Effective 1 January, Dutch data protection law requires organizations to notify the Dutch Data Protection Authority within 72 hours of “a breach of security […] which results in a significant chance of severe detrimental effects or has severe detrimental effects for the protection of the private life.”
The data subject must also be informed if “the breach probably will result in adverse effects on their private life.”
These data breach notification obligations only apply if the Dutch Data Protection Act applies, for instance in situations wherein a Dutch entity is data controller.
It’s important to remember that it is not just data breaches that have severe consequences that must be reported; data breaches that may result in a significant chance of severe consequences also must be reported. So the new requirements cover all data breaches from which it can be determined that there is a significant chance that the security incident results in the loss of personal data or in the unauthorized or unlawful use of it.
The Dutch legislature has left it to the data controller to decide what is sufficiently severe. The scope and nature of the data breach should be the guiding principle. It is important to focus on the effects or likely effects of the breach, not whether the security of the breached data was appropriate.
Each breach will have to be assessed individually before deciding whether it is worthy of notification. A striking example is the loss of a laptop that contains personal data. When a laptop is stolen, it will have to be reported to the DPA if there is a significant chance of severe detrimental effects for the protection of the private life, for example when the laptop contains customer financial information. If the laptop (or the data on that laptop) is not encrypted, the theft will also have to be reported to the persons concerned, as it will be considered likely to have adverse effects on their private life. On the other hand, the loss of a laptop with encrypted customer information does not have to be reported to the DPA or to the person concerned if the consequences of the security incident do not appear to be severe.
The mandatory data breach notification regime entails the following:
- many breaches of personal data will have to be reported to the DPA;
- if the breach probably has privacy consequences for the person concerned, the person concerned must also be notified, unless the data was sufficiently encrypted;
- companies have to keep an overview of the data breaches that have occurred; and
- obligations regarding security breaches are incorporated into processor agreements.
Update processor agreements
The DPA also requires that contractual obligations between the data controller and service providers are documented in a written processor’s agreement.
The DPA requires that a processor’s agreement describes at least:
- what acts the service provider may perform (for example, payroll services);
- that the service provider only performs acts with personal data as instructed by the data controller;
- that the service provider keeps the data confidential; and
- that the service provider takes appropriate technical and organizational security measures.
It is the data controller’s responsibility to ensure the service provider complies with these agreements.
With the introduction of the mandatory data breach notification, it is recommended that existing processor agreements are updated. After all, a data controller can only fulfill their obligation to report data breaches if their service providers notify them of any breaches. It is therefore recommended to adopt into the processor’s agreement obligations that require the service provider to inform the data controller immediately when it becomes aware of a security incident in which personal data might have been breached.
In addition, the processor’s agreement should include that the service provider informs the data controller about:
- the nature and extent of the security incident;
- the measures that the service provider has taken in order to prevent the breach; and, if possible,
- the measures a person concerned can take in order to reduce any adverse effects.
The DPA can impose fines
As part of the January 2016 changes, the DPA was granted an enormous boost to its powers; it can now impose a fine of up to €820,000 or 10 percent of the annual turnover on companies for non-compliance with the data breach notification requirement and several other provisions of the Dutch Data Protection Act. The DPA must first serve the data controller with a "binding instruction" granting the company in breach a reasonable period of time to make changes in order to become compliant. If the company fails to make the changes in time, however, the DPA may issue the fine, adding to the inevitable costs of a data breach.