The Dutch State Secretary of Security and Justice submitted a revised draft bill (source document in Dutch) to Parliament on February 10, 2014, regarding notification obligations for data breaches. Under the new draft, controllers will be required to notify the Dutch Data Protection Authority only if a data breach has serious adverse consequences for the protection of the personal data that is being processed. Under the original language of the draft bill, notification was required if a data breach could reasonably be assumed to lead to a substantial risk of adverse consequences for the personal data. Notably, the Dutch Data Protection Agency, in a February 20, 2014, letter (source document in Dutch), raised concerns that this change sets the threshold for notification too high.
