Privacy & Information Security Law Blog

On January 29, 2019, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”) published a report (in Dutch) on the personal data breach notifications received in 2018 (the “Report”). The EU General Data Protection Regulation (the “GDPR”) requires data controllers to notify a personal data breach to the competent Data Protection Authority (“DPA”) within 72 hours after becoming aware of it. In the Netherlands, this breach notification requirement has been in place since January 1, 2016. However, the GDPR imposed additional requirements, including: providing certain information in a breach notification; data controllers’ mandatory obligation to notify affected individuals if the breach is likely to result in a high risk to the rights and freedoms of those individuals; companies duty to document any personal data breaches.

Facts and Figures

In 2018, the number of data breach notifications the Dutch DPA received doubled, totaling 20,881 breach notifications. The most affected sectors are the health and wellbeing sectors (29% of the breaches notified), the financial sector (26% of the breaches notified), and the public sector (17% of the breaches notified). In 63% of the cases, the breach involved personal data sent to the wrong email address. The remaining 37% of the cases were related to the loss of personal data (such as in the case of a lost laptop or lost USB sticks), hacking, phishing or malware. The types of affected personal data are, in most cases, the data subjects’ name and contact details, gender, health data and national identification number.

In the Report, the Dutch DPA indicates that companies did not provide notifications for all personal data breaches that were notifiable. For example, certain companies had informed the individuals affected by a personal data breach, but did not notify the competent DPA of the breach. As a result, more personal data breaches should have been notified to the Dutch DPA in 2018 and the Dutch DPA indicated that it will specifically focus on this in 2019.

Dutch DPA Actions

The Dutch DPA took several measures in response to the breach notifications it received in 2018. The Report indicates that in many cases, the Dutch DPA (1) provided advice to companies (including about the security measures to be implemented); (2) requested additional information about the personal data breach being reported; (3) sent a letter to the company providing notification to explain the applicable requirements; and (4) initiated discussions with those companies.

Since May 25, 2018, the Dutch DPA took action against reporting companies in 298 cases of the personal data breaches reported. Some of these cases are still pending. In general, these actions led to a warning which put an end to the violation. In four cases, the Dutch DPA conducted an investigation in response to the notification.