On January 1st, 2016, the Netherlands brought into effect a new law which makes it compulsory for Data Controllers to report a data breach to the Dutch Data Protection Authority (DPA). In addition, the DPA may also issue direct fines of up to €820,000 for violations of the Data Protection Act.
Data Breach Notification will be mandatory where the loss of data could have adverse consequences for data subjects. An exception applies where the data is encrypted or otherwise unintelligible to third parties.
On 9th December 2015, the DPA published practical guidance, courtesy of Hunton Privacy Blog, on when a Data Breach Notification should occur.
Interestingly, the new fines may be triggered when there has been a failure to report a data breach to the DPA.