Organisations risk a fine of €450,000 for not reporting data breaches


Organisations that process personal data risk a fine of up to €450,000 if they fail to report data breaches, under a bill that State Secretary Teeven of Security and Justice sent to the lower house of parliament (Tweede Kamer) on Friday.

Under the bill, the reporting obligation applies to both private and public organisations that process personal data. They must report to the Cbp any breach of which ‘it can reasonably be assumed that it leads to a significant risk of loss or unlawful processing of personal data’. Non-compliance with the reporting requirement carries a fine of up to €450,000, which the Cbp can impose. An earlier draft of the proposal for the obligation to report data breaches, published last December, mentioned a maximum fine of 200,000 euros.

According to the State Secretary, it is not necessary for the breach to be the result of poor security. “Think, for example, of a hack of an IT system containing personal data, or the theft of a laptop or mobile phone from a locked locker,” said Teeven. Other examples the State Secretary refers to are the loss of a mobile phone or USB stick, and careless handling of passwords.

The State Secretary has deliberately kept his proposal quite broad, to prevent data leaks from falling outside the reporting obligation. Among others, the ICT sector’s trade association, ICT~Office, had urged a limited scope for the law, so that only ‘severe cases’ would be covered. Bits of Freedom, by contrast, wanted a more general approach in which every data leak falls under the reporting requirement where it can be related to unauthorised access.

The disadvantage of the chosen scheme is that a very large number of reports can be expected. However, the bill provides for a ‘provision to remove unnecessary notifications, in combination with informative action by the Cbp’, which is not explained further.