The data breach notification requirement has become one of the most discussed parts of privacy legislation in recent years. Incidents involving ransomware and other cyber attacks, but also plain human error, make it clear that data breaches are no longer an exception. The obligation to report not only forces organizations to be transparent towards the regulator and stakeholders, but also forms an essential part of responsible data management within the digital society.
The former European Privacy Directive contained no obligation to report data breaches. The Netherlands anticipated the arrival of the AVG (the Dutch name for the GDPR) in 2016 by including the reporting obligation in the Personal Data Protection Act (Wbp). Since the introduction of the AVG in 2018, this obligation applies directly under articles 33 and 34 AVG. The obligation to report is thus harmonized within the EU, and the same rules and deadlines apply in all member states.
The AVG uses the term personal data breach. According to article 4(12) AVG, that is "a breach of security that results in the accidental or unlawful destruction, loss, alteration or unauthorized disclosure of or access to personal data." In practice, this is referred to as a data breach.
Examples include:
A cyber attack or ransomware in which personal data is captured.
A misdirected e-mail containing confidential customer information.
Unauthorized access by employees to personal data within their organization.
Data controllers must report a data breach to the Autoriteit Persoonsgegevens (AP) within 72 hours of discovery, unless it is unlikely that the incident poses a risk to the rights and freedoms of data subjects. If not all information is yet known, a preliminary report may be made first. The final information must then be completed within four weeks.
If a data breach is likely to pose a high risk to the rights and freedoms of natural persons, the data subjects must also be informed immediately (Article 34 AVG). This is the case, for example, with the loss of unencrypted medical data or login credentials.
A notification to data subjects may be omitted if:
the data were effectively encrypted or otherwise unintelligible to unauthorized persons;
measures have been taken that have eliminated the risk; or
an individual notification would require a disproportionate effort, in which case a public notice will suffice.
When a processor (such as a cloud service or IT provider) discovers a data breach, it must report the incident immediately to the controller, in accordance with article 33 paragraph 2 AVG. The processor itself does not report to the AP or to data subjects, but it must be contractually agreed within what period and in what way the processor notifies the controller.
The Autoriteit Persoonsgegevens actively monitors compliance with the reporting obligation. Violation can lead to high fines: up to 10 million euros or 2% of the worldwide annual turnover (Article 83 paragraph 4 AVG). In addition to financial penalties, the AP can also impose other measures, such as directions or periodic penalty payments.
As of 2025, organizations are seeing an increase in the number of reported data breaches, due in part to increased cybercrime, the use of AI tools and more complex supply chain processing. Transparency and rapid internal follow-up are crucial. The reporting obligation is therefore not just a legal requirement, but a touchstone for the data awareness and resilience of organizations in an increasingly digital Europe.