Under the Bill on Data Breach Notification (Wetsvoorstel Meldplicht datalekken en uitbreiding bestuurlijke boetebevoegdheid Cbp), the data controller will be obliged to immediately notify the Dutch Data Protection Authority of any security breaches that have or are likely to have serious adverse consequences for the protection of personal data. A yet-to-be-adopted royal decree will specify when the new law will enter into force, but the Dutch DPA anticipates that the effective date will be 1 January 2016.
Companies that do not comply with the Dutch DPA’s investigations or violate specific articles of the Dutch Data Protection Act can be fined up to EUR 810,000 or 10% of their annual net turnover. The fine is not limited to the net turnover of a company’s establishment in the Netherlands and could include global revenues. The explanatory memorandum to the Act on extension of possibilities to combat financial economic crimes states that the revenue from all goods produced or delivered or services provided by an enterprise is taken into account, irrespective of where the revenue is realised.
The new provisions are further highlighted in our Legal Alert of 28 May 2015.