The Dutch Personal Data Protection Authority (Autoriteit Persoonsgegevens, “AP”) revealed that almost 5500 data breaches have been notified since the legislation on mandatory data breach notification duties entered into force on 1 January 2016. Pursuant to this legislation, it is mandatory for all types of data controllers to notify data breaches to the AP and, under circumstances, also the individuals affected by the data breach.

Remarkable fact is that many notifications relate to breaches whereby data were accidentally received by an unauthorized party, for example through an email that was sent to the wrong recipient. Also, the loss of a USB flash drive or a stolen laptop were frequently occurring breaches over the past year.

The AP confirmed that 4000 of the notifications have been examined in more detail, 100 data controllers received an official warning and tens of investigations are still pending. Earlier this year, the AP chairman already announced that the first serious fine is just a matter of time. Fines in case of an (unreported) data breach can go up to € 820,000 or 10% of the company’s annual turnover.