On July 1, 2019, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, (the “Dutch DPA”)) announced that it had expanded its guidance on data breaches. The updates aim to answer questions about data breaches received by the Dutch DPA from organizations since 2016.

In particular, the Dutch DPA expanded its Q&As section on the obligation to report data breaches and on how companies must react in the event of a data breach. The Dutch DPA also developed practical tools to help organizations understand what to do in the event of a data breach. Such tools include videos and information sheets with tips on how to maintain a data breach register, a step-by-step plan to take action in the event of a breach, and a list of examples indicating whether or not a data breach is notifiable.

In the Netherlands, a data breach notification regime has been in place since 2016.

The Dutch DPA indicated that it will continue to provide guidance on various topics related to the EU General Data Protection Regulation via a dedicated website, including guidance on how companies must comply with data subject rights requests.