Formal procedure guidelines

To which formal procedures am I subject?

In general terms, processing that falls under article 11-1 of law n° 1.165 (processing relating to suspected illegal or unlawful activities, comprising biometric data, or implemented for surveillance purposes) is subject to an authorisation request to the Commission.
By default, or in the absence of other elements, all other processing is subject to either the simplified declaration or the ordinary declaration.
All processing compliant with a referenced Ministerial Order is subject to a simplified declaration. If the processing exceeds the scope of the Ministerial Order, or no Ministerial Order exists, the processing is subject to an ordinary declaration.
More specifically, processing relating to research in the field of health is subject to a legal advisory request, with the exception of processing in the field of biomedical research within the meaning of law n° 1.265 of 23 December 2002 relating to the protection of persons in biomedical research, which is subject to a legal advisory request, an ordinary declaration or an authorisation request depending on the specific case and the nature of the data controller.
Furthermore, processing implemented by natural or legal persons governed by public law, public authorities, organisations governed by private law entrusted with a mission of general interest or a concessionaire of public utility is also subject to the legal advisory request, with the exception of processing by private entities, which may be subject to the authorisation request in the cases set out in article 11-1 of law n° 1.165, amended.
Lastly, data transfers to a country that does not have an adequate level of protection are always subject to the authorisation request pursuant to articles 20 and 20-1 of law n° 1.165, amended, and shall be filed using the authorisation request form provided for such transfers.

To complete the file for the formal procedures, the following questions need to be answered:

Who is the data controller?

The person in charge of the processing, or 'data controller', is the natural or legal person, governed by private or public law, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the data processing and decides that it is to be implemented.

Who is the signing authority of the legal advisory request?

The signing authority is a natural or legal entity that is qualified and possesses the qualities to hire a natural person governed by the relevant public or private law.

What is the purpose of the processing?

The data controller determines the purpose of the data processing and the means used, and decides what will be done with the computerised file. The purpose must be predetermined, explicit and legitimate. Therefore, the data controller must establish the main purpose of the processing, that is, the principal reason for the file’s existence (for example, management of human resources, management of suppliers, management of contacts, and so on).

What are the practical purposes of the processing?

After the purposes have been determined, the data controller must list the different practical purposes of the processing. For example, for a file for managing human resources (staff management), the practical purposes may include: vacation management, career development, and so on.

Is the processing justified?

Pursuant to article 10-2 of the law, the processing of personal data must be justified:

  • by consent from the data subject(s), or;
  • by compliance with a legal obligation to which the data controller or their representative is subject, or;
  • by its being in the public interest, or;
  • by a contract or pre-contractual measures with the data subject, or;
  • by the fulfilment of a legitimate interest on the part of the data controller, their representative or the recipient, on condition that the interests or fundamental rights and freedoms of the data subject are not infringed.
This justification must be specified and detailed in the formal procedure.

Regarding the justification of specific processing

For the processing of sensitive and confidential data

Article 12 of the law forbids carrying out processing, whether automated or not, which reveals, directly or indirectly, political, religious or philosophical beliefs, trade union membership, racial or ethnic origin; or data in the field of health, including genetic data, data concerning the party's sex life, lifestyle or relating to social welfare measures.

This information can nevertheless be processed by natural or legal persons governed by private law where:

  • The data subject has freely given their written and express consent, in particular under Act n° 1.265 of 23 December 2002 on the protection of persons in biomedical research, except where the Act provides that the ban described in the first paragraph may not be lifted by the consent of the data subject. The data subject may, at any time, withdraw his or her consent and request that the data controller or user of the processed data destroy or delete their data;
  • The processing is in the public interest; for the processing described in Article 7, this applies where the processing has been decided by the competent authorities or bodies following a reasoned opinion issued by the Commission de Contrôle des Informations Nominatives (CCIN);
  • The processing pertains to the members of an ecclesiastical institution or a body with a political, religious, philosophical, humanitarian or trade-union aim, as part of company or association objects and for the purposes of its functioning, on condition that the processing relates solely to the members of the body or to persons who have regular contact with it in connection with its purposes and that the data is not disclosed to a third party without the consent of the data subjects;
  • The data processing relates to information that has manifestly been made public by the data subject;
  • The data processing is required for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of healthcare services and social welfare schemes, or in the interests of research and where such data is processed by a health professional subject to the obligation of professional secrecy or by another person subject to an equivalent obligation of secrecy;
  • The data processing is required in order to record, exercise or defend rights before the Courts, or to meet a legal obligation.
This justification must be specified and detailed in the formal procedure.

For data processing subject to the authorisation request procedure, the data controller must justify, pursuant to article 11-1 subparagraph 2, that the processing is required to fulfil an essential and legitimate objective and that the rights and freedoms provided for by the Constitution are preserved.

This justification must be specified and detailed in the formal procedure.


Who is the recipient of the processing?

To answer this question, it is necessary to identify the natural and legal persons who, in addition to the entity that operates the processing, receive the information contained in the processing.

These persons must be distinguished from the persons who have direct access to the database.

Is the processing secured?

The security of data processing is a major requirement of the law. This security covers every stage of the data's life cycle: their creation, use, protection, archiving and destruction; it also covers their confidentiality, authenticity and availability.

This is why the declaration addressed to the Commission must contain all supporting elements enabling the Commission to understand the security measures taken by the data controller:

  • System architecture;
  • Data flow schema;
  • Physical security measures;
  • Logical security measures;
  • Copies of contracts with past subcontractors (and so on).
To assist the data controller in describing the operation of the system and the relevant security measures, an appendix on security is provided. Complete the appendix and enclose it in the file together with the other supporting documents.