Articles

Belgian Privacy Commission clarifies data breach notification requirement

Belgian Privacy Commission clarifies data breach notification requirement

Belgian Privacy Commission clarifies data breach notification requirement

17.12.2014

As a consequence of several data breaches, the Belgian Privacy Commission (“BPC”) published in January 2013 a recommendation to prevent data breaches. In this recommendation the BPC has for the first time mentioned the existence of a requirement to notify a data breach within 48 hours to the competent authorities. In a recently published Q&A on its website, the BPC now tries to clarify this requirement.

Although the BPC recognizes that there is no legal requirement to notify a data breach, the BPC advises strongly to do so nevertheless. It therefore reiterates the previously mentioned notification period of 48 hours.

The BPC stipulates further that the persons concerned by a data breach will also need to be informed by means that allow the affected persons to receive the relevant information quickly. The notification to the persons affected by the breach should contain the following information, among other things:

  • Contact details from which the data subjects can obtain additional information on a breach incident;
  • A summary of the incident that has affected the personal data of the data subject;
  • The nature and the purpose of the personal data concerned;
  • Conceivable consequences of the data breach for the data subject;
  • Circumstances under which the data breach took place;
  • Measures taken by the data controller to prevent the data breach;
  • The measures on which the data controller advises the data subjects to take to mitigate the damage.

A notification to the data subjects is not required if the data have been sufficiently encrypted. Also, the notification may be postponed if there is a risk that the notification to the data subjects might jeopardize the effectiveness of the investigation. If this occurs, the data controller must indicate on the notification form that it wishes for such permission and explains the reasons for this.

The BPC also sets out further the circumstances in which no notification to the BPC is required: (i) if the data are encrypted, and (ii) if the following three conditions have been fulfilled:

  1. The data subject has immediately been informed of the complete scope of the breach as well as its consequences;
  2. The data breach concerns only a limited group of people (about 100 persons); and
  3. No sensitive or financial data have been compromised.

Finally, the BPC also makes a form available on its website to facilitate the notification procedure. This form must be completed and sent to the BPC via a secured e-forms application on its website.

The complete Q&A of the BPC can be found on: http//www.privacycommission.be.

 

Click here to see a printable version of this article

All rights reserved. Care has been taken to ensure that the content of this e-bulletin is as accurate as possible. However the accuracy and completeness of the information in this e-bulletin, largely based upon third party sources, cannot be guaranteed. The materials contained in this e-bulletin have been prepared and provided by Stibbe for information purposes only. They do not constitute legal or other professional advice and readers should not act upon the information contained in this e-bulletin without consulting legal counsel. Consultation of this e-bulletin will not create an attorney-client relationship between Stibbe and the reader. The e-bulletin may be used only for personal use and all other uses are prohibited.

Team

Related news

03.07.2020 NL law
E-book NOW-2: Tweede tijdelijke noodmaatregel overbrugging voor behoud van werkgelegenheid

Articles - Op 17 maart 2020 kondigde het kabinet het eerste noodpakket aan met steunmaatregelen om de economische gevolgen van de coronacrisis te dempen. Onderdeel van dit noodpakket zijn onder andere de Eerste tijdelijke noodmaatregel overbrugging voor behoud van werkgelegenheid (“NOW-1”) en de Tijdelijke overbruggingsregeling zelfstandige ondernemers (“Tozo-1”).

Read more

20.05.2020 NL law
Stibbe in Amsterdam answers questions from consumers, small business foundations and NGOs about the coronavirus [updated]

Inside Stibbe - In a special Q&A (in Dutch), lawyers from our Amsterdam office share their legal expertise and strive to provide answers to questions put to us by consumers, self-employed persons, enterprises large and small, foundations and NGOs as a result of the corona crisis.

Read more

07.05.2020 NL law
E-book 'De huidige NOW en de verwachte wijzigingen in de nieuwe/verlengde NOW (NOW 2.0)'

Articles - Op 1 april 2020 werd de Tijdelijke noodmaatregel overbrugging voor behoud van werkgelegenheid gepubliceerd (“NOW”). Sinds 6 april 2020 is het UWV-loket geopend en kunnen werkgevers een aanvraag doen voor loonkostensubsidie onder de NOW. Op 30 april 2020 waren er ongeveer 114.000 aanvragen ingediend bij het UWV.

Read more