Compendium of Belgian IT Laws (2005): privacy, monitoring and outsourcing

Upload: johan-vandendriessche

Post on 05-Jul-2015

Compendium of Belgian IT Laws

An overview of legislation on privacy, monitoring and outsourcing

Johan Vandendriessche

24 May 2005

Overview

Privacy (data protection)

• The law of 8 December 1992 on privacy protection in relation to the processing of personal data

Monitoring (data protection)

• CWA (CAO/CCT) nr. 81

Outsourcing

• Outsourcing by financial and/or insurance companies

Data Protection

Security obligation in relation to data processing

Management of processing (organising thereof)

Audit

Quality of legislation on this topic is poor

Data Protection

General security obligation: appropriate measures

• technical

• organisational

the protection of personal data against accidental or unauthorised destruction, accidental loss, as well as against alteration of, access to and any other unauthorised processing of personal data

Purpose: to prevent unlawful processing

Data Protection

Appropriate? A balance must be struck between:

• the state of the art and the cost of implementing the measures, on the one hand

• the nature of the data to be protected and the potential risks, on the other hand

Evolutive appreciation

Data Protection

Specific security obligations

Ensure data quality

Limitation of access

• to the persons that need access

• only to those personal data that they need

Notification of legal provision

Ascertain the conformity of the software with the notification under Article 17

Data Protection

Data processing obligations

• the choice of a processor providing sufficient guarantees in respect of the technical and organisational security measures

• supervision of the compliance therewith (in particular by laying them down in contractual stipulations)

• liability regime

• detail instructions and competences of the data processor

• the conclusion in writing or on electronic carrier of these elements (data processing agreement)

Data Protection

Importance of data processing agreement:

Audit

Auditor may be a data processor

Monitoring

CWA n° 81 on the monitoring of online communication of employees

Monitoring techniques are highly efficient

Legal?

Monitoring

Online communications data?

Content?

Monitoring

Purposes

1. The prevention of unlawful acts, libel and acts contrary to decency

2. The protection of economic, commercial and financial confidential interests of the company

3. The maintenance of the technical performance of the computer system

4. The control of the respect of the terms of use of the computer system

Monitoring

Proportionality

The infringement of the privacy of the employee must be restricted to a minimum (if unavoidable)

Interdiction of systematic individualisation

Monitoring

Transparency

Collective

• To whom? (cascade)
    • Works council
    • Committee for prevention and protection
    • Delegation of the Union
    • The employee

• How?

• Which information?
    • The supervision policy
    • The purposes of the monitoring
    • Conservation? Place and duration?
    • The permanent nature of the supervision

Monitoring

Transparency

Individual (i.e. the employee)

• Which information?
    • All the information provided collectively
    • The conditions of use of the tools that are at the disposal of the employee and the functional limitation thereof
    • The rights, obligations and tasks of the employee, and possible limitations to the use of communications on the network of the company
    • Sanctions, if any, provided in the “employee policy” (règlement du travail / Werkreglement)

• How?
    • General instructions
    • Employee policy
    • Contractually
    • User policy, each time the tool is used

Monitoring

Individualisation?

Direct

• Purposes 1 -> 3

Indirect

• Purpose 4

Monitoring

Indirect individualisation

Procedure

• General information obligation to all employees (first irregularity)

• Identification (second irregularity)

• The concerned employee must be heard before sanctions are taken

• Employee policy

Outsourcing

Outsourcing in the financial sector

• Circular of 10 March 2005 on healthy management practices concerning the continuity of financial institutions

• Circular of 22 June 2004 on healthy management practices concerning the outsourcing by financial institutions

Outsourcing

Continuity?

Outsourcing of internal processes

• Customer services

• Accountancy

• IT

• Internal audits

• Data management

General service providers are not concerned

Outsourcing

Principles (10)

Determination of the outsourcing policy

Responsibility is retained

• Vis-à-vis the shareholder, the customers, the supervisory entities

• An audit right is mandatory

Outsourcing decision

• Documentary evidence
    • The description of the outsourced activities
    • The expected results of the outsourcing operation
    • Evaluation of the involved risks

Outsourcing

Principles

The choice of the service provider and the maintenance of the continuity

• Reputation, financial state, capacities (technical / operational / insurance)

• Termination issues

Written agreement

Outsourcing

Security

Subcontracting

Internal audit and compliance

Revisory and prudential supervision

Applicability of Belgian law

Outsourcing

Transborder outsourcing?

Activities with licence

• EEA?

• Outside EEA?

Information to CBFI

Future developments

Privacy and monitoring

Implementation of Directive 2002/58/EC

• Security obligations

• Privacy issues related to electronic communications (localisation, cookies and spyware, …)

Future developments

Security obligation for electronic communications service providers

Security obligation for the providers of public communications networks

Security obligation for providers of software for electronic communications

Future developments

Location data processing by mobile communications service providers

Anonymous

Part of service related to location data

Thank you for your attention!

Johan Vandendriessche

Associate

Lontings & Partners

Tel: +32 2 708 40 00

Fax: +32 2 708 40 99

E-mail : [email protected]

www.lontingsandpartners.be