1. What is the purpose of this policy?

The purpose of this policy is to inform you (as a natural person data subject) about the way the Centre for Cybersecurity Belgium (hereinafter "CCB") processes your personal data (hereinafter "the personal data"), as well as the reasons why we use and share it, their retention period and the rules for exercising your rights in relation to this data.

This information is provided to you in accordance with applicable legal provisions on data protection and privacy, including the General Data Protection Regulation (EU) 2016/679 "GDPR".

In the context of a specific project or application, reference should be made, where appropriate, to the personal data protection policy relating to that project or application (see Annex II – for cookie policy).

2. Who is the controller?

The controller of your data is the Centre for Cybersecurity Belgium (CCB), located at Rue de la Loi 18, 1000 Brussels.

The CCB determines the purposes for which your data are processed, the means used and all the characteristics of the processing. These are explained in this policy.

3. For what purposes do we process your personal data?

The purposes for which your personal data are processed derive in particular from the various legal missions entrusted to the CCB (see Annex I: table of purposes).

The Royal Decree of 10 October 2014 establishing the Centre for Cybersecurity Belgium lists some of the legal purposes for which the CCB may need to process your personal data:

1. to monitor, coordinate and supervise the implementation of the Belgian cybersecurity strategy;
2. to manage the various cybersecurity projects from an integrated and centralised approach;
3. to ensure coordination between the relevant departments and governments, and between governments and the private or scientific sector;
4. to formulate proposals to adapt the cybersecurity regulatory framework;
5. to ensure crisis management in the event of cyber incidents;
6. to establish, disseminate and monitor the implementation of standards, guidelines and security standards for the various information systems of administrations and public institutions;
7. to coordinate the Belgian representation in international cybersecurity forums, follow up international commitments and propose of the national position in this field;
8. to coordinate the evaluation and certification of the security of information and communication systems;
9. to inform and raise awareness among users of information and communication systems;
10. to act as a national coordination centre within the meaning of Article 6 of European Regulation (EU) 2021/887 of the European Parliament and of the Council of 20 May 2021 establishing the European Centre of Excellence for Industry, Technology and Research in Cybersecurity and the Network of National Coordination Centres.

Persuant to the Act of 7 April 2019 establishing a framework for the security of network and information systems of public interest for public safety ("NIS Act"), the CCB, as the national computer security incident response team ("national CSIRT"), is also entrusted with the following statutory tasks:

1. monitor incidents at national and international level, including the processing of personal data related to the monitoring of these incidents;
2. issue early warnings, alerts, notifications and disseminate information on risks and incidents for the benefit of relevant interested parties;
3. respond to incidents;
4. provide dynamic risk and incident analysis and situational awareness;
5. detect, monitor and analyse computer security problems;
6. promote the adoption and use of common or standardised incident and risk handling procedures and incident, risk and information classification systems;
7. ensure cooperative liaison with the private sector and other government departments or agencies;
8. participate in the CSIRT network;
9. report vulnerabilities in network and information systems.

Pursuant to the Act of 20 July 2022 on Information and Communications Technology Cybersecurity Certification and Designating a National Cybersecurity Certification Authority ("CSA Act"), the CCB, as the National Cybersecurity Certification Authority, performs the following statutory tasks:

1. be responsible for the issuance of European cyber security certificates and the management of complaints;
2. supervise and, where appropriate, impose sanctions on holders of EU cybersecurity certificates, issuers of EU Declarations of Conformity and conformity assessment bodies;
3. participate in the European Cybersecurity Certification Group (EGC);
4. cooperate with other governments.

In particular, as a federal government agency, the CCB may also process your data to the extent that it does not have a legal basis in the above provisions:

• for the use of its websites;
• for the use of its applications or tools;
• for the reception of its visitors;
• for the attendance of its events (physical or online);
• to answer your questions, provide you with assistance or contact you;
• to manage its human resources;
• to manage its public contracts, agreements, etc.

4. On what legal grounds do we use your personal data?

We collect and use your personal data as necessary:

• to comply with a legal obligation or to carry out one of our legal mandates;
• for the performance of tasks of public interest or in the exercise of public authority vested in us;
• in the context of a contractual or pre-contractual relationship;
• on the basis of your consent to processing operations proposed to you outside our legal mandates.

5. What personal data do we process?

The information we process may include:

• your identification data (your surname, first name, photo, ID card, national registration number, name of your organisation, CBE number, etc.);
• your contact details (your postal and e-mail address, phone number, your organisation's address, etc.);
• your family situation (your marital status, number of children, etc.); 
• information relating to your education and employment (your position, resume, etc.);
• data about your interactions with us through our websites, our applications, phone calls, emails, interviews (your IP address, IP address range, domain names, language, cookies, metadata, etc.);
• your data relating to video surveillance of private, non-public places (for security reasons when you visit our offices);
• your data relating to administrative sanctions.

The data we process may have been requested directly from you or from other sources in order to verify or complete our databases.

6. With whom may we share your personal data?

Data relating to you will be processed confidentially and securely to protect your personal data.

We sometimes use service providers who work for us as subcontractors and, as such, must also comply with the GDPR and our contractual provisions. These service providers may not process your data for any purposes other than those specified by the CCB.

