Reporting or not reporting a data breach
Whether you have or do not have to report a data breach to the Dutch Data Protection Authority (Dutch DPA) depends on the possible impact of the data breach on the victims. The question of whether you have to inform the victims about the data breach also depends on the risks for the rights and freedoms of individuals as a result of a data breach.
Is there a data breach in your own organisation? Or have you identified a data breach somewhere else in your environment and do you want to give the Dutch DPA a tip-off about it?
Directly reporting a data breach or giving a data breach tip-off
On this page you will find information on how you can determine the risk for the victims. You will also find specific information and tools that help you assess whether you have to report a data breach to the Dutch DPA and whether you have to inform the victims.
Assessing the risk of a data breach
The General Data Protection Regulation (GDPR) says that you:
- Have to report a data breach to the Dutch DPA, unless the data breach is not likely to result in a risk for 'the rights and freedoms of data subjects', such as the protection of their personal data and privacy.
- Have to inform the victims if the data breach is likely to result in a high risk for them.
You therefore have to make a risk assessment to decide whether you will report a data breach to the Dutch DPA and whether you will inform the victims.
When assessing the risk of a data breach, you look at the specific circumstances of the data breach, including the severity of the potential impact and the likelihood of this occurring.
Sometimes the risk is very clear, for example when medical files have been leaked or when personal data have been stolen by a hacker. More often, however, it is a matter of weighing several factors.
Criteria to be taken into account when assessing the risk of a data breach
The following factors will help you make your assessment objective:
- the type of breach;
- the nature, sensitivity and volume of the personal data;
- the ease of identification of individuals;
- the severity of the consequences for the individuals;
- characteristics of the unauthorised recipient;
- special characteristics of the individual;
- special characteristics of your organisation;
- number of victims.
Tip: The EDPB data protection guide for small businesses offers a flowchart that can help you make an objective assessment.
Type of breach
The type of breach may have an influence on the risk. For example: have personal data been erased, altered or leaked? Leaking personal data to an unauthorised person has other consequences than losing personal data.
Nature, sensitivity and volume of the personal data
The more sensitive the leaked data, the higher the risk of damage. In addition, the context may lead to a higher risk, for example when the name and the address of an adoptive parent are disclosed to a biological parent. The amount of information leaked about a victim also influences the risk.
In any case, assume a high risk for the following types of personal data:
- Special personal data, such as data about health.
- Criminal personal data.
- Information about personal aspects, intended for drawing up or using profiles. Especially if it concerns profiling based on information about professional performance, economic situation, personal preferences or interests, reliability, behaviour and location.
Other examples of sensitive data are:
- credit card details;
- (copies of) identity documents;
- citizen service number (Dutch BSN) in combination with other data, such as name and address details.
If these data end up in the wrong hands, they may be abused for fraud, such as identity fraud.
Some categories of personal data may not seem sensitive at first glance. Such as a telephone number and an email address. But in the hands of (cyber)criminals, these data may be abused for targeted phishing attacks.
Ease of identification of individuals
The easier the leaked data can be used to identify a specific individual, the higher the risk.
The risk may be reduced by the measures you have taken to make it more difficult or impossible to identify persons. Such as encryption and pseudonymisation of data.
Also consider personal data that are already (publicly) available. A combination of the leaked data with public data may increase the impact.
Severity of the consequences for the victims
Can the data breach result in financial damage, identity fraud, physical harm, psychological distress, humiliation or damage to reputation? If yes, the damage for the victim can be very serious. You then have to consider that there is a high risk.
Damage for the victim can be physical, material and immaterial:
Physical (bodily) damage
For example, when crucial medical data have been erased, resulting in a risk that someone (temporarily) does not receive the necessary care.
Material (financial) damage
For example, in the case of a data breach involving credit card details, which makes it possible for someone to place online orders at someone else's expense. Other forms of financial loss, identity theft or identity fraud are also possible, for example in the case of a data breach:
- with complete copies of identity documents;
- with the BSN in combination with other personal data;
- where (cyber)criminals have stolen personal data.
Immaterial damage
Such as the chance of:
- discrimination (e.g. in the case of a data breach with data about race/ethnicity, religion or sexual orientation);
- reputational damage (e.g. in the case of a data breach with data about problematic debts, addiction or performance at work);
- infringement of someone's privacy.
Characteristics of the unauthorised recipient
Have you provided personal data to a wrong (unauthorised) recipient, but can you objectively determine that this person is reliable? You can then take this into consideration when assessing the risks of the data breach. This may eliminate or reduce the severity of the consequences for the victim. Whether this applies varies from case to case.
Reliable recipients can be, for example:
- a wrong colleague or department within your own organisation;
- parties with which you have a business relationship, such as a regular supplier;
- parties that have a statutory professional duty of confidentiality, such as a GP or another care provider.
