ARTICLE
3 December 2025

"Specific" Data Protection Laws Adopted Under Article 6.3 GDPR: Key Points On Their Drafting

Timelex

Contributor

Timelex is a leading niche law firm specialised in the legal aspects of information technology (IT), privacy & data protection (GDPR), intellectual property, and media & electronic communications. Every day we strive to match law and innovation.

While we focus on the areas in which we excel, we also advise clients on various issues of general commercial and business law, such as distribution and franchising networks, commercial agency, unfair competition and market practices, consumer protection, product safety and product liability, general sales and purchase terms and conditions, etc.


In addition to the GDPR and national framework laws on the protection of personal data, many specific national laws impose or regulate certain data processing operations by public and private entities. These laws constitute the "legal basis" for processing within the meaning of the GDPR. Despite their abundance and the important source of obligations, rights and information they represent, there is little discussion of how they should be drawn up. Yet these laws must meet strict requirements. Drafting them often involves a delicate balancing act between, on the one hand, safeguarding the objectives of the GDPR and legal certainty and, on the other, the need to produce laws that are durable and sufficiently flexible. The quality of the drafting will be decisive for the subsequent implementation of the processing operations provided for therein.

This blog article provides an overview of the requirements and best practices in this area. It is aimed at public authorities and legislators who intend to introduce new data processing activities by public or private entities, as well as practitioners who would like to know more about these legal bases and how to deal with them.

The developments that follow are mainly based on experience gained in the drafting of Belgian legislation, but the principles set out should apply in a similar way throughout the Union, subject of course to the specific characteristics of each Member State.

1. When is a specific law required?

Article 6 of the GDPR sets out six legal bases for processing personal data. Most of these bases do not imply the intervention of the legislator, and therefore the existence of any law explicitly making the processing "lawful" within the meaning of the GDPR.

A private entity, or even a public entity, is therefore free to seek the consent of data subjects to process their data for specific purposes (Article 6.1.a of the GDPR).

Similarly, this entity may enter into contracts and invoke their performance to process data, for example employment contracts requiring the processing of workers' data (Article 6.1.b GDPR).

There is also a legal basis available where the processing aims to protect the vital interests of an individual, which is rarely used in practice (Article 6.1.d GDPR).

In addition, a private company is free to determine its "legitimate interests" and, provided it can demonstrate that the risks to data subjects are balanced, to process personal data for purposes in pursuit of its own interests (Article 6.1.f GDPR). In the latter case, the data subject must be informed, but in principle does not have to give his or her prior approval.

In all these cases, the legislator is under no obligation to intervene ex ante.

On the other hand, the legislator is required to intervene in two cases:

  • It wishes to impose a legal obligation on data controllers, whether private or public entities (Article 6.1.c GDPR). For example, the legislator wants to require private companies to send certain information to the tax authorities.
  • It wishes to entrust an entity (usually public, but sometimes private) with a task in the public interest or in the exercise of official authority, for which the processing of personal data will be necessary (Article 6.1.e GDPR).

Article 6.3 of the GDPR provides that processing operations intended to be based on Article 6.1.c or 6.1.e must be clearly and precisely defined by national (or Union) law (see Recital 41).

It should be noted that, for public bodies carrying out their tasks, the legitimate interests basis of Article 6.1.f is in principle not available (although this provision is generally considered to refer only to their tasks as a public sector body, and not to any ancillary data processing activities that they may undertake). Consequently, except in cases where it is possible to base processing on consent, performance of a contract or vital interest, a specific law will be required.

In practice, the processing carried out by public authorities is mainly based on a specific law.

2. Content of the specific law: "Essential elements" to be defined

When the GDPR came into force in 2018, the content and precision that such laws should embody gave rise to many questions. Many processing operations continued (and still continue today) to be carried out on the basis of laws predating the GDPR.

Today, the requirements for precision and the criteria to be met by such specific law have been greatly clarified by the supervisory authorities and the competent courts (Belgian Council of State and Constitutional Court).

