New Data Protection Authority in the Netherlands

By Berend Van Der Eijk, Paul Waszink, Frank Simons, Wilfred Steenbruggen


As of 1 January 2016, the former "College Bescherming Persoonsgegevens" (CBP) will be rebranded into the "Autoriteit Persoonsgegevens". Not just a change of name for the Dutch Data Protection Authority (DPA), but also with the ability to impose substantially higher fines for a broader range of violations of the Dutch Data Protection Act. Another important change is the introduction of various data breach obligations into the Act, including the obligation to notify such breaches to the DPA and affected individuals.

In this practical update we highlight the recent legislative changes and provide you with some practical tips to prepare your organisation. Feel free to contact any member of our data protection team below if you have further questions.

Data breaches

The highlights

Recent amendments to the Dutch Data Protection Act will introduce various obligations regarding personal data breaches for data controllers. Data controllers are required to notify any data breach:

  • to the DPA if such breach has serious adverse consequences for the protection of personal data; and
  • to affected individuals to the extent the breach is likely to have unfavorable consequences for the privacy of these individuals.

If the personal data is encrypted or otherwise made incomprehensible for third parties, a notification to such individuals is not required. Often overlooked, the changes in the Data Protection Act also introduce the obligation for data controllers to sufficiently address data breaches in their contractual relationship with data processors. Lastly, the existing similar notification duty for personal data breaches in the Dutch Telecommunications Act will be amended to the effect that such notifications must now be done at the address of the DPA instead of the telecoms regulator.

DPA Guidance

The DPA recently published a guidance document related to the data breach obligations which can be found here. The examples in the document for what constitutes a "personal data breach" highlight the broad scope of the new rules: they include lost USB sticks, stolen laptops, hacker intrusions, malware infections, and even calamities (e.g., fires and floods in data centers). The document gives practical guidance on how to qualify data breaches, how to deal with processors (such as service providers) and in which cases such breaches should be notified to the DPA and individuals. Generally speaking, a notification to the DPA should be done"immediately” and in any case within 72 hours. This period is explicitly inspired by the recently adopted and upcoming European General Data Protection Regulation, which includes a similar duty to notify personal data breaches. This Regulation is set to replace the Dutch Data Protection Act early 2018. You can find our further coverage of the Regulation here.

Preparing your organisation

These days, large parts of the value of your organisation are enshrined in datasets and databases with valuable business information. Proper prevention, awareness and dealing with data breaches and security incidents is paramount for your business operations and the trust of customers, and the proper instrument to safeguard compliance with legal and contractual obligations. Below are some considerations for your organisation dealing with security incidents and related data breach obligations:

  • Prevention. Having a robust system of prevention of data breaches and security incidents might be the best starting point. Make sure your organisation has appropriate technical and organisational security measures, including specific measures to prevent security incidents. It is worth exploring relevant certifications and security audits for your organisation.
  • Awareness. Make sure that both your systems as well as your employees are able to recognize security incidents when they happen. Implement a security incident policy with clear examples of the incidents your employees should notify within the organisation. Give appropriate security incident training and use e-learning tools so employees know what to look for and how to respond.
  • Appropriate response. After your company has been made aware of a security incident, it is important to swiftly (i.e. with a set response team) assess next steps: further investigate the incident, see if the incident qualifies as a personal data breach or is otherwise subject to contractual or legal obligations, take mitigating steps. It can be advised to include external parties in your company’s response team such as a forensic expert or an attorney. Attorneys in the Netherlands have legal privilege, which often gives an important benefit in dealing with sensitive matters such as security incidents.
  • Contractual relations. As mentioned above, it is a legal obligation for data controllers to address the matter of data breaches in contractual relations. It is strongly advised to revisit current contracts and take this obligation into account when concluding new contracts. Vice versa, also be aware of any other contractual obligations your company might have: your company might have a contractual obligation to notify a counterparty in case of certain security incidents.
Supervision of the DPA

Currently, the DPA's powers to impose fines were limited: a maximum fine of EUR 4.500,- which could have only be imposed for a limited set of violations of the Dutch Data Protection Act (among other things, the failure of an organisation to notify the processing of personal data to the DPA). That changed on 1 January 2016. From that date, the DPA has the power to impose fines for non-compliance with a large set of provisions of the Data Protection Act (among which the aforementioned obligation to notify the processing of personal data ánd the brand new obligation to notify data breaches). Importantly, also the maximum amount increases: violations can lead to a maximum fine of EUR 820,000, or even 10% of the annual net turnover of a company (although imposition of the latter will be exceptional and is limited to cases in which imposition of the maximum amount cannot be considered to be an 'appropriate' sanction). However, before it can impose a fine, the DPA is required to give a binding instruction (most likely: aimed at a swift remediation of the non-compliance). The DPA can only directly impose a fine in case where a violation was done on purpose or in cases of gross negligence.