Data breach notification bill and the expansion of the powers of the Dutch DPA passed the Dutch Senate

26 May, 2015

Today, the Dutch Senate passed the Data breach notification bill and the expansion of the powers of the Dutch DPA. The bill will amend the Dutch Data Protection Act (in Dutch: Wet bescherming persoonsgegevens) on several points, which will be discussed below.

Data breach notification obligation
Firstly, organizations must inform the Dutch DPA if they suffer a security breach that has, or could have, an impact on the protection of personal data. This is called the ‘data breach notification obligation’. Sometimes, informing the Dutch DPA is not enough. If the breach will probably have a negative impact on the privacy of customers, these customers must also be informed about the breach.

Expansion of the power to impose fines by the Dutch DPA
The second element of the amended law is the expansion of the power to impose fines by the Dutch DPA. Currently, the DPA is allowed to impose fines with a maximum of €4500,-. Under the amended law the DPA can impose fines up to €810.000,-. Before the DPA imposes a fine, a ‘binding indication’ is given. This ‘binding indication’ allows organizations to manage their business in such a way that they become compliant with the relevant legislation. If businesses do not sufficiently change their behavior, the Dutch DPA is allowed to impose a fine.

Change of name
At the moment, the Dutch DPA is called ‘College Bescherming Persoonsgegevens’. This will be changed to ‘Autoriteit Persoonsgegevens’ (Personal Data Authority) in order to be more in line with the upcoming Data Protection Regulation and to tie in with the names of the other Dutch regulators, such as the Authority on Consumers and Markets.

Our expectation is that the change of law will enter into force on January 1st 2016.

Do you want to know more about the impact of this law on your organization? Do not hesitate to contact the privacy experts of Considerati.
