umraniye escort pendik escort
maderba.com
implant
olabahis
canli poker siteleri meritslot oleybet giris adresi betgaranti
escort antalya
istanbul escort
sirinevler escort
antalya eskort bayan
brazzers
sikis
bodrum escort
Articles

Belgian Privacy Commission clarifies data breach notification requirement

Belgian Privacy Commission clarifies data breach notification requirement

Belgian Privacy Commission clarifies data breach notification requirement

17.12.2014

As a consequence of several data breaches, the Belgian Privacy Commission (“BPC”) published in January 2013 a recommendation to prevent data breaches. In this recommendation the BPC has for the first time mentioned the existence of a requirement to notify a data breach within 48 hours to the competent authorities. In a recently published Q&A on its website, the BPC now tries to clarify this requirement.

Although the BPC recognizes that there is no legal requirement to notify a data breach, the BPC advises strongly to do so nevertheless. It therefore reiterates the previously mentioned notification period of 48 hours.

The BPC stipulates further that the persons concerned by a data breach will also need to be informed by means that allow the affected persons to receive the relevant information quickly. The notification to the persons affected by the breach should contain the following information, among other things:

  • Contact details from which the data subjects can obtain additional information on a breach incident;
  • A summary of the incident that has affected the personal data of the data subject;
  • The nature and the purpose of the personal data concerned;
  • Conceivable consequences of the data breach for the data subject;
  • Circumstances under which the data breach took place;
  • Measures taken by the data controller to prevent the data breach;
  • The measures on which the data controller advises the data subjects to take to mitigate the damage.

A notification to the data subjects is not required if the data have been sufficiently encrypted. Also, the notification may be postponed if there is a risk that the notification to the data subjects might jeopardize the effectiveness of the investigation. If this occurs, the data controller must indicate on the notification form that it wishes for such permission and explains the reasons for this.

The BPC also sets out further the circumstances in which no notification to the BPC is required: (i) if the data are encrypted, and (ii) if the following three conditions have been fulfilled:

  1. The data subject has immediately been informed of the complete scope of the breach as well as its consequences;
  2. The data breach concerns only a limited group of people (about 100 persons); and
  3. No sensitive or financial data have been compromised.

Finally, the BPC also makes a form available on its website to facilitate the notification procedure. This form must be completed and sent to the BPC via a secured e-forms application on its website.

The complete Q&A of the BPC can be found on: http//www.privacycommission.be.

 

Click here to see a printable version of this article

All rights reserved. Care has been taken to ensure that the content of this e-bulletin is as accurate as possible. However the accuracy and completeness of the information in this e-bulletin, largely based upon third party sources, cannot be guaranteed. The materials contained in this e-bulletin have been prepared and provided by Stibbe for information purposes only. They do not constitute legal or other professional advice and readers should not act upon the information contained in this e-bulletin without consulting legal counsel. Consultation of this e-bulletin will not create an attorney-client relationship between Stibbe and the reader. The e-bulletin may be used only for personal use and all other uses are prohibited.

Team

Related news

04.03.2021 BE law
Webinar: Responding to Personal Data Breaches in the Post-GDPR era

Seminar - On 24-26 March 2021 ERA (Adademy of European Law) organises an online Conference "Responding to Personal Data Breaches in the Post-GDPR era". Erik Valgaeren, our Brussels TMT partner, addresses the topic "Managing personal data breach in a complex international scenario", including cross border cases in the EU and breaches at non-EU establishments.

Read more

12.02.2021 EU law
After the Uber case and the Airbnb case … the Star Taxi App case: focus on the question of the qualification as “Information Society Service”

Articles - Societal and digital developments are reflected in the case law of the CJEU. For several years now, European judges resolve disputes relating to digital applications and the services they provide. On 3 December 2020, they handed down a judgment in a case concerning Star Taxi App. This blog analyses the Star Taxi App case law in the light of the Uber case law and the Airbnb case law. The three judgments have in common the question of the qualification of services as Information Society Services.  

Read more