Victim of a data breach? This is what you can do
Did you receive a message from an organisation that your data have been leaked? Or do you suspect that there has been a data breach at a specific organisation? Then you can read on this page what you can do.
Is there a data breach in your own organisation? Or have you identified a data breach somewhere else in your environment and do you want to give the Dutch DPA a tip-off about it?
Directly reporting a data breach or giving a data breach tip-off
This is what you can do if you are a victim
Have you received a message from an organisation that your personal data have been affected by a data breach? For example, from your bank or telecom company? First take a good look at exactly what has been leaked about you. Next, you can do the following:
Change your password
Have your email address and password been leaked? Then change your password, just to be sure. Do you use the same password on other websites? Then change the password on those websites as well, because criminals try leaked combinations of email address and password on other services too.
Be alert to phishing
Phishing is a form of fraud in which criminals try to obtain information about you, such as login details, credit card information, PIN codes or information from your identity document. They do this, for example, by sending a fake email. The more personal data criminals already have about you, the more genuine such a message may seem.
Therefore, be very careful when you receive emails, WhatsApp messages, text messages or phone calls in which someone claims to be contacting you on behalf of a specific organisation and, for example, asks you to pass on data, or to click on a link and then enter your data on a website that looks trustworthy.
Always check whether you are really dealing with that organisation. Do you not trust it? Then hang up or delete the message. You can then contact the organisation yourself. And do not click on a link without a good reason; instead, go to the organisation's website yourself.
You can find out whether an email that you have received may be a phishing mail by taking a good look at what is in the mail:
- Does the sender's email address correspond with the name of the organisation? Look carefully at what comes after the @ sign.
- Is there a general salutation in the mail, such as ‘Dear Sir/Madam’, or is your (full) name actually used? Note: your name may also have been derived from your email address. So even an email with your name in the salutation can still be a phishing mail.
- Is there a request in the mail to click on a link to ‘supplement’ or ‘check’ your data?
- Are you put under pressure to take swift action? Or are you promised something that is too good to be true?
This is how you recognise and prevent identity fraud
One of the risks after a data breach is identity fraud. In the case of identity fraud, criminals abuse your data to impersonate you. For example, by:
- buying things in your name without paying;
- taking out a loan in your name;
- taking out a telephone subscription in your name.
Tip: After a data breach, keep an eye on your bank account for irregularities and watch your email for order confirmations of purchases that you did not make.
Combination of data
Not all data breaches enable identity fraud. There is not much that a fraudster can do with an isolated piece of data (e.g. only a BSN, the Dutch citizen service number). It is the combination of data that matters. That is why it is a risk, for example, if a copy of your identity card has been leaked.
Tip: Be careful with what you post on social media and elsewhere on the Internet. The more information about you is publicly available, the easier it is for a fraudster to find additional data about you and combine them with the leaked data.
Victim of identity fraud
Have you become the victim of identity fraud?
- Report this to the Central Identity Theft and Error Reporting Centre (CMI). The CMI helps you resolve the consequences of identity fraud.
- In addition, report the identity fraud to the police.
More information about identity fraud
If you want to know more about identity fraud, read:
- the brochure ‘Do not give fraudsters a chance: Identity fraud’ from the Dutch Ministry of the Interior and Kingdom Relations (in Dutch);
- the page on identity fraud on the website of the police (in Dutch);
- the page on identity fraud on the website of the Dutch central government.
Compensation for a data breach
Have your data been affected by a data breach? And have you suffered damage as a result? Then you may be entitled to compensation.
Under Article 82 of the GDPR, you are entitled to compensation if you suffer damage because an organisation acts contrary to the GDPR and the organisation can be blamed for this.
An organisation is not liable if it proves that it is not in any way responsible for the data breach that caused your damage.
The fact that a data breach has taken place does not automatically mean that the organisation has acted contrary to the GDPR. Not every data breach can be attributed to the organisation within which it took place.
Types of damage
You can claim compensation for both financial damage and immaterial (non-material) damage. The law does not define in concrete terms what immaterial damage is. You may suffer immaterial damage, for example, if your honour has been harmed or your reputation has been tarnished.
Claiming compensation
A claim for compensation is assessed by a civil court. The Dutch DPA does not play a role in this. The Dutch DPA cannot give you information or advice on assessing the damage and on the amount of the compensation.
Tip off the Dutch DPA about a data breach
Do you suspect that there has been a data breach at a specific organisation? Then you can submit a data breach tip-off to the Dutch DPA about this possible breach. However, it is important that you first inform the organisation itself about the possible data breach.
An organisation can only do something about a data breach if it knows about it. And only once the organisation has become aware of the data breach can it be obliged to report the breach to the Dutch DPA and to the victims.
This is how you prevent a data breach
Organisations are responsible for the proper protection of your personal data. Nevertheless, a data breach can happen to any organisation, for example as a result of human error. Fortunately, there are also things that you can do yourself to limit, as much as possible, the damage if your data are exposed in a data breach. This is what you can do:
- Do not use the same password everywhere. You can use a password manager for this purpose. A password manager stores and protects your passwords and can also create strong, unique passwords for you.
- Does an organisation offer a login method in which you have to enter not only your user name and password, but also an additional code, for example one sent by text message or generated by an authenticator app? Then use this method. This is called multifactor authentication or MFA. With MFA, a leaked password alone is not enough to log in to your account.
- Pay attention to who is asking for your data and how. Stay in control of your data. Does a company, for example, ask for data that it does not need to provide a service to you? Then do not give that data.
- Use your privacy rights. Ask organisations, for example, to erase certain data about you. The less data organisations hold about you, the lower the risk you run.