EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.
In December 2024, the Belgian Private Investigation Act (PIA) entered into force, replacing the 1991 Private Detectives Act. The new Act modernizes the legal framework for conducting private investigations in Belgium, aligning it with data protection regulations such as the General Data Protection Regulation (GDPR). It imposes clear obligations on both external and internal private investigation services. As such, the PIA has a direct impact on Belgian employers, including internal audit departments that perform or oversee investigative activities.
What is the scope of the Act?
The Act focuses on private investigation activities, defined as structured activities aimed at collecting information about an individual's behavior, private life, or personal situation, with the purpose of clarifying facts that are considered undesirable by the instructing party.
It applies to:
- External private investigators operating on behalf of clients (e.g., detective agencies, freelance investigators, consulting firms offering investigation services); and
- Internal investigation services—structured units within a company (including group structures) that are regularly tasked with conducting private investigations (e.g., related to fraud, compliance, or employee misconduct).
It also applies—though with fewer requirements—to occasional internal investigations, such as those performed by HR. While these do not require a license, they must still adhere to the Act’s procedural safeguards regarding consent, transparency, and documentation.
The Act does not apply to certain types of investigations, including (but not limited to):
- Investigations conducted pursuant to a legal obligation (e.g., audits or inspections imposed by law or supervisory authorities, whistleblower investigations required by law);
- Regular audit activities, provided that these do not involve collecting personal data with the aim of uncovering facts that the employer would consider undesirable (e.g., misconduct, fraud).
What does the PIA mean for internal audit functions?
Internal audit departments must evaluate whether their activities fall under the scope of the PIA and take action accordingly:
1. Structured Internal Investigation Services
If the internal audit function is formally tasked with conducting private investigations as a structured and recurring service, it may qualify as an internal private investigation service under the Act. In this case, a license must be obtained from the Belgian Ministry of Internal Affairs. Additionally, the designated head of the internal investigation service (e.g., the Head of Internal Audit) must obtain an identification card issued by the Ministry.
2. Auditing PIA Compliance
Regardless of whether internal audit performs investigations directly with a proper license, it must assess whether other departments (e.g., HR, compliance, legal) conduct private investigation-like activities. If so, these activities should be reflected in the audit universe, risk assessment, and risk-based internal audit plan. Compliance with the PIA can be audited as a dedicated topic (for instance, for first-time audits) or integrated into other audits (such as those on compliance and ethics, GDPR, and fraud). In these audits, internal audit should assess whether a proper evaluation was made regarding the applicability of the Act, whether the proper licenses were obtained, and whether the rules outlined in the Act were properly integrated into internal policies and procedures and implemented by the teams involved in the investigations.
What are the consequences of non-compliance?
Violations of the Act - such as failing to obtain a license, neglecting to implement internal policies, or using prohibited investigative methods - may lead to the nullification of all findings. This means that the collected evidence becomes inadmissible in court.
In addition to the nullification of evidence, non-compliance with the Act may lead to administrative fines imposed by the competent authorities, and in some cases, may expose the investigator or organization to civil or criminal liability under related legislation, including GDPR and labor law.
Please get in touch with Frederik Verhasselt (from our Forensic Team), Marissa Steuns or Sigrid Hansen (from our Internal audit Team) should you wish to discuss your needs and concerns in this matter.