Meldplicht Datalekken / Reporting data breaches

The Netherlands has a new obligation to report data breaches, called the meldplicht datalekken. This new a law applies to all companies that process personal data and comes with severe penalties. A lot of information is available but mostly in Dutch. We are providing this English summary.

Note: this article was written in 2016, when the Netherlands introduced an obligation to report data breaches, ahead of GDPR. As of May 2018, all EU countries have the same regulation to report data breaches. This article has been updated (feb 2021) to reflect the new GDPR situation.

Background

Since May 2018, all EU countries enforce the data protection regulation GDPR. Iimportant aspects of GDPR are:

• Restricting collection and storage (only for specific purposes)
• Giving rights to data subjects (e.g. removal or correction)
• Ensuring sufficient security (organisation and technical)
• Obligation to report data breaches

This article explains what to do in case of a data breach in practical terms.

How to comply?

The following questions must be answered whenever a security incident occurs.

• Is personal data involved? The privacy law applies to any data that is potentially linkable to individuals. This includes names, birth days, phone numbers, IP addresses etc.
• Who is the responsible company? Whenever companies are exchanging personal data, only one company is the official responsible (controller) and all other companies are only data processors (Dutch: verwerker). The data processors must report the incident to the controller and the management of the responsible controller should take further action.
• How sensitive is the data? Whether a data breach must be reported depends on size of the data breach and sensitivity of the data. If the data is sensitive, even a single record should be reported to the Dutch Autoriteit Persoonsgegevens.
• Are data subjects be informed? If stolen data is not encrypted, the people who the data is about (the data subjects) must be informed so that they can take preventive actions. They might need to change passwords for instance.
• What other steps are needed? It is prudent to improve security after each breach. Think of technical measures, awareness training, data removal, better monitoring.

Data breaches must be reported to the Data Protection Authority by the controller, in the country of the controller. For The Netherlands, this is the Autoriteit Persoonsgegevens. The data breach must be reported ‘without delay’ and within 72 hours after discovery. Reporting a data breach does not result in a fine, since having a data breach is not illegal. Having many data breaches can however lead to an investigation into the security measures taken. Therefore it is a good idea to evaluate your information security after data breaches have occurred.

Help with a data breach

If you would like professional assistance in assessing a security incident, you can call us directly. We have a small team of specialists with the legal knowledge, technical skills and Dutch language skills to help you file the report. For general inquiries, send an email via the form below. If an incident has occurred and you would like direct help, please call us directly on +31 6 1050 9674.

Further reading

The following website provide more information about the newest privacy law.

• The official website of the Autoriteit Persoonsgegevens provides more information.
• The Autoriteit Persoonsgegevens has a data breach reporting page where you have to report a data breach.
• A good process for information security incident management is necessary to report data breaches
• Every organisation must have a register of data processing activities. It can be found here.
• For more articles about privacy, visit our page with all privacy articles.

image: CC Alan Cleaver