An update to the Dutch Data Protection Act enacted earlier this year goes into effect January 1, 2016, and extends data breach notification requirements in the Netherlands to all data controllers (as opposed to just those in the financial, healthcare, or telecom fields). Under the new rules, such data controllers must notify the Dutch Data Protection Authority of any breach of personal data that has (or creates a significant chance of) serious adverse consequences for the protection of personal data.
Notices have to be given “without delay.” The draft implementation guidelines prepared by the Dutch Data Protection Authority suggest this means no later than two business days after the data controller becomes aware of the data breach, although commentators have noted that this may change when the guidelines are finalized. Affected individuals will also need to be notified if the breach is likely to have negative consequences for their privacy, unless the data was encrypted or otherwise unintelligible to third parties.
Such notifications should include information about (i) the nature of the breach, (ii) contact details for further information, and (iii) recommended measures to mitigate adverse consequences. The Dutch Data Protection Authority must further be informed about the consequences of the breach (both established and probable) and the proposed or actual measures taken to remedy those consequences. Data controllers must also maintain an internal record of any breach that has had, or created a significant chance of, serious adverse consequences for the protection of personal data. Along with the enhanced notice requirements, substantially higher fines can be imposed for any violation: up to € 810,000, or 10% of the company’s annual net turnover for the most serious, deliberate, and/or repeated breaches.
Tip: Companies operating in Europe should assess if they are subject to this new law and, if so, evaluate both their existing data security measures and their current breach response plan.