Use the Lexology Navigator tool to compare the answers in this article with those from 20+ other jurisdictions.

Data security and breach notification

Security obligations
Are there specific security obligations that must be complied with?

Article 16(4) of the Act of December 8 1992 on the Protection of Privacy with respect to the Processing of Personal Data (the ‘Data Protection Act’) provides that data controllers and data processors must implement sufficient technical and organisational security measures with respect to the protection of personal data against destruction, accidental loss and any non-authorised processing of data. Although the Data Protection Act imposes no specific security measures, the notification form used by the Belgian Data Protection Authority for the notification of data processing activities lists a wide range of possible security measures, including physical access control, encryption, appropriate clauses in contracts with personnel and processors, access logging and prevention plans.

Breach notification
Are data owners/processors required to notify individuals in the event of a breach?

Data owners or controllers must inform the individuals of a data breach without undue delay if there is a high risk that their data could be used by third parties. Notification is not required if the data is encrypted or if measures have been taken to ensure that the data subject cannot be identified. However, the Belgian Data Protection Authority can always order the data controller to inform the individual of the data breach.

Are data owners/processors required to notify the regulator in the event of a breach?

At present, the only legal notification requirement applies to companies in the telecoms sector.

Pursuant to Articles 114(2)-(3) of the Act of June 13 2005 on Electronic Communication (the ‘Electronic Communication Act’), data owners (ie, companies offering electronic communication services) must notify the Belgian Data Protection Authority and the Belgian telecoms regulator in case of a data breach.

Pursuant to Article 33 of the EU General Data Protection Regulation, the data owner must notify the Belgian Data Protection Authority in case of a data breach, unless the breach is unlikely to result in a risk. On the other hand, the data processor must always notify the data owner in case of a data breach.

Click here to view the full article.