On May 26, the Dutch Senate adopted the legislative bill on Data Breach Notifications, thereby amending the Dutch Data Protection Act and the Telecommunications Act (Wetsvoorstel meldplicht datalekken en uitbreiding bestuurlijke boetebevoegdheid Cbp).
The bill introduces an obligation for all types of data controllers to notify data breaches to the Dutch Data Protection Authority (“DPA”) and, in certain circumstances, also to notify the individuals affected by the breach. In addition, the DPA will have the authority to impose increased fines for noncompliance with this obligation.
The obligation to notify the DPA without delay arises in case of a security breach that has, or is likely to have, serious adverse effects on the protection of personal data. The severity of the potential consequences of the breach is therefore the key factor in assessing its impact. The government’s explanatory memorandum lists factors that must be taken into account in this assessment, namely: (i) the nature and scope of the data breach; (ii) the nature of the personal data involved; (iii) the extent to which technical measures (such as encryption) have been put in place; and (iv) the consequences for the privacy of the individuals affected.
Additionally, data controllers will have the obligation to notify the individuals affected by the data breach, but only if the breach is likely to have adverse effects on their privacy. In any case, data controllers will be required to maintain an internal register recording all data breaches that have, or could have, serious adverse consequences for the protection of personal data.
It should also be noted that the obligation to notify is separate from the existing obligation to implement adequate technical and organisational security measures, since the two serve different purposes: a breach must be assessed and, where required, notified regardless of whether the security measures in place were adequate. The DPA is expected to issue guidelines specifying the requirements of the notification obligation in further detail.
In addition, the bill introduces increased regulatory and investigative powers for the Dutch DPA, which becomes the authority responsible for oversight under both the Data Protection Act and the Telecommunications Act. Under the new bill, in case of a failure to notify or other violations of specific articles of the Data Protection Act, the Dutch DPA will be authorized to impose fines of up to EUR 810,000 or 10% of the company’s annual net turnover per violation, which may also be calculated on the basis of global revenues. Fines will only be imposed following a binding instruction from the DPA, except in case of deliberate violations or violations resulting from serious culpable negligence. The intended purpose of the binding instruction is to give the alleged offender a chance to remedy the suspected violation and thereby avoid a serious fine.
At this moment it is not yet known when the adopted legislation will enter into force; the expected date is 1 January 2016.
Companies are advised to review whether they comply with the new notification requirements for data controllers, in particular whether their existing agreements with data processors oblige the processor to report security incidents to the controller promptly enough for the controller to meet its own notification deadlines.