Belgian Companies: Are You Overlooking the Data Protection Officer Requirement?

In our previous article, we explained what Belgium’s new Private Investigations Law (WPO) means for companies and when the law applies. As we highlighted, the law’s scope extends well beyond professional detective firms. In fact, many common workplace actions now fall within the WPO.

The term “private investigation activities” is defined broadly. It includes any effort to gather information about individuals or events on behalf of a third party, such as an employer, with the aim of protecting that party’s interests in the context of an actual or potential conflict, or to trace missing persons or property.

We explained that if your company is planning on using external private investigators or creating an internal investigative unit, they will need to have a license issued by the Minister van Binnenlandse Zaken. That raises a key question: what does your company need to have in place to get that licence?

One key requirement: A DPO

Among the various licensing conditions, one stands out from a privacy perspective: your company must appoint a Data Protection Officer (DPO).
This requirement is part of Section 2 of the WPO (Vergunningsvoorwaarden), which outlines the full set of conditions for obtaining a permit; including compliance with social and tax law, a clean criminal record, and proper legal establishment under Belgian or EEA law. And critically, it includes the obligation to appoint a DPO.

In short: the DPO is not optional. Without one, either internal or external, your company cannot legally obtain a WPO licence.

The HR exception

As we mentioned in our first article, there’s one key exception to the licensing (and DPO) requirement in Article 43 WPO. Employers conducting internal investigations through their HR department do not need a permit/license or an investigator ID card, and as a result, they don’t need to appoint a DPO under the WPO.

However, this only applies if:

• The investigation is handled by members of the personnel department (HR), and
• It’s not part of a structured or dedicated internal investigation service.

That second point is key. If your organisation formalises these activities, meaning; sets up a compliance unit, a risk team, or any ongoing internal service that investigates, it does fall under the WPO’s licensing obligation. And that brings the DPO obligation right back in.

If your company sets up an internal service for private investigations — and as we now know, that term includes many common workplace activities — or if it offers investigation services to others, then the law is clear: you must have a licence issued by the Minister of the Interior.

In other words: most companies who go beyond casual HR reviews will now need a WPO-compliant licence, which includes a DPO.

We’re here to support you

At FIRST PRIVACY, we have extensive experience acting as external Data Protection Officers. We help organisations navigate both GDPR and WPO obligations; including assessing whether a DPO appointment is required under the WPO.

If you’re unsure or would like a second opinion, we’re happy to assist.

Feel free to get in touch!

Your contact persons:

Cihan Parlar
Managing Director
E-mail: cparlar@first-privacy.com
Phone: +31 20 211 7116

Manon Punie
Privacy counsel
E-mail: mpunie@first-privacy.com
Phone: +31 20 211 7262