New Dutch law includes a general obligation for data controllers to notify the Data Protection Authority of data security breaches, and authorizes said Authority to impose direct fines for violations of the Data Protection Act.

On January 1, 2016, a Dutch law anticipating some of the obligations provided by the General Data Protection Regulation entered into force. Under this law, data controllers are required to immediately notify the Data Protection Authority (hereinafter, “DPA”) of any data security breaches that have, or are likely to have, serious adverse consequences for the protection of personal data. In addition, data controllers are required to notify affected individuals if there is reason to believe the breach could lead to detrimental consequences for those individuals, unless the compromised data is encrypted or otherwise unintelligible to third parties.

The new Dutch law also empowers the DPA to impose fines of up to Euro 820,000.00 for violations of the Data Protection Act, including failure to report data security breaches.