What is a data breach?
A data breach is a breach of security that results in the destruction, loss, alteration or unauthorised disclosure of, or unauthorised access to, personal data that has been transmitted, stored or otherwise processed. Whether the breach results from malicious intent or from an accident or error is irrelevant: it is a data breach either way.
In principle, data breaches must be reported to the Dutch Data Protection Authority within 72 hours of detection. The only exemption from this reporting obligation is for breaches that are unlikely to pose a risk to people’s rights and freedoms.
If the personal data breach poses a high risk to data subjects, data subjects must also be notified of the data breach.
The data subject does not have to be notified if:
- appropriate technical and organisational protection measures have been implemented, e.g. encryption of the data;
- measures have been taken subsequently as a result of which the identified risks to data subjects have been removed;
- the notification of data subjects would involve disproportionate effort. In this case, a public communication will suffice.
Examples of data breaches
A data breach can take various forms. Examples of data breaches include (this is not an exhaustive list):
- sending a letter/email containing personal data to the wrong person;
- loss of data carriers/documents containing personal data (NB: even if they are password protected);
- theft of data carriers/documents containing personal data;
- unauthorised access to personal data, e.g. employees who view students’ personal data without being authorised to do so, or malicious hackers who gain access to personal data;
- documents/files containing personal data that have become accessible to unauthorised persons through carelessness.
Reporting data breaches
Data breaches must be reported to ICTS immediately: firstname.lastname@example.org, +31 (0)20 525 1402
Outside office hours: CERTUvA: email@example.com, +31 (0)20 525 3322
Explain clearly what has happened, how you detected the data breach and how extensive it is (for example, which data and how many people are affected, as far as you know).
* Source: Handleiding Algemene Verordening Gegevensbescherming [Guidance on the General Data Protection Regulation], p.64. The latest version can be consulted at www.rijksoverheid.nl/avg.