Duty to Report Data Leaks
1. What is a data breach?
A “data breach” exists only if a security incident has actually occurred in which personal data has been lost, or in which unlawful processing of the personal data cannot reasonably be excluded. Security incidents include the loss of a USB stick, the theft of a laptop, an intrusion by a hacker, infection with malware, and emergencies such as a fire at a data centre.
At Melenhorst Accountants and Business Valuators B.V. (referred to below as “MABV” or “we”), we also work with personal data – possibly including your own – which we handle with great care. Should a security incident occur, our internal instructions for dealing with data breaches take effect, so that we can determine in good time whether there has been a (serious) data breach within the meaning of the AVG (the Dutch name for the GDPR).
3. Data breach notifications
If a security incident has occurred that falls within the scope of those instructions, the person concerned can notify MABV’s Management Board. That notification – whether made by an internal or an external party – can only be submitted electronically via firstname.lastname@example.org and should include at least the following information:
a. the nature of the personal data breach, where possible with an indication of the categories of personal data records involved and, upon request, the number of personal data records involved;
b. the name and contact details of the Data Protection Officer or another contact point from whom more information can be obtained;
c. the likely consequences of the personal data breach;
d. the measures taken or proposed by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
4. Internal procedure
In practice, notification is usually only needed where sensitive personal data has leaked; the legal test, however, is risk. No notification is required if it is unlikely that the data breach poses a risk to the rights and freedoms of natural persons (the “data subjects”). If a data breach has taken place and there are adverse consequences for the data subjects – or a significant likelihood of such consequences – then the Dutch Data Protection Authority [Autoriteit Persoonsgegevens] must be notified.
If we are acting as the “controller” of the personal data that has leaked, we will notify the Data Protection Authority of the data breach within 72 hours of the Management Board becoming aware of it. If the notification cannot be made within 72 hours, we will state the reason for the delay. If we are acting as the “processor” of the personal data that has leaked and a data breach has been detected, we will notify the controller (usually the client) as soon as possible, so that the controller can make its own notification within the 72-hour period.
5. Confidentiality/legal protection
a. All employees who are in any way involved in dealing with or complying with these regulations are obliged to maintain confidentiality in accordance with the rules that apply within our company, including these data protection regulations.
b. All communications made in the context of implementing these regulations must contain no more information than is necessary for the investigation or for implementing these regulations.
c. MABV’s Management Board guarantees that employees who submit notifications pursuant to these regulations will in no way suffer adverse consequences for their position or career as a result.