Privacy Policy

The purpose of this policy is to inform you (as the data subject) about how the Centre for Cybersecurity Belgium (hereinafter "the CCB") processes your personal data, why we use and share it, how long we keep it and how you can exercise your rights in relation to it.

This information is provided to you in accordance with current data protection and privacy legislation, including the General Data Protection Regulation (EU) 2016/679 "GDPR".

In the case of specific projects or applications, reference should be made, where appropriate, to the personal data protection policy specific to that project or application (see also Annex II: Cookie management policy).

2. Who is the data controller?

The data controller for your personal data is the Centre for Cybersecurity Belgium (CCB), with offices at Rue de la Loi 18, 1000 Brussels.

The CCB determines the purposes for which your data is processed, the means used and the overall characteristics of the processing, which are explained in this policy.

3. For what purposes do we process your personal data?

The purposes for which your personal data is processed derive in particular from the various legal missions entrusted to the CCB (see Annex I: table of purposes).

Under the Law of 26 April 2024 establishing a framework for the cybersecurity of networks and information systems of general interest for public security ("NIS2 Law”) and the Royal Decree of 10 October 2014 establishing the Centre for Cybersecurity Belgium, the CCB is responsible, as the national cybersecurity authority, for the following tasks:

• ensure coordination between the various departments and authorities involved in cyber security in Belgium;
• supervise, coordinate and ensure the implementation of the national cyber security strategy;
• oversee the implementation of the NIS2 law (including the registration of entities);
• ensure coordination between the public authorities and the private sector or the scientific world;
• draw up, disseminate and ensure the implementation of standards, guidelines and norms for the cybersecurity of different types of information systems;
• coordinate Belgian representation at international cybersecurity forums, monitor international obligations and present the national viewpoint in this area;
• coordinate the assessment and certification of the security of information and communication systems;
• inform and raise awareness among users of information and communication systems;
• award grants for projects and activities relating to cyber security;
• facilitate and encourage the organisation of cybersecurity training courses for the staff of NIS2 entities.

As the national computer security incident response team ("national CSIRT"), the CCB has the following tasks :

• monitor and analyse cyberthreats, vulnerabilities and incidents at national level and, on request, provide assistance to the essential and important entities concerned to monitor their networks and information systems in real or near-real time;
• activate the early warning mechanism, disseminate warning messages, announcements and information on cyberthreats, vulnerabilities and incidents to NIS2 entities as well as to competent authorities and other relevant stakeholders, if possible in near-real time;
• respond to incidents and provide assistance to NIS2 entities;
• gather and analyse forensic data, and provide a dynamic analysis of risks and incidents and an assessment of the cyber security situation;
• carry out, at the request of an essential and important entity, a proactive scan of the networks and information systems of the entity concerned in order to detect vulnerabilities likely to have a significant impact;
• participate in the CSIRT network, cooperate effectively, efficiently and securely within this network and provide mutual assistance according to its capacities and skills to other members of the CSIRT network at their request;
• act as coordinator for the coordinated vulnerability disclosure process;
• contribute to the deployment of secure information-sharing tools;
• carry out proactive and non-intrusive scanning of publicly accessible networks and information systems where such scanning is carried out for the purpose of detecting vulnerable or insecurely configured networks and information systems and informing the entities concerned, and where it does not adversely affect the operation of the entities' services;
• detect, observe and analyse IT security problems;
• establish and facilitate cooperative relations with the stakeholders concerned
• participate in peer reviews organised under the NIS2 Directive.

In pursuit of these missions related to the NIS2 law, the CCB pursues the following purposes :

• improvement of cybersecurity through the search of a higher level of networks and information systems protection, the reinforcement of prevention and security policies, the prevention of security incidents and the defence against cyberthreats;
• ensure crisis management in case of cyber incidents, in cooperation with the National Crisis Center (NCCN);
• cooperation, among others the exchange of information between the CCB and other authorities, including sectoral authorities, the NCCN and competent authorities for the law of July 1^st, 2011 related to the safety and protection of critical infrastructures, in the framework of the execution of the NIS2 law and the aforementioned law of July 1^st, 2011;
• cooperation between essential and important entities and the competent authorities for the NIS2 law;
• information sharing between the authorities determined by the NIS2 law;
• ensure the continuity of services provided by important or essential entities;
• notification of incidents and near misses;
• control and supervision of essential and important entities, as well as preparation, organisation, management and follow-up of administrative measures and administrative fines;
• without any prosecuting purpose, prevention, research and detection of infringements committed online or through a network or a, electronic communications service, including infringements qualified as serious crimes;
• prevention of serious threats to public security;
• examination of security failures of networks or electronic communications services or information systems;
• dissemination of information on significant incidents to other Member states and, where appropriate, to the general public.

