On the heels of the enactment of the Dutch breach notice law, the Dutch Data Protection Authority (CBP) published a consultation document with draft guidelines on the breach notice obligation of data controllers in the Netherlands. Under the law, data controllers are required to provide notice of data breaches to the CBP and, under certain circumstances, to the affected individuals. This obligation will take effect on January 1, 2016. The guidelines define a data breach as a security incident that has, or poses a significant risk of having, serious adverse consequences for the protection of personal data.
In its guidelines, the CBP addresses a variety of general questions relating to the notification requirement. It also sets out which information will need to be included in the notification form to be submitted to the CBP when notifying the agency of a data breach. The draft guidelines aim to offer guidance in answering questions such as:
- Does the breach notification requirement apply to my organization?
- What measures should my organization take if a data processor processes personal data for my organization?
- What constitutes a data breach?
- Is my organization required to notify the CBP and/or affected individuals of data breaches?
- How should data breach notice be provided?
- What records must be retained to document a data breach?
The draft guidelines currently do not contain an example of the notification form that will need to be used when notifying the CBP, but they do list the following information that will need to be included in the notification (besides general information on and contact details of the notifying party):
- The nature and legal basis of the notification;
- Information about the data breach (i.e., a summary of the security incident, description of the affected individual(s), the time and place of the breach, the type of personal data involved and the expected consequences of the breach);
- A description of technical and organizational measures which have been taken to prevent further data breaches;
- Whether the affected personal data is encrypted, hashed or made inaccessible by other means; and
- Whether individuals in other EU Member States have been affected by the breach.
The CBP has invited interested parties to submit comments on the draft guidelines no later than October 19, 2015. The final version of the guidelines will become effective on January 1, 2016.