Belgium: Non-public Investigation Act — The way it impacts your inner investigations

In short

Belgium’s new Non-public Investigation Act (PIA) was printed within the Official Gazette on 6 December 2024 (fr and nl), with most of its provisions having entered into drive on 16 December 2024. The PIA replaces the 1991 Belgian Act on Non-public Detectives with the purpose of modernizing the relevant authorized framework in gentle of latest investigation strategies and the applying of the Normal Information Safety Regulation (GDPR). With its broader scope of software – this laws is now additionally relevant to inner investigations – and the numerous further necessities it imposes, the PIA will undoubtedly affect many companies working in Belgium.

Contents

1. Is my firm affected?
2. What to concentrate to when finishing up inner investigations: predominant obligations
3. What are the dangers in case of non-compliance?
4. When is the Non-public Investigation Act relevant?
5. Subsequent steps

Many corporations working in Belgium might be affected by this new laws which not solely applies to personal investigations carried out by conventional exterior investigators, but additionally to inner investigations performed in Belgium. The PIA applies to inner investigation companies, specifically a service organised by a pure or authorized particular person for its personal wants so as to conduct personal investigation actions in a structural method, which implies that the personal investigation actions should be a part of the duties of at the least one affiliate. This contains investigation actions carried out inside the identical firm group.

Non-public investigation actions are outlined as actions carried out by a pure particular person on the request of a principal and consisting within the assortment and processing of data regarding pure or authorized individuals or relating to exact circumstances of information dedicated by these individuals. The purpose of personal investigations is to supply the data obtained to the principal so as to protect its pursuits within the context of a possible or efficient dispute, or of researching lacking individuals or misplaced/stolen items.

Sure actions are excluded from the scope of the PIA, for instance:

• Skilled actions of notaries, attorneys, bailiffs, journalists, auditors and statutory auditors.
• Actions and professions in search of particularly to determine, analyse and course of cybersecurity incidents.
• Actions performed on behalf of the principal within the efficiency of authorized obligations, resembling within the case of investigations within the framework of whistleblowing reviews or complaints regarding psychosocial dangers at work (carried out by the well being and security prevention advisor). Nonetheless, when the investigation outcomes are used exterior the mere execution of authorized obligations – which seems to be a troublesome line to attract in apply – the PIA is relevant.

The PIA imposes numerous onerous obligations to be complied with when conducting inner investigations, most significantly:

• License: personal investigation corporations and inner investigation companies should acquire a previous authorization or license from the Ministry of Inside to lawfully conduct personal investigations in Belgium. The license is granted for a renewable interval of 5 years. This requires to have a prison document clear from particular prison offences, bear particular coaching and be a nationwide of and have one’s predominant residence within the European Financial Space (EEA) or Switzerland (or within the UK for personal investigators).
  Word that an exemption to the license requirement exists for inner HR departments which conduct personal investigations for the wants of their employers, within the context of “incident investigations” – an idea that isn’t outlined – in opposition to staff. Whereas HR departments should not be licensed by the Ministry of Inside on this case, they have to however adjust to the opposite necessities of the PIA.
• Inside laws/coverage: inner investigations can solely be initiated by an employer in opposition to its staff, offered that an inner regulation or coverage offering clear and clear info relating to the permissibility and modalities of investigations has been carried out. Firms have till 16 December 2026 to implement such inner laws or coverage.
• Mission assertion or mission register: earlier than the beginning of any investigation, a written mission assertion should be entered into between the principal and the agent, which should point out the scope of the mission, its function and period along with different necessary info enumerated by the PIA. For inner investigations, if the personal investigator is employed by the principal, as a substitute of a mission assertion, the personal investigator should maintain an updated mission register with numerous particular info necessities and hold it for 5 years.
• Investigation report: the agent should present the principal with a written investigation report (with sure necessary contents) on the newest inside one month from the final investigation act carried out.
• GDPR and privateness obligations: sure particular fields of investigation are explicitly prohibited (e.g., investigations into the political, spiritual or philosophical convictions, racial or ethnic origin, and many others. of the particular person beneath investigation). Moreover, the PIA requires prior consent of the particular person beneath investigation for particular fields of investigation (e.g., investigation into an individual’s familial, monetary or skilled state) and investigation strategies (e.g., interviews). Moreover, in case the principal needs to make use of the data and private knowledge contained within the investigation report, it should inform the agent in writing inside 30 days from receiving the report. The agent should subsequently present the individuals investigated and another individuals identifiable within the report with particular necessary info in writing, together with on their proper of entry, rectification and erasure. The principal might not use the data contained within the investigation report till the individuals investigated and another identifiable individuals have been knowledgeable and been given the chance to train their rights.
• Authorized help: interviewees might request the help of an individual of their alternative (e.g., lawyer, commerce union consultant) throughout interviews.

Non-compliance with the PIA can provide rise to a spread of sanctions:

• Administrative sanctions, together with the non-deliverance, suspension or withdrawal of the license and administrative fines of as much as EUR 25,000.
• GDPR sanctions, together with administrative fines of as much as EUR 20 million or 4% of the overall annual worldwide turnover.
• Nullity of proof gathered in contravention with particular provisions of the PIA, which can thus not be upheld in court docket. That is notably the case the place the personal investigation is performed with out the required license or the required inner laws or coverage (as of 16 December 2026), issues prohibited fields (see above) or entails info or proof that the personal investigator (knew or must have recognized had been) obtained unlawfully.

The above is with out prejudice to prison sanctions which may be imposed.

The provisions of the PIA are relevant since 16 December 2024, with the next exceptions:

• A sound request to acquire a license should be submitted by personal investigation corporations and inner investigation companies that, on 16 December 2024, legitimately carried out personal investigation actions inside six months from the entry into drive of the PIA, i.e., by 16 June 2025.
• Workers of the stated personal investigation corporations and inner investigation companies have 18 months after their firm obtained a license to bear the required coaching and acquire a license card.
• The inner laws or coverage should be carried out inside two years from the entry into drive of the PIA, i.e., by 16 December 2026.

The PIA will undoubtedly have a big affect on many companies working in Belgium, which have to re-consider their inner investigation processes in gentle of the brand new necessities it imposes, making an allowance for the prevailing privateness and GDPR necessities, specifically these relevant to the session of staff’ e-mails and different digital communications.

Don’t hesitate to succeed in out to Baker McKenzie Brussels’ specialists for help in assessing the affect of the PIA in your present inner investigation processes and in implementing the required documentation and insurance policies.