Privacy Statement for ‘BEAM’ App by BSC

This privacy statement is issued by BSC in its capacity as the data controller, aimed at informing users of the Beam application about how their personal data is processed in accordance with the General Data Protection Regulation (GDPR) and the Belgian Act of July 30, 2018, on the protection of natural persons with regard to the processing of personal data.

The Beam Application

Beam is a secure instant messaging application developed solely for professional communication between and within Belgian government services and certain partner organizations. The application features end-to-end encryption for all messages. Beam is hosted and managed within the European Economic Area. All communication is end-to-end encrypted, ensuring that neither BSC nor third parties have access to the content. Beam is a private application for the government sector and selected organizations, and therefore access is restricted to these users only.

Contact Information for BSC and the Data Protection Officer

Belgian Secure Communications (BSC)
Email: privacy@securecommunications.be
Phone: +32 220 66 220

For inquiries regarding this privacy statement or the processing of personal data, you can contact the Data Protection Officer (DPO):
Email: privacy@securecommunications.be
Phone: +32 220 66 220

BSC processes your personal data based on:

  • Article 6(1)(a) of the Data Protection Act

  • Article 6(1)(e) of the Data Protection Act: the performance of a task carried out in the public interest, namely facilitating secure communication among Belgian government employees and ensuring information security as provided in Royal Decree 2024 BSC (Article 2).

The processed data will be used for:

  • Management of user accounts and access control

  • Sending push notifications

  • Secure private and group communication

  • Optionally: sharing contact details in your address book

Categories of Processed Data

Registration and Account Management:

  • First name, last name

  • Professional email address and domain validation

  • Mobile number (only for account validation via SMS code)

  • Unique user ID in the form @pseudonym:domain name

During the Use of the App (User Data):

  • Name

  • Profile picture

  • User ID

  • Full name of the linked backend server

Metadata of Communication and Chat Groups (only encrypted during transport):

  • User ID

  • Profile name

  • Profile picture

  • Timestamps

  • Account type

  • Names and subjects of chat groups

  • Event IDs

Device Data:

  • IP addresses

  • App and OS versions

  • Browser data

  • Device model

  • Session ID

Push Notifications:

  • User ID, group name, name and device ID

Address Book:

Name, email address, and phone number of other government employees. The user decides whether to be visible in the address book. This decision has no negative consequences during the use of the application. However, if a user chooses not to be included in the address book, it may be difficult to involve the person in a conversation unless the exact email address or user ID is known. The phone number can never be used to look up or enumerate users and is solely used for account creation.

Not processed by BSC: Content of Communications

The following data is not processed within Beam by BSC and is thus not considered personal data. It is only processed in an encrypted manner by BSC, and BSC does not possess the keys to this encrypted data:

  • Content of text messages, voice messages, emojis

  • Geolocation (if enabled) - (feature to be available in a later phase)

  • Content of attachments

  • Content of audio and video calls

Retention Periods

User Data:

User data is retained as long as the account is active. Automatic deletion takes place on active systems within 60 days after unsubscribing.

In case of temporary deactivation (e.g., medical leave), access can be blocked upon request, and the status “deactivated” will be shown to other users. This request can only be made to BSC by authorized persons such as the security officer of the user’s organization.

Logs (e.g., IP address):

For security purposes, logs necessary for adequate security monitoring are retained for a longer period as determined internally by BSC.

Push Notification Data

Not retained after creation

Transfer and International Transfers

No Transfer to Third Parties

Your personal data will never be shared with commercial third parties or external entities for marketing purposes. Data exchange will only occur if and to the extent that it is legally required (e.g., in the context of legal proceedings or statutory investigative powers of competent authorities). There is no linkage with other data sources.

Processing within the EEA

All processing takes place within the European Economic Area (EEA). The servers and backups where the Beam application is hosted are located in Belgium and/or other EU member states.

No Transfer to Third Countries

Your personal data will not be transferred to countries outside the EEA (“third countries”), nor to international organizations. This means that your data remains fully protected under European legislation (data protection legislation and the Belgian Act of July 30, 2018).

Exceptions

A transfer to a third country may occur only if a legal obligation requires it. In that case, BSC ensures that this transfer is made in accordance with Chapter V of the GDPR, for example, by using standard contractual clauses or other safeguards approved by the European Commission.

Security Measures

BSC takes appropriate technical and organizational measures to protect your personal data and communication against unauthorized access, loss, or abuse. Specifically, this includes:

End-to-End Encryption

All messages, attachments, and conversations exchanged through the Beam application are end-to-end encrypted. This means that only the sender and the recipient(s) can decrypt and read the content. Therefore, BSC has no access to the content of this communication.

Managed Keys

The recovery key required for accessing the communication is known only to the user and not stored or retained by BSC.

Audits and Patch Management

The infrastructure and software of Beam are regularly subjected to internal and external security audits. Additionally, security updates and patches are proactively applied to address known vulnerabilities and maintain up-to-date security.

Access Restriction and Logging

Access to servers and management systems is strictly limited to authorized personnel based on the “least privilege” principle. Access and system activities are logged and monitored to quickly detect misuse.

Awareness and Procedures

All BSC personnel involved receive regular training on information security and data protection. Internal procedures are in place to intervene as quickly as possible in case of incidents and to mitigate the impact.

Decision-Making

Although notifications can be automatically generated through system rules, decisions to restrict, suspend, or terminate accounts are made exclusively manually by authorized administrators.

Your Rights

In accordance with the General Data Protection Regulation (GDPR), you have the following rights regarding your personal data:

  1. Right of Access (Art. 15 GDPR): You can request information about which personal data of yours is being processed and for what purposes.

  2. Right to Rectification (Art. 16 GDPR): You can request the correction of inaccurate or incomplete data.

  3. Right to Erasure (Art. 17 GDPR): You can request the deletion of your data in certain cases (“right to be forgotten”).

  4. Right to Restrict Processing (Art. 18 GDPR): You can request that the use of your data be limited in specific situations.

  5. Right to Object (Art. 21 GDPR): You can object to the processing of your data on the grounds of your personal situation, particularly when it is based on a task carried out in the public interest.

  6. Right to Data Portability (Art. 20 GDPR): You can request to receive the data you have provided to us in a structured, commonly used, and machine-readable format, and/or to have this data transferred directly to another data controller.

How to Submit a Request

You can exercise the above rights by sending an email to: privacy@securecommunications.be

We will process your request free of charge and within the legal timeframe of one month, except in exceptional circumstances that justify an extension. In the case of an extension, you will be notified.

Filing a Complaint with the Supervisor

If you believe your rights are not being respected, you also have the right to file a complaint with the Belgian supervisory authority:

Data Protection Authority (GBA)
Drukpersstraat 35, 1000 Brussels
Website: https://www.gegevensbeschermingsautoriteit.be