Welcome to Penrose Personal data breach
Penrose specialises in Dutch and European Union privacy laws. We advise and assist Dutch companies and institutions regarding privacy, security and personal data protection matters pursuant to Dutch and European laws and regulations. In the event of a data breach we offer immediate assistance with regard to measures and potential liability claims. Please read more about this in the section hereafter.
Notification obligations
The Netherlands has had a notification obligation for personal data breaches since 1 January 2016. With the arrival of the GDPR in 2018, this obligation now applies to all EU member states. A personal data breach can be defined as a breach of security that leads to the accidental or unlawful destruction, loss or alteration of, or unauthorised access to, personal data.
Data breaches must be reported to the national Data Protection Authority (for the Netherlands, the Autoriteit Persoonsgegevens), unless it is unlikely that the data breach will negatively impact the privacy of the person(s) involved. The notification to the Data Protection Authority must be made within 72 hours of the controller becoming aware of the data breach. In the Netherlands, personal data breach notifications must be filed through the Dutch DPA’s reporting desk.
The personal data breach should also be reported to the person or persons whose personal data it concerns, if it is likely that the data breach (potentially) poses a high risk to the privacy of that person or those persons. This is the case, for example, where there is a threat of discrimination, identity theft, identity fraud or financial loss, or where special categories of personal data (such as data on ethnic origin, religion, health, sexual orientation or criminal convictions) have been leaked.
Registration
In addition to the notification obligation, the GDPR also requires the registration of each and every personal data breach. This registration obligation falls under the accountability principle of the controller. All data breaches (including unreported data breaches) that occur within an organisation must be properly documented. The Dutch Data Protection Authority must be granted access to this register upon request.
Liability in the event of a personal data breach
If the controller fails to report a data breach, or fails to report it in time, the Data Protection Authority may, among other things, impose a fine.
The individual whose personal data has been leaked and who has suffered (material or immaterial) damages as a result of the personal data breach, may be entitled to compensation from the controller. Where the data breach has occurred through or at the premises of a processor, the individual may hold both the controller and the processor liable for the damages.
The controller and the processor may agree to a different division of liability with limitations and exclusions, for example in a processing agreement.
Dutch personal data specialist
Penrose employs lawyers specialised in data breaches, who are pleased to assist you and answer your questions. The contact details of our privacy specialist are given here.