On January 1, 2016, a Dutch law became effective that (1) includes a general obligation for data controllers to notify the Data Protection Authority (“DPA”) of data security breaches, and (2) authorizes the DPA to impose direct fines for violations of the Data Protection Act.

Under the law, data controllers are required to immediately notify the DPA of any data security breaches that have, or are likely to have, serious adverse consequences to the protection of personal data. In addition, data controllers are required to notify affected individuals if there is reason to believe the breach could lead to adverse consequences to those individuals, unless the compromised data is encrypted or otherwise unintelligible to third parties. On December 9, 2015, the DPA published practical guidance to help organizations identify cases when data security breaches must be reported to the DPA and data subjects.

The new Dutch law also empowers the DPA to impose fines of up to €820,000 for violations of the Data Protection Act, including failure to report data security breaches. Last October, the DPA published draft guidance that defines the different violations, the categories of sanctions and the level of fines.

Read the Dutch DPA’s press release.