New Approval Process for Data Transfer Agreements in Belgium
The Belgian Privacy Commission and Ministry of Justice have executed a protocol that puts in place a new approval process for data transfer agreements (DTA). For customized DTA, it brings considerable improvement, but unfortunately it also adds a layer of administrative burden in relation to the use of the EU Model Clauses. The Protocol now acknowledges that it is sometimes justified for data exporters to make (some) changes to the EU Model Clauses. In order to facilitate this, the approval process has therefore been streamlined. But while this is a big step forward, at the same time, it is a big step backwards when it comes to the use of EU Model Clauses. Prior to the Protocol, no formal approval was required when the EU Model Clauses were used in an unaltered form. A data exporter simply had to submit a copy to the Privacy Commission when filing the notification. This has now changed. It has come to light that the Belgian Privacy Commission did not intend to increase the administrative burden for the use of EU model clauses. While the Protocol clearly uses the word 'authorizing', this should not be interpreted as introducing a formal authorization requirement, but rather as a confirmation given to the data exporter that the DTA used does indeed comply with the EU model clauses.