aside.
Finally, a data controller should implement an authentication procedure in order to confirm the identity of the data subject requesting to exercise his or her right to data portability. This can be done, for example, by using passwords or a digipass, which are already common practice in the banking sector.
To conclude, the right to data portability is one of the means by which the EU tries to give a person more control over his or her personal data. As the European Banking Authority (EBA) recognised in its Discussion Paper on innovative uses of consumer data by financial institutions, allowing the portability of consumer data would significantly reduce the risk of “lock-in” with one single service provider and, as a consequence, foster competition. What the effects will be in practice, in particular in combination with the XS2A rule under PSD2, will be seen as of 2018.
For further information, please contact Simont Braun’s Digital Finance Team: email@example.com – +32 (0)2 543 70 80