Is your company processing personal data on behalf of federal or Flemish government agencies or does it receive personal data from governmental bodies? Please continue reading

November 26, 2018 Blogger

Six months ago, the General Data Protection Regulation (GDPR) entered into force. If you thought that your efforts for privacy and data protection compliance ended there, you are unfortunately wrong…

 

The law of 30th July 2018 on the protection of individuals with regard to the processing of personal data is the Belgian Law that gives effect to the GDPR.

This law provides different rules for the Belgian authorities and the processing outside the scope of the EU. Moreover, with this law Belgium implements the open clauses from the GDPR.

 

Article 21 of this Belgian Law stipulates that “in implementation of article 37.4 of the GDPR, a private body that processes personal data on behalf of a federal government, or to which a federal government passes on personal data, needs to appoint a data protection officer if the processing of this data may involve a high risk as referred to in article 35 of the GDPR”.

When assessing whether the processing may involve a high risk to the rights and freedoms of natural persons, you should take into account the nature, scope, context and purposes of the processing and whether a new technology is used.

When processing personal data of a federal government agency, one can assume that there will often be a high risk, considering the sensitive nature of the personal data in the hands of that government.

 

In addition, Belgium has a Decree concerning electronic administrative data traffic (E-government decree of the 18th of July 2008), with specific rules on the protection of natural persons when processing their personal data, applicable to the Flemish government authorities. Every governmental organization processing personal data must appoint a DPO; this was already clear in the GDPR. Now, Article 9 of the Flemish Decree stipulates that, if a body relies on a processor, this processor also needs to appoint a data protection officer. This rule is applicable in every case, regardless of the level of risk.

 

For now, the Walloon Region is still silent on this matter. Considering both the federal and the Flemish rules, we could assume that the Walloon Region will follow these examples.

 

We can conclude that if you want to remain competitive in the government sector, you will need to appoint a Data Protection Officer.