Duty to report data breaches

The Personal Data Protection Act was amended on 1 January 2016. On that date, a notification obligation for data leaks was added. A manual on this notification obligation with a step-by-step plan and FAQ section was created.

High fines for non-compliance with the notification obligation

The notification obligation requires that in some cases a breach of security measures involving personal data must be reported to the Dutch Data Protection Authority (formerly the Dutch DPA) and the data subject(s). Fines can run up to EUR 820,000.

Step-by-step plan and FAQ section

SURFnet has outsourced this work package to Project Moore solicitors. They have drawn up a concise manual specifically for higher education institutions with a step-by-step plan. This step-by-step plan allows institutions to take measures to prevent data leaks and to act appropriately in case of a data leak. The manual also contains a FAQ section. The manual was completed in June 2014 and was updated in June 2018.

Deliverables and planning

More information