First of all, Recital 41 of the GDPR states that a certain level of predictability is required and refers to the case law of the Court of Justice of the European Union (CJEU) and the European Court of Human Rights, which includes the extensive case law on interference with privacy.

Recital 45 of the GDPR then tempers this by specifying that each of the processing operations does not have to be individually defined.

It therefore follows from the GDPR that the objective, or ratio legis, of Article 6.3 GDPR is to ensure that processing carried out in the public interest or imposed by the legislator is sufficiently framed, without however requiring that such processing be described in minute detail (more on this below).

The Belgian Data Protection Authority ("APD") and the Vlaamse Toezichtcommissie ("VTC"), in close alignment with case law of the Belgian Constitutional Court and the Council of State, have taken the view, in their communications, opinions and decisions, that the following essential elements must be specified in a law that intends to permit the processing of personal data:

- the precise and specific purpose(s) of the processing;

Point of attention: Purposes and objectives are two different things, which are often confused - wrongly so.

- the identity of the data controller(s);

Point of attention: This requirement is not always as obvious as it might seem. Data protection authorities frequently request the controllers to be identified explicitly when the legislator seems to assume that their identities are implicitly clear. Moreover, although the entity or entities covered by the proposed law is/are generally known, it is also necessary to determine for what purposes they are responsible (and a contrario, where their responsibilities end).

A law which, upstream, simply states that an entity is "controller of the platform", without any further clarification of which exact processing activities are covered by this provision, is likely to be difficult to interpret downstream.

- the (categories of) data necessary to achieve the intended purpose(s);

Point of attention: It can be difficult to foresee, in advance, all the categories of data that may be collected, received or generated. It is necessary to find wording that covers all the data that may be processed, without being vague or encompassing any data whatsoever.

- the categories of data subjects whose data will be processed;

Point of attention: Some knowledge of the project is required to answer this question properly.

- the maximum data retention period;

Point of attention: This requirement can prove particularly arduous, especially as the law is not intended to list all the (sub)processing that will potentially be necessary. The authorities may in some cases accept general or maximum durations, or durations determined according to objective criteria.

- the (categories of) recipients to whom the data will be disclosed and the circumstances in which it will be disclosed, together with the reasons for doing so;

Point of attention: The recipients may not only be entities directly covered by the proposed law, but also other natural or legal persons who will need the data to achieve certain purposes (specific subcontractors, public authorities involved, etc.).

It may also be necessary to take account of the legislation already applicable to these entities in order to articulate the texts.

Future data exchange protocols between public institutions will be able to refer directly to these provisions.

- where applicable and to the extent necessary, the limitation of the obligations and/or rights referred to in Articles 5, 12 to 22 and 34 of the GDPR.

Point of attention: Such limitations will obviously be examined more closely, and with significant strictness on their necessity, by the authorities. It is therefore crucial to ensure that there is a need and an explicit justification to introduce them and to consider sufficient safeguards to meet the proportionality requirement of Article 23 GDPR.

Beyond these essential elements, the authorities are attentive to the technical and organisational measures contained in the draft specific law or its preparatory work, and to all other elements relevant to mitigating the risks for data subjects and protecting their rights.

More fundamentally, the authority will examine whether the data processing is not only possibly useful for the public interest objectives pursued, but actually necessary for achieving them (and therefore that no other means are available), and will assess the proportionality of the interference with citizens' rights in relation to the objective pursued.

To conclude on the content of the specific law, according to the data protection authorities, it is not enough to vaguely enumerate objectives and cite a few examples of processing operations, but rather to provide a framework for authorised processing operations and, ultimately, to guide data controllers who are covered by the law.

This last aspect should not be overlooked. Laws that are too vague, hastily drafted and adopted can considerably increase the workload of the entities concerned and their data protection officers, or even prevent certain processing operations from being carried out, and run the risk of providing inadequate protection for data subjects (notably due to a lack of legal certainty). In addition, the APD has already found infringements of the GDPR in relation to processing operations even though the specific law did not appear to preclude them.

