1.1 In the event of a data breach affecting residents of your country, is there any legal obligation or requirement to notify either a) affected individuals; or b) a regulator such as a data protection authority (DPA)?
The General Data Protection Regulation (Regulation (EU) 2016/679, GDPR) contains legal obligations to notify affected individuals and the Belgian DPA in case of a personal data breach (Articles 33 and 34 GDPR).
Guidelines on how to interpret these requirements have been given by the European Data Protection Board, adopted on 3 October 2017 (link).
1.2 Under what conditions must such notification(s) be given, including a) what types of data must be breached to trigger notification; and b) whether the entity must be a data controller or data processor in your country for such obligations to apply?
According to Article 33 GDPR, controllers have to notify every personal data breach to the DPA "unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons".
In addition, the controller has to notify the affected data subjects when "the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons".
The processor has to notify the controller without undue delay after becoming aware of a personal data breach.
Article 4 no. 12 GDPR defines a personal data breach as: "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed".
A communication to the affected data subjects is not required if any of the following conditions are met:
- The controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption.
- The controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize.
- It would involve disproportionate effect. In such a case, there should instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
Guidance on these criteria can be found in the Guidelines on personal data breaches by the European Data Protection Board (link).
1.3 For such notification(s), is there any required or suggested a) content of the notice; b) time period in which notice must be given; or c) method of giving notice, such as regular mail, email, web-posting or publication?
In case of a personal data breach the controller needs to notify the Data Protection Authority without undue delay and, where feasible, not later than 72 hours after having become aware of it. Where the notification to the DPA is not made within 72 hours, the notification needs to be accompanied by reasons for the delay.
A personal data breach can be notified to the Belgian DPA by filling in an electronic form and uploading it onto the website of the DPA which can be accessed via this link.
A notification to the DPA has to contain the following:
- Description of the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- The name and contact details of the data protection officer or other contact point where more information ca be obtained;
- The likely consequences of the personal data breach;
- The measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible effects.
Any communications to the affected data subjects should describe in clear and plain language the nature of the personal data breach and contain the following information:
- Name and contact details of the data protection officer or other contact point where more information can be obtained.
- The likely consequences of the personal data breach.
- The measures taken or proposed to be taken by the controller to address the personal data breach, including where appropriate, the measures to mitigate its possible adverse effects.
1.4 What are the penalties, fines or risks in failing to notify, either by the DPA or in litigation?
A failure to notify a data breach to either the DPA or the data subject when required under the GDPR can lead to regulatory measures by the DPA and civil liability claims by the data subject.
On the basis of the GDPR, the Data Protection Authority has access to a whole host of corrective measures including but not limited to imposing a ban on certain processing activities and administrative fines up to EUR 10,000,000 or 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
A processor or controller can be held liable for any material or non-material damage suffered by a data subject as a result of an infringement of the GDPR.
1.5 Even if there is no current legal obligation to do so, or if there is no "data controller" or "data processor" located in your country, is notification to individuals recommended in the event of a data breach affecting residents in your country (such as in credit card data breaches)?
1.6 What are the applicable (data protection) laws or guidelines within your country?
The GDPR is directly applicable in Belgium as a European Union law and provides the primary data protection standards.
The GDPR allows Member States to take legislative measures in several areas. In Belgium these have been implemented through:
- the Data Protection Act of 30 July 2018; and
- the Data Protection Authority Act of 3 December 2017.
1.7 Contact information for the local Data Protection Authority:
Data Protection Authority
Rue de la Presse 35, 1000 Brussels, Belgium
+32 2 274 4800
+32 2 274 4835
For more information, contact:
Tom Heremans and Tom De Cordier
Chaussee de La Hulpe 178, B-1170 Brussels, Belgium
+32 2 743 6973
+32 2 743 6901
1 Belgium is a member state of the European Union. Please also refer to the section on the European Union for the general requirements according to the General Data Protection Regulation (Regulation (EU) 2016/679, GDPR).