Compendium of Belgian IT Laws (2005): privacy, monitoring and outsourcing
Compendium of Belgian IT Laws
An overview of legislation on privacy, monitoring and outsourcing
Johan Vandendriessche
24 May 2005
Overview
Privacy (data protection): The law of 8 December 1992 on privacy protection in relation to the processing of personal data
Monitoring (data protection): CWA (CAO/CCT) nr. 81
Outsourcing: Outsourcing by financial and/or insurance companies
Data Protection
Security obligation in relation to data processing
Management of processing (organising thereof)
Audit
Quality of legislation on this topic is poor
Data Protection
General security obligation
Appropriate measures
• technical
• organisational
the protection of personal data against accidental or unauthorised destruction, accidental loss, as well as against alteration of, access to and any other unauthorised processing of personal data
Purpose: to prevent unlawful processing
Data Protection
Appropriate?
A balance must be struck between:
• the state of the art and the cost of implementing the measures, on the one hand
• the nature of the data to be protected and the potential risks, on the other hand
Evolutive appreciation
Data Protection
Specific security obligations
Ensure data quality
Limitation of access
• to the persons that need access
• only to those personal data that they need
Notification of legal provision
ascertain the accordance of the software with the notification under article 17
Data Protection
Data processing obligations
• the choice of a processor providing sufficient guarantees in respect of the technical and organisational security measures
• supervision of the compliance therewith (in particular by laying them down in contractual stipulations)
• liability regime
• detailed instructions and competences of the data processor
• the conclusion in writing or on electronic carrier of these elements (data processing agreement)
Data Protection
Importance of data processing agreement:
Audit
Auditor may be a data processor
Monitoring
CWA n° 81 on the monitoring of online communication of employees
Monitoring techniques are highly efficient
Legal?
Monitoring
Online communications data?
Content?
Monitoring
Purposes
1. The prevention of unlawful acts, libel and acts contrary to decency
2. The protection of economic, commercial and financial confidential interests of the company
3. The maintenance of the technical performance of the computer system
4. The control of the respect of the terms of use of the computer system
Monitoring
Proportionality
The infringement of the privacy of the employee must be restricted to a minimum (if unavoidable)
Interdiction of systematic individualisation
Monitoring
Transparency
Collective
• To whom? (cascade)
  • Works council
  • Committee for prevention and protection
  • Delegation of the Union
  • The employee
• How?
• Which information?
  • The supervision policy
  • The purposes of the monitoring
  • Conservation? Place and duration?
  • The permanent nature of the supervision
Monitoring
Transparency
Individual (i.e. the employee)
• Which information?
  • All the information provided collectively
  • The conditions of use of the tools that are at the disposal of the employee and the functional limitation thereof
  • The rights, obligations and tasks of the employee, and possible limitations to the use of communications on the network of the company
  • Sanctions, if any, provided in the “employee policy” (règlement du travail / Werkreglement)
• How?
  • General instructions
  • Employee policy
  • Contractually
  • User policy, each time the tool is used
Monitoring
Individualisation?
Direct
• Purposes 1 -> 3
Indirect
• Purpose 4
Monitoring
Indirect individualisation
Procedure
• General information obligation to all employees (first irregularity)
• Identification (second irregularity)
• The concerned employee must be heard before sanctions are taken
• Employee policy
Outsourcing
Outsourcing in the financial sector
• Circular of 10 March 2005 on healthy management practices concerning the continuity of financial institutions
• Circular of 22 June 2004 on healthy management practices concerning the outsourcing by financial institutions
Outsourcing
Continuity?
Outsourcing of internal processes
• Customer services
• Accountancy
• IT
• Internal audits
• Data management
General service providers are not concerned
Outsourcing
Principles (10)
Determination of the outsourcing policy
Responsibility is retained
• Vis-à-vis the shareholder, the customers, the supervisory entities
• An audit right is mandatory
Outsourcing decision
• Documentary evidence
  • The description of the outsourced activities
  • The expected results of the outsourcing operation
  • Evaluation of the involved risks
Outsourcing
Principles
The choice of the service provider and the maintenance of the continuity
• Reputation, financial state, capacities (technical / operational / insurance)
• Termination issues
Written agreement
Outsourcing
Security
Subcontracting
Internal audit and compliance
Revisory and prudential supervision
Applicability of Belgian law
Outsourcing
Transborder outsourcing?
Activities with licence
• EEA?
• Outside EEA?
Information to CBFI
Future developments
Privacy and monitoring
Implementation of Directive 2002/58/EC
• Security obligations
• Privacy issues related to electronic communications (localisation, cookies and spyware, …)
Future developments
Security obligation for electronic communications service providers
Security obligation for the providers of public communications networks
Security obligation for providers of software for electronic communications
Future developments
Location data processing by mobile communications service providers
Anonymous
Part of service related to location data
Thank you for your attention!
Johan Vandendriessche
Associate
Lontings & Partners
Tel: +32 2 708 40 00
Fax: +32 2 708 40 99
www.lontingsandpartners.be