Belgium Addresses Pitfalls for International Data Transfers

Privacy in Germany


Belgium has gone to great lengths to adopt a comprehensive framework for international personal data transfers based on the safeguards of Binding Corporate Rules (“BCR”) and contractual clauses. As of 2011, the data protection authority (“DPA”) of Belgium, the Commission for the Protection of Privacy, together with the Belgian Ministry of Justice (the “Ministry”), concluded two protocols to streamline the approval process based on these two solutions. Although not exempt from criticisms, the protocols are welcome improvements overall. They increase legal certainty and reduce formalism for companies seeking to implement a compliant contractual transfer solution.

In this paper, following an introduction on personal data transfers under Belgian law and the main reasons for the protocols (Section I), we analyse the protocol for Binding Corporate Rules (Section II) and the protocol for contractual clauses (Section III). We examine the protocols from a substantive and procedural perspective, providing practical insights based on our experience. We also consider developments of these safeguards under the data protection reform (Section IV) before providing some conclusions (Section V).




Unsolicited e-mails and information sent to Morrison & Foerster will not be considered confidential, may be disclosed to others pursuant to our Privacy Policy, may not receive a response, and do not create an attorney-client relationship with Morrison & Foerster. If you are not already a client of Morrison & Foerster, do not include any confidential information in this message. Also, please note that our attorneys do not seek to practice law in any jurisdiction in which they are not properly authorized to do so.