On 1 January 2016, the Dutch Data Leaks (Duty to Report) Act and the extension of the administrative authority of the Dutch Data Protection Authority (Cbp) to impose fines came into effect. The Act introduces into the Dutch Personal Data Protection Act (Wet bescherming persoonsgegevens – Wbp) a duty to report data leaks. In addition, the authority of the Cbp (renamed ‘Autoriteit persoonsgegevens’ on 1 January 2016) to impose fines was extended.
Data leaks
The Dutch Data Leaks (Duty to Report) Act adds a new obligation to the Dutch Personal Data Protection Act. Every breach of the measures to protect against loss or unlawful processing of personal details must be reported to the Data Protection Authority. In addition, the person involved must be informed.
Possible breaches include a hack or a technical failure, but also the loss of a flash drive or the theft of a laptop on which personal details are stored. Even the loss of a printed list containing personal details may qualify as a data leak. It covers every situation in which third parties who should not have access to personal details nonetheless obtain them. However, the duty to report only applies if the breach leads to (a considerable risk of) serious negative consequences for the protection of personal details.
Responsibility for the duty to report
All those who are responsible for processing personal details, both in companies and in the government, have this duty to report. If the processing of details has been contracted out to a third party, this party is merely the processor of the details and, as such, does not have the duty to report.
Report
A report to the supervisory authority must at least describe the nature of the breach, the consequences of the breach and the measures that have been/will be taken to limit the negative consequences of the breach.
The person involved must be informed in a proper and careful manner. In addition, the responsible party is obliged to keep a record of all breaches.
Authority to impose fines
As of 1 January 2016, the Data Protection Authority will be authorised to impose fines if the duty to report is not met. If the violation of the Dutch Personal Data Protection Act was not intentional or due to serious culpable negligence, the supervisory authority will initially issue a binding instruction. This will give the responsible party the opportunity to remedy the situation by taking appropriate security measures after all. A failure to comply with a binding instruction may be subject to a fine. If the Dutch Personal Data Protection Act is deliberately violated, a fine may be imposed immediately.
Objective
The objective of the duty to report is to limit the consequences a data leak has for the parties involved as much as possible, and to make a contribution to maintaining and restoring confidence in the processing of personal details.
Consequences for you as an entrepreneur
In order to realise the objective of the legislative change, it is important for entrepreneurs to ensure that their processing of personal details is in order. If a data leak occurs after all, it must be reported immediately. In practice, this means “as soon as possible”, which often leaves no time to draw up a contingency plan at that point. Therefore, drawing up an internal protocol beforehand that describes the course of action in the event of a data leak is advisable. In addition, it is wise to enter into a (new) agreement with the processors of personal details that, as of 1 January 2016, provides for a contractual duty to report to the responsible party.
Further information
For additional information please feel free to contact Leoni van Westen.