On May 26, 2015, the Upper House of the Dutch Parliament passed a bill that introduces a general obligation for data controllers to notify the Dutch Data Protection Authority (“DPA”) of data security breaches and provides increased sanctions for violations of the Dutch Data Protection Act. A Dutch Royal Decree still needs to be adopted to set the new law’s date of entry into force. According to the Dutch DPA, the new law is likely to come into force on January 1, 2016.
Currently, Dutch law includes data breach notification obligations for specific sectors in the Netherlands (e.g., the financial and healthcare sectors) or particular types of organizations (e.g., telecommunications and Internet service providers). The new law will extend that obligation to all data controllers subject to the Dutch Data Protection Act. In this respect, the new Dutch law anticipates the proposed EU General Data Protection Regulation, which will introduce such an obligation across the EU but not before 2017-2018.
Under the new Dutch law, data controllers will be required to notify the Dutch DPA immediately of any data security breach that has, or is likely to have, serious adverse consequences for the protection of personal data. The DPA is expected to issue practical guidance at a later stage clarifying the circumstances in which notification is required. In addition, as a result of the new law, telecommunications and Internet service providers will have to notify data security breaches to the Dutch DPA rather than to the Dutch Authority for Consumers & Markets, whose supervisory role in this respect passes to the DPA. Under the new law, notifications to the DPA must include at least the following information:
- the nature of the breach;
- the entities or bodies that can provide further information on the breach;
- the expected consequences of the breach for the data processing;
- the recommended measures to mitigate the adverse consequences of the breach; and
- the measures taken to deal with the breach.
In addition to notifying the DPA, data controllers will be required to notify the affected individuals if there is reason to believe that the breach could lead to adverse consequences for them, unless the compromised data is encrypted or otherwise unintelligible to third parties (an exemption that only applies if the keys or other means of decryption were not exposed in the same breach). Data controllers also will have to maintain an internal data breach register recording every data security breach they experience that might affect individuals.
Failure to notify a data security breach will be subject to a fine of up to € 810,000 or 10% of the organization’s annual net turnover. The new law also will empower the DPA to impose higher fines for other violations of the Dutch Data Protection Act. The maximum administrative fines will be increased to:
- € 20,250 for violations that are already subject to a fine (e.g., failure of a non-EU data controller to appoint a local representative when using means of data processing in the Netherlands, or failure to comply with cross-border data transfer restrictions); and
- € 810,000 or 10% of the organization’s annual net turnover for other violations of the Dutch Data Protection Act.