A data breach is a breach of security that results in the destruction, loss, alteration or unauthorised disclosure of, or access to, personal data that has been transmitted, stored or otherwise processed. Whether the breach is caused by malicious intent or by accident (for example a lost laptop or an e-mail sent to the wrong recipient) makes no difference to this definition.
In principle, data breaches must be reported to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) within 72 hours of detection. Only data breaches that are unlikely to pose a risk to people's rights and freedoms are exempt from this reporting obligation.
If the personal data breach poses a high risk to data subjects, data subjects must also be notified of the data breach.
The data subject does not have to be notified if:
A data breach can take various forms. Examples of data breaches include (this is not an exhaustive list):
Data breaches must be reported to ICTS immediately: firstname.lastname@example.org, +31 (0)20 525 1402
Outside office hours: CERTUvA: email@example.com, +31 (0)20 525 3322
Explain clearly what has happened and how you detected the data breach, and indicate the extent of the breach.
* Source: Handleiding Algemene Verordening Gegevensbescherming [Guidance on the General Data Protection Regulation], p.64. The latest version can be consulted at www.rijksoverheid.nl/avg.