On 26 May, the Netherlands First Chamber passed a bill requiring companies to notify the Dutch Data Protection Authority (DPA) and affected individuals of certain breaches of personal data. As we reported earlier this year, when the bill becomes law, it will be mandatory for all types of data controllers to provide these breach notifications. Failure to notify will be punishable by a maximum fine of 810,000 euros or 10% of the company’s annual turnover (i.e., revenue), whichever is greater. Importantly, the fines may not be limited only to a company’s revenue in the Netherlands, but could be calculated based on its global revenue. Companies should be aware of these increased sanctions and new mandatory notification requirements when addressing a data breach that may involve the personal data of Dutch citizens.
In brief, the bill requires data controllers to:
- Notify the DPA immediately of any breach that is likely to have ‘serious adverse consequences for the protection of personal data’ (the DPA is expected to issue guidance defining what constitutes ‘serious adverse consequences’);
- Notify individuals, unless the personal data has been encrypted; and
- Maintain an internal data breach register recording all security breaches they experience that have or might have potential negative effects on individuals, including information about the breach, mitigating measures, and the text of notifications to the individuals affected. There is no obligation to make this register public.
It is not yet known when the bill will enter into force. Usually, amendments to the Dutch Data Protection Act enter into force immediately upon publication in the Dutch Government’s Gazette. However, a royal decree is required for laws to become effective, and it is not clear when this will happen: it could be at any time between the summer of 2015 and early 2016. The bill is a precursor to the data breach notification requirement in the EU General Data Protection Regulation, and will apply until the Regulation comes into force at some point in the future.
Companies are advised to consider how best to implement appropriate data compliance and data security policies.