Health data in Belgium : What you need to know
When does Belgian privacy law apply ?
As a company established outside Belgium but making business in Belgium, you may ask yourself: does Belgian Privacy Act apply to me? And the answer is … Yes. More precisely, Belgian Privacy Act applies to you :
- if you offer goods or services to data subjects on Belgian territory, irrespective of whether it is connected to a payment;
- if you monitor the behaviour of data subjects on Belgian territory in so far as their behaviour takes place within Belgian territory.
It is also worth noting that, as a controller established within the Union, if you use a processor established within Belgian territory, Belgian Privacy Act applies to the processor, as long as the processing takes place within the Belgian territory.
If Belgian privacy law applies to your company, what does it mean regarding medical data ?
The previous legislation
Article 7 of the previous Privacy Act (1992) prohibited the processing of data concerning health, except in some enumerated cases. And when the process was permitted, it should only be carried out under the responsibility of a healthcare professional except in the case where the data subject had given his written consent about the absence of professional, or when the process was necessary for the prevention of a concrete danger or for the punishment of a specific criminal offence.
The new Privacy Act
Prohibition – As provided for in article 9 of the GDPR, processing of health data is still prohibited. This is because this kind of data is among the special categories of personal data. However, the prohibition does not apply in some cases (enumerated at paragraph 2 of article 9 of the GDPR).
No Belgian exception – Belgian law (30th of July) does not provide for specific exception. An amendment had been proposed concerning the processing of data concerning health by insurance companies. However, this amendment was finally withdrawn.
No more healthcare professional required but complementary measures – Regarding the processing of data concerning health, the requirement to use a healthcare professional is no longer included in the new Privacy Act.
But the new Act adds some complementary measures that must be taken by the data controller when processing genetic data, biometric data or health data:
- Drafting a list
- The controller or the processor must design the categories of persons having access to the data.
- The name of those persons must not be mentioned, but a clear description of their function in relation to the processing of the health data.
- This list must be at disposal of the Data protection authority.
- Confidentiality – The designated persons are required to respect the confidential nature of the data in question. It can be by a legal or statutory obligation, or by a contractual provision.
Check which European Member State law applies to your business.
If you are handling health data, it is very likely that you have to comply with local peculiarities and should ask for a local advice.
von Eléonore Colson