The Dutch reform entered into force on the 1st of January 2016 and contains an obligation to notify data breaches within a maximum of 72 hours of the occurrence of the breach [i]. The obligation previously applied only to data controllers in certain sectors [ii]; the new law extends it to all data controllers [iii]. Besides extending the scope of the obligation, the reform also provides for higher penalties in case of non-compliance: if an undertaking fails to notify, the fine can reach up to 820 000€ [iv].
Non-Dutch undertakings are bound by this obligation if: (a) the undertaking in which the breach occurred is not established in one of the member states of the EU and it uses automated or non-automated means located in the Netherlands, except when those means are used exclusively for the transit of data [v]; and (b) the non-EU state in which it is established has in place a sufficient level of data protection [vi].
Hadewich van Alst
[i] This is a broad concept, as it includes all security breaches with serious adverse consequences for the individuals affected by the breach; art. 34a(1) of the Dutch Data Protection Act (Wet bescherming persoonsgegevens).
[ii] Mainly financial sector or telecommunication sector.
[iii] Art. 2(1) of the Dutch Data Protection Act (Wet bescherming persoonsgegevens).
[iv] Art. 66 of the Dutch Data Protection Act (Wet bescherming persoonsgegevens).
[v] Art. 4 of the Dutch Data Protection Act (Wet bescherming persoonsgegevens).
[vi] Art. 76(1) of the Dutch Data Protection Act (Wet bescherming persoonsgegevens).