
16-12-2015

Higher privacy violation sanctions and duty to notify data breaches effective as of 1 January 2016

Earlier this year proposed amendments to the Dutch Data Protection Act ("DPA") were adopted that will enter into force on 1 January 2016. Amongst others, the amendments include a substantial increase of applicable sanctions (up to a maximum of EUR 810,000 or 10% of the annual (global) turnover of a company) and the introduction of an obligation to notify data breaches and leakages to the Dutch Data Protection Authority ("DDPA") and the data subjects involved.

Anticipating the increased sanctions and new data breach notification requirement, companies are advised to review compliance with the requirements of the DPA.

Increase of the applicable sanctions
The DPA applies to the protection of personal data, being any information relating to an identified or identifiable natural person. The DPA includes several requirements with respect to personal data including (amongst others):

  • requirements with respect to the grounds for collecting and processing personal data;
  • the obligation to notify data processing to the DDPA (unless an exemption applies);
  • rules on the data subject's right to be informed about the processing, to obtain a copy of the personal data processed about him and to have such data corrected;
  • restrictions with respect to the processing of sensitive personal data (e.g. medical data, personal identification numbers and data relating to religion and race);
  • rules regarding outsourcing the processing of personal data; and
  • rules regarding the export of personal data to countries outside the European Union.

Please note that the DPA is also applicable with respect to intra-group transfers and processing of personal data (for example in connection with the centralized processing of salary payments and/or intra-group CRM systems).

Currently, the DDPA may impose relatively limited fines (EUR 4,500) and/or an order subject to a penalty in the event of a violation of a limited number of provisions of the DPA.

As of 1 January 2016, however, the DDPA may impose fines of up to EUR 810,000 or 10% of the annual turnover of a company (which may be calculated on the basis of global annual turnover) for breaches of a large number of requirements under the DPA. In principle, a fine will only be imposed after the DDPA has first issued a binding instruction that the company has failed to comply with (in time or properly); this prior instruction is not required in the event of serious culpable negligence or wilful misconduct.

In addition to the sanctions that may be imposed by the DDPA, the DPA also provides for civil enforcement by data subjects and for certain criminal enforcement measures.

Duty to notify data breaches
As of 1 January 2016, companies have the duty to notify the DDPA without delay of any data breach that has, or is likely to have, serious adverse effects on the protection of personal data. A data breach may result from a security breach of computer systems, but equally from the theft or loss of a USB stick or laptop containing personal data. Under certain circumstances the company must also inform the data subjects involved.

Failure to comply with these notification duties may itself result in a fine of up to EUR 810,000 or 10% of the annual turnover of the company.

Review compliance with the DPA
Companies are advised to review their data processing activities for compliance with the requirements of the DPA, particularly in view of the substantial fines that may be imposed as of 1 January 2016. Special attention is required for intra-group transfers and for the outsourcing of data processing (for example to SaaS providers or in connection with cloud services). Existing processor agreements may also need to be revised so that processors are contractually required to report security incidents promptly, enabling the company to meet its own data breach notification obligations.

If you have any questions with respect to privacy and/or personal data protection, please do not hesitate to contact us.

Key contacts

Philip ter Burg

Partner | Lawyer
+31 (0)70 318 4828