The Netherlands - Data Breach Guide

The Netherlands

1.1 In the event of a data breach affecting residents of your country, is there any legal obligation or requirement to notify either a) affected individuals; or b) a regulator such as a data protection authority (DPA)?

The General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") obliges controllers to notify affected individuals and the competent data protection authority in the event of a personal data breach which is likely to result in a risk or high risk to the rights and freedoms of natural persons (Articles 33 and 34 GDPR). In addition to the obligations pursuant to Articles 33 and 34 GDPR, sector specific legislation additionally governs notification obligations, such as telecommunications law for providers of publicly available telecommunications services. If the breach has a cross-border impact, the controller must notify the lead authority within the meaning of Article 56 GDPR.

1.2 Under what conditions must such notification(s) be given, including a) what types of data must be breached to trigger notification; and b) whether the entity must be a data controller or data processor in your country for such obligations to apply?

1.2.1 Obligations under the GDPR

(a) Obligations of controllers

Pursuant to Article 33 (1) GDPR, controllers have to notify every personal data breach to the competent data protection authority unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Article 4 (12) GDPR defines a "personal data breach" as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. The GDPR's notification obligations only apply where there is a breach concerning personal data, however irrespective of the affected type of personal data.

In addition, the controller has to notify affected data subjects when the breach is likely to result in a high risk to the rights and freedoms of natural persons, Article 34 (1) GDPR. A communication to the affected data subjects is not required if any of the following conditions that derive from Article 34 (3) GDPR are met:

1. The controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption.
2. The controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise.
3. It would involve disproportionate effect. In such a case, there should instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

When assessing the risks for the rights and freedoms of natural persons, the controller should consider, inter alia, (i) the type of breach, (ii) the nature, sensitivity, and volume of personal data affected, (iii) the ease of identification of individuals, (iv) the severity of consequences for individuals, (v) potential special characteristics of the individual or the controller, and (vi) the number of affected individuals.

A high risk for the affected individuals exists if the breach may lead to physical, material or non-material damage. For example, such high risk is given in cases of discrimination, identity theft or fraud, or if the breach involves special categories of data, such as e.g. health data.

It should further be considered that pursuant to Article 34 (4) GDPR, the authority may also demand that the controller notifies the affected individuals.

In addition to the notification obligations, controllers are obliged to document breaches pursuant to Article 33 (5) GDPR, including facts relating to the breach, its effects and the remedial action taken.

(b) Obligations of processors

Pursuant to Article 33 (2) GDPR, processors have to notify the controller without undue delay after becoming aware of a personal data breach. The notification obligation also applies irrespective of the affected type of personal data. In addition to its own notification obligation towards the controller, and considering the mandatory conclusion of a data processing agreement between controller and processor, the processor is obliged to assist the controller with its notification obligations towards authorities and affected individuals, according to Article 28 (3) lit. (f) GDPR.

1.2.2 Sector specific notification obligations

(a) Providers of publicly available telecommunications services

ePrivacy Directive

Pursuant to Directive 2002/58/EC ("ePrivacy Directive"), providers of publicly available electronic communications services are obliged to notify the competent national authorities of data breaches. In addition, providers also have to notify their subscribers or the affected individuals of a breach, if the breach is likely to adversely affect their personal data and / or privacy. The European Commission has adopted Commission Regulation (EU) No 611/2013 ("Regulation 611/2013") to harmonise the notification procedure both for notifications towards the competent authorities and the affected individuals.

Dutch Telecommunications Act

Article 3, 4 and 5 of the e-Privacy Directive have been implemented in the Dutch Telecommunications Act. Pursuant to Article 11.3 a (1) Dutch Telecommunications Act ("TA", in Dutch: Telecommunicatiewet), providers of publicly available communications services must notify the Dutch Data Protection Authority ("DDPA", in Dutch: Autoriteit Persoonsgegevens,) of any breach of security which affects the protection of personal data processed in connection with the provision of a publicly available electronic communications service in the European Union, without delay. If the breach is likely to adversely affect the privacy of a natural person, the provider must also notify the affected persons based on Article 11.3 a (2) TA. This notification shall, according to Article 11.3 a (5) TA, not be required if, in the opinion of the DDPA, the provider has taken appropriate technical protection measures so that the personal data in question are encrypted or otherwise incomprehensible to anyone who is not entitled to access them. If the provider of a publicly available communications service does not notify the affected persons, the DDPA can still decide that such notification is necessary, if it considers that the personal data breach is likely to adversely affect the privacy of the person whose personal data it concerns based on Article 11.3 (4) TA.

