A private association that is commissioned to process personal data on behalf of a federal public authority (autorité publique fédérale) or that receives such data from the latter must appoint a DPO if the processing may give rise to risks referred to in Art. 35 GDPR (Data Protection Impact Assessment) (Art. 21 of the Belgian Data Protection Act).
Data processing pursuant to Art. 8 para. 1 (2) of the Belgian Data Protection Act refers to the processing of a public utility foundation transmitting data of persons suspected of having committed criminal offences with regard to the missing of persons or sexual exploitation. In such a case, the foundation can’t keep files of criminally suspected or sentenced persons and shall appoint a data protection officer.
According to Art. 190 of the Belgian Data Protection Act, if the processing of personal data is likely to result in a high risk (Art. 35 GDPR, subject to a privacy impact assessment), the controller shall designate a data protection officer.