Is an organisation obliged to inform me if my data have been leaked?

Usually, it is. It depends on what the consequences of the data breach are for you and other people.

Did hackers, for example, steal credit card data? Or was a copy of your identity document leaked? Then this results in a significant risk for you. Criminals may then, for example, make purchases in your name. But a leaked email address may also have consequences, because phishing is becoming an increasingly common occurrence.

If there is a risk of unpleasant consequences, the organisation will have to report the data breach to the AP. If there is a major risk, the organisation will have to tell you too what has happened. And what the consequences are for you.

Have you become the victim of a data breach? Depending on which data have been leaked, you can do various things. You can change your passwords, for example. Especially if you used the same password on multiple sites. And be alert to suspicious emails or unfamiliar debits from your bank account.

Do you suspect that your data have been leaked, but do you not receive a message about it? First contact the organisation concerned then. You can also submit a data breach tip-off to the AP.

Also read the story of Gerrit (72), who was confronted with a data breach as well as a car break-in.