Victim of a data breach? This is what you can do
Did you receive a message from an organisation that your data have been leaked? Or do you suspect that there has been a data breach at a specific organisation? This page explains what you can do.
Is there a data breach in your own organisation? Or have you identified a data breach somewhere else in your environment and do you want to give the Dutch DPA a tip-off about it?
Directly reporting a data breach or giving a data breach tip-off
This is what you can do if you are a victim
Have you received a message from an organisation that your personal data have been involved in a data breach, for example at your bank or telecom provider? This may have unpleasant consequences for you. Nevertheless, there are often things that you can do to protect yourself against the consequences of the data breach and so limit the damage.
What exactly you can do depends on which of your data have been leaked and who has (had) access to these data. The organisation will usually inform you about this in a warning message. You can also request additional information from the organisation.
A data breach may be caused by a hack. But the (unintended) destruction, loss, alteration or disclosure of personal data can also be a data breach. Think of a lost file or an incorrectly addressed letter. It is good to know that a data breach is not always a violation of the GDPR. But it is one if the organisation did not have its security in order, or if the organisation failed to report the data breach to the Dutch DPA and to the victims when it was obliged to do so.
What can you do? Below you will find some tips.
Email address and password leaked? Change your password
Have your email address and password been leaked? Then change your password, just to be sure. Do you use the same password on different websites? Then change the password on these websites as well.
Email address or telephone number leaked? Be alert to phishing
Phishing is a form of fraud in which criminals try to obtain information about you, such as login details, credit card information, PIN codes or details from your identity document. They do this, for example, by sending a fake email. The more personal data criminals have about you, the more genuine the message may seem.
Therefore, be very careful when you receive emails, WhatsApp messages, text messages or phone calls in which someone claims to contact you on behalf of a specific organisation and, for example, asks you to pass on data, or to click on a link and then enter your data on a website that appears trustworthy.
Always check whether you are really dealing with this organisation. Do you not trust it? Then hang up or delete the message. You can subsequently contact the organisation yourself. And do not click on a link without a good reason; go to the organisation's website yourself instead.
You can find out whether an email that you have received may be a phishing mail by taking a good look at what is in the mail:
- Does the email address correspond with the name of the organisation? What comes after the @ sign?
- Is there a general salutation in the mail, such as ‘Dear Sir/Madam’, or is your (full) name actually used? Note: your name may also have been derived from your email address. So even an email with your name in the salutation can still be a phishing mail.
- Is there a request in the mail to click on a link to ‘supplement’ or ‘check’ your data?
- Are you put under pressure to take swift action? Or are you promised something that is too good to be true?
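The four checks above, turned into a small checker so you can see how they apply to an actual message. This is an added example, not code from the Dutch DPA; the keyword lists, the expected domain and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed phrase lists for each of the four checks; extend them for your own mailbox.
GENERIC_SALUTATIONS = ("dear sir/madam", "dear sir or madam", "dear customer", "dear user")
DATA_REQUEST_WORDS = ("supplement", "check", "verify", "confirm", "update")
PRESSURE_WORDS = ("immediately", "within 24 hours", "urgent", "will be blocked", "act now")
TOO_GOOD_WORDS = ("you have won", "prize", "free gift", "refund of")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def body_text(msg):
    """Return the first text/plain part of the message (walk() also covers single-part mail)."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True)
            return raw.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def phishing_indicators(raw_email, expected_domain, recipient_name):
    """Return the list of checks from the page that this message trips (empty = none)."""
    msg = message_from_string(raw_email)
    body = body_text(msg)
    low = body.lower()
    hits = []
    # 1. Does the part after the @ sign match the organisation's domain (or a subdomain of it)?
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if domain != expected_domain and not domain.endswith("." + expected_domain):
        hits.append(f"sender domain '{domain}' is not {expected_domain}")
    # 2. Generic salutation, or the recipient's full name is not used at all.
    first_line = next((ln.strip().lower() for ln in body.splitlines() if ln.strip()), "")
    if first_line.startswith(GENERIC_SALUTATIONS) or recipient_name.lower() not in low:
        hits.append("generic salutation / full name not used")
    # 3. A link combined with a request to 'supplement' or 'check' your data.
    if URL_RE.search(body) and any(w in low for w in DATA_REQUEST_WORDS):
        hits.append("link plus request to supplement/check data")
    # 4. Pressure to act quickly, or a promise that is too good to be true.
    if any(w in low for w in PRESSURE_WORDS + TOO_GOOD_WORDS):
        hits.append("pressure to act fast or too-good-to-be-true offer")
    return hits


# Constructed sample message (not a real mail); the bank and domains are fictitious.
SAMPLE = """From: "Example Bank" <service@example-bank-login.com>
To: jan@example.org
Subject: Verify your account

Dear Sir/Madam,

Your account will be blocked within 24 hours. Please check your data at
https://example-bank-login.com/verify to keep access.
"""
```

Running `phishing_indicators(SAMPLE, "example-bank.com", "Jan Jansen")` trips all four checks; a genuine mail from a subdomain of the bank, addressed by full name, without a link or deadline, trips none.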
Identity document leaked? This is how you recognise and prevent identity fraud
One of the risks after a data breach is identity fraud. In the case of identity fraud, criminals abuse your data to impersonate you. For example, by:
- buying things in your name without paying;
- taking out a loan in your name;
- taking out a telephone subscription in your name.
Tip: After a data breach, keep an eye on your bank account for irregularities and on your emails for confirmations of purchases that you did not make.
ID document
Not all data breaches enable identity fraud. There is not much that a fraudster can do with an isolated piece of data (e.g. only a BSN). It is the combination of data that matters. That is why it is a risk, for example, if a copy of your identity card has been leaked.
To reduce the risk of identity fraud, report your identity document as stolen to your municipality. You can then apply to the municipality for a new identity document.
Tip: Be careful with what you post on social media and elsewhere on the Internet. The more information about you is publicly available, the easier it is for a fraudster to find additional data about you and combine them with the leaked data.
Victim of identity fraud
Have you become the victim of identity fraud?
- Report this to the Central Identity Theft and Error Reporting Centre (CMI). The CMI helps you resolve the consequences of identity fraud.
- In addition, report the identity fraud to the police.
More information about identity fraud
If you want to know more about identity fraud, read:
- the brochure Do not give fraudsters a chance: Identity fraud from the Dutch Ministry of the Interior and Kingdom Relations (in Dutch).
- Identity fraud on the website of the police (in Dutch).
- Identity fraud on the website of the Dutch central government.
Compensation for a data breach
Have your data been affected by a data breach? And have you suffered damage as a result? Then you may be entitled to compensation.
Under Article 82 of the GDPR, you are entitled to compensation if you suffer damage because an organisation acts contrary to the GDPR and the organisation can be blamed for this.
An organisation is not liable if it proves that it is not in any way responsible for the data breach as a result of which you have suffered damage.
That a data breach has taken place does not automatically mean that the organisation has acted contrary to the GDPR. Not every data breach can be attributed to the organisation within which it took place.
Types of damage
You can claim compensation for both financial damage and immaterial damage. The law does not say in concrete terms what exactly immaterial damage is. You may suffer immaterial damage, for example, if your honour has been harmed or your reputation has been tarnished.
Claiming compensation
A claim for compensation is assessed by a civil court. The Dutch DPA does not play a role in this. The Dutch DPA cannot give you information or advice on assessing the damage and on the amount of the compensation.
Tip off the Dutch DPA about the data breach
Do you suspect that there has been a data breach at a certain organisation? Then you can submit a data breach tip-off to the Dutch DPA about this possible data breach. But first it is important that you inform the organisation itself of the possible data breach.
An organisation can only do something about a data breach if it knows that there is one. And only once the organisation has become aware of the data breach can it be obliged to report the data breach to the Dutch DPA and to the victims.
This is how you keep a grip on your data
Organisations are responsible for the proper security of your personal data. All the same, a data breach can happen to any organisation, for example due to human error. Fortunately, there are also things that you can do yourself to prevent, as far as possible, your data becoming public in the event of a data breach. This is what you can do:
- Use a different password everywhere. You can use a password manager for this purpose. A password manager stores your passwords and can also create strong passwords for you.
- Does an organisation offer an extra secure login method? Then use it. In that case you have to enter, for example, a code that you receive on your telephone, in addition to your user name and password. This is called multifactor authentication, or MFA.
- Pay proper attention to who is asking for your data and how. Be in control of your data. Does a company, for example, ask for data that it does not need to provide a service to you? Then do not provide the data.
- Use your privacy rights. Ask organisations, for example, to erase certain of your data, such as when you no longer use an account with a webshop. The fewer data organisations hold about you, the less risk you run.