The TA defines a personal data breach as a breach of security resulting in the unintentional or unlawful destruction, loss or alteration of, or unauthorized access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service in the European Union, Article 11.1 (j) TA. This security must, as stated in Article 11.3 (1) TA, ensure an appropriate level of security commensurate with the risk involved, taking into account the state of the art and the cost of implementation.

The Commission Regulation (EU) No 611/2013 ("Regulation 611/2013") contains further details on the notification obligation.

(b) Trust service providers

Electronic identification and trust service providers ("TSPs") such as e.g. providers of electronic signatures, seals, time stamps and authentication certificates, are subject to notification obligations under (mostly) the Dutch TA. Moreover, also a few provisions in the Dutch Civil Code (in Dutch: Burgerlijk Wetboek) and the General Administrative Law Act (in Dutch: Algemene wet bestuursrecht) are relevant. These acts transpose Regulation (EU) no 910/2014 ("eIDAS Regulation") into Dutch law.

Reportable breach

Pursuant to Article 19 (2) eIDAS Regulation, a reportable breach is any breach of security or loss of integrity that has a significant impact on a trust service provided or on the personal data maintained therein.

The Minister of Economic Affairs is, in principle, the "supervisory body" for the purposes of the Regulation. However, the Minister has in turn delegated his powers to the Radiocommunications Agency Netherlands ("RA", in Dutch: Agentschap Telecom). A breach must therefore be reported to the RA.

Where the breach of security or loss of integrity is likely to adversely affect a natural or legal person for whom the trusted service has been performed, the TSP shall also notify the natural or legal person of the breach of security or loss of integrity without undue delay, Article 19 (2) eIDAS Regulation.

Competent authorities

As appears from the above, the RA is the most important competent authority. Where appropriate, also other authorities may have to be notified, such as the DDPA and the National Cyber Security Centre ("NCSC"). It should be pointed out, however, that unlike the RA and the DDPA, the NCSC is not a supervising entity. Instead, the NCSC is providing support and assistance in ensuring and restoring the availability and reliability of products and services that are vital to Dutch society, for example in response to a voluntary notification. Where necessary, the RA is prepared to forward notifications to other competent entities (DDPA and/or NCSC).

(c) Operators of essential services and providers of digital services

The Network and Information Systems Security Act ("NISSA", in Dutch: Wet beveiliging network- en informatiesystemen,), which implements the NIS Directive (EU) 2016/1148, in combination with the Network and Information Systems Security Decree ("NISSD", in Dutch: Besluit beveiliging network- en informatiesystemen) designates incident-report requirements for designated vital operators. They must implement appropriate and proportionate technical and organizational measures to manage the risks posed to the security of their network and information systems and the possible impacts of security incidents. They must also implement appropriate measures to prevent and mitigate the impact of such security incidents.

Competent and supervisory authority

Notification

Providers that can be considered vital operators within the meaning of Article 5 (1) (a) and Article 5 (1) (b) of the NISSA must notify the NCSC of:

• any incident with a significant impact on the continuity of the essential services;
• any security incident in their network and information systems which may have serious adverse effects on the continuity of their service.

They must also notify the competent authority of any incident with a significant impact on the continuity of the essential services and if an operator of an essential service uses a digital service provider, an incident at such digital service provider must be notified by such operator to the competent authority for the sector of such operator if the incident has a significant impact on the continuity of the service.

Digital service providers must notify the CSIRT for digital service providers (CSIRT-DSP) and the RA of any incident with a significant impact on the provision of the services it provides.

1.3 For such notification(s), is there any required or suggested a) content of the notice; b) time period in which notice must be given; or c) method of giving notice, such as regular mail, email, web-posting or publication?

1.3.1 Notification under the GDPR

(a) Content of the notice

Pursuant to Article 33 (3) GDPR, the notification to the data protection authority (in The Netherlands this is the DDPA) shall include the following information:

• A description of the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
• The name and contact details of the data protection officer or other contact point where more information ca be obtained;
• The likely consequences of the personal data breach;
• The measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible effects.

The notification to data subjects shall include the following information in clear and plain language according to Article 34 (2) GDPR:

• The name and contact details of the data protection officer or other contact point where more information can be obtained;
• The likely consequences of the personal data breach;
• The measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible effects.

