Obligation to report data leaks and CBP power to impose fines in effect from 1 January 2016
Effective 1 January 2016, both private and public organisations processing personal data will be obliged to report any security breaches resulting in, inter alia, theft, loss or misuse of personal data. The obligation therefore covers more organisations than the providers of electronic communications networks and services, which are already obliged under the Telecommunications Act to report theft, loss or misuse of personal data of subscribers or users. The purpose of the reporting obligation is to better protect personal data. The Data Leaks (Reporting Obligation) Act Implementation Decree and the extension of the power to impose fines were published in the Bulletin of Acts and Decrees today.
In addition, the Dutch Data Protection Authority (College Bescherming Persoonsgegevens, CBP) may soon impose administrative fines for more types of violations of privacy legislation. At present, the CBP may only impose an administrative fine for violation of an administrative regulation, such as the obligation to notify when processing personal data. Starting 1 January 2016, a fine may also be imposed for violations of more general legal obligations concerning the use and processing of personal data. Examples include personal data that is not processed properly and carefully or is kept for longer than necessary, as well as insufficient security, poor organisation of the management of personal data, or cases in which sensitive information such as political preferences and religious beliefs is violated.