Enhance Contrast

Data breach notification obligation

Since 1 January 2016, the data breach notification obligation has entered into force. This obligation means that organisations (companies as well as governments) must immediately notify the Dutch Data Protection Authority as soon as they experience a serious data breach. And in some cases, they must also report the data breach to the data subjects (the persons whose personal data have been affected).

Policy rules

The Dutch Data Protection Authority has published policy rules which can help organisations determine whether a data breach is in order and if so, whether they must report this breach to the Dutch Data Protection Authority and possibly to the data subjects.


In case of violation of the data breach notification obligation, the Dutch Data Protection Authority may impose an administrative penalty. The maximum amount of the penalty is € 820,000.