1. What is the purpose of this policy?

The purpose of this policy is to inform you (as a natural person data subject) about the way the Center for Cybersecurity Belgium (hereinafter "CCB") processes your personal data (hereinafter "the personal data"), as well as the reasons why we use and share them, their retention period and the rules for exercising your rights in relation to that data.

This information is provided to you in accordance with applicable legal provisions on data protection and privacy, including the General Data Protection Regulation (EU) 2016/679 "GDPR".

In the context of a specific project or application, reference should be made, where appropriate, to the personal data protection policy relating to that project or application (see Annex II – for cookie policy).

2. Who is the controller?

The controller for your data is the Center for Cybersecurity Belgium (CCB), with offices at Rue de la Loi 18, 1000 Brussels.

The CCB determines the purposes for which your data will be processed, the means used and all characteristics of the processing. These are explained in this policy.

3. For what purposes do we process your personal data?

The processing purposes of your personal data arise in particular from the various legal missions entrusted to the CCB (see Annex I: table of purposes).

The Royal Decree of 10 October 2014 establishing the Center for Cybersecurity Belgium lists some of the legal purposes for which the CCB may need to process your personal data:

1. to monitor, coordinate and oversee the implementation of Belgium's cybersecurity strategy;
2. to manage the various cybersecurity projects from an integrated and centralized approach;
3. to ensure coordination between relevant departments and governments, and governments and the private or scientific sector;
4. to formulate proposals to adapt the cybersecurity regulatory framework;
5. to ensure crisis management in case of cyber incidents;
6. to establish, disseminate and oversee the implementation of standards, guidelines and security standards for the various information systems of administrations and public institutions;
7. to coordinate Belgian representation in international cybersecurity forums, follow-up of international obligations and proposals of the national position in this field;
8. to coordinate the evaluation and certification of information and communication systems security;
9. to inform and raise awareness among users about information and communication systems;
10. to act as a national coordination center within the meaning of Article 6 of European Regulation (EU) 2021/887 of the European Parliament and of the Council of 20 May 2021 establishing the European Centre of Excellence for Industry, Technology and Research in Cybersecurity and the Network of National Coordination Centers.

Under the Act of 7 April 2019 establishing a framework for the security of network and information systems of public interest for public safety ("NIS Act"), the CCB, as the national computer security incident response team ("national CSIRT"), is also entrusted with the following statutory duties:

1. to monitor incidents at the national and international level, including the processing of personal data related to the monitoring of these incidents;
2. for the benefit of relevant interested parties, to issue early warnings, alerts, announcements and dissemination of information on risks and incidents;
3. to respond to incidents;
4. to provide dynamic risk and incident analysis and situational awareness;
5. to detect, observe and analyze computer security problems;
6. to encourage the adoption and use of common or standardized practices in incident and risk handling procedures, and incident, risk and information classification systems;
7. to ensure cooperative contacts with the private sector and with other administrative departments or authorities;
8. to participate in the CSIRT network;
9. to report vulnerabilities in network and information systems.

Pursuant to the Act of 20 July 2022 on Information and Communications Technology Cybersecurity Certification and Designating a National Cybersecurity Certification Authority ("CSA Act"), the CCB, as the National Cybersecurity Certification Authority, performs the following statutory duties:

1. to be responsible for issuing European cyber security certificates and complaint management;
2. to supervise holders of EU cybersecurity certificates, issuers of EU declarations of conformity and conformity assessment bodies and, where appropriate, impose sanctions;
3. to participate in the European Cybersecurity Certification Group (EGC);
4. to collaborate with other governments.

