New notification obligation for data security breaches as of 1 January 2016

Suppose your company laptop is stolen. As of 1 January 2016 you should be extra alert. All organizations that process personal data, are required to report data security breaches that have or are likely to have serious adverse consequences for the protection of personal data with effect from 1 January 2016. The fines involved for violating the notification obligation are sky high.

Careful management

The Dutch Data Protection Authority, which changes name from 1 January 2016 to the Personal Data Authority, can impose an administrative penalty on violators of Dutch privacy legislation. This includes for example the situation that personal data is not processed in a proper and careful manner or is kept longer than is necessary, if the data security is lacking, the management of personal data is poorly organized or sensitive information about individuals is abused.

Data security breaches

A data security breach can involve matters such as:

  • A lost USB stick.
  • A stolen laptop.
  • Sending email where the private email addresses of all recipients are visible to all other recipients.
  • A malware infection.
  • A calamity such as a fire in a data center.

Please note that a data security breach is defined not only as a situation where there is a risk that an unauthorized person has gotten access to the data, but also the situation where the organization looses the data (i.e. the original data and back-ups are both lost).

If there is a serious data security breach you need to make a notification to the Personal Authority within two working days. You also need to inform the affected individuals if there is a reason to believe that the breach could lead to adverse consequences for them, unless the compromised data is encrypted or otherwise unintelligible to third parties.

Maximum penalty of 10% annual revenue

Failure to provide notification of data security breaches will be subject to a fine of up to € 810,000 or 10% of the organization’s annual net turnover.

Notifications are not made public

Notifications made to the Personal Authority about data security breaches are entered into a non-public register. Information can still become public insofar this is necessary in connection with investigation reports of the Personal Data Authority.