Belgium: Private Investigation Act — How it impacts your internal investigations

20 Jan 2025    6 minute read
PIA Private Investigation Act Belgian Act on Private Detectives GDPR Data Protection Privacy & Cybersecurity Compliance CI Featured Content

In brief

Belgium's new Private Investigation Act (PIA) was published in the Official Gazette on 6 December 2024 (fr and nl), with most of its provisions having entered into force on 16 December 2024. The PIA replaces the 1991 Belgian Act on Private Detectives with the aim of modernizing the applicable legal framework in light of new investigation methods and the application of the General Data Protection Regulation (GDPR). With its broader scope of application – this legislation is now also applicable to internal investigations – and the significant additional requirements it imposes, the PIA will undoubtedly impact many businesses operating in Belgium.

Contents

  1. Is my company affected?
  2. What to pay attention to when carrying out internal investigations: main obligations
  3. What are the risks in case of non-compliance?
  4. When is the Private Investigation Act applicable?
  5. Next steps

Is my company affected?

Many companies operating in Belgium will be affected by this new legislation which not only applies to private investigations carried out by traditional external investigators, but also to internal investigations conducted in Belgium. The PIA applies to internal investigation services, namely a service organised by a natural or legal person for its own needs in order to conduct private investigation activities in a structural manner, which means that the private investigation activities must be part of the tasks of at least one associate. This includes investigation activities carried out within the same company group.

Private investigation activities are defined as activities performed by a natural person at the request of a principal and consisting in the collection and processing of information concerning natural or legal persons or regarding precise circumstances of facts committed by these persons. The aim of private investigations is to provide the information obtained to the principal in order to preserve its interests in the context of a potential or effective dispute, or of researching missing persons or lost/stolen goods.

Certain activities are excluded from the scope of the PIA, for example:

  • Professional activities of notaries, lawyers, bailiffs, journalists, auditors and statutory auditors.
  • Activities and professions seeking specifically to identify, analyse and process cybersecurity incidents.
  • Activities conducted on behalf of the principal in the performance of legal obligations, such as in the case of investigations in the framework of whistleblowing reports or complaints concerning psychosocial risks at work (performed by the health and safety prevention advisor). However, when the investigation results are used outside the mere execution of legal obligations – which appears to be a difficult line to draw in practice – the PIA is applicable.

What to pay attention to when carrying out internal investigations: main obligations

The PIA imposes a number of onerous obligations to be complied with when conducting internal investigations, most importantly:

  • License: private investigation companies and internal investigation services must obtain a prior authorization or license from the Ministry of Interior to lawfully conduct private investigations in Belgium. The license is granted for a renewable period of five years. This requires to have a criminal record clean from specific criminal offences, undergo specific training and be a national of and have one's main residence in the European Economic Area (EEA) or Switzerland (or in the UK for private investigators).
    Note that an exemption to the license requirement exists for internal HR departments which conduct private investigations for the needs of their employers, in the context of "incident investigations" – a concept that is not defined – against employees. While HR departments must not be authorized by the Ministry of Interior in this case, they must nevertheless comply with the other requirements of the PIA.
  • Internal regulations/policy: internal investigations can only be initiated by an employer against its employees, provided that an internal regulation or policy providing clear and transparent information regarding the permissibility and modalities of investigations has been implemented. Companies have until 16 December 2026 to implement such internal regulations or policy.
  • Mission statement or mission register: before the start of any investigation, a written mission statement must be entered into between the principal and the agent, which must indicate the scope of the mission, its purpose and duration together with other mandatory information enumerated by the PIA. For internal investigations, if the private investigator is employed by the principal, instead of a mission statement, the private investigator must hold an up to date mission register with a number of specific information requirements and keep it for five years.
  • Investigation report: the agent must provide the principal with a written investigation report (with certain mandatory contents) at the latest within one month from the last investigation act performed.
  • GDPR and privacy obligations: certain specific fields of investigation are explicitly prohibited (e.g., investigations into the political, religious or philosophical convictions, racial or ethnic origin, etc. of the person under investigation). Furthermore, the PIA requires prior consent of the person under investigation for specific fields of investigation (e.g., investigation into a person's familial, financial or professional state) and investigation methods (e.g., interviews). Additionally, in case the principal wishes to use the information and personal data contained in the investigation report, it must inform the agent in writing within 30 days from receiving the report. The agent must subsequently provide the persons investigated and any other persons identifiable in the report with specific mandatory information in writing, including on their right of access, rectification and erasure. The principal may not use the information contained in the investigation report until the persons investigated and any other identifiable persons have been informed and been given the opportunity to exercise their rights.
  • Legal assistance: interviewees may request the assistance of a person of their choice (e.g., lawyer, trade union representative) during interviews.

