
Bill on the Notification of data breaches adopted by Dutch senate

28/05/2015

On 26 May 2015, the Dutch senate adopted the bill on the Notification of data breaches (pdf, 59 kB). The proposal will thus become law and is expected to enter into force on 1 January 2016. The Data Protection Act (Wet bescherming persoonsgegevens) ("Wbp") and Telecommunications Act (Telecommunicatiewet) ("Tw") will as a result be amended. The amendments will have major consequences for organisations that store personal data, for example client data. Below, the most important changes will be discussed.

Duty to notify data breaches

In response to various large incidents in which security systems were hacked and large amounts of personal data became public (for example the "Groene Hart hospital" affair), the bill on the Notification of data breaches has been introduced. A 'data breach' is any breach of the security of personal data. Such a data breach must, in principle, be notified. The obligation to notify applies regardless of whether the security measures in place were compliant or not. The main reason for introducing the obligation to notify is to limit the negative effects of any data breach and to maintain the public's trust in the processing of personal data in general.

Two variations of the obligation to notify will be introduced: a data breach has to be reported to the Data Protection Authority (College bescherming persoonsgegevens) ("CBP") when there is a chance that the data breach will have adverse effects on the protection of personal data. In addition, the persons whose data is involved must also be notified if the data breach will probably have unfavourable consequences for their privacy.

Data breach and data processing agreement

A very important consequence for businesses is that, commencing 1 January 2016, all data processing agreements have to comply with the obligation to notify data breaches. Each organisation that 'outsources' the processing of personal data must make sure it has arrangements with its service providers on how to deal with a data breach and how to deal with the legal obligation to notify such a breach.

Broadening of the CBP's power to impose penalties

The new law also significantly broadens the CBP's power to impose penalties. Currently, the privacy authority may only impose fines of up to € 4,500, whereas as of 1 January 2016 the maximum fine imposed by the CBP may amount to € 810,000 or 10% of the annual turnover of the legal entity. Additionally, as of 1 January 2016 the CBP will be entitled to enforce compliance with more sections of the Wbp than is currently the case, including the sections on security and on the obligation to notify. This makes the penalty all the more relevant.

Anticipating the General Data Protection Regulation

By introducing the new obligation to notify data breaches and broadening the CBP's power to impose penalties, the Netherlands acts in anticipation of the General Data Protection Regulation ("GDPR"), the new EU regulation that will in the near future replace all national data protection laws of the member states (including the Wbp). The GDPR will also contain an obligation to notify data breaches and will broaden the powers of data protection authorities, the exact scope of which still has to be determined. The GDPR is expected to be adopted in 2016.

Authors

Hendrik Struik
Jurre Reus