In order to be able to demonstrate to the relevant DPA when and how they became aware of a personal data breach, it is recommended that all organisations, as part of their internal procedures on personal data breaches, have a system in place for recording how and when they become aware of personal data breaches and how they assessed the potential risk posed by the breach. Where it is not possible to provide all of the relevant information to the DPA within the 72-hour period, the notification should be made in several steps. The initial notification should be lodged and further information may be provided in phases. Under Art. 33(2) GDPR, if your SME is a data processor, processing personal data on behalf of another organisation, you must notify the data controller of any personal data breach without undue delay. This is of key importance in enabling the data controller to comply with their notification obligations in due time. The requirements on breach reporting should also be detailed in the contract between the data controller and processor, as required under Art. 28 GDPR.

Notifying 'data breaches' that involve personal data has been a legal obligation in the Netherlands since 2016. This obligation was introduced for the entire EU when the General Data Protection Regulation (GDPR) came into force. Still, the exact rules are not always entirely clear to everyone. The Dutch Data Protection Authority (Dutch DPA) recently indicated that it receives many questions (in Dutch) about data breaches. In this News Update, we look at some of the legal obligations for organisations.

The GDPR uses the more specific term 'personal data breach', which is defined as follows:

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

The GDPR does not apply if no personal data is processed. There are also other reasons why the GDPR might not apply, for example due to exempt activities. For argument's sake, we will assume the GDPR does apply and will use 'data breach' to refer to personal data breaches. A few examples of data breaches are misdirected emails with personal data, hacker attacks on databases and the theft of documents from an orderly filing cabinet.

The moment that an organisation discovers a data breach is key. As from that moment, the organisation may be required to notify the incident. Importantly, the organisation should determine in what capacity it processes the personal data affected. If it is a controller, the organisation may be legally required to notify the breach (see following paragraph). If it is a processor (i.e. working for a different party), the organisation is not required to notify any supervisory authority or data subjects of the data breach. Processors are, however, obliged to inform the controller of all data breaches to enable them to comply with their legal obligations. In addition, a data processing agreement must provide how the processor is to assist the controller in this, where possible.

Notifying data breaches to the supervisory authority

Controllers are legally required to notify all data breaches to the supervisory authority without undue delay and, where feasible, within 72 hours of their discovery. The supervisory authority for the Netherlands is the Dutch DPA, which has set up the Data Breach Notification Desk (in Dutch) for this purpose. A data breach does not need to be notified if it is unlikely to result in a risk to the rights and freedoms of natural persons. Whether or not this is the case will depend on the actual situation. There may be all sorts of circumstances that reduce or even altogether eliminate the risk, even if there is in fact a data breach according to the letter of the law. The Dutch DPA does not publish the notifications.