The private investigation law

On Dec. 16, 2024, the law regulating private investigation into force, replacing the law of July 19, 1991 regulating the profession of private investigator. This revision reforms the legal framework for private investigators in Belgium.

Our lawyers have in-depth knowledge about the new legislative framework on private investigation. Below we discuss the important elements of this new law.

Background and need for the new law

The Private Investigation Act was introduced to modernize the outdated Detective Act of 1991. The legislature saw a need for revision for several reasons:

1. Technological progress: The existing regulations were not adapted to the latest developments and technologies in private investigation.
2. Imbalance in regulation: Public investigators (such as police departments) are increasingly subject to stricter rules (BIM/BOM, Salduz, Franchimont), while the rules for private investigators lagged behind in this area.
3. Data Protection: The General Data Protection Regulation (AVG/GDPR). required better protection of personal data within private investigations.

Scope

Definition of private investigation

The law defines private investigation as activities that meet the following cumulative conditions:

1. Performed by a natural person: Investigative activities are performed by a physical person (the assignment holder). The assignment holder can be either an external party or a company's own internal department.
2. On behalf of a client: The assignment holder performs detection activities on behalf of a client.
3. Intelligence gatheringIt concerns the collection of information obtained by processing information on natural or legal persons or concerning the facts committed by them.
4. Objective: The purpose of the activity is to provide collected intelligence to the client in order to safeguard its interests in the context of an actual conflict or potential conflict or to locate missing persons or lost or stolen property.

Exclusions

The law provides for a number of activities that do not fall within the scope of the Private Investigation Act. These include:

1. Activities of notary, lawyer, bailiff, journalist, corporate auditor, statutory auditor. Also, the activity of the (internal) auditor is excluded to the extent that no information about persons is collected with the purpose of clarifying facts undesirable to the principal.
2. The activities of a expert appointed by a judicial authority (e.g., a judicial expert appointed by the court).
3. The occupations in which the mere activity of information collection is done exclusively from the data subject him or herself (e.g., a surveyor).
4. Activities of public service officers and agents.
5. Provision of public administrative or financial information on individuals and credit analyses based on them.
6. Insurance claim settlement (e.g., technical experts), provided there is no investigation of fraud.
7. Regulated financial operations subject to specific financial supervision.
8. Activities and occupations specifically aimed at identifying, analyzing and handling cyber security incidents.
9. Activities exercised on behalf of the principal in execution of legal obligations or orders that do not pursue private investigation as their own goal, but are merely an inference from these obligations and assignments (e.g., prevention advisor, whistleblowing officer), provided that the results are not used further outside of these obligations or assignments.

What are the conditions for being allowed to conduct private research?

Obligations for assignment holders

Contract holders must have a permit obtained from the FPS Interior. The permit requirements are:

• Company must be incorporated under the laws of Belgium or an EEA country.
• Company must meet social and tax obligations.
• Company under the form of a legal entity (such as a BV, NV, VOF, ComV) must not have been criminally convicted.
• A Data Protection Officer (DPO) must be appointed.
• The manager of the company must not be subject to a professional ban

The executives of the assignment holder must meet a number of conditions. For example, they must be over 21 years of age, not have a criminal conviction, not be a member of a police or security force, etc.

The obtained permit must be stated in all documents (website, invoices, letters, announcements, etc.). Those in charge of the assignment holder as well as the private investigators themselves should have a identification card to dispose of.

Companies doing private investigation may no other activities exercise (other than providing safety advice).

Importantly, an assignment holder must henceforth verify that the principal has a legitimate interest has. This legitimate interest must also be described in the assignment document. An assignment holder must refuse an unlawful assignment (e.g., conducting investigations to falsely accuse, extort, or stalk someone).

What about members of a human resources department?

Employers may also have to their human resources department directing private investigation activities to be carried out at the expense of one of the employees under a incident investigation (e.g. viewing camera footage, questioning colleagues, reading badge readers, etc).

Staff members are exempt from the requirement to apply for a license and have an identification card. However, they must comply with the rules applicable to research methods.

Obligations for employers who are principals

Employers who wish to conduct private investigations of their employees can only do so if they have a "regulations" (e.g., a policy) that explicitly and transparently provides for the authorization and modalities of this investigation. Employees must have been informed of these regulations in advance.

These regulations are due no later than by December 16, 2026 to have been prepared.

How should a private investigation be conducted?

The law places explicit restrictions on research methods and requires that private researchers cannot go beyond what is legally permissible for ordinary citizens in their activities. This prohibited actions are:

• No use of methods and means of coercion exclusively reserved for police and security forces.
• Prohibition from entering non-public places without written permission from the manager of that place.
• Prohibition of surveillance in homes, private places and in all places where individuals have a legitimate expectation that their privacy is protected there (fitting rooms, hotel rooms, bathing rooms, restrooms, relaxation establishments, school, factory, hall where a private party takes place, etc).
• Giving the impression during an interview that the interviewee cannot answer freely.
• Prohibition of provocative techniques and ruses (such as impersonating another profession).
• No consultation of personal data that is not publicly available.
• Prohibition on use of information obtained through felony or unlawful means.

