
Dutch privacy law gets teeth: 800k Euro fine for data breaches

25 August 2015, by Arnoud Engelfriet

Starting January 1 the Dutch privacy law finally gets teeth: causing a data breach (or failing to report one) can be fined with up to 800,000 Euros per incident. And not just data breaches: virtually all violations of privacy law are now tied to fines. This includes processing data without permission (or another legal ground) and failing to inform persons about how their personal data is processed. With this new law, the privacy game suddenly became a lot more serious.

A data breach is not just a large-scale break-in where thousands of personal records are stolen by foreign hackers. The law defines any loss or unlawful processing as a “data breach” if some form of security is breached or circumvented.

Some people have argued that there would be no data breach if you have no security at all. After all, what’s there to breach if there is nothing? But that won’t fly: the law also imposes this fine on not having adequate data security in place.

Examples of what would constitute data breaches:

  • A messaging board that allows users to read each others’ messages by manipulating the URL.
  • A web shop that receives customer data through an unsecured channel – SSL must be used.
  • A company where any employee can access all customer records, regardless of need to know.
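The first example above, a message board where changing an id in the URL exposes another user's messages, is a missing object-level authorization check. The following is an added illustration, not code from the original post or from ICTRecht: an insecure lookup beside a hardened one, plus a small replay helper that counts how many cross-user reads each handler would have allowed. The in-memory store, user names and request list are constructed sample data.

```python
"""Added example (not from the original post): object-level authorization on a
message lookup. The message store and request list are constructed samples."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    id: int
    owner: str
    body: str


# Constructed sample store: two users, three messages.
MESSAGES = {
    1: Message(1, "alice", "Alice's private note"),
    2: Message(2, "bob", "Bob's order confirmation"),
    3: Message(3, "alice", "Alice's second note"),
}


class Forbidden(Exception):
    """Raised when the requester may not see the requested record."""


def get_message_insecure(requester: str, message_id: int) -> Message:
    """Looks up by id only. Any authenticated user can read any message by
    changing the id in the URL: the breach described on the page."""
    return MESSAGES[message_id]


def get_message_secure(requester: str, message_id: int) -> Message:
    """Looks up by id, then verifies that the requester owns the record.
    'Not yours' and 'does not exist' produce the same error, so probing ids
    does not reveal which ones are in use."""
    msg = MESSAGES.get(message_id)
    if msg is None or msg.owner != requester:
        raise Forbidden(f"message {message_id} is not accessible to {requester}")
    return msg


def audit_access_log(entries, lookup):
    """Replays (requester, message_id) pairs against a handler and returns the
    pairs that would have exposed another user's data. Useful as a regression
    check that a handler enforces ownership before data reaches the caller."""
    leaked = []
    for requester, mid in entries:
        try:
            msg = lookup(requester, mid)
        except (Forbidden, KeyError):
            continue  # refused or unknown id: nothing was disclosed
        if msg.owner != requester:
            leaked.append((requester, mid))
    return leaked


# Constructed sample traffic: two legitimate reads, two cross-user reads,
# one request for an id that does not exist.
SAMPLE_REQUESTS = [("alice", 1), ("alice", 2), ("bob", 2), ("bob", 3), ("bob", 99)]

if __name__ == "__main__":
    print("insecure handler leaks:", audit_access_log(SAMPLE_REQUESTS, get_message_insecure))
    print("secure handler leaks:  ", audit_access_log(SAMPLE_REQUESTS, get_message_secure))
```

The same pattern applies to the third example on the list: the ownership test in `get_message_secure` is the per-record "need to know" check, and the audit helper is the kind of evidence an organisation would want when showing a supervisory authority that access is actually restricted rather than merely documented.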

In addition to fines for data breaches, there is also a requirement to report data breaches to the supervisory authority, and in many cases also to the persons affected. This requirement applies if the data breach has a serious chance of negatively affecting the persons involved, e.g. through identity theft or fraud. Reporting is not required, however, if the data that was misappropriated was protected through encryption.

The ability to issue a fine is coupled to a requirement on the supervisory authority to first issue an order on how to improve security. Only if the order is not complied with, can a fine be issued. However, a fine can be issued directly if the breach occurred through intentional misconduct or gross negligence.

The provisions on data breaches are going to be very important in the coming years. Europe is working on similar legislation, but this will not take effect until somewhere in 2017 at the earliest.

Arnoud Engelfriet

General Director Legal ICT / ICTRecht
Arnoud Engelfriet has been general director at Legal ICT / ICTRecht since June 2008. He specializes in internet law, an area he has worked in since 1993. With a background in computer science he likes to focus on complex technical/legal IT issues and software licences (open source). His blog Ius mentis is one of the most popular legal blogs (about IT and law) in the Netherlands.
