No. You only need to notify data subjects (the individuals whose data you process) if a data breach is likely to pose a high risk to their rights and freedoms. Can you make it plausible that this is not the case? Then you do not have to report the data breach to the data subjects.
Please note that you may have to report the data breach to the Autoriteit Persoonsgegevens. If this is the case, you should indicate in your report that you did not report the data breach to those involved. As justification for this, you state the reasons for not informing those involved.
To determine whether a data breach poses a high risk to the data subjects, you must consider, among other things, whether the data breach could result in physical, material or immaterial damage to the data subjects. Such as: discrimination, (identity) fraud, financial damage and reputational damage.
More information can be found in Chapters III and IV of the Data Breach Notification Guidelines.
