On January 29, 2019, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”) published a report (in Dutch) on the personal data breach notifications received in 2018 (the “Report”). The EU General Data Protection Regulation (the “GDPR”) requires data controllers to notify a personal data breach to the competent Data Protection Authority (“DPA”) within 72 hours after becoming aware of it. In the Netherlands, this breach notification requirement has been in place since January 1, 2016. However, the GDPR imposed additional requirements, including: providing certain information in a breach notification; data controllers’ mandatory obligation to notify affected individuals if the breach is likely to result in a high risk to the rights and freedoms of those individuals; companies duty to document any personal data breaches.
Facts and Figures
In 2018, the number of data breach notifications the Dutch DPA received doubled, totaling 20,881 breach notifications. The most affected sectors are the health and wellbeing sectors (29% of the breaches notified), the financial sector (26% of the breaches notified), and the public sector (17% of the breaches notified). In 63% of the cases, the breach involved personal data sent to the wrong email address. The remaining 37% of the cases were related to the loss of personal data (such as in the case of a lost laptop or lost USB sticks), hacking, phishing or malware. The types of affected personal data are, in most cases, the data subjects’ name and contact details, gender, health data and national identification number.
Read more on Privacy & Information Security Law Blog.