Effective 2016, Netherlands' businesses must notify the Dutch data protection authority ("DPA") and sometimes individuals if they suffer certain data breaches that involve personal data under their control. Companies will have to take this seriously, as failure to notify may lead to fines up to €500,000 (or potentially higher).
Who Is Affected?
The notification duty applies to data controllers that have an establishment in the Netherlands and process personal data in the context of that establishment. It also applies to data controllers outside the EEA that process personal data using equipment on Netherlands' soil.
Data processors are not subject to the data breach notification duty, regardless of whether they are located in the Netherlands and whether they process personal data of Dutch residents. They should, however, realise that incidents at their end may trigger notification duties of their customers operating in the Netherlands and that these will need to be reflected in the controller/ processor contracts.
What Incidents Must Be Reported?
A data breach must be notified if it has, or is likely to have, a serious adverse impact on the protection of personal data. The meaning of a "data breach" is quite broad: it is understood to be every "failure in the technical and organisational measures to secure personal data against loss or against any form of unlawful processing".
Clear examples of data breaches are laptops being stolen or hackers claiming to have accessed customer data. However, much less obvious incidents may fall under the notification requirement such as where a former employee's user account is not blocked after he left the company or where an organisation mistakenly sends out an e-mail message to 50 customers rather than sending it to 50 undisclosed recipients. Whether or not a data breach has to be reported will depend on the consequences it will have on the protection of personal data which will need to be considered on a case-by-case basis.
Do I Always Have To Inform The Data Subjects As Well?
No. Data subjects do only have to be informed if it is likely that the breach has serious adverse effects on their privacy. The DPA will particularly assess whether notification of data subjects will help mitigate the risks they are exposed to as a result of the data breach. For instance, if passwords were hacked, the controller should inform the affected data subjects and recommend that they also change identical passwords on other services / accounts they may have.
How Much Time Do I Have?
Data breaches must be notified to the DPA within two business days of discovery. Often it will not be possible to provide full details on the incident within this timeframe. This is not an excuse to postpone the notification. It is, however, permitted to file a temporary notification. At a later stage, such temporary notification can be completed or withdrawn, depending on the results of the investigation of the incident.
What Should Businesses Do?
Data breach notification obligations are on the rise in the EU and elsewhere. While the EU Data Protection Directive does not contain data breach notification obligations, some European countries’ national laws do (eg, Germany and Austria), and once the GDPR will come into force, mandatory data breach obligations will apply across the EU.
Designing and implementing a sound data breach response plan to ensure compliance with the new law will be indispensable for many businesses operating in the Netherlands. They should do so with an eye on the GDPR as it will replace the Dutch law once it comes into force. Further, data processor agreements will need to be updated to reflect the reporting obligations. If you would like assistance, please contact Wouter Seinen or your usual Baker & McKenzie contact.