The Data Protection Authority of Belgium (GBA) has provided further clarification on accountability. This was prompted by a data breach that the Belgian privacy regulator investigated. What does the GBA's decision mean for security incidents?
The issue in this investigation was whether the respondent had its register of "breaches" (read: register of security incidents and possibly notifiable data breaches) in order and whether the risk to the data subjects had been properly assessed. As a preliminary point, it is worth noting that the GBA is of the opinion (GBA / Case No. 18/2020) that the respondent did not breach this accountability requirement.
Among other things, the GBA indicates the following in this regard:
The accountability of Article 5(2) AVG is not limited to the principles of Article 5(1) AVG, but (also) relates to the other provisions of the AVG, including, for example, Articles 33 and 34 AVG (security incidents and notifications to the authority and/or data subject). The GBA notes that this arises "from the close connection between Article 5(2), on the one hand, and the obligations for the controller arising from Article 24 AVG, on the other."
With regard to security incidents, the GBA refers to the WP29 Guidelines (). This means the following for accountability regarding security incidents or 'breaches':
All breaches must be documented, with:
The facts/details regarding the breach.
The causes of the breach, what occurred and the personal data involved.
The consequences of the breach.
The corrective actions taken.
Also, the rationale for the controller's decisions in response to the breach must be documented. This means recording the reasons for reporting or not reporting. The question that needs to be answered here is whether or not the breach poses a risk to the rights and freedoms of natural persons. If the controller believes that a breach is "unlikely to present a risk" to the data subject(s), it must be able to prove this.
This applies to breaches that are and are not reported to the authority.
Therefore, a controller must keep an internal register of security incidents. The supervisory authority may request access to this register.
Furthermore, the controller must have a reporting procedure in place.
Finally, employees should be familiar with this procedure and know how to respond to breaches.
The GBA makes it clear once again that a data controller must be able to demonstrate how it complies with the obligations of the AVG. So this means that, for all applicable mandatory parts of the AVG, the controller must have policies, procedures or rules of conduct available and communicated. Records must also be kept and considerations and decisions must be documented so that evidence can be provided to the authority if necessary.
The connection between Article 5(2) and Article 24 AVG then makes it clear that the controller must also put in place an improvement cycle ("PDCA cycle") by periodically reviewing all obligations and, if necessary, improving and updating them.