Duty of data breach notification:
the Netherlands take a head start

As of January 1st 2016, data controllers in the Netherlands
are obliged to notify serious data breaches to the Dutch
Dataprotection Authority (www.cbpweb.nl)
and to the affected individuals.

Data controllers are the persons or companies that determine the purposes for which and the manner in which any personal data are or are to be processed.

1.  On an European level: already an obligation for providers of publicly available electronic communications

On a European level, such an obligation to notify personal data breaches already existed for providers of publicly available electronic communications. Pursuant to the Commission Regulation (EU) No 611/2013 of 24 June 2013 on the measures applicable to the notification of personal data breaches, provides that providers shall notify all personal data breaches to the competent national authority no later than 24 hours after the detection of the personal data breach, were feasible.

2.    Upcoming obligation for all data controllers in Europe: draft text of the new EU General Data Protection Regulation

The draft text of the new EU General Data Protection Regulation provides the same obligation to all EU member state data controllers, but has not entered into force yet.

3.   Already an obligation in the Netherlands for all data controllers as of 1 January 2016

The Dutch government did not wait for the EU General Data Protection Regulation to be enforceable (which also contains a data breach notification duty).

The Dutch legislator has now implemented in article 34a of its Data Privacy Act (enforceable as from 1 January 2016) the obligation for the data controller to notify the Dutch dataprotection commission (www.cbpweb.nl) immediately upon the occurrence of any security breach where there exists a considerable risk to any negative consequences or where there are negative consequences for the protection of personal data. The Dutch legislator has also increased fines for violations of the Dutch Dataprotection Act to up to € 820,000.00 or up to 10% of the company's net annual turnover.

The Dutch Dataprotection Act may require data controllers to update their agreements with the data processors to account for breach notice obligations. Both data controllers and data processors may be subject to these fines. Also company directors may be subject to the sanctions.

Controllers need to notify the CBP of a security breach that has or poses a significant risk of having serious adverse consequences for the protection of personal data. The controllers may also be required to notify the affected individuals, if the security breach has or may have serious adverse consequences for the individuals’ privacy.

The obligation to notify the data subject depends on the potential negative consequences for the data subject due to the breach and the other protection measures in place. For instance, if there are appropriate cryptographic measures foreseen by the controller who suffered the breach, which make the personal data inaccessible or unreadable, a notification to the data subject might not be necessary.

Notification does not only encompass a "leak" of data, but all sorts of situations where personal data is being compromised (including for example, the loss of an USB stick with personal data on it, a stolen laptop, a hacking of a database).

In case of a security breach, the data controller must be able to rapidly make an assessment whether such breach has or is likely to have serious adverse consequences of the protection of personal data. If this is the case, the data controller will have to notify the Dutch privacy authority and the affected individuals.

The Dutch privacy commission issued guidelines to ensure compliance with the relevant provisions. These guidelines provide that any breach must be notified immediately after the discovery, and no later than within 72 hours.

Failure to notify correctly or timely can result in rather severe penalties. The amount of the penalty will depend on whether or not the violation of Article 34a of the Dutch law on the protection of personal information is committed willfully or if it is the result of gross negligence. The maximum penalty, which can be imposed by the authorities, amounts to € 820,000.00.

A notification of a data breach must at least contain the following information:

the nature of the breach

the offices where more information concerning the breach can be obtained

the recommended measures to limit the negative consequences of the breach.

4.  Data controllers in the whole EU have to prepare themselves in case of data breach

The Dutch legislator runs ahead of its European colleagues, but this duty of notification of a data leak is an obligation that will soon be enforceable in Belgium under the newly signed EU General Data Protection Regulation.

In order to be ready for these new provisions and to be able to respond quickly to any data breach within a limited timeframe, controllers will have to have tools and policies in place, which allow them to take the right and necessary steps immediately.

➢  First of all a proper data leak prevention strategy should be in place. However purchasing and implementing a "data loss prevention tool" will of course not be the only remedy, a company should prior to implementing a system, make a data inventory and audit (risk analysis). 

It is important that a company knows:

where its data resides

who its owners are

whether the data it stores is critical or non-critical

the data flows in the IT environment

what data regulatory requirements must be met

privileges on a need-to-know basis

➢  Secondly, employees should be educated to the dangers of fraud, on what to look for, what not to click on and when to call for intervention. Education and awareness of scams is just as important than technology.

➢  Once a breach does occur, controllers must be able to determine quickly the consequences and be able to give the requested information to the data protection authority. Therefore implementing a clear data breach response plan is also a must.

We will keep you updated from the moment the new European Regulation on data protection will come into force.

In any case, we advise you to anticipate and to ensure that your company is ready to answer adequately to a potential data breach.

22 December 2015

Griet Verfaillie - griet.verfaillie@peeters-law.be
Lynn Pype - lynn.pype@peeters-law.be

Learn more about this topic: subscribe to our newsletter!

E-mail *