This is how you report a data breach

Is there a data breach in your own organisation? Or have you identified a data breach somewhere else in your environment and do you want to give the Dutch DPA a tip-off about it? 

Directly reporting a data breach or giving a data breach tip-off

Do you, as an organisation, have questions about the data breach notification procedure? Call 088 - 1805 255.

The steps for reporting a data breach

1. You report a data breach to the Dutch DPA.
2. You have to do this within 72 hours after becoming aware of the breach.
3. The controller has to report the data breach.
4. You can supplement, adjust or withdraw your notification if desired.
5. The Dutch DPA will usually not give you a response to your notification.
6. You may also be obliged to inform the victims of the data breach.

1. This is where you report a data breach

You can only report a data breach to the Dutch DPA using the Data breach notification form. You can therefore not call us to report your data breach. Nor can you send your data breach notification to us by post or email.

Does it concern a cross-border data breach? Then you report this to the data protection agency in the European member state in which you have your head office.

Note: You cannot report a data breach to the DPO of your organisation. It is useful, however, to involve the DPO in the handling of the data breach. The DPO may, for example, advise you on informing the victims.

You can read in the Privacy statement on reporting a data breach how the Dutch DPA handles your personal data when you report a data breach.

Data breach notification obligation under the Dutch Telecommunications Act

Do you offer public communication services? Then you also report your data breach to the Dutch DPA. You use the same Data breach notification form that you also use for reporting the other data breaches.

Preparing a data breach notification

Do you want to take a look at the questions from the notification form before you fill in the form? And collect the required information in advance? Then take a look at the Questionnaire for the data breach notification form.

Tip: You can also use the questionnaire for making a step-by-step plan using which you can report a (future) data breach as timely and completely as possible.

Explanation of the notification form

In the data breach notification form you can find an explanation on what you have to fill in. In addition, there are the following tips:

• You are asked how many data records (data registers) have been affected by the breach. A data record is a record of information about a specific person. A data record may contain several (categories of) personal data. View examples of what 1 data record is.
• Do you want to keep the notification for your own records? Then save or print out the notification. You do this as soon as you have sent the notification. You will be shown a confirmation of receipt on your screen immediately. You can save or print out your notification using the buttons below the confirmation of receipt. Note: once you have sent the notification, you can no longer access it online.
• The confirmation of receipt also contains your notification number. If you do not retain your notification, note down the notification number. You need the notification number for supplementing, adjusting or withdrawing your notification. Also state the notification number in any correspondence about your notification with the Dutch DPA.
• Do you receive an error notification or see an empty screen after sending the form? Then your notification may not have been processed due to a technical problem. You will have to fill in and send the notification again in that case.

2. These are the deadlines for reporting a data breach

You have to report a data breach to the Dutch DPA within 72 hours after becoming aware of the breach. Have you discovered a possible data breach? Then you do not have to report the data breach immediately. You only have to do this after becoming aware of the data breach.

‘Aware’ means that you can be reasonably certain that a security incident has resulted in the infringement of the reliability, integrity and/or availability of personal data. In that case, you may be obliged to report the data breach.

The moment of becoming aware can sometimes be quite clear. At other times, it may take a while before it can be established whether personal data have been affected by the incident. However, you have to investigate the incident immediately to determine whether there is a data breach. And if this is the case:

• take measures to put a stop to the data breach;
• report the data breach if you are required to do so.

Follow-up notification in the case of a complex breach

Does it concern a complex breach, such as an incident caused by ransomware or phishing? And do you not have all information yet? Then you still have to submit your first notification within 72 hours. So do not wait until the investigation into the data breach has been concluded. If new information turns up, you can submit a follow-up notification.

Late notification

Are you late with your data breach notification? Then you have to give a reason for this. The Dutch DPA accepts a late notification (after 72 hours) in exceptional cases only. Reasons that are not valid are for example: weekend, holiday, illness or being (too) busy.

‘The DPO was informed too late about the data breach’ is not a valid reason either. The DPO of an organisation is not responsible for reporting a data breach in a timely fashion. This is always the responsibility of the organisation itself. This is why it is your responsibility to ensure that your employees report incidents in a timely fashion to the right person within your organisation.

Consequences of no or late notification

If you fail to respond adequately to a data breach, the adverse consequences for the victims may become greater. In addition, it may have consequences for the image of your organisation. If you do not take action fast enough or if you do not take any action at all if there is data breach, you run the risk that:

• You are guilty of an offence. Because you possibly fail to report a data breach to the Dutch DPA and to the victims, or fail to report it in time, while you have a legal obligation to do so. The Dutch DPA may receive tip-offs from your customers, citizens, employees, etc. that there has been a data breach in your organisation. Did you not report this data breach, while you may have been obliged to do so? Then the Dutch DPA may initiate an investigation.
• Your customers, citizens or employees discover that you wrongly did not inform them about a serious data breach of their personal data. This may harm the trust in your organisation.

3. Who has to report a data breach

Under the General Data Protection Regulation (GDPR), the controller is the person who has to report a data breach.

Multiple controllers

Do you work in a partnership? Then there may be joint responsibility with multiple controllers. In that case, you agree in joint consultation who reports the data breach to the Dutch DPA and who informs the victims.

You can use the existing arrangements you have made about compliance with the GDPR, apart from the data breach notification obligation. Which partner ensures, for example, that data subjects can exercise their privacy rights, such as the right of access and the right to rectification?

