To which formal procedures am I subject?
In general terms, processing that falls under the article 11-1 of the law n° 1.165 (suspected illegal or unlawful activities comprising biometric data or implemented for surveillance purposes) are subject to an authorisation request from the Commission.
By default or in the absence of other elements, all other processing are subject to the simplified declaration, or the ordinary declaration.
Are subject to a simplified déclaration, all processing compliant to a referenced Ministerial Order. If the processing exceeds the scope of the Ministerial Order or when no Ministerial Order exists then the processing shall be subject to an ordinary declaration.
More specifically, processing relating to research in the domain of health are subject to a legal advisory request. With the exception of all processing in the domain of biomedical research under the terms of the law n° 1.265 of the 23 December 2002 relating to the protection of persons in biomedical research, which are subject to a legal advisory request, an ordinary declaration, or an authorisation request depending on the specific case, and nature of the data controller.
Furthermore, processing implemented by natural or legal persons governed by public law, public authorities, organisations governed by private law entrusted with a mission of general interest or a concessionaire of public utility are also subject to the legal advisory request. With the exception to processing of private entities, may be subject to the authorisation request according to the assumptions developed by the article 11-1 of the law n° 1.165, amended.
Lastly, data transfers to a country that does not have an adequate level of protection are always subject to the authorisation request pursuant to articles 20 and 20-1 of the law n° 1.165, amended, and shall be instructed using the authorisation request form provided for such transfers.
To complete the file for the formal procedures, the following questions need to be answered:
Who is the data controller?
The person responsible for processing or 'data controller' shall be considered as the natural or legal entity, governed by private law or public law, public authority, agency or any other body which alone or jointly with others determines the purposes of the data processing and means used and decides that it is to be carried out.
Who is the signing authority of the legal advisory request?
Typically, the signing authority is a natural or legal entity that is qualified and possesses the qualities to hire a natural person governed by the relevant public or private law.
What is the purpose of the processing?
The data controller determines the purpose of the data processing and the means used and decides what will be done with the computerised file. The purpose must be predetermined, explicit and legitimate. Therefore, the data controller must establish the main purpose of the processing, that is, the principal reason for the file’s existence (for example, management of human resources, management of suppliers, management of contacts, and so on).
What are the practical purposes of the processing?
After the purposes have been determined, the data controller must list the different practical purposes of the processing. For example, for a file for managing human resources (staff management), the practical purposes may include: vacation management, career development, and so on.
Is the processing justified?
In application to the article 10-2 of the law, the processing of personal data must be justified by:
This justification must be specified and detailed in the formal procedure.
Regarding the justification of specific processing
Article 12 of the law forbids carrying out processing, whether automated or not, which reveals, directly or indirectly, political, religious or philosophical beliefs, trade union membership, racial or ethnic origin, or data in the field of health, including genetic data, data concerning the party's sex life, lifestyle or relating to social welfare measures.
This information can nevertheless be exploited by natural or legal persons governed by private law where:
This justification must be specified and detailed in the formal procedure.
According to the article 11 of the law, only the judicial and administrative authorities can implement processing within the limits of their missions:
The Commission is extremely vigilant as to how such categories of data are used. The Commission verifies systematically that the judicial and administrative authorities use these data appropriately especially with regards to public security within the limits of its missions.
For data processing relevant to the authorisation request procedure, the data controller must justify, pursuant to the article 11-1 subparagraph 2, that the processing is required to fulfil an essential and legitimate objective and that the rights and freedoms provided for by the Constitution are enshrined.
This justification must be specified and detailed in the formal procedure.
Who is the recipient of the processing?
To answer this question, it is necessary to identify the natural and legal persons who, as well as the entity that exploits the processing, receive the divulged information contained in the latter.
These persons must be differentiated from the persons who have a direct access to the database.
Is the processing secured?
The security of data processing is a major requirement of the law. This security addresses all forms of data processing related to their creation, their utilisation, their protection, their archiving or their destruction; it also covers their confidentiality, their authenticity, and their availability.
Which is why, the declaration addressed to the Commission must unconditionally contain all supporting elements to enable the Commission to understand the security measures that have been implemented by the data controller:
In order to assist the data controller with the description of his system’s operations as well as with the relevant security measures, an appendix on security is provided. Complete the appendix and enclose it with the other supporting documents with the file.