This is how you inform victims about a data breach

Are the risks of a data breach high? Then you have to inform the victims as soon as possible. The most important objectives of this are that people understand what has happened to their personal data and that they know what they can do to protect themselves.

On this page you can read which questions you have to answer in any case in the information you provide to the victims. You are, of course, always free to give extra information. You can also read in which manner you can give the information.


1. What happened?

Answer the following questions, among others:

  • Which data does it concern? What happened to these data?
  • Have the data fallen into the hands of an unauthorised person? Or have the personal data become temporarily or permanently inaccessible (you can no longer access them) or lost (you have lost the data)?
  • Were the personal data entered or stored incorrectly or incompletely in the system? Or a combination thereof?

2. What are the probable consequences?

Answer the following questions, among others:

  • Has only the privacy of the victims been infringed? Or is there also (a high risk of) physical or material (financial) damage? If so, also indicate in concrete terms what that damage is.
  • Have the personal data fallen into the hands of a malicious person, for example a hacker? If so, is there a (high) risk that the victims will receive phishing mails as a result of the data breach, or become the victims of (identity) fraud?
  • Have the personal data meanwhile been returned or destroyed by the party that wrongly received the data?

3. What measures do you suggest or did you already take?

This includes any measures for reducing the risks or limiting the adverse consequences. Here you also have to state whether you have asked external parties for advice and, if so, what that advice was.

4. Is there anything that the victims can do themselves?

Indicate what the victims can do themselves, for example change their password. You can also refer to the page "Victim of a data breach? This is what you can do" on the website of the Dutch DPA.

Does your data breach entail a risk of identity fraud? Then indicate that the victims have to be alert to identity fraud. You can refer to:

These pages provide information about how victims can recognise identity fraud and what they can do.

5. Who can the victims turn to if they have questions?

State the name and contact details of the Data Protection Officer (DPO), if your organisation has one, or of someone else in your organisation to whom the victims can turn for more information, for example the director or a privacy contact person.

This is how you provide the information

You have to inform the victims directly. This can be done in various ways, such as by email, text message, with a letter or by telephone. Choose a manner that is suitable for your target group. Do you send a letter? Then you can choose to send it by registered post, but this is not mandatory.

You can read more about the manner in which you inform the victims in chapter III of the EDPB's Guidelines on personal data breach notification under GDPR.