As of 1 January 2016, the former "College Bescherming Persoonsgegevens" (CBP) will be rebranded as the "Autoriteit Persoonsgegevens". This is not just a change of name for the Dutch Data Protection Authority (DPA): it also gains the ability to impose substantially higher fines for a broader range of violations of the Dutch Data Protection Act. Another important change is the introduction of various data breach obligations into the Act, including the obligation to notify such breaches to the DPA and to the affected individuals.
In this practical update we highlight the recent legislative changes and provide you with some practical tips to prepare your organisation. Feel free to contact any member of our data protection team below if you have further questions.
Recent amendments to the Dutch Data Protection Act will introduce various obligations regarding personal data breaches for data controllers. Data controllers are required to notify any data breach:
If the personal data is encrypted or otherwise made incomprehensible to third parties, a notification to the affected individuals is not required. An often overlooked change is that the amendments to the Data Protection Act also oblige data controllers to sufficiently address data breaches in their contractual relationship with data processors. Lastly, the existing, similar notification duty for personal data breaches in the Dutch Telecommunications Act will be amended so that such notifications must now be made to the DPA instead of to the telecoms regulator.
The DPA recently published a guidance document on the data breach obligations, which can be found here. The examples in the document of what constitutes a "personal data breach" highlight the broad scope of the new rules: they include lost USB sticks, stolen laptops, hacker intrusions, malware infections, and even calamities (e.g., fires and floods in data centres). The document gives practical guidance on how to qualify data breaches, how to deal with processors (such as service providers) and in which cases such breaches must be notified to the DPA and to individuals. Generally speaking, a notification to the DPA should be made "immediately" and in any case within 72 hours. This period is explicitly inspired by the recently adopted and upcoming European General Data Protection Regulation, which includes a similar duty to notify personal data breaches. This Regulation is set to replace the Dutch Data Protection Act in early 2018. You can find our further coverage of the Regulation here.
These days, large parts of the value of your organisation reside in datasets and databases holding valuable business information. Proper prevention, awareness and handling of data breaches and security incidents is paramount for your business operations and for the trust of your customers, and it is also the proper instrument to safeguard compliance with legal and contractual obligations. Below are some considerations for your organisation when dealing with security incidents and the related data breach obligations:
Until 1 January 2016, the DPA's powers to impose fines were limited: a maximum fine of EUR 4,500, which could only be imposed for a limited set of violations of the Dutch Data Protection Act (among other things, the failure of an organisation to notify the processing of personal data to the DPA). That changed on 1 January 2016. From that date, the DPA has the power to impose fines for non-compliance with a large set of provisions of the Data Protection Act (among which the aforementioned obligation to notify the processing of personal data and the brand new obligation to notify data breaches). Importantly, the maximum amount also increases: violations can lead to a maximum fine of EUR 820,000, or even 10% of the annual net turnover of a company (although imposition of the latter will be exceptional and is limited to cases in which the EUR 820,000 maximum cannot be considered an 'appropriate' sanction). However, before it can impose a fine, the DPA is generally required to first issue a binding instruction (most likely aimed at a swift remediation of the non-compliance). The DPA can only impose a fine directly where a violation was intentional or the result of gross negligence.