The Belgian UBO-Register in light of the privacy legislation
What is the UBO-Register?
The Belgian UBO-Register is a national database that organizes and structures adequate, accurate and up-to-date information regarding Ultimate Beneficial Owners (hereinafter referred to as the “UBOs”) of corporate or other legal entities incorporated in or operating on the Belgian territory. By 30 September 2019 all Belgian corporate or other legal entities are obliged to identify their UBOs and upload the required information in the Belgian UBO-Register.
Is the UBO-Register necessary?
The obligation to create an UBO-Register in each Member State of the European Union results from the Fourth Anti-Money Laundering Directive 2015/849 of 20 May 2015 (hereinafter referred to as the “Directive”), which has been transposed into Belgian law by means of the Law of 18 September 2017 for the prevention of money laundering and terrorist financing and for the limitation of the use of cash (hereinafter referred to as the “Law”) and the Royal Decree of 30 July 2018 regarding the operating modes of the UBO-Register (hereinafter referred to as the “Royal Decree”).
The UBO-Register is established as a tool in the combat against money laundering and terrorist financing. The institution responsible for the UBO-Register in Belgium is the General Administration of the Treasury of the Federal Public Service Finance.
Collection of personal data by the UBO-Register
It goes without saying that a lot of personal data regarding the UBOs (being always a natural person) will be processed in light of the UBO-Register. The UBO-Register will receive, amongst others, the identification details, including the identification number of the National Register of the UBOs.
Therefore, the implications under the Law, the Royal Decree and the General Data Protection Regulation 2016/679 (hereinafter referred to as the “GDPR”) as well as two advices which were published by the Belgian Privacy Commission (currently the Belgian Data Protection Authority, hereinafter referred to as the “Belgian DPA”) deserve a closer look.
Data protection obligations imposed by the Royal Decree
As stated above, the UBO-Register will process a lot of personal data. Therefore, corporate and other legal entities will need to comply with the principles imposed by both European and national privacy legislation when identifying and registering their UBOs.
In accordance with the obligations imposed by the Royal Decree, corporate and other legal entities will need to inform the UBOs on a durable medium about:
- the obligation to communicate the information regarding the UBOs as mentioned in the Royal Decree (i.e. identification details and certain other information regarding the UBO);
- the registration and storage of this (personal) data in the UBO-Register;
- the name and address of the department within the General Administration of the Treasury entrusted with the management of the UBO-Register;
- the possibilities for the entities and persons listed in the Royal Decree (i.e. competent authorities, obliged entities, citizens, etc.) , to access the UBO-Register;
- their right to be informed about the (personal) data that are registered in their name;
- their right to rectify and erase the data that are registered in their name;
- the retention period of ten years;
Moreover, the General Administration of the Treasury will inform the UBOs about their registration in the UBO-Register and provide them with the information that is registered in their name. Besides that, the UBOs can directly, or via the General Administration of the Treasury, request free of charge to rectify or delete any inaccurate data that is registered in their name. The corporate or other legal entity will also be obliged to rectify or delete any inaccurate data concerning the UBOs and notify these changes without delay to the UBO-Register.
Interpretation and advice of the Belgian DPA of the Belgian UBO-Register
The Belgian DPA already identified in its advice of 24 May 2017 an issue with article 74, §1 of the Law which stipulates that “the UBO-Register has as its purpose to make available sufficient, accurate and up-to-date information regarding the UBOs […]”. It is clear that this provision does not provide for a sufficiently precise demarcation of the finality / purpose of the processing of the personal data in light of the UBO-Register. Consequently, the Belgian DPA recommended to determine the essential elements (i.e. the processed personal data, the purposes of the processing and the possible recipients of the personal data) regarding the UBO-Register more clearly.
In its advice of 23 May 2018 the Belgian DPA reviewed and commented upon the Royal Decree, which determines the aforementioned essential elements, and expressed a favorable opinion with minor remarks. More specifically, the Belgian DPA discussed the below mentioned matters more in depth.
- Identification of Data Controller
The General Administration of the Treasury, who is responsible for the Belgian UBO-Register, is specifically identified by the Royal Decree as data controller. Besides that the corporate and other legal entities who have to identify their UBOs shall act as data controller in this respect as well in order to comply with the obligations of the Law and the Royal Decree.
- Purpose and lawfulness
The processing ground of general / public interest is confirmed in the Law since the personal data regarding the UBOs will only be processed in light of the prevention of money laundering and terrorist financing.
- Proportionality
The information regarding the UBOs to be collected and uploaded in the UBO-Register is listed in an exhaustive way in the Royal Decree. The required information generally concerns identification details and details regarding the category of UBO and the participation of the UBO in corporate and other legal entities. The information regarding the UBOs is considered to be proportionate in light of the identification and verification of the UBOs.
- Retention period and technical and operational measures
The personal data contained in the Belgian UBO-Register will be retained for ten years counting from the day on which the corporate or other legal entity loses its legal personality or definitively terminates its activities.
- Rights of the data subjects
Besides the already mentioned right to provide the required information as set out under the Royal Decree, a request can be filed in order to limit the access to the information in the UBO-Register regarding minor UBOs, UBOs with a legal incapacity or in the event of a disproportionate risk of, for example, fraud, blackmail, extortion or kidnapping.
For sake of completeness, the reader will note that all rights that are generally granted under the GDPR remain applicable to all involved parties, including but not limited to, the data controller, data processor and UBOs. However, since the UBO-Register has been created in light of a matter of general / public interest, the rights of a data subject (i.e. UBOs) under the GDPR (such as a.o. the right to be forgotten) shall be limited.
Sanctions
In case of any violation of the principles of the GDPR, administrative fines can be imposed on the corporate and other legal entities by the Belgian DPA to the amount of 2% or 4% of their annual worldwide turnover.
Besides that, the Law provides for criminal fines going from 50 EUR to 5.000 EUR (to be multiplied by 8) and administrative fines going from 250 EUR to 50.000 EUR to be imposed on managers / directors of the corporate or other legal entities not complying with the specific UBO-obligations of the Law and the Royal Decree.
Therefore, make sure to consider the aforementioned obligations and to reach out to us for further updates on this topic or for advice or assistance on this matter.