Data breach and security

The Dutch Data Breach (Reporting Obligation) Act (Wet meldplicht datalekken) entered into force on 1 January 2016. This act requires organizations to notify a data breach ‘without delay’ to the Dutch Data Protection Authority and in some circumstances, to the victims as well.


The Dutch Personal Data Protection Act (‘Wet bescherming persoonsgegevens’ or ‘Wbp’) requires organizations to take appropriate technical and organizational measures to protect personal data against loss or against any unlawful form of processing. The measures are also intended to prevent the unnecessary collection and further processing of personal data.

A data breach is deemed to exist if there is any breach of security that results in a substantial probability of serious adverse consequences for the protection of personal data.

Serious business

The failure to notify a data breach or to do so in a timely fashion is subject to stiff penalties. The maximum penalty may be as much as EUR 820,000 or even, in extreme cases, 10% of annual turnover.

In addition, the notification of a data breach may raise concern among your customers, suppliers and employees.

Be prepared

To act in a considered manner and expeditiously is necessary whenever a data breach occurs. A protocol is essential in this respect. But it should fit in with your organization.

As specialists, we will be able to offer you a tailor-made protocol and to advise you on any further measures to be taken in order to be well-prepared.