Privacy in general

The processing of my personal data

Not a day goes by without us disclosing or transferring our personal data to someone, or better still, without our data being checked by others, used for a specific purpose, or maybe even selected and catalogued in databases.
Personal data includes:

  • a person's name;
  • a picture;
  • a telephone number (even a professional telephone number);
  • a code;
  • a bank account number;
  • an e-mail address;
  • a fingerprint;

Information and communication technologies have evolved rapidly, offering us many possibilities and numerous advantages. Using computers and the internet, companies but also the authorities are able to guarantee a better service and make our everyday life easier.

Using those technologies may, however, also jeopardise our privacy, as the data that is spread by means of technology is often personal. Databases or files containing personal data are created and sold. It is becoming increasingly difficult to know who has which data and what is being done with it. We no longer have control over our data. Consequently, there is a very great danger of abuse.

Since 1992, a Belgian act has ensured that your personal data cannot be processed just like that. The act in question is better known as the Privacy Act. The Belgian Privacy Act describes with great precision how and in which circumstances personal data may be processed or transferred. "Data processing" refers to any possible operation carried out on the data, such as collection, use, management or disclosure. A few examples:

  • a shop asking you to fill in an answer slip processes data;
  • a hotel offering online bookings also processes data when asking for your name, the dates of your stay and your credit card number.

The Privacy Act intends to protect citizens when their personal data is used. It establishes the rights and obligations of the person whose data is being processed, as well as the rights and obligations of the processor himself.

Before you read on, it is important for you to know that the Privacy Act is not applicable to the collection of data for purely personal or household use, which is the case, for example, for your personal electronic diary or your private address list. Journalists, authors and artists do not have to comply with all the rules set out in the Privacy Act either.

These web pages contain concise information about how personal data has to be processed, who may process them and for which purpose, and about the rights and obligations of the individual processing your data.

If you want to know all the details about the protection of personal data, we advise you to read the document "Protection of personal data in Belgium" or the Act of 8 December 1992 on the protection of privacy in relation to the processing of personal data.

Collection of personal data

A data processing operation starts with the collection of data. Before the data is collected, however, the controller has to notify the processing to the Commission. More information on this subject is available in the feature on notification.

Your data has to be collected fairly and therefore transparently. In other words, the person collecting your data, the controller, has to inform you about the processing.

The controller has to:

  • clarify why he wishes to obtain your personal data;
  • transmit his contact details to you;
  • let you know who your data will be disclosed to;
  • inform you about your right to access and rectify your data;
  • mention that you may object free of charge to the use of your data for direct marketing, e.g. commercial actions.

The controller must not:

  • say that he is aiming at one particular purpose when he has other intentions;
  • act without your knowledge (e.g. when you order a product on a website and have to disclose your personal data, the website has to include a section informing you about what will happen to your data. This section is usually called "Privacy Policy".)

Personal data may only be collected if it is necessary to achieve the previously announced purpose, and if it is relevant. A shopkeeper may, for example, ask for his customers' name and address in order to send them invoices or inform them about his commercial activities. He has no valid reason, however, to ask them for their date of birth or their profession.

The processor does not always have to contact you directly to obtain your data. He may also collect it from another person or from institutions or companies managing databases.

Two examples:

  • a general practitioner sends patient data to a specialist;
  • a company may ask a temporary employment agency to send them the curriculum vitae of potential employees with a specific profile.

Here, too, you have to be informed as data subject, unless you already know that your data was collected.

If it is impossible or if it would involve a disproportionate effort to inform the data subject, the controller is exempt from the obligation to inform you. He always has to justify this to the Commission, however, adding this justification to the notification he makes before the processing operation begins.

Establishing a purpose

The controller may only process your personal data (viz. collect, use, manage, disclose it) after having met a number of conditions. He must not collect and use your personal data without determining a specific purpose. The controller establishes the purpose at the beginning of the processing, determining all further activities. Based on this purpose the controller will decide:

  • which data he may process;
  • what he will do with it;
  • whether he may disclose it and to whom.

After that, he may only carry out the processing operations that help him to achieve this purpose and that are compatible with it. "Compatible" means consistent with what the Privacy Act stipulates about compatibility and with what you may reasonably (normally) expect. If the controller uses your data for other purposes that are incompatible with the original purpose, this is punishable.
For example:

  • a fitness club selling its membership list to a company offering diets;
  • an ophthalmologist transferring the names of his patients to a company specialised in selling contact lenses (he may, on the contrary, transfer his patient files to a colleague whose opinion he would like to obtain).

The controller may not establish just any purpose. It obviously has to be legitimate, meaning that there has to be a balance between the controller's interests and your interests as the data subject. For example: creating a file of individuals who are close to their sixtieth birthday in order to send them documentation about a funeral insurance "because it is time to think about this" is not a legitimate purpose. The disadvantage for these individuals undoubtedly exceeds the commercial interest of the person creating the file.