Pursuant to Regulation (EU) 2021/887 of the European Parliament and of the Council of 20 May 2021 establishing the European Centre of Excellence for Industry, Technology and Research in the field of Cybersecurity and the Network of National Coordination Centers, the CCB, as the national coordination center, performs the following legal tasks:

1. to act as a point of contact at the national level under the aforementioned regulation;
2. to provide expert advice and actively contribute to the strategic tasks referred to in the aforementioned regulation;
3. to promote, encourage and facilitate at the national level the participation of civil society, industry, especially start-ups and SMEs, the academic and research community and other stakeholders in cross-border projects and cybersecurity actions funded by the relevant Union programs;
4. to provide technical assistance to stakeholders by supporting them at the application stage for projects managed by the knowledge center related to its mission and objectives;
5. to seek synergies with relevant activities at national, regional and local levels, such as national cybersecurity research, development and innovation policies, especially those outlined in national cybersecurity strategies;
6. to carry out specific actions to which the knowledge center has awarded grants;
7. to consult with national authorities on possible contributions to the promotion and dissemination of cybersecurity education programs;
8. to promote and disseminate the relevant results of the work of the network, the knowledge community and the knowledge center at the national, regional or local level;
9. to assess requests from entities based in Belgium to be part of the knowledge community;
10. to advocate for and promote the involvement of relevant entities in the activities of the knowledge center, network and knowledge community and, if necessary, monitor the level of involvement in and amount of public financial support for cybersecurity research, development and deployment.

In particular, as a federal government agency, to the extent that it does not have a legal basis in the above provisions, the CCB may also process your data:

• for the use of its websites;
• for the use of its applications or tools;
• for welcoming its visitors;
• for participation in any of its events (physical or online);
• to answer your questions, help you or contact you;
• for its personnel administration;
• for managing its public contracts, agreements, etc.

4. On what legal grounds do we use your personal data?

We collect and use your personal data as necessary:

• to fulfill a legal obligation or to carry out one of our legal mandates;
• for the performance of duties of public interest or in the exercise of public authority vested in us;
• in the context of a contractual or pre-contractual relationship;

based on your consent for processing operations proposed to you outside our legal mandates.

5. What personal data do we process?

The information we process may include the following:

• your identifying information (your name, first name, photo, ID card, national register number, name of your organization, CBE number, etc.);
• your contact information (your postal and e-mail address, phone number, address of your organization, etc.);
• your family situation (your marital status, number of children, etc.); 
• information related to your education and employment (your position, resume, etc.);
• data about your interactions with us through our websites, our applications, phone calls, emails, interviews (your IP address, IP address range, domain names, language, cookies, metadata, etc.);
• your data related to video surveillance of private, non-public places (for security reasons when you visit our offices);
• your data related to administrative sanctions.

The data we process may have been requested directly from you or from other sources to verify or supplement our databases.

6. With whom may we share your personal data?

Data relating to you will be processed confidentially and securely to protect your personal data.

We sometimes use service providers who work for us as subcontractors and, as such, must also comply with the GDPR and our contractual provisions. These service providers may not process your data for purposes other than those determined by CCB.

Your data may possibly be shared with other governments and government agencies as necessary to fulfill their public interest functions.

7. How do we protect your data?

The CCB and its subcontractors take appropriate technical and organizational measures to ensure that the security level of your personal data is appropriate to the risks.

In particular, your data is protected against unauthorized access, unauthorized use, loss and unauthorized modification.

8. How long do we keep your personal data?

We will not retain your personal data longer than necessary for the purposes for which the data is processed, unless its retention is necessary for other fundamental purposes, including but not limited to compliance with our legal obligations, complaint handling or dispute resolution.

In principle, the maximum retention period is:

- of your IP address: 24 hours, except when your IP address is processed by CCB as part of a phishing attempt to identify the rogue site and take the necessary steps to condemn it. In that case, your IP address may be kept for a period of one (1) week to one (1) month, according to events (e.g.: difficulty in identifying the website, large number of phishing attempts for the same website and for different users, etc.);

• cookies: this period is described in detail in Annex II: cookie policy;
• exchanges through the contact form and via e-mail: 12 months from the last exchange;
• log files: 13 months from creation.

