Frequently Asked Questions - Regular notification
Notification implies that controllers inform the Privacy Commission that they will carry out a personal data processing operation. Notification is not intended to request permission or authorisation, but only to notify a processing operation. A notification mainly consists of a description of the processing operation and can be consulted in the public register afterwards.
The notification has to be made by the controller, in other words by the person/organisation determining the purposes of and the means for the processing of personal data. The controller can be a legal person, a natural person, a public service, an un-associated organisation etc.
Sometimes the purposes are determined jointly by several controllers. They will then have to make a joint notification.
A data processing can be notified either on paper, or directly online. An instruction manual is available.
Several notification models can be used:
- a regular notification;
- a VIA/DPR notification;
- a notification of the encoding of personal data for historical, statistical and scientific purposes;
- a notification of a further processing of encoded personal data for historical, statistical and scientific purposes;
- a notification of a further processing of non-encoded personal data for historical, statistical and scientific purposes;
- a theme notification for the installation and use of a surveillance camera in a non-enclosed area;
- a theme notification for the installation and use of a surveillance camera in an enclosed area.
Please be advised that notification is only possible in one of Belgium's official languages.
The answerto this question is two-fold:
- I am a controller from an EU member State. I must make a notification in Belgium if:
- I have a permanent establishment on Belgian territory, and,
- the processing takes place in the context of the actual activities of this establishment.
- I ama controller with a permanent establishment outside EU territory. I must make a notification in Belgium if I use automated or other means on Belgian territory. A permanent establishment or a controller are considered as means. Means purely used to transfer data are not subject to this rule.
Yes, also as the processing operations aim at the same purposes or the purposes relato each other, and the controller is the same.
Yes, if the processing aims at different, non-coherent purposes.
No, a notification mainly consists of a description of the processing. As soon as data subjects know about a certain processing operation following consultation of the public register, they can exercise their rights addressing the controller holding their personal data.
The Privacy Commission sends a receipt within 3 days after it has received the notification..
If the notification is incomplete and/or incorrect, the Privacy Commission will inform controllers about this, requesting them to complete the notification.
If the notification is subject to an exemption the Privacy Commission will also infom controllers.
Within twenty-one days the Privacy Commission will then send you this information:
- your personal identification number (HM number);
- the identification number of your processing operation(VT-number);
- a copy of the notification;
- an invoice.
As a supervisory authority the Privacy Commission can always request additional information.
Finally, it will publish the notification in the public register.
No. You can choose your own password before you send the notification.
Both the password and the VT-number are necessary to change or delete a processing operation. A request for a lost or unknown password needs to be sent to the Privacy Commission by letter and not by fax or telephone, mentioning the e-mail address to which the answer has to be sent. For security reasons this request cannot be sent by e-mail, except when your e-mail address is already included in the notification that needs to be changed.
You can consult the public register. In this register you can find all the notifications that have been submitted to the Privacy Commission.
No. A notification is not intended to request permission or authorisation, but only to notify a processing operation. Except in very specific cases, authorisation is not necessary to start a processing operation of personal data in Belgium. Anotification mainly consists of a description of the data processing operation. Nevertheless, you have to submit your notification before you start the processing operation.
Manual processing operations do not need to be notified. A number of automated processing operations are also exempt from the obligation of notification. These exemptions can be found in the Royal Decree of 13 February 2001 implementing the Privacy Act, and refer to a number of fairly common processing operations such as personnel management, payroll administration, accounting, client and supplier management.
Other applicable legal provisions nevertheless still have to be complied with.
Finally, the obligation of notification does not apply to processing operations with the sole purpose of keeping a register required by law. The register must have the objective of providing the public with information and has to be publicly available. The Registry of Companies is an example of this. For more details, please consult our "Privacy Topics", more particularly the section on notification.
If several companies (and consequently their databases) merge and start operating under a new name, a new notification has to be submitted. For the original files, a so-called notification of termination will have to be submitted.
When a controller (A) who already submitted a notification to the Privacy Commission takes over a complete database from another controller (B) for the same purposes and to process the same data that controller (A) already notified (merging two databases), controller (A) does not have to take additional steps towards the Privacy Commission. Optionally, controller (B) will have to have his notification deleted if he terminates the data processing operation.