This bill introduces a duty to notify the Dutch Data Protection Authority (College Bescherming Persoonsgegevens, the "CBP") and the relevant data subject(s) in the event of a breach of security measures for the protection of personal data. The duty will apply to businesses, governmental bodies and others, provided in all cases that they constitute a "data controller" within the meaning of the Personal Data Protection Act (Wet bescherming persoonsgegevens, the "PDPA"). The rule imposing the duty will be set out in a new provision of the PDPA (Article 34a).
The penalty for non-compliance with this duty will be a fine of up to EUR 450,000. A similar fine can be imposed for failure to co-operate in an investigation by the CBP into a breach/possible breach (of the above duty to notify) pursuant to article 5:20 of the General Administrative Law Act (Algemene wet bestuursrecht). This article lays down a general duty to co-operate and therefore such a fine can also be imposed in cases where the CBP is conducting an investigation other than in connection with article 34a of the PDPA.
To whom must a notification be made?
1. The CBP must immediately be notified of a breach of security measures which has serious adverse consequences for the protection of the processed personal data.
2. The data subject must immediately be notified of a breach as described above if the breach will probably have unfavourable consequences for his/her individual privacy.
What information must be given in the notification?
1. Both the CBP and the data subject(s) must in any event be notified of the following: i) the nature of the breach, ii) the parties from which more information about the breach can be obtained and iii) the recommended measures for limiting the negative consequences of the breach.
2. The notification to the CBP must, in addition, contain a description of i) the consequences of the breach for the processed personal data and ii) the measures that the data controller has taken or proposes to take in order to remedy those consequences.
This information will mostly be of a technical nature. In some cases, the information required to be notified may include technical details of a confidential nature. According to the explanatory memorandum, the relevant business can, if it so wishes, explicitly designate such data as "company-confidential" (bedrijfsvertrouwelijk) within the meaning of article 10(1)(c) of the Open Government Act (Wet openbaarheid van bestuur).
Manner of notification to data subject(s)
1. The notification to the data subject(s) must be made in a proper and careful manner, taking into account the nature of the breach, the consequences identified and the actual consequences of the breach for the processing of personal data, the circle of data subjects affected and the costs involved.
Exceptions to the notification requirement
1. Notification to the CBP and the data subject(s) is not required if appropriate technological protection measures have been taken to ensure that the personal data in question are unintelligible or inaccessible to parties that are not entitled to access those data. Whether this exception applies turns on whether the data were in fact unintelligible to whoever obtained them; encrypted data whose keys were exposed in the same breach would, for example, not qualify.
2. If no notification has been made to the data subject(s), the CBP may demand that the data subject(s) be notified if it is of the opinion that the breach is likely to have unfavourable consequences for the individual privacy of the data subject(s).
3. The notification requirement does not apply if the data controller is a provider of public electronic communications services and, in that capacity, has made a notification as referred to in article 11.3a(1) and (2) of the Telecommunications Act (Telecommunicatiewet). The latter provision sets out a specific notification requirement that applies to such providers in connection with the public electronic communications services they provide.
Currently such providers need to notify the Authority for Consumers and Markets. If the bill is adopted they will have to notify the CBP instead of the Authority for Consumers and Markets.
The described exception does not apply where the data controller is a different party from the provider of the public electronic communications services (for example, where the provider acts as a data processor within the meaning of the PDPA). In such a case, each of the two parties is subject to its own notification duty: the data controller under article 34a of the PDPA and the provider under article 11.3a of the Telecommunications Act. If the provider is itself the data controller, its notification duty is the one under article 11.3a of the Telecommunications Act.
4. Financial institutions within the meaning of the Financial Supervision Act (Wet op het financieel toezicht, the "FSA") will not be required to notify a breach to the relevant data subject(s), but will still have to notify it to the CBP.
Such institutions are subject to a notification duty under the FSA, as well as the Prudential Rules (Financial Supervision Act) Decree and the Financial Institutions Business Conduct Supervision Decree. According to the explanatory memorandum, in the financial sector it would be too risky (partly in view of the financial crisis) to make public notifications to data subjects mandatory. A financial institution's duty of care provides a sufficient guarantee that the institution will carry out its responsibility towards its clients by contacting them directly.
A financial institution will only be subject to a double notification requirement (to both the CBP and the Dutch Central Bank/Authority for the Financial Markets) if a data leak also constitutes an incident within the meaning of the FSA (and the Decrees mentioned above). Such an incident is conduct or an event that poses a serious threat to the sound conduct of the financial institution's business.
If your enterprise (as a data controller of personal data) engages one or more parties (data processors) to process such personal data on the instruction of, and on behalf of, the data controller, it is important that the notification duty is taken into account in the (data processor) agreement(s). The data processor must, at a minimum, be required to notify the data controller of any breach of security which has serious adverse consequences for the protection of the personal data processed by that data processor.
As the wording of the above rule could give rise to many questions, it is probably preferable to make the notification requirement in the agreement more comprehensive and to include additional safeguards. The CBP has set out a checklist in this regard in its guidelines on the protection of personal data (see our earlier newsletter on this subject).
Expected future developments
It has been announced that amendments to the bill will be submitted, consisting of rules aimed at strengthening the enforcement of the PDPA by broadening the powers of the CBP (e.g. to impose fines).
To be continued.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.