Dutch Law Includes General Data Breach Notification Obligation and Larger Fines for Violations of the Data Protection Act

On January 1, 2016, a Dutch law became effective that (1) includes a general obligation for data controllers to notify the Data Protection Authority (“DPA”) of data security breaches, and (2) authorizes the DPA to impose direct fines for violations of the Data Protection Act.

Under the law, data controllers are required to immediately notify the DPA of any data security breaches that have, or are likely to have, serious adverse consequences to the protection of personal data. In addition, data controllers are required to notify affected individuals if there is reason to believe the breach could lead to adverse consequences to those individuals, unless the compromised data is encrypted or otherwise unintelligible to third parties. On December 9, 2015, the DPA published practical guidance to help organizations identify cases when data security breaches must be reported to the DPA and data subjects.

The new Dutch law also empowers the DPA to impose fines of up to €820,000 for violations of the Data Protection Act, including failure to report data security breaches. Last October, the DPA published draft guidance that defines the different violations, the categories of sanctions and the level of fines.

Read the Dutch DPA’s press release.