It is also important that you look at what the joint data management looks like. Where could any data breaches occur, which partners need to know this, and how do you ensure that they will be informed in time? Make arrangements about these things as well.

Arrangement with processor

Do you as a controller use a service of another organisation to process personal data on your behalf? Then this organisation acts as your processor.

Is there a data breach at this processor? And are the data that the processor processes on your behalf (also) affected by this data breach? In principle you have to report the data breach to the Dutch DPA yourself.

You can also agree with your processor that this party reports data breaches to the Dutch DPA on your behalf. In that case, you will have to authorise the processor explicitly for this purpose and record the arrangements in writing, for example in the processing agreement.

You can also authorise your processor to inform the victims about the data breach. But the Dutch DPA does not recommend this. In most cases, the data subjects do not have a direct relationship with your processor. That is why it could be confusing for them if they are approached by a different organisation.

This is how you report a data breach as a processor

As a processor, you may have agreed with your client(s) that you will report data breaches to the Dutch DPA. In that case, the client(s) is/are the controller(s). Here you can read which rules apply.

Do you as a processor report a data breach on behalf of 1 controller? Pay attention to the following then:

• You report the data breach in the name of the controller.
• You state the name of your organisation under '3.3 Other organisation'.
• You state under ‘Explanation’ that you have been authorised in writing to report the breach on behalf of the controller.
• The details of the person making the report are those of an employee of the processor, i.e. of your own organisation.
• The contact person in the notification is an employee of the controller, i.e. a contact person of your client.

Do you as a processor report as data breach on behalf of multiple controllers? Then the following points apply additionally:

• You submit a separate data breach notification to the Dutch DPA on behalf of each controller.
• You submit each data breach notification in the name of the relevant controller.
• You also indicate for how many other controllers the data breach reported applies. For example, with a consecutive number.

4. Supplementing, adjusting or withdrawing a data breach notification

Do you want to change something in your data breach notification after you submitted it? For example, because you want to pass on additional information? That is possible. 

You can supplement, adjust or withdraw your original notification using the Data breach notification form. 

You need the notification number of your original report for this purpose. This number can be found in the copy of your report that you could save or print out when you submitted the notification.

Do you not have the notification number? Then you can request the number from the Dutch DPA by calling 070-8888 500. 

5. This is what the Dutch DPA does with your data breach notification

If the Dutch DPA has received your data breach notification, these are the steps that are taken next.

Response to your notification

In most cases, you do not receive a response from the Dutch DPA to your data breach notification. This means that you have submitted the notification correctly and that the Dutch DPA does not have any substantive questions. If there are questions, the Dutch DPA will contact you within 2 weeks.

This is what the Dutch DPA can do as a follow-up

The supervision by the Dutch DPA of the data breach notification obligation is risk-driven. This means that the Dutch DPA mainly focuses on those data breaches that entail the greatest risks for the victims. 

The Dutch DPA uses an algorithm for classifying data breach notifications according to seriousness: Risk-driven prioritisation of data breach notifications. This algorithm does not use personal data.

The more serious the data breach notification, the sooner and the more comprehensively the Dutch DPA will handle that notification. In the end, the Dutch DPA looks at all data breach notifications. Depending on your specific situation, the Dutch DPA may then:

• Oblige you to inform the victims when you wrongly failed to do this.
• Initiate an investigation in the case of a possible infringement of the notification obligation. For example, if you have failed to report a data breach. Or if you reported it too late.
• Make a request for information. For example, for requesting the report of your investigation into the data breach.
• Call you for more information about the data breach.
• Call you to provide you with additional explanation and advice.
• Send you a letter with additional explanation of the rules and what you have to do in the event of data breaches.
• Close the notification. We do this when your notification shows that you have correctly complied with the data breach notification obligation and have taken sufficient measures for preventing new breaches.

Your data breach notification may also be a reason for the Dutch DPA to initiate an investigation into compliance with the GDPR. This may also concern your notification in combination with other notifications.

Registering and sharing notifications

The Dutch DPA stores your notification in a register with all notifications received on data breaches. This register is not public because it is important that data about the security of the data processing or about leaked personal data remain confidential.

Sometimes the Dutch DPA may share data breach notifications, though:

• With organisations for scientific or statistic research. The Dutch DPA will then take measures to avoid needless provision of personal data and to safeguard the confidentiality of the data breach notifications.
• With other supervisory authorities with which the Dutch DPA has a collaboration agreement. The Dutch DPA will only do this when necessary.
• The Dutch DPA may pay attention to (individual) data breaches in annual reports or other publications.
• Is a data breach publicly known? Then the Dutch DPA will confirm any notification of the data breach if the media ask for it. The Dutch DPA does this to be transparent and to show that the reporting organisation complies with the data breach notification obligation. This is important, as it will allow the Dutch DPA to check if the victims of the data breach are sufficiently enabled to protect themselves against the consequences of the data breach. Conversely, the Dutch DPA will always communicate in response to questions from the press if an organisation has failed to report a data breach (if this has been confirmed) within the statutory period of 72 hours. The Dutch DPA will not discuss substantive details of the data breach.

6. Informing victims

Do you have to inform the victims as well? You can find information about this at: This is how you inform victims of a data breach.

This is how you contact us if you have any questions

Do you have a question about reporting data breaches? Then you can call 088 - 1805 255. You pay your usual telephone costs.

Note: This number is only intended for organisations that have questions about the data breach notification process. Are you a DPO with a general, substantive question about data breaches? Then you can contact us through our special DPO contact channels.