Articles

Belgian Privacy Commission clarifies data breach notification requirement

Belgian Privacy Commission clarifies data breach notification requirement

Belgian Privacy Commission clarifies data breach notification requirement

17.12.2014

As a consequence of several data breaches, the Belgian Privacy Commission (“BPC”) published in January 2013 a recommendation to prevent data breaches. In this recommendation the BPC has for the first time mentioned the existence of a requirement to notify a data breach within 48 hours to the competent authorities. In a recently published Q&A on its website, the BPC now tries to clarify this requirement.

Although the BPC recognizes that there is no legal requirement to notify a data breach, the BPC advises strongly to do so nevertheless. It therefore reiterates the previously mentioned notification period of 48 hours.

The BPC stipulates further that the persons concerned by a data breach will also need to be informed by means that allow the affected persons to receive the relevant information quickly. The notification to the persons affected by the breach should contain the following information, among other things:

  • Contact details from which the data subjects can obtain additional information on a breach incident;
  • A summary of the incident that has affected the personal data of the data subject;
  • The nature and the purpose of the personal data concerned;
  • Conceivable consequences of the data breach for the data subject;
  • Circumstances under which the data breach took place;
  • Measures taken by the data controller to prevent the data breach;
  • The measures on which the data controller advises the data subjects to take to mitigate the damage.

A notification to the data subjects is not required if the data have been sufficiently encrypted. Also, the notification may be postponed if there is a risk that the notification to the data subjects might jeopardize the effectiveness of the investigation. If this occurs, the data controller must indicate on the notification form that it wishes for such permission and explains the reasons for this.

The BPC also sets out further the circumstances in which no notification to the BPC is required: (i) if the data are encrypted, and (ii) if the following three conditions have been fulfilled:

  1. The data subject has immediately been informed of the complete scope of the breach as well as its consequences;
  2. The data breach concerns only a limited group of people (about 100 persons); and
  3. No sensitive or financial data have been compromised.

Finally, the BPC also makes a form available on its website to facilitate the notification procedure. This form must be completed and sent to the BPC via a secured e-forms application on its website.

The complete Q&A of the BPC can be found on: http//www.privacycommission.be.

 

Click here to see a printable version of this article

All rights reserved. Care has been taken to ensure that the content of this e-bulletin is as accurate as possible. However the accuracy and completeness of the information in this e-bulletin, largely based upon third party sources, cannot be guaranteed. The materials contained in this e-bulletin have been prepared and provided by Stibbe for information purposes only. They do not constitute legal or other professional advice and readers should not act upon the information contained in this e-bulletin without consulting legal counsel. Consultation of this e-bulletin will not create an attorney-client relationship between Stibbe and the reader. The e-bulletin may be used only for personal use and all other uses are prohibited.

Team

Related news

21.03.2019 EU law
Our TMT team examines the interaction between GDPR and other key legal domains during a seminar 'GDPR 360°'

Seminar - Erik Valgaeren, Partner TMT, and his team organize a seminar which focuses on the interaction between GDPR and litigation, corporate law, administrative law and employment law.

Read more

18.02.2019 EU law
Erik Valgaeren moderates a panel on Data Governance and Compliance during IBA's Silicon Beach Conference

Speaking slot - The discussion topic will cover various legal aspects relating to data lifecycle management, both for personal and non personal data. These aspects will include rights in and obligations regarding data, such retention obligations and portability rights. Practical suggestions on holistic data management and the role of the chief data officer will be debated.

Read more

Our website uses cookies: third party analytics cookies to best adapt our website to your needs & cookies to enable social media functionalities. For more information on the use of cookies, please check our Privacy and Cookie Policy. Please note that you can change your cookie opt-ins at any time via your browser settings.

Privacy – en cookieverklaring