On 26 May 2015, the Dutch First Chamber passed a bill introducing new mandatory notification of security breaches of personal data for all data controllers in the Netherlands. The bill also increases sanctions for violations of the Dutch Data Protection Act.
Failure to notify is subject to a new fine of EUR 810,000 or 10% of the company’s annual net turnover per violation. Turnover is not limited to the company’s establishment in the Netherlands and could include global revenues.
Companies are advised to be aware of the increased sanctions and new mandatory notification requirements and to make appropriate changes to their existing data compliance and data security policies.
Under the Bill on Data Breach Notification (Wetsvoorstel Meldplicht datalekken en uitbreiding bestuurlijke boetebevoegdheid Cbp), the data controller will be obliged to immediately notify the Dutch Data Protection Authority of any security breach that has, or is likely to have, serious adverse consequences for the protection of personal data. A yet-to-be-adopted royal decree will specify when the new law enters into force, but the Dutch DPA anticipates that the effective date will be 1 January 2016.
Companies that do not comply with the Dutch DPA’s investigations or that violate specific articles of the Dutch Data Protection Act can be fined up to EUR 810,000 or 10% of their annual net turnover. The fine is not limited to the net turnover of a company’s establishment in the Netherlands and could include global revenues. The explanatory memorandum to the Act on extension of possibilities to combat financial economic crimes states that the revenue from all goods produced or delivered, and all services provided, by an enterprise is taken into account, irrespective of where that revenue is realised.
The new provisions are further highlighted in our Legal Alert of 28 May 2015, which covers the mandatory data breach notification, the increased investigative powers of the Dutch DPA and the higher fines.