As a consequence of certain recent data compromise cases, on 21 January 2013 the Belgian Privacy Commission published a recommendation (01/2013) on security measures to be taken to avoid data breaches (the Recommendation). The main points of the Recommendation can be summarised as follows:

  1. The Commission proposes some general measures to be taken, such as the implementation of at least three DMZ zones to separate the local network from devices that are connected to the Internet;
  2. The Commission refers to the guidelines on information security of personal data which were published in June 2012 for a specific overview of measures;
  3. The Commission insists that data breaches be notified within 48 hours and that a public information campaign should be undertaken within 24 to 48 hours after the notification has been sent to the Privacy Commission;
  4. Based on its finding that Article 16, §4 of the Belgian Data Protection Act (the obligation to take all necessary technical and organisational measures) is not sufficiently complied with, the Commission announces that it will address the Federal Parliament to seek the necessary competences to make its recommendations on the necessary security measures enforceable. Pending this request, the Commission will use all its powers to ensure that data controllers that breach their obligations under Article 16, §4 of the Data Protection Act are held legally liable. To this end, it will notify the public prosecutor of any such violation of the Data Protection Act that comes to its attention. (CL)

The Recommendation can be found at http://www.privacycommission.be