The Privacy Act regulates the registration and use of sensitive data very strictly.
In principle it is prohibited to collect, register or ask for the disclosure of the abovementioned sensitive data. Nevertheless, there are a few exceptions to this rule. Controllers may process sensitive data (excluding judicial data) if:
- the data subjects have given their written consent;
- it is necessary to provide care to the data subject;
- it is compulsory under employment law or with a view to the application of social security;
- the data subjects themselves have made the data public;
- it is necessary to establish, exercise or defend a right;
- it is necessary for scientific research.
Political parties, congregations, trade unions, healthcare institutions and other bodies may obviously register and use their members' data. They must not transmit the data to others, however, without the data subjects' consent.
Judicial data (regarding suspicions, prosecutions and sentences) may be processed by a public body if this is necessary for its missions. Such data may also be processed if it is allowed by legislation or regulations, or if the controllers need them to manage their litigations.
Furthermore, there are a few additional measures controllers have to observe when processing sensitive data. For a complete overview we suggest you consult the document "Protection of personal data in Belgium".
- In general
- Theme sections
- Sensitive data
- Information security
- Data quality
- The different rights
- Cross-border transfers