In the summer of 2013, the Belgian Privacy Commission and Ministry of Justice concluded a Protocol Agreement which clarifies the rules and procedures applicable to data transfer agreements.
Submission of data transfer agreements
All data transfer agreements must be submitted to the Privacy Commission, which will verify whether the agreement adduces sufficient safeguards. Depending on whether the data transfer agreement is deemed to be in conformity with the EU model clauses by the Privacy Commission, a different procedure will be followed.
Data transfer agreements in conformity with the EU model clauses
Data transfer agreements are deemed to be in conformity with the EU model clauses in the following cases:
Data transfer agreements which are identical to the EU model clauses and which have been completed where required (e.g. name of the parties, types of personal data);
Data transfer agreements which only contain minor deviations compared to the EU model clauses (e.g. punctuation and translation), whereby these deviations do not affect the scope and meaning of the EU model clauses; and
Data transfer agreements which are embedded in a broader agreement and/or which contain other (commercial) provisions, to the extent they do not directly or indirectly contradict the model clauses and do not affect the fundamental rights and freedoms of the data subjects.
For these data transfer agreements, no royal decree authorisation is required. The Privacy Commission will examine the data transfer agreement and in case they consider the agreement is in conformity with EU model clauses, they will notify the requesting party thereof. As from the moment of receipt of this confirmation, the personal data may be transferred between the parties to the agreement.
The Protocol Agreement thus confirms the Privacy Commission’s existing practice for data transfer agreements based on the EU model clauses, and clarifies that the transfer cannot occur until the Privacy Commission notifies the requesting party of its confirmation that the agreement is in conformity with the EU model clauses.
Data transfer agreements which deviate from the EU model clauses
For data transfer agreements which are not (and cannot be deemed to be) in conformity with the EU model clauses, a more extensive procedure needs to be followed.
In each case where the Privacy Commission finds that the data transfer agreement is not in conformity with the EU model clauses, the Privacy Commission will inform the requesting party of the fact that a royal decree authorisation will be required. The Privacy Commission will provide the opportunity to modify the data transfer agreement so as to ensure conformity with the EU model clauses.
If the requesting party wishes to maintain its data transfer agreement without further changes, the Privacy Commission will evaluate whether the agreement provides sufficient safeguards with respect to privacy and fundamental rights and freedoms, based on the principles set out in the Protocol Agreement. It will inform the Ministry of Justice and the requesting party of its assessment. In case the Privacy Commission considers that sufficient safeguards are provided, it will provide the Ministry of Justice with a draft royal decree. The Ministry of Justice will only verify whether the procedures set out in the Protocol Agreement have been followed, and will not perform an assessment as regards content. The Ministry of Justice will provide for publication of the royal decree in the Moniteur Belge.