As of 1 January 2016 a number of important amendments of the Dutch Data Protection Act (“DDPA”) will enter into effect. Primarily, as of that date the obligation to notify a data leak will enter into effect. Furthermore, the authority of the Dutch Data Protection Authority to impose fines will be broadened. Moreover, as of 1 January 2016 the name of the Authority will change to ‘Autoriteit Persoonsgegevens’ (“Authority for Personal Data”, hereinafter “APD”).
What do these amendments imply?
Notification obligation data leak
As of 1 January 2016 significant data leaks must be notified to the APD. Furthermore, in some cases the data subject (the person to whom the personal data relates) must be notified as well.
What qualifies as a data leak? A data leak implies exposure of the personal data to loss or unlawful processing. It concerns a breach of the security of personal data. Examples of data leaks are a stolen laptop, a hacker who gained access to the database or the loss of a USB stick. However, a fire in a datacenter can also qualify as a data leak.
Not every failure or vulnerability with respect to the security of personal data must be notified. The aforementioned obligation to notify a data leak only applies if you cannot exclude that the personal data is processed unlawfully. The notification obligation for example does not apply if your database is destroyed by a mistake of your system administrator, but you have a backup of the database in place. However, the obligation in principle does apply if one of your employees provides a third party with his/her username and password and this third party is able to collect personal data from your system before you were able to change the password.
We used the words ‘in principle’, since the obligation to notify a data leak only applies if the leak resulted in ‘severe detrimental effects for the protection of personal data’ or a significant likelihood thereof, for example in case of large amounts of personal data or in case of sensitive data, like financial information, email addresses or medical data.
A data leak must be notified immediately. What will be deemed immediately depends on all circumstances of the case. However, the term for notification starts at the moment the data leak is discovered. The notification to the APD must be made no later than two days after this discovery.
In some cases the data leak must also be notified to the data subject. However, this is only the case if:
- informing the data subject does not fall within your duty of care as a financial institution (this only applies if you are a financial institution);
- the technical security measures of your organization do not provide sufficient protection (this is a strict standard);
- the data leak will possibly have adverse consequences for the data subject; and
- there are no compelling reasons not to notify the data subject.
The obligation to notify also applies if your organization, being the controller of the personal data, has engaged a processor for the processing of the personal data. Since your organization will remain the controller of, and thus responsible for, the data it is important to make sure that the processor(s) will notify any possible data leak to your organization.
A violation of the obligation to notify a data leak can lead to a fine imposed by the APD, in some cases preceded by a binding instruction (please refer to the paragraph below).
What does this obligation to notify imply for you?
First of all you should provide for sufficient security with regard to the processing of personal data within your organization. Secondly, we advise you to implement a procedure for the detection and notification of data leaks. If you have engaged processors, we advise you to monitor the security of the personal data (that the processor processes on behalf of your organization) by inquiring after their procedures for detection and notification of data leaks and by amending (if necessary) the processor agreements you concluded with these processors.
Authority of the APD to impose a fine
As of 1 January 2016 the APD has the authority to impose a maximum fine of EUR 810,000 or 10% of the annual turnover of the legal entity concerned for each violation of the Dutch Data Protection Act (“DDPA”). The amount of the fine can be higher in case of several violations.
The APD may immediately impose a fine in case of an intentional violation of the DDPA or in case the violation is the result of seriously culpable negligence. In all other cases the APD will issue a binding instruction beforehand. Furthermore, the APD retains the authority to impose an order subject to an (unlimited) penalty for non-compliance and/or a criminal fine (EUR 8,100 or EUR 20,250 in case of an omission).