The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, (the “Dutch DPA”)) announced that it had expanded its guidance on data breaches.

The update seeks to answer inquiries and questions about data breaches received by the Dutch DPA from organizations since 2016, says a news reportOutlined in the update is that both companies and governments must immediately report to the AP as soon as they have a serious data breach and that people affected by the data breach be notified as well. 

The Dutch DPA says it has developed practical tools to help organizations and government agencies understand what to do in the event of a data breach, including videos and information sheets with tips on how to maintain a data breach register, a guide on how to take action in the event of a breach and risks associated with data breaches and a list of examples indicating whether or not a data breach is notifiable, says the report. 

The Dutch DPA indicated that it will continue to provide guidance on various topics related to the EU General Data Protection Regulation, including guidance on how companies must comply with data subject rights requests,  processor agreements, processing of data from (sick) employees and the principles for processing personal data.