The GDPR and the Privacy Act both relate to the processing of personal data. The new European ‘law’, i.e. the GDPR, will eventually replace the obsolete Belgian law.

The five major differences between the two are listed below:

1.    The GDPR has a much wider scope of application

At territorial level, the GDPR applies as a regulation throughout the entire European Union (hereafter: ‘EU’). Moreover, even non-EU companies may come within its scope of application if they sell products or services to EU citizens. With respect to content, too, the same text – including its translation into the 24 languages of the EU – is the sole regulation that applies throughout the entire EU. There is hardly any margin for individual member states to depart from the European standard.

The Privacy Act, on the other hand, is – as its name suggests – an Act and applies exclusively in Belgium. However, the Privacy Act is a consequence of the 1995 European Directive, which ensures that the main points of data protection legislation are the same in content across the EU. But the differences were still big enough to induce the EU legislator to intervene in view of the free movement of data within the EU.

2.    More drastic sanctions

Under the Privacy Act, the monitoring authority (the Privacy Commission in Belgium) is completely ineffectual. But the GDPR will enable this authority to impose astronomical administrative fines of up to € 20,000,000 or 4% of the global annual turnover. In addition, this authority is currently being given more resources for effectively investigating and correcting situations, such as an option for conducting on-site investigations.

With effect from 25 May 2018, those concerned will also be able to submit complaints more easily against the party responsible for processing data and the data processor; after this date, this can also be done via a sort of ‘class action’.

3.    Data leaks

Under current legislation, there is no obligation to report data leaks to the Privacy Commission in Belgium unless you are a telecom operator. This state of affairs will change drastically when the GDPR enters into force. In the event of a data leak, you will have to report this within 72 hours, and in some cases you will also have to notify the relevant parties personally that their data has been leaked.

4.    The GDPR now targets sole suppliers (processors)

Although the Privacy Act only imposes obligations on parties responsible for processing data, the GDPR now targets sole suppliers as well. For example, a company that compiles your contact details in order to send you newsletters often outsources the actual sending of these newsletters to a marketing or communications agency. Pursuant to the GDPR, these agencies will also have to adhere to certain regulations such as guaranteeing data security.

5.    Appointing a DPO

The GDPR will create a new type of job, i.e. the Data Protection Officer (DPO; this has the somewhat laborious title of functionaris gegevensbescherming in Dutch). This person will be responsible for compliance with the GDPR at a certain company or government body. If you’d like to know whether you are obliged to appoint a DPO, you can use our handy DPO checker.