Under the law of 20 July 2022 on cybersecurity certification of information and communication technologies and designating a national cybersecurity certification authority ("CSA law"), the CCB assumes the role of National Cybersecurity Certification Authority with the following legal tasks:

• issue European cybersecurity certificates and managing complaints;
• monitor holders of European cybersecurity certificates, issuers of EU declarations of conformity and conformity assessment bodies and, where appropriate, impose penalties;
• participate in the European Cybersecurity Certification Group (ECCG);
• cooperate with other public authorities.

Under Regulation (EU) 2021/887 of the European Parliament and of the Council of 20 May 2021 establishing the European Cyber Security Industry, Technology and Research Competence Centre and the Network of National Coordination Centres, the CCB assumes the role of national coordination centre, with the following legal tasks:

• engage effectively and coordinate with industry, the public sector, the academic and research community in order to build a local community
• act as a contact point at national level within the framework of the above-mentioned regulation;
• provide expertise and actively contribute to the strategic tasks set out in the above-mentioned regulation;
• promote, encourage and facilitate the participation of civil society, industry, in particular start-ups and SMEs, academic and research communities and other stakeholders at national level in cross-border projects and actions on cybersecurity funded by relevant EU programmes;
• provide technical assistance to stakeholders by helping them in their application phase for projects managed by the Competence Centre in line with its mission and objectives;
• endeavour to create synergies with relevant activities at national, regional and local level, such as national research, development and innovation policies in the field of cybersecurity, in particular the policies set out in national cybersecurity strategies;
• implement specific actions for which grants have been awarded by the Competence Centre;
• enter into dialogue with national authorities regarding possible contributions to the promotion and dissemination of educational programmes on cybersecurity;
• promote and disseminate the relevant results of the work of the Network, the Community and the Competence Centre at national, regional or local level;
• assess applications from entities established in Belgium to become part of the community;
• promote and facilitate the participation of relevant entities in the activities resulting from the Competence Centre, the Network and the Community, and monitor, where appropriate, the level of participation in cybersecurity research, development and deployment and the amount of public financial support provided.

In its capacity as a federal public administration and insofar as it does not have a legal basis in the provisions listed above, the CCB may also process your data in particular:

• for the use of its websites;
• for the use of its applications or tools;
• to welcome its visitors;
• for participation in one of its events (physical or online);
• to answer your questions, assist you or contact you;
• for the administration of its staff ;
• for the management of its public procurement, contracts, etc.

The CCB processes data coming from surveillance camera in order to ensure the safety of its buildings, its goods, its staff and its visitors. The use of cameras by the CCB is governed by the law of March 21^st, 2007 on the installation and the use of surveillance cameras. Only the authorized staff members have access the camera recordings, as well as the authorized staff members of the building’s managing body where applicable, as well as the police services or the judicial authorities if necessary and always in conformity with the aforementioned law of March 21^st, 2007.

The viewing of the images in real time from one or more fix surveillance cameras located in a publicly available space shall only be done, where applicable, under the control of police services The regulatory pictures placed at the entry of the concerned locations shall inform you of any surveillance cameras.

4. On what legal grounds do we use your personal data?

We collect and use your personal data where necessary:

• to comply with a legal obligation or to carry out one of our legal missions;
• as part of the performance of a task carried out in the public interest or in the exercise of official authority vested in us;
• as part of a contractual or pre-contractual relationship;
• on the basis of your consent concerning the processing which is proposed to you beyond our legal missions.

