What is data processing?

"Data processing" means any operation performed on the data such as collection, use, management or disclosure.

A few examples:

  • a shop asking customers to fill in an answer slip processes data;
  • a hotel offering the possibility of online reservation also processes data if it requires guest names, the dates of their stay and their credit card number.

Information and communication technologies have evolved rapidly, offering many possibilities and numerous advantages.

Thanks to computers and the internet, companies as well as public authorities can guarantee a better service, and make our daily lives easier.

Using technologies can also jeopardise our privacy, however, since the data disseminated by new technologies are often personal. Databases or files containing personal data are created, used, disclosed and sold. Consequently, it is becoming ever more difficult to know who has which data and what is being done with them. We no longer have control over our data, and the risk of abuse has grown accordingly.

Since 1992 Belgium has had an act ensuring that personal data cannot be processed unconditionally, better known as the Privacy Act. The Belgian Privacy Act gives a very precise description of the way and the circumstances in which personal data may be processed or transferred. It establishes a framework for the use of personal data and determines the rights and duties of those whose personal data are processed, as well as of processors.

Before you continue, it is important to know that the Privacy Act does not apply when data are collected for purely personal or household purposes.

Examples are a personal electronic diary or a private address file. Furthermore, journalists, writers and artists are exempt from certain obligations imposed by the Privacy Act in the context of journalistic and artistic freedom.

A data processing operation starts with the collection of data. But prior to collection the controller has to notify the processing to the Privacy Commission. You can read more details about notifications in the corresponding theme section. Since notification is only possible in French or Dutch, you are kindly requested to consult the French or Dutch version of this section.

Data must be collected in all honesty and transparency, which means that the individual to whom the data relate (data subject) must be informed about the processing by the controller or a representative, if any.

Controllers must:

  • indicate why they wish to obtain the personal data;
  • provide their contact details;
  • inform data subjects who will receive their data;
  • mention that data subjects have the right to access their data and have them rectified; 
  • mention that data subjects can object free of charge to the use of their data for direct marketing, such as publicity campaigns.

Controllers must not:

  • say that they are trying to achieve a certain purpose whereas they have other intentions with the data collected;
  • act without the data subjects' knowledge. If the latter have placed an order on a website, for instance, disclosing their personal data in the process, the website must provide for a section mentioning what will be done with the data. This section is usually called "privacy policy". It is therefore important that data subjects read this section in advance.

Personal data may only be collected if they are necessary to achieve the purpose indicated and if they are relevant.

For example: a shopkeeper may ask for his customers' name and address for invoicing purposes or to inform customers about his commercial activities. He has no valid reason, however, to ask customers for their date of birth or profession.

Those who process data do not always have to address data subjects directly to obtain their personal data. They can also obtain the data from another individual or from bodies or companies managing databases.

Two examples:

  • a GP sends patient data to a specialist;
  • a company can ask a temporary employment agency to send them a list of the CV's of individuals meeting the desired professional profile.

However, the principle establishing that data subjects must be informed still holds.

If it is impossible or would involve a disproportionate effort, controllers are exempt from this obligation to inform data subjects, but they always have to justify this to the Privacy Commission adding the justification to their notification prior to starting the processing operation.