Since January 1st 2016, the new “Datalek Meldplicht” act, which obliges organisations to report data leaks, has been in effect in the Netherlands. In Belgium, all telecom operators are already subject to this act, and all other organisations will be subject to it as of 2018. This act amends the personal data protection act in two main respects:
This legislative amendment is important for all those who process personal data. Web store administrators should pay particular attention to it, as should “ordinary” websites that process personal data.
Although the new act came into effect quite some time ago, there are still several grey areas: when exactly does it apply, and what does it mean for your organisation?
As previously stated, all Belgian telecom operators are obliged to report personal data leaks. This report must be submitted to the Commission for the protection of privacy, better known as the Privacy Commission. As of 2018, all Belgian companies will be subject to the act.
A data leak occurs when, for instance, a hacker manages to access your database containing personal data. In such a case, you need to contact the Privacy Commission.
In case of severe data loss, you also need to inform the persons concerned, i.e. the people whose data have been disclosed.
The act follows a step-by-step model. Every data leak is different and must therefore be handled in a different way.
For each security incident, you need to look into what exactly went wrong and see if personal data actually leaked. Be careful though, as the reporting obligation extends further than you might think. Accidentally sending an e-mail containing personal information to the wrong person is also seen as a data leak. No matter how harmless it may seem, you should, in theory, report such an incident to the Privacy Commission.
The clock starts ticking as soon as you discover the leak: from then on, you have 48 hours to report it. Companies can use this 2-day period to properly assess the extent of the damage. This is also a good way to avoid false alerts.
Tip: You should not report every security incident. A data leak occurs only when intruders manage to get hold of personal information.
Notifying the commission does not automatically mean that you should inform the persons concerned. You should do so only if the data leak “can have a negative impact on the privacy” of the persons concerned. And when payment card details or a mishap like the one that befell Ashley Madison – the dating site for married people seeking affairs – are concerned, it seems pretty logical.
But when exactly can an incident have “a negative impact”? The definition is vague, to say the least. So, you are partly responsible for determining if that is the case. Fortunately, the Privacy Commission will inform you step by step, and help you determine when you have to inform the persons concerned.
You can secure your data by taking technical measures, such as encryption or hashing. If you go for hashing, your data will be “mixed up” by an algorithm. This way, the data cannot be read by humans, but a computer can make them readable again. If you have taken such a precaution, you are not obliged to inform the persons concerned. You must, however, notify the Privacy Commission.
The only drawback is that you also need to check if your encryption survived the leak. If not, you will have to inform the persons concerned all the same.
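As an added illustration of the protection described above (this is example code written for this article, not Combell's own code), the following Python pseudonymises the personal fields of a record with a keyed hash and then applies the step model to a leaked dump: the Privacy Commission is notified whenever personal data leaked, the persons concerned only if the protection did not survive. The sample records, the field names and the use of a separately stored secret “pepper” are assumptions.

```python
"""Pseudonymise personal data with a keyed hash and assess a leak of the result."""
import hashlib
import hmac

# Constructed sample records of a web store (not taken from the article).
CUSTOMERS = [
    {"id": 1, "email": "alice@example.com", "card_last4": "4242"},
    {"id": 2, "email": "bob@example.com", "card_last4": "1111"},
]
PERSONAL_FIELDS = ("email", "card_last4")


def pseudonymise(records, pepper: bytes):
    """Replace each personal field by HMAC-SHA256(pepper, value).

    The pepper is kept outside the database (assumed: in the application's
    secret store), so a dump of the table alone does not reveal the plaintext,
    while the application can still match a known value against the stored token.
    """
    out = []
    for rec in records:
        row = dict(rec)
        for field in PERSONAL_FIELDS:
            row[field] = hmac.new(pepper, rec[field].encode(), hashlib.sha256).hexdigest()
        out.append(row)
    return out


def matches(token: str, candidate: str, pepper: bytes) -> bool:
    """The lookup the application performs: does this token belong to candidate?"""
    expected = hmac.new(pepper, candidate.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(token, expected)


def assess_leak(leaked_rows, leaked_secrets):
    """Apply the step model to a dump of the pseudonymised table.

    The Commission is notified whenever the dump contains personal-data fields;
    the persons concerned only if those fields are readable, which here means
    the pepper leaked alongside the table (the 'did the protection survive' check).
    """
    personal_data = any(f in row for row in leaked_rows for f in PERSONAL_FIELDS)
    readable = "pepper" in leaked_secrets
    return {"notify_commission": personal_data,
            "notify_persons": personal_data and readable}
```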
Unfortunately, and yet quite understandably, fines are imposed when personal data are lost. Be careful though: if you submit a report for your data leak to the Privacy Commission, that does not automatically mean you will get a fine. Usually, you will get an injunction requiring you to strengthen your security.
However, if the breach was intentional or when gross negligence is involved, you may get that fine immediately. And it is quite hefty!
A fine for a data leak can reach up to 10 million euros, or 2% of the global annual turnover of the company concerned (provided it is more than 10 million euros).
The Privacy Commission’s aim is not to raise money in fines, but to create awareness, especially among those who process personal information. What really matters is to limit every type of damage.
Imagine that you sell personal information to a third party. That clearly qualifies as a breach. But ‘gross negligence’ can also be interpreted more loosely.
The law does not take account of such cases. It only mentions “common security measures”, which is obviously a highly subjective concept. When determining the amount of your fine, the Privacy Commission determines how common your security measures were. If their verdict does not match what you had in mind, you can always challenge it before a court.
Tip for Combell customers: Enable Automatic patching in your My Combell control panel.
After reading this article, you will most probably agree with us: having to contact the Privacy Commission is something you want to avoid at all costs. We should, however, stay realistic and admit that security threats are all over the Internet. As a non-telecom operator, you also have two years to fully prepare yourself, so make good use of this time so that you can avoid 100% of data leaks!
© 1999 - 2021 Combell nv.