(b) Time period for the notice

Article 33 (1) GDPR stipulates that the controller must notify the data protection authority without undue delay, not later than 72 hours after having become aware of the data breach. Where the notification to the authority is not made within 72 hours, it shall be accompanied by the reasons for the delay. The controller may also, if it is not possible to provide the information at the same time, provide the information in phases without undue further delay, Article 33 (4) GDPR. In addition, the controller must communicate the data breach to the data subjects without undue delay, Article 34 (1) GDPR.

The processor shall notify the controller of a data breach without undue delay, Article 33 (2) GDPR.

(c) Method of giving notice

There are no mandatory requirements for the method of notifying the data protection authority and the controller can thus notify the authority by email. However, the DDPA provides an online form for data breach notifications (link here).

For the notification of the affected individuals, the controller must notify them in clear and plain language. As regards the communication channel, the controller may for example use means of (i) direct messaging (e.g. email or SMS), (ii) prominent website banners, (iii) postal communications or (iv) prominent advertisements in print media.

1.3.2 Notifications under Telecommunications Act, eIDAS and NISSA

(a) Notification under Telecommunications Act

(i) Content of the notice

Pursuant to Article 11.3 a (3) TA, the notification to the affected individuals must at least contain the following details:

• the nature of the personal data breach;
• the entities from which more information about the breach can be obtained;
• the recommended measures to mitigate the negative effects of the breach.
• the consequences of the personal data breach;
• the measures proposed or taken by the provider to address the breach.

In addition, pursuant to Article 11.3 a (6) TA, providers must keep records of breaches of personal data.

Regulation 611/2013 contains further details on the notification obligation.

(ii) Time period for the notice

Pursuant to Article 11.3 a (1) and (2) TA, both the DDPA and the affected individuals must be notified without undue delay.

Based on Article 2 (2) of Regulation 611/2013 the provider shall notify the personal data breach to the competent national authority no later than 24 hours after the detection of the personal data breach, where feasible. In accordance with Article 2 (3) of Regulation 611/2013 it may be permissible for the provider to make a first notification within 24 hours and a second notification within three days following the initial notification, if not all information are immediately available and further investigation of the breach is necessary.

The notification to the subscribers or affected individuals shall be made without undue delay after the detection of the personal data breach, Article 3 (2) of Regulation 611/2013. Pursuant to Article 3 (5) of Regulation 611/2013, in exceptional circumstances, where the notification to the subscriber or individual may put at risk the proper investigation of the personal data breach, the provider shall be permitted, after having obtained the agreement of the competent national authority, to delay the notification to the subscriber or individual until such time as the competent national authority deems it possible to notify the personal data breach in accordance with Article 3 of Regulation 611/2013.

(iii) Method of giving notice

In principle, breaches are notified via the self-explanatory web form process available here (only available in Dutch). However, there may be exceptional circumstances where the use of the web form is impractical or even impossible (for example where one needs to submit a comprehensive letter or in case one faces technical errors with the web form). Therefore, it is common practice in the Netherlands for the authority to also accepts notifications made via its regular contact details, available here.

Pursuant to Article 3 (6) of Regulation 611/2013, the provider shall notify the subscriber or individual of the personal data breach by means of communication that ensure prompt receipt of information and that are appropriately secured according to the state of the art. The information about the breach shall be dedicated to the breach and not associated with information about another topic. If the provider is unable to identify all individuals who are likely to be adversely affected by the personal data breach, the provider may notify those individuals through advertisements in major national or regional media.

(b) Notification under eIDAS

(i) Content of the notice

The RA has not provided any clarification as to what information needs to be included in the incident report. However, depending on the circumstances of the breach, the notification could include (at least) the following information:

• a description of the incident;
• total duration of the security incident; and
• the impact of the incident, for example what percentage of subscribers were / are affected.

(ii) Time period for the notice

Pursuant to Article 19 (2) eIDAS Regulation, the notification must be submitted without undue delay but in any event within 24 hours.

(iii) Method of giving notice

There is no specific eIDAS breach notification form. The RA as the competent authority can be contacted by email (tsp@agentschaptelecom.nl) and phone (+ 31 90 0770 0027).

(c) Notification under NISSA

(i) Content of the notice

For notifying the NCSC and the RA in accordance with the NISSA and NISSD:

• We refer to the notification form provided by the NCSC (link here);
• We refer to the notification form provided by the RA (link here);
• The DNB has not given any information on the notification obligation under NISSA;
• The Human Environment and Transport Inspectorate has not given any information on the notification obligation under NISSA;
• The Health Care and Youth Inspectorate has not given any information on the notification obligation under NISSA.

