Duty to report data leaks

The duty to report a data breach was introduced on 1 January 2016 and also applies under the GDPR. This duty to give notice entails that an organisation is required to report a serious 'data breach' to the Dutch Data Protection Authority ('Autoriteit Persoonsgegevens' or AP). In some cases the organisation also needs to report a data breach to the data subject(s) (anyone whose personal data has leaked). In order to be able to report data breaches to the AP and, where applicable, to the data subject(s), the breach naturally first needs to be reported internally.

In the case of a data breach we are dealing with a breakdown of the protection of personal data. The definition of a data breach is 'a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data'. As such, a data breach not only includes the actual disclosure of personal data but also any situation in which such disclosure could have occurred. For example, an email with sensitive personal data sent to the wrong address is a data breach, even if we don't think it was read by the recipient.

Here are several examples of data breaches:

  1. the loss of a memory stick containing personal data that is not encrypted;
  2. documents containing personal data which have been printed and left alone at the photocopier;
  3. anonymous survey results which nevertheless turn out to be traceable to the respondents;
  4. gaining access to personal data that your position does not entitle you to access;
  5. transmitting sensitive data (personal or otherwise) via an insecure route or to the wrong email address (hence to someone to whom you did not intend to send it);
  6. a computer containing personal data being compromised by an attacker.

Overview of data breach reports to the AP

Every quarter the AP publishes a comprehensive overview of all data breaches that have been reported. In addition, the AP considers data breaches in specific sectors in greater detail in the form of a number of sector-specific lists. See List of data breach reports (Dutch only).