The Netherlands introduces mandatory data breach notification

The First Chamber of the Dutch parliament passed a Bill on Data Breach Notification on 26 May, law firm De Brauw Blackstone Westbroek reports. Notifying breaches of personal data will become mandatory for all types of data controllers. Failure to notify is punishable by a maximum fine of 810,000 euros or 10% of the company's annual net turnover. Importantly, the fine need not be limited to the company's establishment in the Netherlands but could be calculated on global turnover.

Data controllers must immediately notify the Netherlands' Data Protection Authority (DPA) of any breach that is likely to have serious adverse consequences for the protection of personal data. The DPA is expected to issue guidance defining what counts as a serious breach. The affected individuals may also need to be notified, unless the data concerned was encrypted.

Data controllers will also need to maintain an internal data breach register recording every security breach they experience that has, or might have, a negative effect on data subjects. Each entry should record the facts of the breach, the mitigating measures taken, and the text of any notifications sent to the data subjects affected. There is no obligation to make this register public.

It is not yet known when the Bill will enter into force.