5. What personal data do we process?

In particular, the information we process may include:

• your identification data (surname, first name, photo, identity card, national register number, name of your organisation, CBE number, etc.);
• your contact details (postal and e-mail address, telephone number, address of your organisation, etc.);
• your family situation (marital status, number of children, etc.) ;
• your training and employment details (job title, CV, etc.) ;
• your data relating to your interactions with us via our websites, applications, telephone conversations, e-mails and interviews (IP address, IP ranges, domain names, language, cookies, metadata, etc.);
• your data relating to video surveillance of enclosed areas not accessible to the public (for security reasons when you visit our offices);
• your data relating to administrative penalties.

The data we process may have been collected either directly from you or from other sources in order to verify or add to our databases.

6. With whom do we share your personal data?

The data we process about you is treated confidentially and securely, in order to protect your personal data.

We sometimes use service providers who act on our behalf as subcontractors and who, in this capacity, must also comply with the GDPR and our contractual provisions. These service providers may not process your data for purposes other than those set out in the CCB.

Your data may be shared with other public authorities and bodies where this is necessary for the performance of their general interest duties.

7. How do we protect your data?

The CCB and its subcontractors implement appropriate technical and organisational measures to guarantee a level of security for your personal data appropriate to the risk.

In particular, your data is protected against unauthorised access, unlawful use, loss and unauthorised modification.

8. How long do we keep your personal data?

We will not retain your personal data beyond the time necessary to fulfil the purposes for which the data is processed, unless retention is necessary for other fundamental purposes, including but not limited to complying with our legal obligations, handling complaints or settling disputes.

In principle, the maximum retention period :

• of your IP address is 24 hours, except when your IP address is processed by the CCB as part of a phishing attempt in order to identify the malicious site and take the necessary measures to block the website. In this case, your IP address may be kept for a period of one (1) week to one (1) month depending on the circumstances (e.g. difficulty in identifying the website, large number of phishing attempts for the same website and for different users, etc.);
• of cookies is detailed in Annex II: Cookie management policy;
• of exchanges via the contact form and e-mails is 12 months from the last exchange;
• of the logs is 13 months from their creation;
• of data from surveillance camera is 1 month, in case there is no security incident.

As part of the use of the Safeonweb@Work platform, the maximum retention period :

• of your identification data (surname, first name, e-mail address, address, telephone number, job title, organisation name, organisation's CBE number, organisation's postal address) lasts throughout your use of the platform;
• of your national register number is 5 years from your last use of the platform;
• of your IP address and IP ranges is 5 years from your last use of the platform;
• of your domain name is 5 years from your last use of the platform;
• of cookies is detailed in Annex II: Cookie management policy;
• of the logs is 13 months from their creation.

Where the retention of your personal data is necessary for fundamental purposes, including but not limited to compliance with our legal obligations, dispute resolution and complaint handling, your personal data may be retained for longer than the periods specified above.

As a federal authority, we are also subject to the law relating to archives of 24 June 1955 and cannot therefore freely destroy all the documents in our possession. In addition, when the documents of a public administration are no longer of administrative and/or legal use, they may nevertheless be of historical, scientific or statistical interest. They are then transferred to the State Archives. With this in mind, the administrative documents in our possession are kept for a set period in collaboration with the Kingdom's Archives.

9. What are your rights and how can you exercise them?

In accordance with the applicable regulations and unless otherwise stipulated by law, you have a number of rights:

• Right of access: you can obtain information about the processing of your personal data and a copy of this data.
• Right of rectification: if the personal data we hold about you is inaccurate or incomplete, you may request that it be amended accordingly.
• Right to erasure: you may request the erasure of your personal data. However, your request will not be granted if the processing of your data is necessary for the performance of our statutory duties, the performance of a task carried out in the public interest or in the exercise of official authority vested in us, the performance of a contract or pre-contractual measures.
• Right to limit processing: you may request that the processing of your personal data be limited when you exercise your right to object, when you dispute the accuracy of the data, when you consider that the processing of your data is unlawful, or when you need the data for the establishment, exercise or defence of legal claims. This means that, with certain exceptions, the processing of your data will be suspended while your request is processed.
• Right to object: you may object to the processing of your personal data for reasons relating to your particular situation.
• Right to withdraw your consent: if the processing of your personal data is based solely on your consent, you have the right to withdraw that consent at any time.

