The Belgian Data Protection Authority (DPA) has taken the time to inform the public of the consequences of the GDPR. It has confirmed that in the first half year of GDPR application, not a single fine was issued, although it has noted that some investigations are already ongoing.
The Belgian Act on the protection of physical persons with regard to the processing of personal data (‘Data Protection Act’) came into effect on 5 September 2018. Under the Data Protection Act, employers from the private sector will, in principle, not be able to retain an extract from the criminal records of employees or job applicants, unless one of the exceptions applies. Nevertheless, the DPA has indicated in the past that where an exception does not apply, the employer can ask a candidate to show an extract from his or her criminal records voluntarily, but the employer cannot take a copy, take notes from it or retain it.
There is no case law on the GDPR in an HR context yet. However, many questions have arisen, such as the use of photos of employees and biometric data. The Belgian DPA has confirmed that in principle, the processing of such data requires the employees’ consent.
The question of the admissibility of evidence obtained in breach of an employee’s privacy has been examined by Belgian case law: the Supreme Court has limited the situations in which such irregularly obtained evidence must be excluded. We are now waiting to find out whether or not the GDPR will influence this case law.