BELGIUM Law and Practice Contributed by: Benjamin Docquir and Margo Cornette, Osborne Clarke
These could be binding corporate rules, stand - ard data protection clauses as adopted or approved by the European Commission, etc. Based on the case law of the CJEU (Schrems I and II), data exporters are required to conduct a data transfer impact assessment. They must identify and implement supplementary measures to ensure that personal data transferred to a third country that has not received an adequacy deci - sion is given an essentially equivalent level of protection. Derogations In the absence of an adequacy decision for a specific third country or appropriate safeguards, it is still possible to transfer personal data to a third country or an international organisation, subject to one of the following conditions: • the data subject has explicitly consented to the proposed transfer after having been informed of the possible risks; • the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request; • the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject; • the transfer is necessary for important rea - sons of public interest; • the transfer is necessary for the establish - ment, exercise or defence of legal claims; • the transfer is necessary in order to protect the vital interests of the data subject or other persons, where the data subject is physically or legally incapable of giving consent; or • the transfer is made from a register that, according to EU or member state law, is
intended to provide information to the public and which is open to consultation. 5.2 Government Notifications and Approvals As mentioned in 5.1 Restrictions on Interna- tional Data Transfers , for a company to transfer data, an adequacy decision or other adequate safeguards are required. As many of these mechanisms have been approved before, no additional government notification or approval is required. However, in the event that the company invokes binding corporate rules, the latter must have been approved by a supervisory authority before personal data can be transferred to a third coun - try (Article 47.1 of the GDPR). 5.3 Data Localisation Requirements There are currently no specific data localisa - tion requirements in Belgium. However, the EU will introduce data localisation requirements as part of the European Health Data Space (EHDS) Regulation. 5.4 Blocking Statutes European entities can sometimes face repercus - sions in relation to the extraterritorial enforce - ment of unilateral sanctions by third countries. The EU considers that such enforcement is con - trary to international law and has implemented Regulation 2271/96, (the blocking statute) as a way of protecting itself. The blocking statute has been transposed into Belgian legislation through Law of 2 May 2019. The blocking statute prohibits European entities from complying with specific sanctions, prohibit - ing co-operation with the relevant third country’s authorities.
27
CHAMBERS.COM
Powered by FlippingBook