To exercise your rights with regard to the data concerning you, please attach a copy (scan or photo) of your identity card, passport or similar document, bearing your signature but on which you can hide any data that is not relevant for checking your identity as the person concerned. You may also indicate on this copy the name of the organisation, the date and the subject of your request so that it cannot be used at a later date for other purposes. However, if your request is of a general nature, it is not necessary to provide us with this proof.

You can send an e-mail or letter to our Data Protection Officer the following address:

CENTRE FOR CYBERSECURITY BELGIUM

For the attention of the Data Protection Officer (DPO)

Rue de la Loi, 18

1000 Brussels

E-mail : privacy@ccb.belgium.be

More information on the protection of personal data can be found on the Data Protection Authority's website: https://www.dataprotectionauthority.be.

10. What are the exceptions to exercising your rights?

The exercise of some of your rights (see previous point) may, for good reason, be restricted or refused by the CCB, in particular where the processing of your data is necessary for the application of certain legal provisions and renders the exercise of these rights incompatible.

11. Claims

If, after contacting our Data Protection Officer, you consider that the Centre for Cybersecurity Belgium has not processed your personal data in accordance with the regulations in force, you have the right to lodge a complaint with the Data Protection Authority :

Data Protection Authority (DPA)

Rue de la Presse 35

1000 Brussels

Tel. +32 2 274 48 00

Fax +32 2 274 48 35

email: contact@apd-gba.be

website: https://www.dataprotectionauthority.be

12. Who to contact about your personal data

If you have any queries about our data protection policy, including queries related to surveillance camera, please contact our Data Protection Officer: privacy@ccb.belgium.be.

If you constatez que des données gérées par le CCB seraient perdues, détruites ou rendues publiques sans autorisation (vous trouvez par exemple un dossier, un laptop ou un smartphone clairement identifié comme appartenant à un membre de notre personnel, vous constatez que des données ou mots de passe liés au CCB circulent sur internet...), vous pouvez nous le signaler via l’adresse e-mail : privacy@ccb.belgium.be.

13. Can this policy be changed?

We regularly review our policy and reserve the right to make changes at any time to take account of changes in our business or new legal requirements.

To inform you of these changes, we will publish updates to our policy on our various websites: "www.ccb.belgium.be", "www.safeonweb.be", "atwork.safeonweb.be", "community.ncc.belgium.be" or "notif.safeonweb.be".

You can check the "last updated" date at the top of this policy to see when it was last revised.

We use cookies on our websites ("www.ccb.belgium.be", "www.safeonweb.be", "atwork.safeonweb.be", "community.ncc.belgium.be" or "notif.safeonweb.be") or on our applications in order to provide an optimal service.

A cookie is a small file stored on your computer or telephone. The cookie can be retrieved when you visit the same site at a later time.

These cookies are not kept for longer than is necessary to achieve their intended purpose (see details below).

CCB sites and applications use the following cookies:
 

1. Technical cookies (always required):

These cookies are necessary purely for technical reasons in the framework of a normal visit of the website. Given the necessity from a technical point of view, only an obligation of information is applicable and these cookies are placed once you access the website.

2. Functional cookies (always required):

These cookies are strictly necessary to allow for the provision of the service that you (explicitly) required. These cookies cannot be denied if you desire to navigate the website in an optimal manner but it is placed only after a choice has been made regarding the placing of cookies

3. Statistical cookies (optional):

A cookie is described as "statistical" when it measures the audience of a website or application. You can refuse cookies below if you wish to browse our website.

4. External links

Our websites or applications sometimes include external links to document certain information. Activating these links is the responsibility of the user. However, we advise you to consult the privacy statement and cookie policy of the site concerned

5. How can I see which cookies are installed on my device and how can I delete them?

If you want to know which cookies are installed on your device or if you want to delete them, you can use a setting in your browser. You can find more information on how to do this in the links below.

Are you using another browser? Check that the procedure for your browser is included on the www.allaboutcookies.org/manage-cookies website. This site is only available in English.