A new Dutch privacy law imposes a general obligation for data controllers to notify the Dutch Data Protection Authority ("DPA") of data security breaches and provides increased sanctions for violations of the Dutch Data Protection Act. The data breach notification will be enforced as of 1 January 2016.
This law provides that the data controller must ensure that any data processor it hires also complies with the controller's obligation to notify a breach of security measures. Vattenfall therefore obligates its data processors to report any data breach within 24 hours of detection via the online form below.
Should you have any questions regarding the data breach notification form, please send an e-mail to firstname.lastname@example.org.
Under this new Dutch law, data controllers will be required to immediately notify the Dutch DPA of any data security breach that has, or is likely to have, serious adverse consequences for the protection of personal data.
In addition to notifying the DPA, data controllers will be required to notify affected individuals if there is a reason to believe that the breach could lead to adverse consequences for them, unless the compromised data is encrypted or otherwise unintelligible to third parties.
Following an amendment of the Personal Data Protection Act (Wbp), the reporting of data leaks will be mandatory as of 1 January 2016. Under this statutory duty to report, companies that process personal data must report data leaks to the Data Protection Authority. More information on the policy guidelines and the statutory duty to report is available on the DPA's website.
Vattenfall and your company have concluded an agreement regarding the processing of personal data. This agreement requires your company to notify Vattenfall immediately in the event of a security breach or data leak. In such an event, you are also required to assist with notifying the customers or individuals concerned in an appropriate manner.
A data leak is a breach of security involving personal data. If a data leak occurs, personal data is exposed to loss or unlawful processing, i.e. to exactly the situations that the technical and organisational security measures are designed to prevent. Unlawful processing includes damage to personal data and unauthorised access to, alteration of or disclosure of personal data.
In the event of a data leak, personal data within a company is unintentionally accessed, destroyed, modified or released. In short, if your company cannot rule out that a breach of security has resulted in the unlawful processing of personal data which you process on Vattenfall's behalf, the data leak must be reported to Vattenfall.
Examples of breaches of security which must be reported to Vattenfall include:
i) the loss of unprotected USB sticks, DVDs or CDs containing personal data;
ii) hackers breaking into a database;
iii) an e-mail sent in such a way that the addresses of all recipients are visible to all other recipients;
iv) the loss of data for which no back-up is available; and
v) a malware infection.
Yes, that is correct. The statutory duty to report data leaks applies to the party responsible for the processing of personal data (in this case Vattenfall).
It is therefore Vattenfall's prerogative to decide whether a breach of security has occurred that carries a significant risk of serious adverse consequences, or has actually led to serious adverse consequences, for the protection of personal data. Whether or not a data leak must be reported to the DPA (the regulator), and whether or not the individuals concerned must be informed, is a decision to be taken by Vattenfall on the basis of the information supplied by your company and Vattenfall's assessment of it.
If your company contracts third parties (sub-processors) to process personal data on behalf of Vattenfall, the content of this letter is pertinent to these parties as well. Vattenfall and your company have agreed that the obligations arising from the processor agreement also apply to any third parties contracted by your company.
The obligations regarding the statutory duty to report data leaks therefore also apply to these third parties. You must conclude effective (written) agreements with any such third parties so that you are adequately informed, in good time, of any breach of security or data leak on their side.
In the event of failure to comply with the statutory duty to report data leaks as specified in the Personal Data Protection Act (Wbp), the DPA may impose an administrative fine of a maximum of EUR 820,000 or 10% of a company's annual turnover.
The agreement between Vattenfall and your company contains a provision which permits Vattenfall to impose a fine if your company fails to comply with the statutory duty to report. In addition, Vattenfall is entitled to compensation for any loss incurred or that will be incurred as a result. If detailed information regarding a breach of security is supplied in good time, Vattenfall and your company can avoid or minimise any such fines and/or losses.