Once the controller has established a legitimate purpose, he also has to meet at least one of the following conditions. He may only process your data if:

  • you give your unambiguous, free and informed consent;
  • the processing is necessary for the performance of a contract you have entered into with the controller (e.g. a bank that has given you a mortgage loan);
  • it is required by law. An employer has the obligation, for example, to disclose certain data about his members of staff to a social security institution;
  • the processing is of vital importance to you, for example when medical data are collected about the victim of an accident to provide medical care;
  • the processing has to be carried out in the public interest. The Belgian postal service has the right to create a file containing address changes of its clients, so that it can continue to deliver letters after they have moved;
  • the processing is necessary for the promotion of the legitimate interests of the controller or any other individual, except if they are overridden by the data subject's interests.

Sensitive data

Some data are so delicate that they may only be processed in specific cases. Your name and address are rather innocent data, but this does not hold true for your race, health, political opinions, philosophical beliefs (religious or atheist, etc.), sexual preferences or your judicial past. The Privacy Act very strictly regulates the registration and use of those data.

The controller may process sensitive data relating to you (except for judicial data) if:

  • he has your consent in writing;
  • it is needed to provide you with a necessary treatment;
  • it is compulsory under employment law.

Political parties, congregations, trade unions, public health insurance and other institutions may obviously register and use their members' data. However, they must not disclose the data to other persons without the data subjects' consent. Judicial data (about suspicions, prosecutions and convictions) may be processed by a public authority if that is necessary for the performance of its duties.

There are also a number of other measures the controller has to respect when processing sensitive data. For a complete overview we advise you to read the document "Personal data protection in Belgium".

Quality of the data

The data itself also have to meet specific conditions. The controller has to ensure:

  • good quality of the data, in other words the data has to be precise;
  • confidentiality of the data. He must ensure that not just anybody can access and disclose the data;
  • security of the data. He must ensure that the data is not lost or stolen. The more sensitive the data, the higher the level of security has to be;
  • that he does not keep the data any longer than necessary to achieve his purpose. At the end of the processing operation, he therefore has to delete the data.

Your rights

As soon as your data is being processed, you have the right to:

  • be informed. You have to be warned that your data will be processed and why. The Act has established the information the controller has to provide you with;
  • ask the controller questions. You may ask him whether he holds data about you. He has to tell you which data he has about you and why, what type of data it is and who will receive it;
  • directly access your data. This means that you may stay informed about your data at all times. It is important to observe, however, that the right of access does not automatically mean that you are given a copy of the list you are registered in. The controller may also simply inform you (by letter and even on the phone) that he has data about you and which data is involved (e.g. your name and address, your phone number, your date of birth, …). Thanks to your right of access you know where the data comes from and how a certain decision was taken (for example why you were not granted a loan).
    To exercise your right of access, you have to write a letter or a fax to the controller and include a copy of your identity card, or send an e-mail with your electronic signature;
  • indirectly access your data. There is data you cannot access just like that, not even if it is your own. This is the case for data kept for the protection of national security, public security, defence or for preventing or punishing offences. In all those cases, if you wish to know whether data about you is being processed, you have to write a letter to the Commission and include a copy of your identity card. The Commission will then act as intermediary and access the data for you. Afterwards the Commission will inform you that it has checked the data and, if necessary, that it had your data modified, without disclosing the data itself.
    Data regarding your health may also be involved. You may access those directly, or the controller may ask an intermediary to do so for you, in order to prevent you from, for example, also accessing a family member's sensitive data;
  • rectify your data. If you have noticed that incorrect, incomplete, superfluous or prohibited data about you is in circulation, you may have it rectified or erased, or have the use of the data prohibited free of charge. If the controller has not remedied the situation within one month, you may submit a complaint to the Commission in writing;
  • object. You may always object to the use of your data, but you must have serious reasons for that. You cannot object to a processing operation imposed by a law or a regulatory provision. On the other hand, you may object free of charge and without any reason to the use of your data for direct marketing purposes;
  • not be subject to an automatic decision. It would not be a good thing if a certain decision about you only depended on a machine. That is why it is prohibited by law that a decision having far-reaching consequences for you is taken on the basis of an automatic data processing operation assessing certain aspects of your personality. This prohibition, however, is not applicable when a contract has been entered into, for example a loan or insurance, or in the case of an obligation under a law or a regulatory provision. You will nevertheless always have the chance to express your opinion;
  • submit a complaint to the Commission or to a court. If you are experiencing difficulties exercising your rights or if you have noticed that a controller does not respect his duties, you may submit a complaint to the Commission, which will try to mediate and come to an amicable settlement. The Commission will treat your complaint free of charge.
    If this attempt is unsuccessful, it may report the violation to the Procurator of the King or bring the case before a court. You may also do so yourself.

Your data are transferred abroad

If you require further details on this subject, we advise you to read the feature on "Cross-border transfers of personal data".

Also read our FAQ on privacy in general.