On 5 September 2018, the act of 30 July 2018 "on the protection of natural persons with regard to the processing of personal data" was published in the Belgian Official Gazette. The act of 5 September 2018 establishing the Information Security Committee was published on 10 September 2018. Both acts are part of the implementation of the General Data Protection Regulation (GDPR). 


On 5 September 2018, the act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data (the "Framework Act") was published. The Framework Act definitively repeals the Data Protection Act of 8 December 1992 and further implements certain aspects of GDPR. The Framework Act first sets out a number of general provisions for the implementation of GDPR. The impact of these provisions for companies is rather limited. Some of the new provisions include the following: 

  • the age of children for giving valid consent in relation to information society services is set at 13 years (article 7);
  • there is now an obligation to maintain a list of the names and capacities of persons processing health or criminal data (articles 8-10); and 
  • there is now an obligation to conclude a protocol when a federal authority shares personal data with another organisation (article 20). 

The Framework Act contains specific provisions for the police, intelligence and security services (Titles 2 and 3) and for the processing of, among other things, scientific research (Title 4). Finally, the Framework Act also regulates the legal remedies (Title 5) and the sanctions (Title 6). The Framework Act entered into force on 5 September 2018, except for the protocol obligation as stipulated in article 20, for which a transitional period of 6 months applies.

On 10 September 2018, the act of 5 September 2018 establishing the Information Security Committee was also published in the Belgian Official Gazette. This act provides for the creation of the Information Security Committee ("ISC"), an independent body designed to (partially) address the abolition of the sectoral committees of the former Privacy Commission pursuant to the act of 3 December 2017 establishing the Data Protection Authority. The ISC consists of a social security and health chamber and a federal authorities chamber (article 2, §2). It will deliberate on matters including certain communications of personal data within the Federal Government, transfers of data via the Crossroads Bank for Social Security and transfers of health data. In this way, the ISC will preventively verify whether the transfers are in accordance with the basic principles of GDPR. This act entered into force on 10 September 2018.