open search
Belgium Internationales Arbeitsrecht

Belgium: A ‘first aid’ guide to deal with data breaches

Print Friendly, PDF & Email

This article sets out the steps organisations should take in dealing with a breach of data privacy from an employment law perspective, based on recent regulatory guidance in Belgium. What should you do if your company is affected by a cyber-attack and hackers purchase your employees’ personal data, or one of your employees loses a USB stick or laptop containing personal data? Guidance issued by the Article 29 Data Protection Working Party (‘WP29’) on 3 October 2017 has clarified the steps organisations should take in dealing with personal data breaches.

Under the General Data Protection Regulation organisations acting as data controllers must notify a data breach when there is a risk to data subjects’ rights and freedoms. Data processors (any person or organisation processing data for the controller) also have a role to play, since they must notify all breaches to the data controller. A distinction has to be made between notifying the supervisory authority and notifying the data subjects affected by a data breach.

Notification of the data breach to the supervisory authority

A data controller is obliged to notify a data breach when there is a risk to data subjects’ rights and freedoms. There will be such a risk where the loss of personal data could lead, for example, to identity theft or fraud, financial loss or reputation damage.

In this case, the controller must notify the breach to the supervisory authority without undue delay, and (where feasible) not later than 72 hours after having become aware of it. If it is not possible to notify within 72 hours, the notification must be accompanied by reasons for the delay when it is made.

What does ‘become aware’ mean?

According to WP29, a controller has ‘become aware of a breach’ when they have a reasonable degree of certainty that a security incident involving personal data has occurred. This will vary from case to case, but if an incident occurs, it is important to investigate whether the security of personal data has been breached, and if so, to take action and notify the breach if necessary.

In order to conduct such an investigation, the controller should have internal processes in place to detect and handle the breach. Furthermore, the controller must document all breaches.

Where a Data Protection Officer (‘DPO’) has been appointed, the DPO acts as a contact point for the supervisory authority and the data subjects affected by the breach of data privacy.

When the data breach presents a high risk to data subjects’ rights and freedoms, the controller must also communicate that breach to the affected data subjects. The controllers can seek advice from the supervisory authority on whether they have to be informed or not.

Notifying data subjects affected by a personal data breach

Where a data breach is likely to result in a high risk to a data subject’s rights and freedoms, the data controller should notify the affected individual ‘without undue delay’. To assess whether there is a high risk, the data controller should take into account the specific circumstances. For example, when medical records come into the hands of unauthorised parties, the risk to the rights and freedoms of the data subject concerned will be higher than if those records had simply been lost.

When there is a high risk to the data subject’s rights and freedoms, they must be notified regarding the breach. This notification must include both the nature of the breach, and proposed measures to mitigate its possible adverse effects (for example, changing the individual’s password).

In principle, the affected subjects should be notified individually, unless doing so would be disproportionate. If this is the case, affected data subjects can be informed by a public communication, for example by a prominent website banner, a newsletter or a general email. It is extremely important that as many data subjects as possible are reached and that information regarding the breach is communicated in clear language.

Consequences of not notifying a data breach

If a breach is not notified to the supervisory authority or to the data subjects affected where necessary, this may lead to an administrative fine of EUR 10,000,000 or 2% of the employer’s total worldwide annual turnover in the foregoing financial year, whichever is the greater.

Preparing to manage a data breach

Organisations should prepare a plan to detect and handle data breaches, to determine the risk for data subjects and to notify those affected by the breach if necessary. Notification to the supervisory authority must also be a part of this plan.

The plan should cover:

  • detecting and handling data breaches;
  • determining the risk for affected data subjects;
  • notifying the breach to the supervisory authority;
  • notifying the affected data subjects, if required.

Dealing with a data breach when it happens

Where you identify or are informed of a safety incident involving a breach of personal data, consider adopting the three-step plan below.

Step 1: Check if the breach could result in a risk to data subjects’ rights and freedoms (such as identity theft or fraud, or reputational damage).

No? No requirement to notify the supervisory authority or the data subjects affected.

Yes? You must notify the supervisory authority within 72 hours of becoming aware of the breach.

Step 2: Check if the breach results in a high risk to data subjects’ rights and freedoms.

No? No requirement to notify the data subjects affected.

Yes? You must notify the affected data subjects of the breach and inform them of the measures they can take to mitigate the damage.

Step 3: Document all data breaches (including facts, consequences and corrective measures adopted).

Verwandte Beiträge
Internationales Arbeitsrecht Neueste Beiträge

Using ‘mystery calls’ to detect discrimination in recruitment in Belgium

A recent change in the law in Belgium lowers the threshold for labour inspectors to use ‘mystery calls’ to test for discrimination in recruitment. Our annual survey of HR trends showed that one in five companies have been faced with an informal or formal discrimination complaint, mainly on the grounds of apparent race or ethnic origin. Discrimination in recruitment still seems to be difficult to…
Internationales Arbeitsrecht Neueste Beiträge

Bereavement leave in Belgium will be extended and made more flexible

On 17 June 2021, a bill was passed in the Belgian Parliament to extend and ease bereavement leave in the event of the death of a partner or a child. The aim of this law is to allow sufficient time, in a medical sense, for a natural and normal grieving process. Death of a spouse, cohabiting partner or child From 25 July 2021, bereavement leave…
Belgium Internationales Arbeitsrecht

Belgium: posted worker system declared compliant by European Court of Justice

The European Court of Justice has ruled that Belgian legislation cannot circumvent EU law by acting unilaterally against fraudulently acquired A1 declarations. Legislative action of that kind oversteps the limits of what Member States are allowed to do under EU law. On 11 July 2018, the Court of Justice ruled that Belgium has violated European rules by giving national judges, the National Social Security Office…
Abonnieren Sie den KLIEMT-Newsletter.
Jetzt anmelden und informiert bleiben.

Die Abmeldung ist jederzeit möglich.

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht.