On 1 January 2016, the Dutch Law on Data Breach Notifications ("Data Breach Notification Law"), being part of the Dutch Data Protection Act, entered into force. The Data Breach Notification Law applies to all data processing to which the Dutch Data Protection Act ("DPA") applies.
The Data Breach Notification Law imposes a general obligation of the data controller:
- to notify the Dutch Data Protection Authority ("Authority") in the event that the data breach will have 'serious adverse consequences' for the protection of personal data; and
- to notify affected data subjects when it is likely that the data breach will have negative consequences for the private lives of the data subjects.
Failure to comply with the Data Breach Notification Law may lead to administrative fines up to EUR 820.000,--. The Data Breach Notification Law also increases the competence of the Authority to impose administrative fines for non-compliance with other obligations of the DPA (art. 66).
Summary of policy rules
Recently, the Authority has published Policy Rules on the interpretation of the Data Breach Notification Law ("Policy Rules"). Because the Policy Rules are not available in English (yet), please find below a brief summary of the Policy Rules.
1. Does the Data Breach Notification Law apply to my company?
- The Data Breach Notification Law applies to the processing of personal data only. Cryptographic processing such as encryption or hashing may produce a pseudonym, but it does not produce anonymity, so such processing still falls under the scope of the DPA.
- Directed towards the Controller: The Data Breach Notification Law is directed towards the data controller, i.e. the party determining the purpose and means of the processing of personal data ('Controller').
- The Data Breach Notification Law applies to data processing that falls under the scope of the DPA.
  - First of all, the DPA applies to data processing carried out "in the context of the activities of an establishment of the Controller in the Netherlands".
  - Second, the DPA applies to data processing where the Controller is not established in EU/EEA territory but where the processing is in some way connected with the Netherlands by making "use of equipment, situated in the Netherlands unless such equipment is used only for purposes of transit". For more detailed information on applicable law, reference is made to the Opinion of the Article 29 Working Party.
- Data processing for domestic, journalistic, literary or artistic expression purposes does not fall under the scope of the DPA.
2. What measures should be taken when a data Processor is involved?
The Controller might engage data processors ('Processor(s)') processing personal data on behalf of the Controller. In principle the Data Breach Notification Law applies to the Controller of the data processing (it is irrelevant where the Processor is located). The Processor has a duty of care to notify its Controller when a data leak is discovered. The processing agreement to be concluded between the Controller and the Processor should contain an obligation for the Processor to timely and adequately inform the Controller of a data breach. In principle the Controller is subsequently responsible to notify the Authority of the data breach, but parties may agree that the Processor shall notify the Authority itself. In all cases the Controller remains the responsible party for the notification.
3. When does an incident qualify as a 'data breach'?
The question whether an incident is considered a data breach depends on the following questions:
i. Has there been a breach in the security system?
According to the DPA, the Controller has the obligation to implement appropriate technical and organizational measures to protect personal data against loss or any other form of unauthorized use. A breach in the security system implies that a security incident has taken place. Not all incidents are automatically considered a 'data breach'. This is only the case when it is likely that the breach will have consequences for the personal data that the Controller processes or when the Controller cannot rule out that personal data has been used unlawfully. As long as personal data is compromised, it is not relevant whether the measures taken by the Controller were appropriate to secure the personal data against the breach.
Examples of incidents likely considered data breaches are:
ii. Did personal data get lost in the incident?
When the loss of personal data is involved, the incident is considered a data breach. The loss of personal data means that the data are no longer in the possession of the Controller. It is also considered a data breach when personal data was lost as a result of an incident and the Controller does not have a recent backup of these data. However, when it is possible to recover the data from a (recent) backup, the incident does not automatically qualify as a data breach (depending on the answer to question iii).
iii. Can it be reasonably excluded that personal data has been processed in an unlawful manner?
Unlawful use of personal data includes loss, alteration, unauthorized disclosure of, or access to personal data. If the Controller cannot rule out that unlawful processing of personal data has taken place, then the incident is considered a data breach.
4. Do I have to notify the Authority of the data breach?
The Data Breach Notification Law determines that the data Controller has to notify the Authority when (there is a significant risk that) the data breach will have 'serious adverse consequences' for the protection of personal data (art. 34a sub 1 DPA).
According to the Policy Rules, this is the case when the data breach involves personal data with a sensitive nature. The following categories of personal data are qualified as sensitive personal data:
- data concerning the data subject's religious or philosophical beliefs, ethnic origin, political opinions, health, sexual life and trade-union membership (art. 16 DPA);
- data regarding the financial or economic situation of the data subject;
- data which may lead to stigmatization or exclusion of the data subject;
- usernames, passwords and other login information;
- data which may be used for identity theft;
- data from a DNA database or other data on which a duty of confidentiality is applicable by virtue of one's office or profession or by statutory regulation (e.g. medical confidentiality).
In addition, even when the data involved does not qualify as sensitive data, the data breach may still be considered to have serious adverse consequences for the protection of personal data, considering the nature and size of the data breach. The Policy Rules describe situations where the data breach involves many personal data per data subject or the data of a large group.
There is also an obligation to notify the Authority where data processing is extensive and the impact of the loss or the unlawful processing will therefore be significant. For example this may be the case if the data breach involves the data of vulnerable groups such as children or people with a mental disability.
5. How does a notification work?
The Authority has made a web form available on www.autoriteitpersoonsgegevens.nl that can be used to make the notification. It is also possible to send the Authority a completely filled-in form by fax.
Where a data breach occurs and it is necessary to notify the Authority, such notification should include the following information (by using the web form or the attachment with the Policy Rules):
- the nature of the infringement;
- the institution that can provide more information concerning the breach;
- recommendations to mitigate any negative effects of the breach;
- technical details and background of the breach;
- possible consequences of the infringement for the processing of personal data;
- measures taken or proposed to be taken by the data Controller in order to remedy the consequences;
- whether and/or when data subjects will be notified.
6. Timeframe notification obligation
The Policy Rules indicate that the Authority has to be notified 'without delay', and at least within 72 hours from the day that the data breach has been discovered by either the Controller or the Processor. The Controller may take some time to investigate the breach. However, if the notification has exceeded the 72 hours, the Controller might be requested to clarify the delay.
7. Do I have to notify the data subject of the data breach?
In the event that the data breach is likely to have negative consequences for the private life of the data subjects, it is also necessary to notify the data subjects (art. 34a sub 2 DPA). According to the Policy Rules, a notification is necessary where the data breach involves sensitive data. In other situations, the Controller has to assess the likely negative consequences for the data subjects on a case-by-case basis. It is not necessary to notify the data subject when the responsible party is a financial enterprise that falls under the scope of the Act on Financial Supervision (in Dutch: Wet op het financieel toezicht, Wft).
The following questions may be of help to determine whether and how a data subject must be notified:
i) Did the applied cryptology provide a sufficient protection of the personal data as a result of which a notification may be omitted?
Methods of cryptology are, for example, encryption or hashing. The Policy Rules explicitly note that a strict norm applies to cryptology. First of all, it is necessary that the data was encrypted when the data breach took place.
Whether the cryptology is sufficient in the specific situation depends strongly on the current state of the art of the technology. Moreover, encryption can also be broken. Therefore a further interpretation is given of what qualifies as 'adequate cryptology':
- The data has been encrypted with a standard algorithm[1] and the decryption key was not compromised in the data breach;
- The data has been replaced with a hash value computed by a cryptographic hash function using a key, and the key was not compromised in the data breach;
- The Controller should take note that an algorithm may have known weaknesses;
- The Controller should take note that the algorithm has to be applied correctly, which can be determined by an expert.
Since cryptology can always be 'hacked', it never gives a 100% guarantee of protection. Therefore it is also necessary to assess if the remaining risk is acceptable in the specific situation. If this is not the case, then a notification of the data subject might be necessary, depending on the other questions below.
In the case that the data Controller has doubts about the adequacy of the applied cryptology and the safety of the data, then the data subject should always be notified about the data breach.
ii) Did the Controller take other measures as a result of which a notification to the data subject may be omitted?
When other appropriate (technical) measures are taken that make the personal data incomprehensible or inaccessible for anyone that is not authorized to access the data, notifying the data subject is not necessary.
Examples of such measures are:
- Remote wiping: the option to delete personal data on a device from a distance. Remote wiping is only an adequate solution when the process has been initiated in due time, before the hackers have accessed the data.
- Pseudonymization: technical measures have been taken to prevent personal data from being traced back to the data subject. Whether pseudonymization has been applied adequately depends on whether the data breach has given unauthorized users the ability to trace the identity of the data subject.
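The keyed-hash criterion under question i) and the pseudonymization measure under ii) above, worked through as an added example (my own code, not part of the summary or of the Policy Rules). It assumes HMAC-SHA256 as the keyed hash and uses a constructed sample record; the same run also illustrates the point from section 1 that a hashed identifier remains a pseudonym rather than anonymous data, because the key holder can still link it.

```python
import hashlib
import hmac
import secrets

# Constructed sample record (not real data). The e-mail address and username are
# identifiers that the Policy Rules treat as personal data; the order total is not.
SAMPLE_RECORD = {"email": "J.Jansen@example.nl", "username": "jjansen", "order_total": 42.50}
IDENTIFIER_FIELDS = ("email", "username")


def _normalize(value: str) -> bytes:
    """Canonicalize an identifier so the same person always maps to the same pseudonym."""
    return value.strip().lower().encode("utf-8")


def keyed_pseudonym(value: str, key: bytes) -> str:
    """Keyed cryptographic hash (HMAC-SHA256, an assumed choice) of an identifier.

    Without the key nobody can recompute or verify the mapping, which is what the
    'key was not compromised' criterion relies on. The key therefore has to live in
    a store (HSM, KMS, secrets manager) separate from the pseudonymized data set.
    """
    return hmac.new(key, _normalize(value), hashlib.sha256).hexdigest()


def unkeyed_pseudonym(value: str) -> str:
    """Plain SHA-256 with no key, included only as the contrast case."""
    return hashlib.sha256(_normalize(value)).hexdigest()


def pseudonymize_record(record: dict, key: bytes, fields=IDENTIFIER_FIELDS) -> dict:
    """Return a copy of `record` with the identifier fields replaced by keyed pseudonyms."""
    out = dict(record)
    for field in fields:
        out[field] = keyed_pseudonym(str(record[field]), key)
    return out


def keyed_match(pseudonym: str, candidate: str, key: bytes) -> bool:
    """Can a party holding `key` confirm that `candidate` is the person behind `pseudonym`?"""
    return hmac.compare_digest(pseudonym, keyed_pseudonym(candidate, key))


def unkeyed_match(pseudonym: str, candidate: str) -> bool:
    """The same check for the unkeyed scheme: no secret is needed, so anyone can do it."""
    return hmac.compare_digest(pseudonym, unkeyed_pseudonym(candidate))


def linkability_assessment(record: dict = SAMPLE_RECORD) -> dict:
    """Work through the situations the summary distinguishes and report each outcome."""
    key = secrets.token_bytes(32)        # generated per run; in practice a managed key
    other_key = secrets.token_bytes(32)  # stands in for a party that did not obtain the key
    pseudo = pseudonymize_record(record, key)
    return {
        # The Controller (key holder) can still link the pseudonym to the person, so the
        # data set remains personal data: a pseudonym, not anonymity (section 1).
        "controller_can_link": keyed_match(pseudo["email"], record["email"], key),
        # A party without the key (the breach did not expose it) cannot confirm a match
        # even when it knows the candidate identifier: the criterion under i) holds.
        "party_without_key_can_link": keyed_match(pseudo["email"], record["email"], other_key),
        # With an unkeyed hash anyone who knows the identifier can recompute the same
        # value, so there is no key left that could have stayed protected.
        "unkeyed_hash_recomputable": unkeyed_match(unkeyed_pseudonym(record["email"]), record["email"]),
        # Non-identifier fields pass through unchanged.
        "non_identifiers_unchanged": pseudo["order_total"] == record["order_total"],
    }


if __name__ == "__main__":
    for name, result in linkability_assessment().items():
        print(f"{name}: {result}")
```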
iii) Is it likely that the data breach will have negative consequences for the private lives of the data subjects?
With the loss or the unauthorized use of personal data, data subjects can suffer material or emotional damage such as an unlawful publication, defamation of character, identity fraud or discrimination. On the basis of the possible negative consequences for the data subject(s) after the data breach, the Controller needs to assess if the data subject should be notified.
iv) Are pressing circumstances present to not notify the data subject?
The Controller may also decide to postpone notifying the data subject or decide not to notify at all in situations where pressing social circumstances exist. This is the case when this is necessary in the interest of:
a) the safety of the state;
b) the prevention, investigation and/or prosecution of criminal offences;
c) reasonable economic or financial interests of the state and other authorities;
d) the supervision of compliance with statutory provisions for the purpose of the interests mentioned under a, b or c;
e) the protection of the data subject or the rights and liberties of others.
8. What information must be included in the notification to the data subject?
In the notification the Controller should at least include information about:
- the nature of the breach;
- the institution that can provide more information concerning the breach;
- measures taken or proposed to be taken by the Controller in order to remedy the consequences;
- contact details of the Controller;
- measures that the data subject could take to reduce the negative consequences.
In case of an extensive data breach, the Controller has the option to notify the specific data subjects individually and in addition provide general information to all data subjects.
9. When does the data subject have to be notified?
The data subject must be notified without delay. This means that after the discovery of the data breach, the Controller may take some time for an investigation with the purpose to be able to sufficiently and properly notify the data subject.
The Controller may also choose to notify the data subject directly after the breach with the available information. The notification can always be modified after an investigation has been carried out. The advantage of directly notifying the data subject is that the data subject will be able to immediately take measures against further loss, such as changing passwords / user names.
10. What data do I have to retain after the data breach?
Obligation to retain
The Controller is obliged to record all data breaches that fall under its responsibility. Each record should at least contain all facts and information regarding the nature of the breach. If the data subject is notified, then the text of the notification should be included as well. The information must be stored for at least one year. In case the Controller has chosen not to notify the data subject because of pressing circumstances, the information should be stored for at least three years.
11. How does the Authority treat my notification?
After the Controller has notified the Authority, the Authority sends an acknowledgement receipt. If the notification gives cause for further actions, then the Authority will contact the Controller. The Authority keeps a non-public register of all data breaches which have been notified.
Enforcement
When the Controller does not comply with the notification requirement of the Data Breach Notification Law, the consequences may be severe. The Authority has the ability to impose an administrative fine of up to EUR 820.000,--.[2] When the breach was not intentional and there is no situation of 'serious culpable negligence', the Authority will first issue a binding instruction before imposing an administrative fine.
For further information on this topic, please contact Eliette Vaal
[1] More information on standard algorithms can be found in the publications of the European Union Agency for Network and Information Security (ENISA) and the National Cyber Security Centre (NCSC).
[2] Art. 23 sub 4 Dutch Penal Code: a fine of the sixth category, with a maximum of EUR 820.000,-- (in 2016).