Recently, the Dutch Data Protection Authority (DDPA) issued guidelines on the technical and organisational security measures to be implemented when processing personal data (Guidelines). These Guidelines came into force on 1 March 2013 and replaced the DDPA’s previous publication on security of personal data (also known as A&V 23).

Although the DDPA emphasises that the appropriateness of the required technical and organisational security measures must be assessed on a case-by-case basis, some guidance is provided on how to achieve such an appropriate level of security in accordance with Article 13 of the Dutch Data Protection Act.

In this respect, the DDPA refers to the “plan-do-check-actcycle”, also known as the “circle of quality”, and gives the following recommendations:

  1. Assess the risks that the nature of both personal data and the processing thereof entails;
  2. Use commonly accepted security standards; and
  3. Constantly check compliance of the security measures and their level.

According to the data protection authority, it is necessary to take measures based on a thorough risk-assessment, as well as to apply security standards to achieve an appropriate security level. In addition, the data controller must convert the (potential) risks attached to the processing of personal data to the requirements of availability, integrity and confidentiality of the information system. According to the DDPA, no general rule can be given for such conversion. The DDPA, however, provided guidance as to consider the high-risk categories of personal data.

Furthermore, the DDPA devoted a separate chapter to security of data processed by a data processor. Particularly interesting in this context is that the DDPA indicated which topics it will always involve in the assessment of any processing agreement. Mentioned are inter alia: the services provided by the processor, the transparency about security incidents that may have occurred and the processing outside of the Netherlands and/or by sub-processors.

It is interesting to note that the DDPA indicated that it will be unable to examine all cases that may be brought to its attention because of their complexity and their large amount.

Finally the DDPA announced its intention to cooperate with fellow supervisory authorities in case of cross-border data breaches, as well as to revise the Guidelines once the future European Data Protection Regulation will be enacted. (MD)

The Guidelines can be found on