In the context of using the Safeonweb@Work platform, the maximum retention period is:

• your identifying information (name, first name, e-mail address, address, phone number, position, organization name, organization CBE number, organization mailing address): this term runs as long as you use the platform;
• your national register number: five years from your last use of the platform;
• your IP address and IP address range: five years from your last use of the platform,
• your domain name: five years from your last use of the platform;
• cookies: 13 months from the creation of the cookie;
• log files: 13 months from creation.

If your personal data needs to be retained for fundamental purposes, including but not limited to compliance with our legal obligations, dispute resolution and complaint handling, it may be retained for longer than stated above.

As a federal government agency, we are also subject to the Archives Act of 24 June 1955, and are therefore not free to destroy the documents in our possession. Moreover, documents of a public administration that no longer have administrative and/or legal utility may still have historical, scientific or statistical importance. They are then delivered to the State Archives. From this point of view, the administrative documents in our possession are kept for a certain time in cooperation with the State Archives.

9. What are your rights and how can you exercise them?

In accordance with applicable regulations and subject to statutory exceptions, you have the following rights:

• Right of access:you can obtain information about the processing of your personal data and a copy of that data.
• Right to rectification: if your personal data in our possession is incorrect or incomplete, you can have it corrected accordingly.
• Right to data erasure: you may request that your personal data be deleted. However, your request will not be granted if the processing of your data is necessary for us within the scope of our legal mandates, for the fulfillment of one of our tasks of public interest or in the exercise of public authority vested in us, or still for the performance of a contract or pre-contractual measures.
• Right to restrict processing: you may request that the processing of your personal data be restricted if you exercise your right to object, you contest the accuracy of the data, their processing appears to you to be unlawful, or if you need them for the establishment, exercise or substantiation of a legal claim. Thus, except in exceptional cases, the processing of your data will be suspended for the time necessary to process your request.
• Right to object:you may be able to object to the processing of your personal data for reasons relating to your particular situation.
• Right to withdraw your consent: if your personal data are processed solely on the basis of your consent, you have the right to withdraw this consent at any time.

To exercise the rights to your personal data, please attach a copy (scan or photo) of your identity card, passport or similar document, with your signature, on which you can hide the data that are not relevant to verify your identity as a person concerned. You can also indicate on this copy the name of the organization, the date and the object of your request so that it cannot be used later for other purposes. However, if you have a general question, there is no need to provide us with this evidence.

You can send our data protection officer an e-mail or letter. Below are the details:

CENTRE FOR CYBERSECURITY BELGIUM

For the attention of the Data Protection Officer (DPO)

Rue de la Loi 16

1000 Brussels

E-mail: privacy@ccb.belgium.be

For more information on personal data protection, visit the Data Protection Authority website: https://www.gegevensbeschermingsautoriteit.be.

10. What are the exceptions to exercising your rights?

The exercise of some of your rights (see previous point) may, in a justified manner, be limited or may be refused to you by the CCB, in particular when the processing of your data is necessary for the application of some legal provisions and the exercise of these rights is incompatible with this.

11. Complaints

If, after contacting our Data Protection Officer, you consider that the Center for Cybersecurity Belgium would not have processed your personal data in accordance with the applicable regulations, you have the right to lodge a complaint with the Data Protection Authority:

Data Protection Authority (DPA)

Drukpersstraat 35

1000 Brussels

Tel. +32 2 274 48 00

Fax +32 2 274 48 35

E-mail: contact@apd-gba.be

Website: https://www.gegevensbeschermingsautoriteit.be

 

12. Who to contact regarding your personal data?

For more information about our data protection policy, please contact our Data Protection Officer: privacy@ccb.belgium.be. 

 

13. Can this policy be changed?

We regularly review our policy and reserve the right to modify it at any time taking into account changes in our business or new legal requirements.

To inform you of those changes, we will publish updated versions of our policies on our various websites:"www.ccb.belgium.be", "www.safeonweb.be" or "atwork.safeonweb.be".

You can find the "last update" date at the top of this policy so you can check when the policy was last revised.