Moreover, the rationale for these essential elements should not be overlooked. Their inclusion in the law is not merely an administrative procedural formality. Rather, they are a safeguard that aims to ensure that data subjects can reasonably determine what processing activities might be undertaken, and how those processing activities are likely to affect them. With that in mind, a certain degree of flexibility can be accepted when scoping or describing these essential elements, but only insofar as this does not undercut the legal certainty to which a citizen is entitled with respect to their fundamental right to data protection.

In any case, data protection authorities are paying increasing attention to these essential elements, as well as to the effect that the phrasing of the legislator has on the predictability and foreseeability of processing operations, when issuing opinions on draft laws.

3. Legal certainty vs. flexibility and efficiency

That said, it is not the intention to unduly restrict the scope of action of the entities in question, which must be given a certain amount of leeway in order to fulfil their missions and obligations. These entities remain responsible for the implementation of the processing necessary to achieve the purposes as well as for the methods used.

It is clear that the GDPR did not intend to remove entirely from data controllers the ability to determine how they process personal data. In a 2022 ruling, the CJEU pointed out the flexibility granted to data controllers, which – although it must be balanced with the rights of data subjects – "is necessary because of the unknowns in digital life". In fact, with the exception of the limitations that may be adopted by the national legislator under Article 23 of the GDPR, the GDPR and all its principles continue to have their full effect on data controllers, even when they base their processing on Article 6.1.c or .e. This freedom, and the choices and actions of data controllers that result from it, are accompanied by the GDPR principle of accountability and remain subject to the control of data protection authorities.

Consequently, it is not necessary, at the stage of drafting the law, to describe in detail all the processing and sub-processing operations hypothetically concerned. This will in fact be the role of the data controllers and, where applicable, their data protection officers.

It is rather a matter of defining the purposes for which the data is processed, the conceivable methods and the strict limits of the processing envisaged, taking into account the nature of the data processed and the risks for the data subjects. Once the law has been adopted in due and proper form, data processing that reasonably falls within the scope of this law may be carried out in order to achieve the intended purposes, with the principal rule of thumb being the extent to which an average data subject would have been able to deduce the processing activity on the basis of the phrasing in the law. This examination is the responsibility of the data controller. The APD has had occasion to state that for a public authority to be able to base a processing operation on a specific law entrusting it with a public interest task, it had to be reasonably inferable that the envisaged processing operation fell within that law and its purposes.

And with good reason: in a context of constant technological change, it is generally undesirable to set too rigid a limit on the possibilities open to data controllers. They need to be able to adapt their processing operations in order to effectively achieve their objectives. In particular, the platforms and IT solutions for exchanging data set up by legislators, for example as part of efforts to simplify administration and create a one-stop shop or to centralise health data, should be able to evolve – without, however, being used for purposes other than those laid down by the legislator.

It can therefore be argued that laws should remain, as far as possible, technology agnostic and leave some room for manoeuvre to the data controllers.

The preparatory work for the draft law, such as the explanatory memorandum and the comments on the articles, also has an important role to play in the drafting process and will help to clarify the provisions and guide the data controllers (and their processors).

In short, when drafting the specific law, it is necessary to strike a reasonable balance between legal certainty and flexibility, which will be possible as long as the drafter(s) have sufficient insight into the project, its implications and its technical aspects.

4. What type of law should the essential elements be included in?

Another question that arises is that of the nature of the legal instrument that incorporates the essential elements.

This question is not insignificant and is directly linked to the balance mentioned above: an executive order is easier to amend than an act emanating from the legislature, which enjoys a higher hierarchy within the legal system.

The APD has repeatedly taken the position that a "formal law" is generally required to comply with Article 6.3 of the GDPR - in other words, a regulation issued by the legislature. The APD bases its reasoning in particular on Article 22 of the Belgian Constitution relating to the right to privacy, the substance of which can also be found in other legal systems.