Note: Does the unauthorised recipient contact you personally to report the data breach? And has this party returned the data or confirmed that the data will be erased? But does the party not fall into the 3 categories mentioned above? Then you cannot assume that there is a 'reliable recipient'.
This is because you do not know the unauthorised recipient. You therefore do not have any certainty regarding the recipient. You cannot reasonably rest assured that this party will not do anything with the data received.
Special characteristics of the individual
When data of vulnerable persons have been leaked, these persons may run a greater risk of damage. For example, children, elderly people or people with a disability or illness.
Special characteristics of your organisation
The risks of a data leak at a hospital will be higher than those of a leak of a newspaper's mailing list, for example.
Number of victims
Generally speaking, the more victims there are, the greater the consequences of a data breach can be. But a breach can also have serious consequences for only 1 person.
Reporting or not reporting a data breach to the Dutch DPA
When you have made the risk assessment, you decide for yourself if you have to report the data breach to the Dutch DPA. Do you doubt whether you have to report the data breach? Then it is better to be on the safe side and report the data breach.
You do not have to report the data breach to the Dutch DPA if you have taken appropriate measures before the data breach occurred, and thanks to these measures, the leaked personal data have become incomprehensible for unauthorised persons. For example, because the data have been encrypted properly or replaced by a hash value.
Note: This exception only applies if you meet the following 3 conditions:
- The data are still fully intact.
- You still have full control over the data (you have a recent backup).
- The key used for the encryption or for the hashing was not at risk at any time during the data breach. And this key cannot be found by unauthorised persons, not even with the technology available.
Informing or not informing victims about a data breach
Do you not have to report a data breach to the Dutch DPA? Then you do not have to report it to the victims either. You only have to inform the victims if a data breach is likely to result in a high risk for their rights and freedoms. You determine this yourself, based on your risk assessment.
Note: You may have to report the data breach to the Dutch DPA. If this is the case, you indicate in your report that you did not report the data breach to the data subjects (victims). You also have to indicate which reasons you have for not informing the data subjects.
Read which information about a data breach you have to provide to victims
Informing victims not necessary
There are 3 situations in the GDPR in which you may not have to inform the victims personally about the data breach:
1. Advance measures
You have taken appropriate advance measures that make the personal data incomprehensible for unauthorised persons, such as encryption.
2. Subsequent measures
You have taken measures afterwards that ensure that the data breach has been terminated and that the high risk for the victims is no longer likely to materialise.
For example, when you have immediately identified the person who has had access to the personal data. And you have taken action before that person could do anything with the personal data.
Note: If the unauthorised person has already accessed the personal data, even the mere access may sometimes entail a high risk. For example, in the case of medical data. In that case, you will not be able to rely on this exception.
3. Disproportionate effort
Individually informing the victims requires a disproportionate effort from you. For example, because you have lost the contact details of the victims due to the data breach. Or because the contact details are unknown.
In that case, you can also inform the victims with a public announcement or a similar measure. For example, by posting a message on social media or in the local newspaper, in combination with an announcement on your website.
Note: The victims must be informed just as effectively if you use this method. That means that they must receive sufficient and timely information about the data breach.
Exceptions under the GDPR Implementation Act
In addition, the General Data Protection Regulation (Implementation) Act (GDPR Implementation Act) mentions 2 situations in which you do not have to inform the victims:
- If this is necessary and proportionate for safeguarding an important interest, such as national or public security, or the protection of the privacy of others (for example, when children have made a request for help without their parents' knowledge).
- Your organisation is a financial undertaking within the meaning of the Dutch Financial Supervision Act (Wft). In that case, the obligation to notify the victims does not apply to you. The obligation to notify the Dutch DPA does apply, though.
Tools for assessing whether or not to report a data breach
- There are several guidelines of the European Data Protection Board (EDPB) about the data breach notification obligation:
  - Guidelines on personal data breach notification under GDPR of 28 March 2023. In particular chapter IV helps you determine the risk of the data breach and whether you have to report the data breach to the Dutch DPA and to the victims.
  - Guidelines on Examples regarding Personal Data Breach Notification. These guidelines contain concrete examples of situations in which you have or do not have to report a data breach to the Dutch DPA and to victims. Also see: Voorbeeldlijst wel/niet melden datalek (in Dutch).
- The rules for the data breach notification obligation can be found in Article 33 GDPR and Article 34 GDPR.
- Exceptions to the data breach notification obligation can be found in Article 41 GDPR and Article 42 GDPR.
Infringement of the data breach notification obligation
Do you wrongfully fail to report a data breach to the Dutch DPA? Then the Dutch DPA may impose a fine on you. Do you wrongfully fail to report a data breach to the victims? Then the Dutch DPA may oblige you to inform the victims. And do you wrongfully keep silent about a data breach with a high risk for the victims? In that case, too, the Dutch DPA may impose a fine on you.