On 26 May 2015, a number of amendments to the Dutch Data Protection Act (Wet bescherming persoonsgegevens) were passed in Parliament. Most notably, the new requirements introduce a general notification duty for personal data breaches and a steep increase in the fines the Data Protection Authority (DPA) may impose, which can be as high as 10% of a company’s annual net turnover. With the higher penalties also come increased powers for the DPA to impose fines on individuals within an organisation (e.g. directors).
These changes are likely to come into effect in January 2016 and will directly affect any company subject to Dutch law. Companies must be aware of the new supervisory powers of the DPA and are further advised to make the necessary amendments to their internal data protection and security policies. The latter particularly includes drafting or reviewing policies related to personal data breaches, as well as verifying that contracts with third parties adequately address these obligations.
- Increase in administrative fines and powers
- General notification duty for personal data breaches
- Other changes
1. Increase in administrative fines and powers
Currently, the DPA has limited capability to impose fines, and can only impose administrative fines up to a maximum of EUR 4.500 for the violation of the (administrative) requirements to notify processing activities to the regulator. In other cases, the DPA may give an order under penalty to end or repair a violation of the Data Protection Act, but it may not impose an administrative fine as such.
Administrative fines up to 10% of the annual net turnover
This bill finally introduces the proverbial stick the DPA has requested for some time. The administrative fines the DPA will be able to impose for violations of the Data Protection Act can be as high as EUR 810.000 in the highest category, or 10% of a company’s annual net turnover when the offender is a legal entity and the highest category is not deemed sufficient for the violations at hand. The new rules further introduce fines of up to EUR 20.250 for all non-EU entities that process personal data in the Netherlands without having designated a local representative to oversee compliance with the Dutch Data Protection Act. Lastly, the bill introduces the possibility for the DPA to impose separate fines (up to EUR 810.000) on individuals within the organisation, including directors and managers.
Generally, the DPA may not impose these fines right away, but must first issue a so-called “binding instruction” after an investigation into non-compliance. This is a recovery-oriented corrective measure, in which the DPA specifies exactly what actions must be taken in order to remedy the non-compliance. If the instruction is not carried out within a certain period, the DPA may resort to imposing the punitive fines set out above. Note, however, that in cases where the DPA can construe “wilful intent” or “culpable negligence” with respect to the non-compliance, it may impose the fines right away, without the need to first issue binding instructions.
The new rules also introduce the ability for the DPA to publish binding guidelines on material aspects of the Data Protection Act. After the publication of these guidelines, it will be easier for the DPA to construe “wilful intent” or “culpable negligence” in cases of non-compliance, allowing it to directly impose an administrative fine as described above. Before such guidelines may be issued, however, they require the prior approval of the Minister of Security and the Minister of Justice and Internal Affairs, to secure a healthy system of checks and balances on this increase of the DPA’s power. It is expected that this will generally also involve consultation with relevant industry stakeholders.
2. General notification duty for personal data breaches
(also see our earlier coverage of the proposal)
The other substantial change is the introduction of a notification duty for personal data breaches. Though the upcoming General Data Protection Regulation is likely to also include specific rules for data breaches, the Dutch legislator, like those of other countries, was not willing to wait and decided to introduce national rules on this topic.
The notification duty in a nutshell
The notification duty follows similar principles to those seen across Europe and the rest of the world. Controllers will have to notify the DPA of any personal data breach that has, or is likely to have, serious adverse consequences for the protection of personal data. Further to that, controllers will be obligated to inform affected individuals where such a breach is likely to have negative effects on their privacy. The latter is not required in cases where the compromised personal data is sufficiently encrypted, or otherwise made unintelligible to the unauthorised party. Additional exceptions to the obligation to notify affected individuals may also apply (e.g. state security, prevention of crimes and criminal investigations, important economic and financial state interests, protection of data subjects and the rights and freedoms of others).
Further to this, controllers must keep a record of all such notifications made to the DPA, and include any relevant details related to such breaches. It is worth noting that the new regime also obligates controllers to specifically address this requirement in their contracts with processors. Companies are therefore strongly advised to review their contractual relationship with their processors to ensure that this has been appropriately addressed.
Telecom and banking sectors
It must be further noted that the duty to notify individuals does not apply to financial institutions such as banks, insurance companies and the like. This is because a specific regulation for such institutions exists and includes a separate notification duty to the financial authority (i.e. AFM). In addition, a duty for financial institutions to notify individuals of a breach is thought to have potential adverse and unexpected effects on the financial market, justifying the exemption from notifying individuals. Note that those institutions do, however, have the obligation to report such breaches to the DPA (and AFM) and must keep a record of said breaches.
Further to the above, there are also some minor changes for the telecommunications sector. The Dutch Telecommunications Act (DTA) has for some time imposed a notification duty for security breaches on “electronic communication providers” (such as telecom operators). The DTA included a duty for said providers to notify “any security breach which has an adverse effect on the privacy of individuals involved” to the telecom regulator (ACM) and to the individuals concerned. Under the new rules, all such notifications will have to be addressed to the DPA instead of ACM.
Further guidance to be expected
As with the new supervisory powers mentioned above, the notification duty has been heavily debated in Parliament. Important aspects of the obligation to notify beg for further clarification: what exactly qualifies as a breach? How to assess whether a breach is “likely to have serious adverse consequences”? And what are “negative effects to an individual’s privacy”?
The DPA is expected to publish binding guidelines addressing the new notification duty shortly. It is expected that these guidelines will stay close to the Article 29 Working Party’s opinion on personal data breach notification (WP213). Further to that, the explanatory note to the new rules gives some guidance, for example by listing data breaches that might be covered by the new regime: successful hacking attempts, theft of laptops and mobile devices, but also lost memory sticks or emails containing personal data which are sent to wrong recipients.
3. Other changes
Other amendments include improved means for the DPA to share information with, and request information from, other supervisors, making it mandatory for supervisors to provide information to other supervisors insofar as this is necessary for performing their supervisory tasks. The new bill also renames the DPA (currently the College bescherming persoonsgegevens), which will be rebranded as the “Personal Data Authority” (i.e. Autoriteit Persoonsgegevens).