Data security and breach notification

Security obligations

Are there specific security obligations that must be complied with?

Article 16(4) of the Act of 8 December 1992 on the Protection of Privacy with respect to the Processing of Personal Data (the ‘Data Protection Act’) provides that data controllers and data processors must implement sufficient technical and organisational security measures to protect personal data against destruction, accidental loss and any unauthorised processing. Although the Data Protection Act itself imposes no specific security measures, the form that the Belgian Data Protection Authority uses for the notification of data processing activities lists a wide range of possible measures, including physical access control, encryption, appropriate clauses in contracts with personnel and processors, access logging and prevention plans.

The General Data Protection Regulation (GDPR) does not specify the security measures that companies should undertake. What is considered to be appropriate depends on a range of factors (eg, the sensitivity of the data, the risks to individuals in case of a security breach, the state of the art, the costs of implementation and the nature of the processing). The GDPR promotes the pseudonymisation and encryption of data. Testing the effectiveness of implemented security measures on a regular basis is also required where appropriate.

Breach notification

Are data owners/processors required to notify individuals in the event of a breach?

Data owners or controllers must inform the individuals concerned of a data breach without undue delay if the breach is likely to result in a high risk to their rights and freedoms (for example, because their data could be misused by third parties). Notification is not required if the data was rendered unintelligible to unauthorised persons (for example, through encryption whose keys were not themselves compromised) or if measures have since been taken to ensure that the high risk is no longer likely to materialise. However, the Belgian Data Protection Authority can always order the data controller to inform the individuals of the data breach.

Are data owners/processors required to notify the regulator in the event of a breach?

At present (that is, before the GDPR becomes applicable), the only legal notification requirement under Belgian law applies to companies in the telecoms sector.

Pursuant to Articles 114(2)-(3) of the Act of 13 June 2005 on Electronic Communication (the ‘Electronic Communication Act’), data owners (ie, companies offering electronic communication services) must notify both the Belgian Data Protection Authority and the Belgian telecoms regulator in case of a data breach.

Pursuant to Article 33 of the GDPR, data owners must notify the Belgian Data Protection Authority in case of a data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals (such as identity theft). Notification must be given without undue delay and, where feasible, within 72 hours of the controller becoming aware of the breach; a notification made after 72 hours must state the reasons for the delay.

Further, data processors must notify the relevant controller of any breach without undue delay after becoming aware of it.