Your data may be shared with other governments and government agencies where necessary to fulfil their public interest functions.

7. How do we protect your data?

The CCB and its subcontractors take appropriate technical and organisational measures to ensure that the security level of your personal data is appropriate to the risks.

In particular, your data will be protected against unauthorised access, unauthorised use, loss and unauthorised modification.

8. How long do we keep your personal data?

We will not retain your personal data longer than is necessary for the purposes for which it is processed, unless retention is necessary for other essential purposes, including but not limited to compliance with our legal obligations, complaint handling or dispute resolution.

In principle, the maximum retention period will be:

- , unless your IP address is processed by the CCB as part of a phishing attempt in order to identify the rogue site and take the necessary steps to condemn it. In this case, your IP address may be retained for a period of one (1) week to one (1) month, depending on the circumstances (e.g. difficulty in identifying the website, large number of phishing attempts for the same website and for different users, etc.);

• cookies: this period is described in detail in Annex II: cookie policy;
• exchanges via the contact form and via e-mail: 12 months after the last exchange;
• log files: 13 months from their creation.

In the context of the use of the Safeonweb@Work platform, the maximum retention period is as follows

• your identification data (name, first name, e-mail address, postal address, phone number, position, organisation name, organisation CBE number, organisation postal address): for as long as you use the platform;
• your national registration number: five years after your last use of the platform;
• your IP address and IP address range: five years from your last use of the platform,
• your domain name: five years from your last use of the platform;
• cookies: 13 months from the creation of the cookie;
• log files: 13 months from creation.

If your personal data needs to be retained for essential purposes, including but not limited to compliance with our legal obligations, dispute resolution and complaint handling, it may be retained for longer than the above.

As a federal government body, we are also subject to the Archives Act of 24 June 1955, and are therefore not free to destroy the documents in our possession. In addition, documents of a public administration that no longer have any administrative and/or legal value may still have historical, scientific or statistical importance. They are then transferred to the State Archives. From this point of view, the administrative documents in our possession are kept for a certain period of time in collaboration with the State Archives.

9. What are your rights and how can you exercise them?

In accordance with applicable regulations and subject to statutory exceptions, you have the following rights:

• Right of access: you can obtain information about the processing of your personal data and a copy of that data.
• Right to rectification:if your personal data in our possession is incorrect or incomplete, you can have it corrected accordingly.
• Right to erasure:you may request that your personal data be deleted. However, your request will not be granted if the processing of your data is necessary for us within the scope of our legal mandates, for the fulfillment of one of our tasks of public interest or in the exercise of public authority vested in us, or still for the performance of a contract or pre-contractual measures.
• Right to restrict processing:you may request that the processing of your personal data be restricted if you exercise your right to object, you contest the accuracy of the data, their processing appears to you to be unlawful, or if you need them for the establishment, exercise or substantiation of a legal claim. Thus, except in exceptional cases, the processing of your data will be suspended for the time necessary to process your request.
• Right to object: you may be able to object to the processing of your personal data for reasons relating to your particular situation.
• Right to withdraw your consent:if your personal data are processed solely on the basis of your consent, you have the right to withdraw this consent at any time.

To exercise the rights to your personal data, please attach a copy (scan or photo) of your identity card, passport or similar document, with your signature, on which you can hide the data that are not relevant to verify your identity as a person concerned. You can also indicate on this copy the name of the organization, the date and the object of your request so that it cannot be used later for other purposes. However, if you have a general question, there is no need to provide us with this evidence.

You can send our data protection officer an e-mail or letter. Below are the details:

CENTRE FOR CYBERSECURITY BELGIUM

For the attention of the Data Protection Officer (DPO)

Rue de la Loi 18

1000 Brussels

E-mail: privacy@ccb.belgium.be

For more information on personal data protection, visit the Data Protection Authority website: https://www.gegevensbeschermingsautoriteit.be.

10. What are the exceptions to exercising your rights?

The exercise of some of your rights (see previous point) may, in a justified manner, be limited or may be refused to you by the CCB, in particular when the processing of your data is necessary for the application of some legal provisions and the exercise of these rights is incompatible with this.

11. Complaints

If, after contacting our Data Protection Officer, you consider that the Center for Cybersecurity Belgium would not have processed your personal data in accordance with the applicable regulations, you have the right to lodge a complaint with the Data Protection Authority:

Data Protection Authority (DPA)

Drukpersstraat 35

1000 Brussels

Tel. +32 2 274 48 00

Fax +32 2 274 48 35

E-mail: contact@apd-gba.be

Website: https://www.gegevensbeschermingsautoriteit.be

12. Who to contact regarding your personal data?

For more information about our data protection policy, please contact our Data Protection Officer: privacy@ccb.belgium.be. 

13. Can this policy be changed?

We regularly review our policy and reserve the right to modify it at any time taking into account changes in our business or new legal requirements.

To inform you of those changes, we will publish updated versions of our policies on our various websites: "www.ccb.belgium.be","www.cert.be", "www.safeonweb.be", "atwork.safeonweb.be" or “https://community.ncc.belgium.be”. You can find the "last update" date at the top of this policy so you can check when the policy was last revised.