Articles

The Dutch Senate agrees to higher privacy sanctions and mandatory data breach notification

The Dutch Senate agrees to higher privacy sanctions and mandatory data breach notification

The Dutch Senate agrees to higher privacy sanctions and mandatory data breach notification

29.05.2015 NL law

Recently the Dutch Senate passed the Bill on data breach notifications and sanctions. This Bill introduces higher sanctions for non-compliance with the Dutch Data Protection Act. In addition, companies will be obliged to immediately notify the Dutch Data Protection Authority ("Dutch DPA") of any data breach. 

Depending on the exact circumstances, persons will also have to be notified in the event their data are compromised. Non-compliance with the privacy legislation can lead to an administrative penalty for each violation up to a maximum of EUR 810,000 or 10% of the company's annual net turnover.

1. Data breach notification and mandatory internal data breach register

We increasingly see reports in the media about privacy sensitive information becoming publicly available due to a hack or security breach. Following this new legislation, companies will be obliged to notify the Dutch DPA of any security breach of the protection of personal data "that has or is likely to have serious adverse consequences for the protection of personal data" (new Article 34a(1) Dutch Data Protection Act). In addition to notifying the Dutch DPA, the individuals whose personal data have been compromised must also be notified if "there is reason to believe that the breach could have adverse consequences for their privacy" (new Article 34a(2) Dutch Data Protection Act). The practical implementation of these provisions will be worked out in specific guidelines from the Dutch DPA. In any case companies will be obliged to maintain an internal data breach register of the aforesaid breaches.

2. Sanctions

The amendment of the Dutch Data Protection Act will enable the Dutch DPA to impose fines for the violation of a large number of general obligations (see the amended Article 66 of the Dutch Data Protection Act). These fines vary from a maximum of EUR 20,250, for relatively minor violations, to a maximum of EUR 810,000, for deliberate or repeated violations. For legal entities the amount of the fine is flexible: if the highest fine category is not sufficiently punitive, the violation can be sanctioned with a fine equivalent to 10% of the company's annual net turnover.

Fines may only be imposed on the company following a binding instruction from the Dutch DPA. By way of such an instruction the DPA can inform the company what steps it should take to avoid paying a fine. However, if the violation concerned was either intentional or a matter of serious culpable negligence, the DPA is not obliged to issue such an instruction and can impose a fine directly.

3. Entry into force expected shortly

The new legislation is expected to enter into force shortly.

Related news

22.07.2019 NL law
HagaZiekenhuis beboet voor datalek

Short Reads - Enkele maanden geleden vierden we de eerste verjaardag van de Algemene Verordening Gegevensbescherming (AVG) met een uitgebreide beschouwing  over de belangrijkste  ontwikkelingen uit  het eerste jaar van de verordening. We concludeerden daarin onder meer dat de door sommigen voorspelde hoge bestuurlijke boetes voor overtredingen van de AVG tot dan toe  - zowel in Nederland als in de andere EU-lidstaten - grotendeels waren uitgebleven.

Read more

08.08.2019 BE law
Regulating online platforms: piece of the puzzle

Articles - The new Regulation no. 2019/1150 of the European Parliament and of the Council of 20 June 2019 on promoting fairness and transparency for business users of online intermediation services, applicable as of 12 July 2020, is another piece of the puzzle regulating online platforms, this time focussing on the supply side of the platforms.

Read more

15.07.2019 EU law
ICO to impose record-breaking fines for inadequate security measures and data breaches

Short Reads - Though the European data protection authorities have taken their time in enforcing the GDPR, two announcements by the ICO in the UK regarding proposed fines for British Airways and Marriott demonstrate that large fines are about to start landing regularly. Both of the substantial fines are to be handed out as a result of shortcomings in handling data breaches caused by cyber-attacks.

Read more

23.07.2019 LU law
The Revised CSSF Cloud Circular

Articles - On 27 March 2019, the Luxembourg supervisory authority for the financial sector (the Commission de surveillance du secteur financier or CSSF) published the long-awaited CSSF Circular 19/714 amending the CSSF Circular 17/654 on IT outsourcing relying on a cloud computing infrastructure (the Revised Cloud Circular).

Read more

05.07.2019 EU law
The two sides of the ECS coin

Articles - The concept of ‘electronic communications service’ (“ECS”) defined in Article 2(c) of Directive 2002/21/EC (“Framework Directive”) has been interpreted in two decisions of the ECJ in June 2019: C‑142/18 Skype communications and C-193/18 Google LLC.

Read more

Our website uses functional cookies for the functioning of the website and analytic cookies that enable us to generate aggregated visitor data. We also use other cookies, such as third party tracking cookies - please indicate whether you agree to the use of these other cookies:

Privacy – en cookieverklaring