What is your study programme?
Information for
[ enrolled students ]
What is your study programme?

Report a data breach

Last modified on 15-02-2024 11:42
Have you found a data breach? Report it immediately.
Show information for your study programme
You're currently viewing general information. Choose your study programme to see additional information that's specific to your study programme, such as deadlines, regulations and contact details.
What is your study programme?

What is a data breach?

A data breach is a breach of security that results in the destruction, loss, alteration or unauthorised disclosure of or access to personal data that has been transmitted, stored or otherwise processed. It is not important whether the data leak results from malicious intent or otherwise.

In principle, data breaches must be reported to the Dutch Data Protection Authority within 72 hours of detection. Only data breaches where it is unlikely that the breach poses a risk to people’s rights and freedoms are exempted from the reporting obligation.

If the personal data breach poses a high risk to data subjects, data subjects must also be notified of the data breach. 
The data subject does not have to be notified if:

  • appropriate technical and organisational protection measures have been implemented, e.g. encryption of the data;
  • measures have been taken subsequently as a result of which the identified risks to data subjects have been removed;
  • the notification of data subjects would involve disproportionate effort. In this case, a public communication will suffice.

Reporting data breaches

Data breaches must be reported to ICTS immediately via the self serviceExternal link or via phone number +31 (0)20 525 1402

Outside office hours: CERTUvA: cert@uva.nlExternal link, +31 (0)20 525 3322

Report a data breachExternal link

Explain clearly what has happened and how you detected the data breach, and indicate the extent of the breach.

Examples of data breaches

A data breach can take various forms. Examples of data breaches include (this is not an exhaustive list):

  • sending a letter/email containing personal data to the wrong person;
  • loss of data carriers/documents containing personal data (NB: even if they are password protected);
  • theft of data carriers/documents containing personal data;
  • unauthorised access to personal data, e.g. employees who view students’ personal data without the authority to do so or malicious hackers who gain access to personal data; 
  • documents/files containing personal data that can be accessed due to lack of care. 

* Source: Handleiding Algemene Verordening Gegevensbescherming [Guidance on the General Data Protection Regulation], p.64. The latest version can be consulted at www.rijksoverheid.nl/avgExternal link.