What are the risks in case of non-compliance?

Non-compliance with the PIA can give rise to a range of sanctions:

  • Administrative sanctions, including the non-deliverance, suspension or withdrawal of the license and administrative fines of up to EUR 25,000.
  • GDPR sanctions, including administrative fines of up to EUR 20 million or 4% of the total annual worldwide turnover.
  • Nullity of evidence gathered in contravention with specific provisions of the PIA, which will thus not be upheld in court. This is notably the case where the private investigation is conducted without the required license or the required internal regulations or policy (as of 16 December 2026), concerns prohibited fields (see above) or involves information or evidence that the private investigator (knew or ought to have known were) obtained unlawfully.

The above is without prejudice to criminal sanctions that may be imposed.

When is the Private Investigation Act applicable?

The provisions of the PIA are applicable since 16 December 2024, with the following exceptions:

  • A valid request to obtain a license must be submitted by private investigation companies and internal investigation services that, on 16 December 2024, legitimately performed private investigation activities within six months from the entry into force of the PIA, i.e., by 16 June 2025.
  • Employees of the said private investigation companies and internal investigation services have 18 months after their company obtained a license to undergo the required training and obtain a license card.
  • The internal regulations or policy must be implemented within two years from the entry into force of the PIA, i.e., by 16 December 2026.

Next steps

The PIA will undoubtedly have a significant impact on many businesses operating in Belgium, which need to re-consider their internal investigation processes in light of the new requirements it imposes, taking into account the existing privacy and GDPR requirements, in particular those applicable to the consultation of employees' e-mails and other electronic communications.

Do not hesitate to reach out to Baker McKenzie Brussels' experts for assistance in assessing the impact of the PIA on your current internal investigation processes and in implementing the required documentation and policies.

Contact Information
Elisabeth Dehareng
Partner at BakerMcKenzie
Brussels
Read my Bio
elisabeth.dehareng@bakermckenzie.com
Caroline Serbanescu
Associate
Brussels
Read my Bio
caroline.serbanescu@bakermckenzie.com

Copyright © 2025 Baker & McKenzie. All rights reserved. Ownership: This documentation and content (Content) is a proprietary resource owned exclusively by Baker McKenzie (meaning Baker & McKenzie International and its member firms). The Content is protected under international copyright conventions. Use of this Content does not of itself create a contractual relationship, nor any attorney/client relationship, between Baker McKenzie and any person. Non-reliance and exclusion: All Content is for informational purposes only and may not reflect the most current legal and regulatory developments. All summaries of the laws, regulations and practice are subject to change. The Content is not offered as legal or professional advice for any specific matter. It is not intended to be a substitute for reference to (and compliance with) the detailed provisions of applicable laws, rules, regulations or forms. Legal advice should always be sought before taking any action or refraining from taking any action based on any Content. Baker McKenzie and the editors and the contributing authors do not guarantee the accuracy of the Content and expressly disclaim any and all liability to any person in respect of the consequences of anything done or permitted to be done or omitted to be done wholly or partly in reliance upon the whole or any part of the Content. The Content may contain links to external websites and external websites may link to the Content. Baker McKenzie is not responsible for the content or operation of any such external sites and disclaims all liability, howsoever occurring, in respect of the content or operation of any such external websites. Attorney Advertising: This Content may qualify as “Attorney Advertising” requiring notice in some jurisdictions. To the extent that this Content may qualify as Attorney Advertising, PRIOR RESULTS DO NOT GUARANTEE A SIMILAR OUTCOME. Reproduction: Reproduction of reasonable portions of the Content is permitted provided that (i) such reproductions are made available free of charge and for non-commercial purposes, (ii) such reproductions are properly attributed to Baker McKenzie, (iii) the portion of the Content being reproduced is not altered or made available in a manner that modifies the Content or presents the Content being reproduced in a false light and (iv) notice is made to the disclaimers included on the Content. The permission to re-copy does not allow for incorporation of any substantial portion of the Content in any work or publication, whether in hard copy, electronic or any other form or for commercial purposes.