The provider of a publicly available electronic communications service shall notify the Autoriteit persoonsgegevens without delay of any breach of security referred to in Article 11.3 that adversely affects the protection of personal data processed in connection with the provision of a publicly available electronic communications service in the European Union.
The provider referred to in the first paragraph shall immediately notify the person whose personal data is affected of a personal data breach if the breach is likely to adversely affect his or her privacy.
The notification to the Autoriteit persoonsgegevens and the person whose personal data is affected shall include at least the nature of the personal data breach, the authorities where more information on the breach can be obtained, and the recommended measures to mitigate the negative consequences of the breach.
The notification to the Autoriteit persoonsgegevens shall also include the consequences of the personal data breach and the measures the provider proposes or has taken to address the breach.
If the provider of a public electronic communications service does not give a notification as referred to in the second paragraph, the Autoriteit persoonsgegevens may, if it considers that the personal data breach is likely to adversely affect the privacy of the person whose personal data is affected, require the provider to still notify that person of the breach.
The notification referred to in the second paragraph shall not be required if, in the opinion of the Autoriteit persoonsgegevens Authority, the provider has implemented appropriate technical protection measures that make the personal data in question encrypted or otherwise unintelligible to any person not entitled to access that data.
The provider of a public electronic communications service shall keep a record of all breaches related to personal data. This record shall include at least the facts and the data referred to in the third paragraph.
Further rules may be issued by or pursuant to general order in council regarding the information and notification requirements referred to in this article.
Regulations based on this article (delegated regulations)
No
Policies and circulars that have this article as legal authority
No
Articles or similar text referring to this article
Besluit aanwijzing toezichthouders Telecommunicatiewet en eidas-verordening Autoriteit Persoonsgegevens
article: 1
Decree mandate, power of attorney and authorization Autoriteit Persoonsgegevens
article: 3
Data breach notification obligation Personal Data Protection Act
annex: 1
Telecommunications Act
article: 15.1
Amendments to the Personal Data Protection Act, etc. (mandatory data breach notification and extension of administrative fine power of Cbp)
Art: IV
(14-07-2020)
|
Effective date |
Retroactivity |
Subject |
Signature |
Announcement |
Chamber documents |
Signature |
Announcement |
Note |
|
through 25-05-2018 |
modification |
2018 |
2018 |
|||||
|
modification |
2015 |
2015 |
||||||
|
modification |
2013 |
2013 |
||||||
|
new |
2012 |
2012 |
||||||
