Data breaches

Nowadays, it is almost a fact of life that organisations face a data breach at one time or another. Because a data breach may have serious consequences for the people whose data was exposed, such as identity fraud, it is important that an organisation acts immediately when it becomes the victim of one, so that the damage to those people is kept to a minimum.

Fortunately, there is a lot that organisations can do to prevent data breaches or to limit their consequences, for example by taking adequate security measures.

Quick answers

What do I have to do if my bank account number may have been leaked?

Did you receive a message from an organisation that it has become the victim of a data breach, and that bank account numbers have been leaked as a result? This is what you can do in such a case:

  • Be alert to phone calls or messages by email, text or WhatsApp in which someone tries to obtain information from you, such as your PIN code. Your bank will never ask you for a PIN or security code, or to send your bank card to a certain address, and certainly not in this way.
  • Check the debits from your bank accounts regularly. Criminals may try to use your account number to make purchases.
  • For more information see Veiligbankieren.nl (in Dutch).

Can I as an organisation submit 1 notification for multiple data breaches?

No, you cannot. The GDPR stipulates that you have to report each data breach separately. Only if you are affiliated with the Federation of the Dutch Pension Funds, the Dutch Association of Insurers or the Netherlands Bankers' Association can you submit a bulk notification, and only for data breaches that occur in postal dispatch.

Bulk notification

In the case of a bulk notification, you submit 1 notification to the Dutch DPA for multiple similar data breaches that arose during large-scale postal dispatch. It does not matter whether you send postal items on a large scale regularly or only occasionally.

Requirements for bulk notification

You are only permitted to submit a bulk notification if you meet all these conditions:

1. Incident type

The incidents:

  • are the same type of incident;
  • are the same type of breach;
  • are about the same type of personal data;
  • affect the same group of data subjects, and you inform all data subjects in the same manner (all of them or none of them).

2. Registration

You record for which breaches you have submitted a bulk notification.

3. Authorisation

You designate employees who are the sole persons authorised to submit bulk notifications. 

4. Informing the Dutch DPA

You inform the Dutch DPA about:

  • how many breaches you report in bulk;
  • how many data subjects in total have been affected;
  • how many data subjects you inform.

Time of the bulk notification

You have to submit the bulk notification within 1 month after you have become aware of the first incident within the bulk.

What is meant by 'data records' in the data breach notification form?

In the data breach notification form you are asked to indicate how many data records (data registers) have been affected by the breach. A data record is a record of information about a specific person. A data record may comprise multiple (categories of) personal data.

Is a data record part of a table? Then the term 'data record' usually means a row in a list. For example a row in an Excel file: in that case, 1 row in the list is 1 data record.

Examples of data records

  • A purchase at an online shop is 1 data record. The data record may consist of, among other things: the product or products ordered, the purchase amount, the time of ordering, name and address details, the email address and any other data about the purchase. Does the customer make purchases at the online shop at various times? Then the online shop records each purchase in a separate data record. An online shop may therefore hold multiple data records on the same customer.
  • A copy of a passport is 1 data record. Apart from someone's name and date of birth, the passport also contains other personal data, such as the passport number.
  • Does a hospital use logfiles to record who accessed a medical file at what time? Then every log entry is 1 data record.
  • Does an online shop use logfiles to record who added a product to a shopping cart at what time? Then every log entry is 1 data record.
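When you fill in the notification form (and, for a bulk notification, the number of data subjects affected), the two numbers you need are the number of data records and the number of distinct data subjects behind them; the first is usually larger, because one person can appear in several records. The following is an added example of how an incident responder might derive both figures from a leaked export and a leaked log file. It is not code from the Dutch DPA, and the order export, the access log, the column names and the `patient=` log field are all constructed for the illustration. It also handles one edge case the text does not spell out: the same customer written with different capitalisation or stray spaces in the email address must still be counted once.

```python
"""Count breached data records versus distinct data subjects.

Added example, not from the Dutch DPA page. Both sample inputs below are
constructed: an order export from a web shop (one row per purchase) and an
access log from a hospital (one line per access event). Each row or line is
one data record; the data subject is the customer (by email) or the patient
(by patient id).
"""
import csv
import io

# Constructed sample: three orders placed by two distinct customers. The
# second customer's email is written differently in two rows.
ORDER_EXPORT = """order_id,ordered_at,email,name,amount
1001,2024-03-01T10:15:00,a.jansen@example.org,A. Jansen,39.95
1002,2024-03-02T08:30:00,b.devries@example.org,B. de Vries,12.50
1003,2024-03-04T17:05:00, B.DeVries@Example.org ,B. de Vries,80.00
"""

# Constructed sample: three access events on two patients' files. The
# "patient=" field name is an assumption made for this example.
ACCESS_LOG = """2024-03-01T10:15:01 user=dr.smith patient=P-0001 action=read
2024-03-01T10:16:10 user=dr.smith patient=P-0002 action=read
2024-03-01T11:00:00 user=nurse.k patient=P-0001 action=read
"""


def normalise_email(value: str) -> str:
    """Strip whitespace and lower-case so one person is counted once."""
    return value.strip().lower()


def count_csv_records(text: str, subject_column: str) -> tuple:
    """Return (data_records, distinct_data_subjects) for a CSV export.

    Every row is one data record; the subject is identified by the value in
    subject_column after normalisation.
    """
    reader = csv.DictReader(io.StringIO(text))
    records = 0
    subjects = set()
    for row in reader:
        records += 1
        subjects.add(normalise_email(row[subject_column]))
    return records, len(subjects)


def count_log_records(text: str, subject_key: str = "patient") -> tuple:
    """Return (data_records, distinct_data_subjects) for a key=value log.

    Every non-empty line is one data record; the subject is the value of
    subject_key. The first token (timestamp) carries no key and is skipped.
    """
    records = 0
    subjects = set()
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(token.split("=", 1) for token in line.split()[1:])
        records += 1
        subjects.add(fields[subject_key])
    return records, len(subjects)


if __name__ == "__main__":
    print("orders:", count_csv_records(ORDER_EXPORT, "email"))
    print("access log:", count_log_records(ACCESS_LOG))
```

Run as-is, the order export yields 3 data records for 2 data subjects, and the access log yields 3 data records for 2 data subjects; without the email normalisation the order export would wrongly report 3 subjects.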

Where can I ask questions about the obligation of my organisation to report a data breach to the supervisory authority?

Do you want to ask the Dutch DPA a question about reporting data breaches? Then you can call 088 - 1805 255. You pay your usual telephone costs.
