Belgium Privacy Impact Assessment Guidance Note

1. Laws

1.1. Laws and regulations

1.1.1. What laws and/or regulations apply to Privacy Impact Assessments?

In addition to the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR), the following national laws apply:

• the Law of July 30, 2018 on the Protection of Individuals regarding the Processing of Personal Data, which ensures the local law implementation of the GDPR (only available in Dutch here and in French here) (the Act); and
• the Law of December 3, 2017, establishing the Belgian Data Protection Authority (only available in Dutch here and in French here) (the Law establishing Belgian DPA).

1.2. Supervisory authority

1.2.1. Who is responsible for enforcing the laws and/or regulations and issuing guidelines?

The Belgian Data Protection Authority (Belgian DPA) is the main supervisory authority. Its decisions may be appealed before the Markets Court (which is a division of the Brussels Court of Appeal).

The supervisory authority for ensuring compliance by Flemish public bodies is the Vlaamse Toezichtscommissie (VTC).

1.3. Guidelines

1.3.1. Have any guidelines been issued on Privacy Impact Assessments?

Yes, the following guidelines were issued by the Belgian DPA:

• Data Protection Impact Assessment (DPIA) Guide, version 4.0, issued by the DPA on April 21, 2021 (only available in Dutch here and in French here) (the DPIA Guide);
• Decision 1/2019 on the list of processing activities for which a DPIA needs to be carried out, issued on January 16, 2019, by the General Secretariat of the DPA (only available in French here and in Dutch here);
• Recommendation 1/2018 on data protection impact assessments and prior consultation, issued on February 28, 2018, by the Belgian Commission for the Protection of Privacy (predecessor of the DPA) (only available in French here and in Dutch here);

Additionally, the VTC issued DPIA guidelines and a DPIA assessment tool specifically for Flemish public bodies (only available in Dutch here).

1.3.2. Has a Privacy Impact Assessment blacklist been released?

Yes, both at the level of the Belgian DPA and at the level of the VTC:

Belgian DPA

• Initial list: Recommendation 1/2018, issued on February 28, 2018, by the Belgian Commission for the Protection of Privacy (predecessor of the Belgian DPA) - Annex 3 (only available in French here and in Dutch here) (Recommendation 1/2018); and
• Updated list: Decision 1/2019 on the list of processing activities for which a DPIA needs to be carried out, issued on January 16, 2019, by the General Secretariat of the DPA (only available in French here and in Dutch here) (Decision 1/2019);

VTC

List applicable to processing by Flemish public bodies, issued by the VTC on January 14, 2020, and applicable since May 15, 2020 (only available in Dutch here) (the VTC Public Bodies List).

1.3.3. Has a Privacy Impact Assessment whitelist been released?

No. An unofficial draft whitelist was proposed by the Belgian Commission for the Protection of Privacy (predecessor of the Belgian DPA) in 2018 (see Annex 2 of Recommendation 1/2018), but never formally adopted.

1.3.4. Has a Privacy Impact Assessment template been released?

Not by the Belgian DPA. The VTC has published a template on January 5, 2022 (only available in Dutch here) (the VTC DPIA template)

To view the full pdf, click here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.