In addition, strict transparency obligations:

• Interviews, confrontations and reconstructions require the person's prior written consent.
• Affected persons should be informed extensively that they are not required to respond and are entitled to a copy of any interview recording.
• Consent given must comply with GDPR requirements.

Before the examination begins, a written research paper be drawn up detailing the assignment and its legitimate purposes. This document must be signed by both parties. For internal investigations, an internally maintained assignment register is sufficient. Each investigation additionally requires a detailed investigation file, in which all steps and findings are recorded chronologically. This file can be consulted by the controlling government authorities. No later than one month after the last investigative act, a written final report delivered to the client.

Personal data obtained during the study may be used only for the specific study and must be confidential remain. It is prohibited to use information from an investigation file in another file to avoid conflicts of interest.

Processing of personal data

Given the nature of private investigation activities, the processing of personal data is unavoidable. The law therefore imposes specific obligations regarding data protection in order to comply with the General Data Protection Regulation (GDPR).

Controller

The law designates the following parties as processors of personal data:

• Enterprises and internal private investigation services are responsible for the personal data they collect, analyze, process, store and report.
• Contractors are responsible for the personal data they report to the client.
• Principals are responsible for personal data provided to the assignment holder prior to the investigation as well as further processing after receipt of the report.

These parties are to be considered joint controllers of processing and should document in writing their respective responsibilities and obligations under the AVG/GDPR.

Mandatory appointment of Data Protection Officer (DPO)

Every company or internal private investigation service is required to appoint a DPO. This DPO can be appointed internally or externally and must monitor compliance with the AVG/GDPR and the Private Investigation Act, advise and inform on precautionary and control measures and monitor compliance etc..

Permission

In certain situations, the law requires private tracking express consent from data subjects. This consent must meet the AVG requirements: free, specific, informed and unambiguous. Consent must be in writing after explicit information about the purpose of the investigation and the identity of the party to whom consent is being granted.

Prohibited research areas

Research in certain sensitive areas is explicitly prohibited under penalty of nullity, including:

• Political views
• Religious, philosophical or philosophical beliefs
• Membership in a union or health insurance fund
• Genetic and biometric data
• Sexual behavior or sexual orientation
• Health data (exceptions possible for insurance under specific conditions)
• Racial or ethnic origin
• Undisclosed suspicions and court information
• Journalistic sources of information
• Classified information

Retention periods

Investigation files are kept for 3 years from the date of the final report to the client or until the court has had the opportunity to examine the findings of the private investigation. After this period, files must be destroyed. Assignment records must be kept for 5 years.

Transparency obligations

Under the AVG, affected individuals have a right to information about the processing of their personal data. Information must be provided within a reasonable time, at the latest within one month of obtaining the personal data, unless this obligation risks making impossible or seriously jeopardizing the achievement of the purposes of such processing

If the client decides not to follow up on research results, they must be destroyed immediately and data subjects need not be informed. When following up on results, detailed information must be provided immediately to data subjects, such as identity of the controller, nature and purpose of the research, start and end dates of the research, and their rights to access, correct and delete personal data.

Until data subjects have been able to exercise their rights, the principal may not take any action based on the investigation report.

Control and sanctions

The control on compliance with the provisions of the law private investigation is exercised by different agencies:

• Data Protection Authority (DPA): responsible for supervision when breaches involve personal data processing.
• Police departments and specific inspectors: have broad powers of inspection. Their reports have probative value until proven otherwise. The various inspection services can also exchange data for evidence in the case of established infringements.
• Courts: ultimate authority to check whether the results of a private investigation were obtained lawfully.

The individuals and organizations that can be monitored and sanctioned are broad:

• Principals
• Contractors (including staff)
• Private researchers and executives
• Training institutions

For violations of the law, various sanctions be imposed, such as a warning, an administrative fine or an out-of-court settlement.

In addition, certain essential provisions of the Private Investigation Act are explicitly prescribed "under penalty of nullity." This means that evidence obtained in violation of these provisions may not be used in judicial proceedings (i.e., the Antigone doctrine does not apply). These include cases of:

• Lack of a valid permit.
• Lack of internal regulations among employers regarding private investigations.
• The use of prohibited research methods and means.
• Violation of prohibitions regarding certain sensitive areas.
• Use of data from other investigation files or obtained through a crime or unlawfully.

Why choose our law firm?

Navigating the complexities of the new private investigation law requires specialized legal expertise. Our law firm has a team of experienced attorneys who specialize in labor law and data protection law.

Our partner Stijn De Meulenaer is a frequent speaker on private investigation law and, among other things, co-author of a book On the application of the law. Our partner Joris Deene, is an expert on the AVG/GDPR and its impact on private investigation law.

We can guide you through:

• Creating and implementing internal research regulations: We help you create regulations that meet all legal requirements and fit the specific needs of your organization.
• Advice and support for internal investigations: Our team provides legal advice throughout the investigation process to ensure that all steps are compliant and that the rights of all stakeholders are respected.
• DPO: Our lawyers offer DPO services so you can meet your obligations as a private investigator.
• Training and awareness: We provide training for HR professionals and management teams to make them aware of the implications of the new law and how to conduct internal investigations in a legally sound manner.

By working with our law firm, you ensure expert guidance and minimize the risk of legal complications when conducting internal investigations.