Articles

Belgian Privacy Commission clarifies data breach notification requirement

Belgian Privacy Commission clarifies data breach notification requirement

Belgian Privacy Commission clarifies data breach notification requirement

17.12.2014

As a consequence of several data breaches, the Belgian Privacy Commission (“BPC”) published in January 2013 a recommendation to prevent data breaches. In this recommendation the BPC has for the first time mentioned the existence of a requirement to notify a data breach within 48 hours to the competent authorities. In a recently published Q&A on its website, the BPC now tries to clarify this requirement.

Although the BPC recognizes that there is no legal requirement to notify a data breach, the BPC advises strongly to do so nevertheless. It therefore reiterates the previously mentioned notification period of 48 hours.

The BPC stipulates further that the persons concerned by a data breach will also need to be informed by means that allow the affected persons to receive the relevant information quickly. The notification to the persons affected by the breach should contain the following information, among other things:

  • Contact details from which the data subjects can obtain additional information on a breach incident;
  • A summary of the incident that has affected the personal data of the data subject;
  • The nature and the purpose of the personal data concerned;
  • Conceivable consequences of the data breach for the data subject;
  • Circumstances under which the data breach took place;
  • Measures taken by the data controller to prevent the data breach;
  • The measures on which the data controller advises the data subjects to take to mitigate the damage.

A notification to the data subjects is not required if the data have been sufficiently encrypted. Also, the notification may be postponed if there is a risk that the notification to the data subjects might jeopardize the effectiveness of the investigation. If this occurs, the data controller must indicate on the notification form that it wishes for such permission and explains the reasons for this.

The BPC also sets out further the circumstances in which no notification to the BPC is required: (i) if the data are encrypted, and (ii) if the following three conditions have been fulfilled:

  1. The data subject has immediately been informed of the complete scope of the breach as well as its consequences;
  2. The data breach concerns only a limited group of people (about 100 persons); and
  3. No sensitive or financial data have been compromised.

Finally, the BPC also makes a form available on its website to facilitate the notification procedure. This form must be completed and sent to the BPC via a secured e-forms application on its website.

The complete Q&A of the BPC can be found on: http//www.privacycommission.be.

 

Click here to see a printable version of this article

All rights reserved. Care has been taken to ensure that the content of this e-bulletin is as accurate as possible. However the accuracy and completeness of the information in this e-bulletin, largely based upon third party sources, cannot be guaranteed. The materials contained in this e-bulletin have been prepared and provided by Stibbe for information purposes only. They do not constitute legal or other professional advice and readers should not act upon the information contained in this e-bulletin without consulting legal counsel. Consultation of this e-bulletin will not create an attorney-client relationship between Stibbe and the reader. The e-bulletin may be used only for personal use and all other uses are prohibited.

Team

Related news

19.08.2019 EU law
Enable “likes” and bear joint-controllership

Articles - The Court of Justice of the European Union recently ruled, in Case C-40/14 Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW eV,  that a website operator that features “Like” social-media plugin from Facebook likely qualifies as joint-controller with Facebook for its website visitors’ personal data collection and transmission to Facebook.

Read more

23.07.2019 LU law
The Revised CSSF Cloud Circular

Articles - On 27 March 2019, the Luxembourg supervisory authority for the financial sector (the Commission de surveillance du secteur financier or CSSF) published the long-awaited CSSF Circular 19/714 amending the CSSF Circular 17/654 on IT outsourcing relying on a cloud computing infrastructure (the Revised Cloud Circular).

Read more

22.07.2019 NL law
HagaZiekenhuis beboet voor datalek

Short Reads - Enkele maanden geleden vierden we de eerste verjaardag van de Algemene Verordening Gegevensbescherming (AVG) met een uitgebreide beschouwing  over de belangrijkste  ontwikkelingen uit  het eerste jaar van de verordening. We concludeerden daarin onder meer dat de door sommigen voorspelde hoge bestuurlijke boetes voor overtredingen van de AVG tot dan toe  - zowel in Nederland als in de andere EU-lidstaten - grotendeels waren uitgebleven.

Read more

08.08.2019 BE law
Regulating online platforms: piece of the puzzle

Articles - The new Regulation no. 2019/1150 of the European Parliament and of the Council of 20 June 2019 on promoting fairness and transparency for business users of online intermediation services, applicable as of 12 July 2020, is another piece of the puzzle regulating online platforms, this time focussing on the supply side of the platforms.

Read more

15.07.2019 EU law
ICO to impose record-breaking fines for inadequate security measures and data breaches

Short Reads - Though the European data protection authorities have taken their time in enforcing the GDPR, two announcements by the ICO in the UK regarding proposed fines for British Airways and Marriott demonstrate that large fines are about to start landing regularly. Both of the substantial fines are to be handed out as a result of shortcomings in handling data breaches caused by cyber-attacks.

Read more

Our website uses functional cookies for the functioning of the website and analytic cookies that enable us to generate aggregated visitor data. We also use other cookies, such as third party tracking cookies - please indicate whether you agree to the use of these other cookies:

Privacy – en cookieverklaring