As of 1 January 2016, companies, public bodies and other organisations that process personal data have an obligation to immediately report personal data breaches to the Dutch Data Protection Authority (College Bescherming Persoonsgegevens ("CBP")). Yesterday, the CBP published its Policy Rules on the duty to notify personal data breaches ("Policy Rules"). The Policy Rules are intended to support businesses in complying with the notification duty and also serve as the CBP's point of departure when applying enforcement measures.
This Update provides an overview of what you need to know about the breach notification duty.
As of 1 January 2016 the CBP will change its name to Autoriteit Persoonsgegevens. This Update therefore refers to Autoriteit Persoonsgegevens rather than the CBP.
What is a personal data breach?
A personal data breach is a breach of the legally required protection of personal data. A personal data breach only arises if personal data have been lost or unlawfully processed. According to Autoriteit Persoonsgegevens, a personal data breach occurs, for example, in the event of a lost USB flash drive, a stolen laptop or an intrusion by a hacker.
Should every data breach be notified?
No, only if one of the following two situations applies.
- If the data breach has serious adverse consequences for the protection of personal data: here it is in any case necessary to consider the nature of the data affected (does it concern sensitive personal data or other data of a sensitive nature?).
- If the breach is considerably likely to have adverse effects (does it for example concern large volumes of data that are attractive to criminals?).
When should I notify a personal data breach to Autoriteit Persoonsgegevens?
According to the law, you must do so immediately after discovering a breach. It is permissible to take some time to investigate whether the incident is a personal data breach that requires notification. In the Policy Rules, Autoriteit Persoonsgegevens applies a time limit of 72 hours after discovering the incident (the consultation version of the policy rules mentioned a limit of two days, which would be unfeasible in most situations). The Policy Rules mention the possibility of reporting the incident later, but in that case Autoriteit Persoonsgegevens may demand an explanation of why the report was, in its opinion, late.
How do I make a notification?
The notification can be made by means of a web form on the website of Autoriteit Persoonsgegevens. The notification can also be made by fax. An example has been included in an annex to the Policy Rules.
Do I need to notify the data subject of the personal data breach?
The data subject needs to be informed without delay if the breach is likely to have adverse effects in respect of his/her privacy.
The data breach does not need to be reported to the data subject in the following two situations:
- If appropriate technical security measures have been taken which cause the personal data concerned to be incomprehensible or inaccessible to any person who is not authorised to access it (for example by means of encryption).
- If this is necessary with a view to certain interests specified in the law, such as the protection of the data subject or the prevention of criminal acts.
When should I report a data breach to the data subject?
Immediately after discovering a data breach. The Policy Rules do not mention the 72-hour time limit in this context. It is necessary to take account of the fact that the data subject will need to take measures to protect against the consequences of the data breach. The notification to Autoriteit Persoonsgegevens must state whether and when data subjects are being informed.
How do I report the data breach to a data subject?
If possible, a notification is made individually to each data subject. The notice needs to disclose: the nature of the breach, where the data subject can obtain more information about the breach, and recommended measures to mitigate its effects.
What else is important?
A party subject to a breach notification duty must keep a record of the data leaks covered by the notification duty.
When a data processor is involved and the leak occurs at the data processor, the notification duty continues to rest with the data controller. As a result, the data processor agreement needs to contain provisions with respect to the breach notification duty.
Special notification duties in the event of personal data breaches apply to financial companies and providers of electronic communication services.
Failure to comply with the notification duty can result in a binding order and/or an administrative fine being imposed (to a maximum of EUR 820,000).