Furthermore, according to Article 11 NISSA, the notification to the supervisory authority shall in any case include:

(aa) the nature and extent of the incident;

(bb) the probable time of commencement of the incident;

(cc) the possible consequences of the incident in and outside the Netherlands;

(dd) a prognosis of the recovery time;

(ee) if possible, the measures taken or to be taken by the Provider to limit the consequences of the incident or to prevent its recurrence;

(ff) the contact details of the officer responsible for making the report.

(ii) Time period for the notice

Article 10 NISSA stipulates that the vital operator must report to the authority without delay.

(iii) Method of giving notice

There is no specific method of giving notice. We refer to the notification forms of the authorities (under (i)), where available.

1.4 What are the penalties, fines or risks in failing to notify, either by the DDPA or in litigation?

1.4.1 Fines and risks under the GDPR

The data protection authorities may levy administrative fines of up to EUR 10,000,000, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83 (4) lit. a) GDPR). According to Article 58 (2) GDPR, the authorities may additionally impose other sanctions such as for example a ban of processing. Both controller and processor may be fined in the event that they violate their notification obligations.

In addition, affected data subjects may claim compensation for material or non-material damages because of the data breach, in accordance with Article 82 (1) GDPR.

1.4.2 Fines and risks under sector specific law

(a) Fines under the TA and eIDAS

Based on Article 15.1 (2) TA the DDPA may impose an administrative fine of no more than EUR 900,000 in the event of a violation of statutory regulation as mentioned in Article 15.4 (4) TA, including a violation of Article 11.3 a TA (personal data breach notification requirement for providers of public electronic communications services) and Article 19 (2) eIDAS (notification requirement for security breaches or losses of integrity for trusted service providers).

(b) Fines under NISSA

The competent authority is authorized to impose a fine, when one or more provisions of the NISSA are violated, Article 29 (1) NISSA. The fine shall, according to Article 29 (2) sub b NISSA, not exceed a maximum of EUR 5 million, or, according to Article 29 (2) sub a NISSA, in case the violation consists of not providing the requested information in accordance with Article 12 NISSA, a maximum of EUR 1 million.

1.5 Even if there is no current legal obligation to do so, or if there is no "data controller" or "data processor" located in your country, is notification to individuals recommended in the event of a data breach affecting residents in your country (such as in credit card data breaches)?

Whether notification of the data subjects is appropriate will have to be assessed on a case-by-case basis. In order to reduce exposure, it is advisable to consult external advisers and/ or the competent regulatory authority (DDPA or sector-specific authority) in such cases prior to notification.

1.6 What are the applicable (data protection) laws or guidelines within your country?

• General Data Protection Regulation (Regulation (EU) 2016/679, GDPR)
• Dutch Telecommunications Act (in Dutch: Wet van 19 oktober 1998, houdende regels inzake de telecommunicatie)
• Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications, ePrivacy Directive)
• Dutch Civil Code (in Dutch: Burgerlijk Wetboek)
• General Administrative Law Act, (in Dutch: Wet van 4 juni 1992, houdende algemene regels van bestuursrecht (Algemene wet bestuursrecht))
• Dutch Financial Supervision Act, (in Dutch: Wet van 28 september 2006, houdende regels met betrekking tot de financiële markten en het toezicht daarop (Wet op het financieel toezicht))
• Commission Regulation (EU) No 611/2013 of 24 June 2013 on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications (Regulation 611/2013)
• Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (eIDAS Regulation)
• NISSA (Network and Information Systems Security Act): (in Dutch: Wet van 17 oktober 2018, houdende regels ter implementatie van richtlijn (EU) 2016/1148 (Wet beveiliging netwerk- en informatiesystemen)

1.7 Contact information for the local Data Protection Authority:

1.7.1 Data Protection Authority

The competent data protection authority is the Autoriteit persoonsgegevens:

1.7.2 The competent information telecommunication authority is the Radiocommunications Agency Netherlands (Agentschap Telecom):

1.7.3 The competent authorities in the financial sector are The Dutch Central Bank (De Nederlandsche Bank) and the Authority for Consumers & Markets (Autoriteit Consument & Markt):

1.7.4 The competent center for cyber security is the National Cyber Security Center (Nationaal Cyber Security Centrum):

For more information, contact: