As a consequence of several data breaches, the Belgian Privacy Commission (“BPC”) published in January 2013 a recommendation to prevent data breaches. In this recommendation the BPC has for the first time mentioned the existence of a requirement to notify a data breach within 48 hours to the competent authorities. In a recently published Q&A on its website, the BPC now tries to clarify this requirement.
Although the BPC recognizes that there is no legal requirement to notify a data breach, it nevertheless strongly advises doing so, and it reiterates the previously mentioned notification period of 48 hours.
The BPC further stipulates that the persons concerned by a data breach will also need to be informed, by means that allow them to receive the relevant information quickly. The notification to the persons affected by the breach should contain, among other things, the following information:
- Contact details from which the data subjects can obtain additional information on a breach incident;
- A summary of the incident that has affected the personal data of the data subject;
- The nature and the purpose of the personal data concerned;
- Conceivable consequences of the data breach for the data subject;
- Circumstances under which the data breach took place;
- Measures taken by the data controller to prevent the data breach;
- The measures the data controller advises the data subjects to take to mitigate the damage.
A notification to the data subjects is not required if the data have been sufficiently encrypted. The notification may also be postponed if there is a risk that notifying the data subjects would jeopardize the effectiveness of the investigation. In that case, the data controller must indicate on the notification form that it wishes to obtain such permission and explain the reasons for this.
The BPC also sets out the circumstances in which no notification to the BPC is required: (i) if the data are encrypted, and (ii) if the following three conditions have all been fulfilled:
- The data subject has immediately been informed of the complete scope of the breach as well as its consequences;
- The data breach concerns only a limited group of people (about 100 persons); and
- No sensitive or financial data have been compromised.
Finally, the BPC also makes a form available on its website to facilitate the notification procedure. This form must be completed and sent to the BPC via a secured e-forms application on its website.
The complete Q&A of the BPC can be found at: http://www.privacycommission.be.