News Update Data & Privacy Protection
30 May 2023
Notifying 'data breaches' that involve personal data has been a legal obligation in the Netherlands since 2016. This obligation was introduced for the entire EU when the General Data Protection Regulation (GDPR) came into force. Still, the exact rules are not always entirely clear to everyone. The Dutch Data Protection Authority (Dutch DPA) recently indicated that it receives many questions (in Dutch) about data breaches. In this News Update, we look at some of the legal obligations for organisations.
GDPR and data breaches
The GDPR uses the more specific term 'personal data breach', which is defined as follows:
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
The GDPR does not apply if no personal data is processed. There are also other reasons why the GDPR might not apply, for example due to exempt activities. For argument's sake, we will assume the GDPR does apply and will use 'data breach' to refer to personal data breaches. A few examples of data breaches are misdirected emails with personal data, hacker attacks on databases and the theft of documents from an orderly filing cabinet.
Discovering a data breach
The moment that an organisation discovers a data breach is key. From that moment, the organisation may be required to notify the incident. Importantly, the organisation should determine in what capacity it processes the personal data affected. If it is a controller, the organisation may be legally required to notify the breach (see the following section). But if it is a processor (i.e. working on behalf of a different party), the organisation is not required to notify any supervisory authority or data subjects of the data breach. Processors are, however, obliged to inform the controller of all data breaches to enable the controller to comply with its legal obligations. In addition, a data processing agreement must set out how the processor is to assist the controller in this, where possible.
Notifying data breaches to the supervisory authority
Controllers are legally required to notify all data breaches to the supervisory authority without undue delay and, where feasible, within 72 hours of their discovery. The supervisory authority for the Netherlands is the Dutch DPA, which has set up the Data Breach Notification Desk (in Dutch) for this purpose. A data breach does not need to be notified if it is unlikely to result in a risk to the rights and freedoms of natural persons. Whether or not this is the case will depend on the actual situation. There may be all sorts of circumstances that reduce or even altogether eliminate the risk, even if there is in fact a data breach according to the letter of the law. The Dutch DPA does not publish the notifications.
Notifying data breaches to data subjects
In some cases, the data subjects whose personal data has been breached must also be informed. The applicable threshold is stricter than that for notification to the supervisory authority: a high risk to the rights and freedoms of natural persons must be likely.
A number of key exceptions apply to the obligation to notify data subjects. Notification is not required if:
- The controller is a 'financial undertaking' (financiële onderneming) within the meaning of the Financial Supervision Act (Wet op het financieel toezicht).
- The data concerned is adequately protected (e.g. encrypted) to prevent access by third parties.
- Subsequent measures are taken to reduce the likely high risk (e.g. remote wiping).
- Notifying all data subjects individually would require disproportionate effort.
- Specific interests justify not notifying a data subject, for example when collecting a civil claim, investigating criminal offences or protecting the rights and freedoms of the data subject or other people.
Documenting all data breaches
Controllers must document all data breaches identified by them, including data breaches that are not notified.
Failure to notify a data breach when it is required, or notifying it too late, may carry an administrative penalty or other supervisory measure. The Dutch DPA imposed penalties on several occasions for the mere reason that a data breach had not been notified on time, or not at all. One such example is the penalty imposed on the Overijssel chapter of the Freedom Party (PVV).
Other notification requirements
In addition to the GDPR notification requirement, organisations may also have other duties to notify. In other words, one single security incident may have to be notified to several authorities on different grounds:
- The NIS Directive (2016/1148) and its Dutch Implementation Act require operators of essential services and digital service providers to notify security incidents (not necessarily limited to incidents involving personal data). Operators of essential services are identified in a separate decree (in Dutch). Digital services under this regime are online marketplaces, online search engines and cloud computing services.
- The Telecommunications Act (Telecommunicatiewet) lays down notification requirements for providers of public electronic communication services and networks, including in relation to personal data.
- Other notification requirements may apply under sector-specific legislation, such as the obligation to notify incidents under the Financial Supervision Act and other rules of financial law. A serious data breach could be this type of 'incident'.