Report personal data breach to Vattenfall

Would you like to report a personal data breach? We really appreciate your help in this. Read all about personal data breaches and the Dutch requirements below.

Data breach notification as of 1-1-2016

A new Dutch privacy law imposes a general obligation for data controllers to notify the Dutch Data Protection Authority ("DPA") of data security breaches and provides increased sanctions for violations of the Dutch Data Protection Act. The data breach notification will be enforced as of 1 January 2016.

Data breach notification

This law provides that the data controller must make sure that any data processor it engages also complies with the controller's obligation to notify a breach of security measures. Vattenfall therefore requires its data processors to report any data breach concerning personal data processed on Vattenfall's behalf within 24 hours of detection, via the online form below.

Data breach notification

Should you have any questions regarding the data breach notification form, please send an e-mail to data.protection.netherlands@vattenfall.com.

Requirements

Under this new Dutch law, data controllers are required to immediately notify the Dutch DPA of any data security breach that has, or is likely to have, serious adverse consequences for the protection of personal data.

In addition to notifying the DPA, data controllers will be required to notify affected individuals if there is a reason to believe that the breach could lead to adverse consequences for them, unless the compromised data is encrypted or otherwise unintelligible to third parties.

Frequently asked questions about data breach

1. Why has my company received a letter about the statutory duty to report data leaks?

Following an amendment of the Personal Data Protection Act (Wbp), the reporting of data leaks will be mandatory as of 1 January 2016. Under this statutory duty to report, companies that process personal data must report data leaks to the Data Protection Authority. More information on the policy guidelines and the statutory duty to report is available on the DPA's website.

Vattenfall and your company have concluded an agreement regarding the processing of personal data. This agreement requires your company to notify Vattenfall immediately in the event of a security breach or data leak. In such an event, you are also required to assist with notifying the customers or individuals concerned in an appropriate manner.

2. What is a data leak?

A data leak is a breach of security involving personal data. If a data leak occurs, personal data is exposed to loss or unlawful processing, i.e. to the very situations the technical and organisational security measures are designed to protect against. Unlawful processing encompasses corruption or damage of personal data, unauthorised access, alteration or disclosure.

3. When does a data leak need to be reported?

In the event of a data leak, personal data held by a company is accidentally or unlawfully accessed, destroyed, modified or disclosed. In short, unless your company can rule out that a breach of security has resulted in the unlawful processing of personal data which you are processing on Vattenfall's behalf, the data leak must be reported to Vattenfall.

Examples of breaches of security which must be reported to Vattenfall include:
i) the loss of unprotected (e.g. unencrypted) USB sticks, DVDs or CDs containing personal data,
ii) hackers breaking into a database,
iii) an e-mail sent in such a way that the addresses of all recipients are visible to all other recipients,
iv) data that has been lost with no back-up available, and
v) a malware infection.

4. Is it correct that a processor/my company must report a data leak to Vattenfall earlier than Vattenfall has to report this to the DPA?

Yes, that is correct. The statutory duty to report data leaks applies to the party responsible for the processing of personal data (in this case Vattenfall).

It is therefore Vattenfall's responsibility to decide whether a breach of security has occurred that has led, or carries a significant risk of leading, to serious harmful consequences for the protection of personal data. Whether or not a data leak must be reported to the DPA (the regulator) and whether or not the individuals concerned must be informed is a decision to be taken by Vattenfall on the basis of the information supplied by your company and Vattenfall's assessment of it.

5. Does my company also have to forward this information to sub-processors?

If your company contracts third parties (sub-processors) to process personal data on behalf of Vattenfall, the content of this letter is pertinent to these parties as well. Vattenfall and your company have agreed that the obligations arising from the processor agreement also apply to any third parties contracted by your company.

The obligations regarding the statutory duty to report data leaks therefore also apply to these third parties. You must ensure that you conclude effective (written) agreements with any third parties, so that you are adequately informed in good time of any breaches of security or data leaks.

6. Are there penalties for not reporting a data leak or for not reporting a data leak by the deadline or in sufficient detail?

In the event of failure to comply with the statutory duty to report data leaks as specified in the Personal Data Protection Act (Wbp), the DPA may impose an administrative fine of a maximum of EUR 820,000 or 10% of a company's annual turnover.

The agreement between Vattenfall and your company contains a provision which permits Vattenfall to impose a fine if your company fails to comply with the statutory duty to report. In addition, Vattenfall is entitled to compensation for any loss incurred or that will be incurred as a result. If detailed information regarding a breach of security is supplied in good time, Vattenfall and your company can avoid or minimise any such fines and/or losses.