On 21 June 2013, the Dutch State Secretary for Security and Justice, Fred Teeven, introduced a bill proposing mandatory data breach notification (the Bill) to the House of Representatives. The Bill proposes mandatory data breach notification for all public and private organisations processing personal data, and a maximum fine of €450,000 for failing to comply with the requirement.
The Bill follows the Dutch Government's consultation on an earlier draft Bill amending the Dutch Data Protection Act in February 2012, as DataGuidance previously reported.
"Currently, we do not have a general breach notification duty", Berend van der Eijk, Lawyer at Bird & Bird, told DataGuidance. "It is very likely that this proposal will be passed. The earliest date of [the Bill] entering into force would likely be 1 July 2014, or more realistically, 1 January 2015. Businesses should start to create awareness of the upcoming legislation, and subsequently have policies in place to capture and process all internal incidents properly and swiftly. This can take some time and effort, but is well worth investing in".
All organisations processing personal data will be obliged to notify the Dutch Data Protection Authority (CBP) and the data subject of any data breach resulting in theft, loss or misuse, including electronic communications service providers who are obliged to report data breaches to the Dutch Telecommunications Regulator (OPTA) under the Telecommunications Act.
© 2013 Cecile Park Publishing Ltd. All rights reserved
Van der Eijk said: "The hardest thing is to create awareness in the organisation. We usually advise [clients] to notify 'pro forma' and fill in the details later but as soon as possible. In practice, I hope CBP can cope with all the expected notifications, especially since there is a big impulse to just notify any data breach. It must further be emphasised that the fine is only for not notifying properly, and not for non-compliance with the general data protection obligations".