A new year brings new opportunities. It also means a fresh start for new pieces of law, such as the entry into force of the Dutch data breach notification rules. As of 1 January of this brand new year, organizations are required to report data breaches to the Dutch Data Protection Authority, and in some cases to the affected data subjects as well. Given the variety of opinions and questions addressed to us, there appears to be quite a bit of misunderstanding about this duty to report. Below, five misconceptions are clarified.
1. Destruction of data can never be a data breach.
A common argument. After all, if the data is destroyed, it can no longer fall into the hands of malicious people. That is true. However, destruction of personal data can still be detrimental to the parties concerned, and the regulator therefore considers it a data breach.
2. The notification must be made within 24 hours / two business days.
This is incorrect. The period of 24 hours was mentioned in another blog post I came across, and the period of two business days was set out in the draft version of the regulator's guidelines. The law states that the data breach must be notified immediately. In the final version of the guidelines, which are now designated as policies, a 72-hour period is included. The regulator explains that "immediately" means you may first take some time for further investigation. Incidentally, if you can demonstrate why you needed more time, you may also report a leak after 72 hours.
3. Failure to comply with the duty to report yields a fine of € 810.000,-.
That is not entirely correct. Apart from the fact that the maximum penalty will be € 820.000,- (the penalties laid down in the Dutch Criminal Code will be increased as of 1 January 2016), the regulator has also issued penalty policies. In these policies, each violation of the Dutch Data Protection Act is classified in a separate category. The regulator is authorized to impose a maximum fine of € 820.000,-, but for failing to satisfy the reporting duty, a fine of the second category of the Dutch Criminal Code can be imposed. That equates to an amount between € 120.000,- and € 500.000,- per violation. You can expect two penalties if you "forget" to report to both the regulator and the data subjects involved.
Mind you, this is based on the consultation version of the policy. The final version may introduce some changes.
4. The report can only be done in writing.
An often-heard argument is that the report can only be made in writing. Thankfully, this is also a misunderstanding. The regulator provides a web form that can be used to make a report. If, for whatever reason, you cannot use that form, you may use fax (yes, really).
5. As a data processor, you also have a duty to report.
Only the data controller is obligated to report a data breach to the regulator and, under certain circumstances, to the affected data subjects as well. However, a processor plays a crucial role in making a report, since a processor may be the one who discovers the leak in the first place. In that case, it is up to the controller to ensure that the processor is contractually obligated to pass on such information as soon as needed. Such arrangements should be laid down in a processor agreement.
Would you like to know more? Please read the comprehensive policies of the Dutch Data Protection Authority (currently only available in Dutch).