BELGIUM Law and Practice Contributed by: Benjamin Docquir and Margo Cornette, Osborne Clarke
5. International Considerations 5.1 Restrictions on International Data Transfers Transfers of personal data from Belgium to a country outside the EEA are regulated by Chap - ter V of the GDPR. No additional restrictions apply under Belgian law. General As the GDPR is a European instrument, all EU countries are subject to the same requirements. However, when personal data is transferred out - side the EU, the following rules must be taken into account to ensure that the level of protection of data subjects under the GDPR is not under - mined. The transfer of data outside the EU is subject to: • an adequacy decision of the European Com - mission (Article 45 of the GDPR); • appropriate safeguards (Article 46 of the GDPR), such as binding corporate rules; or • in the event of a specific situation, one of the derogations set forth in Article 49 of the GDPR. The European Commission has (so far) recog - nised Andorra, Argentina, Canada (commercial organisations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zea - land, the Republic of Korea, Switzerland and the United Kingdom under the GDPR and the Law Enforcement Directive (LED), and the United States (commercial organisations participating in the EU–US Data Privacy Framework) and Uru - guay as providing adequate protection. In the absence of an adequacy decision, data transfers outside the EU are still possible if appropriate safeguards have been enforced.
have been informed and given the right to object if necessary. The seller should make clear agreements about their liability and co-operation post-transfer, and ensure the buyer will process the data lawfully and in accordance with applicable legislation. Change of Data Controller in Asset Deal Once ownership is transferred, the buyer will be considered the new data controller for personal data related to the business operations. The business information is transferred at the time of ownership transfer – or at a later date, which is often the case – virtually or even physically. The originals of employment contracts, individual accounts, etc, must be transferred to the new employer, and contracts with customers and/or suppliers are transferred, as well as all relevant databases with personal data. Once this transfer has effectively taken place, it is the responsibil - ity of the new data controller to ensure GDPR compliance, provide all data subjects with prop - er information about their data processing and respect all their rights. Data Processing in a Transitional Services Agreement Post-transfer, the buyer and seller may contin - ue to collaborate. For example, the seller might handle payroll until the buyer finds a suitable provider. In such cases, the seller acts as a pro - cessor for the buyer. The reverse can also hap - pen, where the buyer handles complaints for the seller. A transitional services agreement should be made addressing data processing and ensur - ing necessary safeguards on the part of the data controller.
26
CHAMBERS.COM
Powered by FlippingBook