A data date

In story-telling tradition, no-one has been better-known for dealing with breaches than the Dutch (see here)
What is a security breach? Article 4 of the Proposal for the Regulation defines "personal data breach" as "the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed". However, the duty of notification requires that such a breach must have serious adverse consequences. In this regard, the Dutch Act sets forth some parameters to help assess the consequence of a breach. These include the nature and scope of the breach, the nature of the personal data, the extent of the technical protective measures activated and the impact on the privacy of the individuals affected by the breach.
Reporting a breach? You may need to exchange your clogs for running shoes ...
Liability for violation of the Dutch Data Protection Act can be ascribed jointly to the data controller and the data processor, if the latter is also involved in the breach. The data controller and the data processor may agree to cooperate in fulfilling the obligation of notification. Incidentally, personal liability is also placed on company executives under the Dutch reform.
Liability will be punished with a fine of between 20,250 and 810,00 euros, depending on the seriousness of the violation. In extreme cases an administrative fine of 10% of the net annual turnover may be imposed, if the violation is not rectified after the Data Protection Authority sends its 'binding instruction'.