On 26 May 2015, the Dutch First Chamber passed the Bill on Data Breach Notifications. This Bill introduces new mandatory notification of security breaches of personal data for all data controllers in the Netherlands and increases sanctions for violations of the Dutch Data Protection Act.

Failure to notify is subject to the newly introduced fine of a maximum of EUR 810,000 or 10% of the company’s annual net turnover per violation. In addition, the fine is not limited to the net turnover of a company’s establishment in the Netherlands and could include global revenues.

Companies are advised to be aware of the increased sanctions and new mandatory notification requirements and to make appropriate changes to their existing data compliance and data security policies.

The new provisions are highlighted below.

Mandatory notification of data security breaches

Under the Bill on Data Breach Notifications (Wetsvoorstel Meldplicht datalekken en uitbreiding bestuurlijke boetebevoegdheid Cbp), the data controller will be obliged to immediately notify the Dutch Data Protection Authority (Autoriteit Persoonsgegevens; “Dutch DPA”) of any security breaches that have or are likely to have serious adverse consequences for the protection of personal data.

The Bill does not specify when a security breach has serious adverse consequences for the protection of personal data; the Dutch DPA will issue its guidance once the Bill is adopted. The government’s response of 19 May 2015 to the Dutch parliament (in Dutch only) names the factors to be taken into account in assessing whether the consequences of the breach are serious:

  • the nature and scope of the breach
  • the nature of personal data disclosed
  • which technical measures of protection were implemented
  • the consequences to the privacy of the individuals affected.

The government also referred to the Article 29 Working Party’s Opinion 03/2014 on Personal data breach notification for guidance. In addition to notifying the Dutch DPA, the individuals whose personal data are compromised must also be notified if there is a reason to believe that the breach could lead to adverse consequences, unless the breached data are unintelligible to third parties or encrypted.

A notice to individuals should contain information regarding:

  • the nature of the breach
  • the bodies that can provide further information on the breach
  • proposed measures to mitigate the adverse consequences of the breach.

A notice to the Dutch DPA should in addition contain:

  • technical details and background of the breach
  • expected consequences of the data breach to the processing of personal data and the measures taken by the data controller to tackle those consequences.

Data controllers will have to maintain an internal data breach register recording all security breaches they experience that have, or might have, a negative effect on data subjects, including information about the breach, mitigating measures, and the text of notifications to the data subjects affected. There is no obligation to make this register public.

Failure to notify is subject to the newly introduced fine of the Dutch DPA of a maximum of EUR 810,000 or 10% of the company’s annual net turnover per violation.

Part of the background to this material change to the Dutch Data Protection Act (Wet bescherming persoonsgegevens; “Wbp”) is that the Dutch legislature does not want to wait for the proposed EU Privacy Regulation to be finally adopted. Usually such amendments to the Wbp enter into force immediately upon publication in the Dutch Government’s Gazette. However, there are rumours that the Bill may enter into force at a later and unknown date.

The new provisions on the general data breach notification obligation will apply until the new EU General Data Protection Regulation is adopted and comes into force, which is expected in 2018.

Increased investigative powers of the Dutch DPA and higher fines

Additionally, the Dutch DPA will replace the Authority for Consumers & Markets (Autoriteit Consument & Markt; ACM) as the regulatory authority for the oversight of the data breach obligations by telecom and ISP providers. The name of the Dutch DPA, currently College Bescherming Persoonsgegevens, will be changed to Autoriteit Persoonsgegevens.

The Bill introduces the power of the Dutch DPA to impose higher fines for any other violations of the Wbp. The Dutch DPA can impose fines without issuing a binding instruction in case of deliberate violation or as a result of serious culpability.

A fine of EUR 20,250 can be imposed if:

  • a responsible party that is not established in the European Union, but makes use of automated or non-automated means situated in the Netherlands, fails to designate a person or body in the Netherlands (art. 4(3) Wbp)
  • personal data is transferred to a non-member country that, according to the Minister of Justice, does not provide guarantees for an adequate level of protection (art. 78(2a) Wbp).

Companies that do not comply with the Dutch DPA’s investigations or violate specific articles from the Wbp can be fined up to EUR 810,000 or 10% of their annual net turnover. The fine is not limited to the net turnover of a company’s establishment in the Netherlands and could include global revenues.