However, the APD accepts that, under certain conditions, processing operations may initially be provided for in a formal law and then further specified in an implementing order - in other words, an act issued by the executive power. Recital 41 of the GDPR recognises this possibility. The APD has had occasion to indicate which of the essential elements mentioned above could potentially be determined in such acts. The possibility of delegation nevertheless remains limited, just as in traditional Belgian administrative law.

These legal texts, issued by a parliament or a government, must or may be subject to an opinion from the data protection authority prior to their adoption, which will examine whether the essential elements appear to be sufficiently defined and accompanied by guarantees suitable to address the risks for data subjects. This process, the modalities and stages of which are determined by the authority in accordance with the legislation establishing it, takes place, where applicable, in parallel with the opinion procedure before the Legislation Section of the Belgian Council of State.

5. Is it necessary to carry out a DPIA when the specific law is being drafted? How can the drafting process best be prepared?

Take the time needed to carry out a DPIA, to save a lot of time afterwards

A Data Protection Impact Assessment (DPIA) must be carried out by the controller if the processing operation meets certain conditions set out in Article 35 of the GDPR. In principle, processing operations may not begin until the DPIA has been carried out and concluded that the risk level for data subjects is acceptable.

In contrast, the legislator is not obliged, at the stage of drafting the law, to carry out such an analysis. The GDPR does, however, explicitly consider this possibility, providing that if the legislator has performed a DPIA, the controller does not have to perform one again (Article 35.10 GDPR).

In fact, although it is not compulsory to carry out an impact assessment at the stage of drafting the law, it is strongly recommended to do so when the processing activities are likely to be considered sensitive or particularly innovative, or when they could create substantial risks to the rights and freedoms of the data subjects.

A DPIA makes it possible to gain an overview of the processing operations envisaged and the associated risks, the technical procedures, the data recipients, and so on. It will therefore be of invaluable assistance to those drafting the law.

Since, in practice, it will generally be the administrations concerned that draft the specific law, the DPIA can be drawn up by them, in conjunction with any other data controllers involved. Sometimes, the future controllers will be in the best position to propose a DPIA. The involvement of the various data protection officers is recommended. For some projects, the assistance of law firms is sought.

This first stage will enable any difficulties in the fundamentals of the project to be detected. For example, the principles of data minimisation and accuracy require the multiplication of personal data(bases) to be avoided. In a country with several levels of government such as Belgium, particular attention will often need to be paid to the articulation of technological solutions...

In addition, during the process of requesting an opinion from the APD, the authority will invite the drafters to submit all documents relevant to understanding the project and its context, and may ask the author of the text to provide clarifications. The DPIA will therefore be an important document supporting the project.

At a later date, the DPIA can be re-used by the data controllers covered by the adopted law, and updated if necessary.

Of course, it is not always possible to carry out a full DPIA at the stage of drafting the law, which takes place well before the processing operations in question are undertaken. This in no way detracts from its usefulness: a DPIA is in any case an iterative process.

The drafting of the specific law is above all a collaborative process

Whether or not a DPIA is carried out, sustained exchanges between the administrations in charge of the project, the political representatives of the government concerned (and the legislative body) are in practice crucial.

Generally speaking, the drafting process should not be carried out in isolation from the private or public entities that will actually be carrying out the processing.

Throughout the process, it is also important to ensure that the mechanisms put in place comply with public and administrative law, which imposes certain requirements that may overlap with those of data protection.

The drafting process will ultimately result in a draft specific law, together with the preparatory work (including the explanatory memorandum and commentaries on the articles and, where appropriate, a DPIA), which can finally be examined by members of parliament. The latter are, inevitably, often more distant from the concrete and technical aspects of the project, and will be able to comprehend the project all the better if its objectives and issues are properly set out - as is the case for all draft legislation.

Conclusion

The drafting of legislation providing for the processing of personal data, and the implementation of full-fledged platforms and new technological solutions, is a complex exercise. If carried out properly, it will enable compliant, future-proof processing.

Originally published 25/03/2025

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
