Julien Hick, Jacqueline van Essen and Vincent Wellens of NautaDutilh write:
Belgium recently experienced two significant data breaches (involving, amongst other companies, the Belgian railway operator), which resulted in the online disclosure of personal data relating to thousands of people. These events led the Belgian data protection authority (the Privacy Commission) to issue a recommendation on the security of information and data breaches. This recommendation was published on 21 January 2013 and can be consulted on the Privacy Commission’s website (www.privacycommission.be).
Well, maybe they could find them, but the site’s English version isn’t fully operational. So unless you can read French or Dutch, you may want to read more of the NautaDutilh attorneys’ commentary on the Association of Corporate Counsel site. Their recap of the data breach notification section is interesting:
Notification of data breaches
The Belgian Data Protection Act of 8 December 1992 does not include a breach notification procedure. In its recommendation, the Privacy Commission provides for a new duty to notify data breaches, in accordance with the following procedure:
Notification of the cause of the breach and the resulting harm to the Privacy Commission within 48 hours;
Launch of a public information campaign by the data controller within 24 to 48 hours after the abovementioned notification to the Privacy Commission.
But that’s just a recommendation, right, at this point?