Logo_GDPR_Masters_Schild.png

DATA BREACH MODULE

REGISTRATION

REPORT DUTY

 

WHEN IS THERE A REPORT DUTY?

The reporting obligation to the Authority applies if there is a "risk to the rights and freedoms of the person concerned". For example, this may involve a loss of confidentiality of a communication, as a result of which billing information, addresses, etc. are temporarily visible to third parties.

You also have the obligation to communicate the data breach to the data subject if there is a high risk for the data subject. There are various methods for estimating high risks for those involved.

Regarding the reporting obligation in the telecom sector, similar rules apply at Belgian and European level in addition to the GDPR.

 

WHO SHOULD REPORT TO THE AUTHORITY?

The report must be made by the controller or by the processor if the controller has made explicit written agreements with the processor.

The notification allows the Authority to assess the risk of the data leak together with the controller of the leaked data, and to make recommendations on how to reduce the risk for the data subject, compliance with the legal rules concerning data processing and the security thereof. An additional advantage of such a report is that it obliges the controller to think about how he organizes and protects his data processing, now and in the future.

 

WITHIN WHAT TIME?

The reporting period outside the telecom sector is a maximum of 72 hours after the data leak has been determined. If in the first instance the controller has insufficient information to investigate the nature of the problem, he can make a first report and, after investigation, supplement it with an additional report.

TO WHO?

In all cases, the notification is addressed to the Authority. In addition, in some cases a notification must be made to the data subjects.

 

HOW TO INFORM THE AUTHORITY?

For the sake of simplicity, the notification is made to the Authority within and outside the telecom sector via a web form that can be found via: https://www.gegevensbeschermingsautoriteit.be/meldform-voor-gegevenslekken (Belgium)

 

HOW SHOULD THE NOTIFICATION HAPPEN TO THE DATA SUBJECTS?

The controller reports the data leak to the data subjects with means of communication that guarantee that the information is received quickly. If it is impossible to identify the injured persons, the controller may inform those persons through the media, although he continues to try to find out the identity of those persons so that they can also inform them individually.

The notification to the data subjects is written in clear language and is easy to understand. The Authority recommends providing at least the following information:

  1. The nature of the problem

  2. A brief description of the data affected

  3. A brief description of the measures taken by the controller to remedy the problem

  4. The possible consequences of the data leak for the data subjects,

  5. Contact details of a point of contact where additional information can be obtained (for example, the coordinates of the DPO).

 

IN WHICH CASES SHOULD THE DATA BREACH NOT BE COMMUNICATED TO THE DATA SUBJECTS?

The DPO must always be involved in any matter concerning the protection of personal data. In case of doubt, the DPO must therefore be consulted about whether or not to report the data breach to the data subjects.

 

IN WHICH CASES SHOULD THE DATA BREACH NOT BE COMMUNICATED TO THE AUTHORITY?

In addition to the circumstances that indicate that the data breach will not affect the privacy or personal data of the data subjects, there are two other cases where the controller does not have to inform the Authority of the data breach:

  • when the controller has demonstrated that the data was encrypted or otherwise protected, so that it is incomprehensible to the third parties who may be in possession of it. The key to crack the security must of course not be leaked;

  • when the data subjects were immediately informed of the full extent and consequences of the data breach AND only a limited group of people (around 100) were affected AND no sensitive data (eg medical data, data on religion, sexual orientation, political racial or ethnic origin) or financial data (eg the combination of a person's name with his account or bank card number) are involved in the data breach.

 

In case of doubt, the responsible person should make a report to the Authority.

 

LOGGING OF ANY INCIDENT

Even if the controller does not report the data breach to the Authority, it is best to keep a log of incidents. This should contain a brief description of each data breach and an explanation for not reporting it.

A data breach module was included in the GM application, so that the logging of incidents / data breaches is recorded. A data breach procedure is also created after an inventory of the processing activities.