All about the Meldplicht Datalekken in English
Sieuwert van Otterloo
The Netherlands has a new obligation to report data breaches, called the meldplicht datalekken. This new law applies to all companies that process personal data and comes with severe penalties. A lot of information is available, but mostly in Dutch, so we are providing this English summary.
Like other European governments, the Dutch government believes that the protection of privacy and personal data is important. Companies collecting personal data must comply with a specific data privacy law. This law has been in place since 2001 and is regularly updated to reflect changes in society. The most important aspects of the law are:
- Restricting collection and storage (only for specific purposes)
- Giving rights to data subjects (e.g. removal or correction)
- Ensuring sufficient security (organisation and technical)
At some point in time, the Dutch law will be superseded by the European Privacy Directive. A draft of the directive has existed since 2012, but progress in making it official has been slow. The Dutch government has therefore updated its own law to bring it in line with the upcoming EU rules. The biggest change in the latest update is that it has become mandatory for companies in The Netherlands to report data breaches. Any security incident that involves personal data must be reported to the government and to the people whose data is involved. Failure to report a breach within 72 hours can result in fines of up to 820.000 euro.
How to comply?
The following questions must be answered whenever a security incident occurs.
- Is personal data involved? The privacy law applies to any data that is potentially linkable to individuals. This includes names, birth days, phone numbers, IP addresses etc.
- Who is the responsible company? Whenever companies exchange personal data, only one company is the officially responsible party; all other companies are merely data processors. The data processors should report the incident to the responsible company, and the management of the responsible company should take further action.
- How sensitive is the data? Whether a data breach must be reported depends on the size of the breach and the sensitivity of the data. If the data is sensitive, even a single leaked record should be reported to the Dutch Autoriteit Persoonsgegevens.
- Should subjects be informed? If the stolen data is not encrypted, the data subjects must be informed so that they can take preventive action, for instance changing their passwords.
- What other steps are needed? Officially, reporting a breach is enough. However, it is prudent to improve security after each breach. Think of technical measures, awareness training, data removal and better monitoring.
Help with a data breach
If you would like professional assistance in assessing a security incident, you can call us directly. We have a small team of specialists with the legal knowledge, technical skills and Dutch language skills to help you file the report. For general inquiries, send an email via the form below. If an incident has occurred and you would like direct help, please call us directly on +31 6 1050 9674.
The following websites provide more information about the newest privacy law.
- This article at SoftwareZaken provides more details on what to do in Dutch.
- StartupJuncture has an article on the impact of Dutch privacy law for startups.
- The official website of the Autoriteit Persoonsgegevens provides more information. This is the new address of the CBP: the CBP agency has changed its name to Autoriteit Persoonsgegevens as part of its increased mandate to hand out fines.
- The Autoriteit Persoonsgegevens has a data breach reporting page where you have to report a data breach.
image: CC Alan Cleaver
Dr. Sieuwert van Otterloo is a court-certified IT expert with interests in agile, security, software research and IT-contracts.