Data breaches

A data breach is a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of or unauthorised access to personal data that has been transmitted, stored or otherwise processed. For an incident to be classified as a ‘personal data breach’, the involvement of malicious intent is irrelevant.

In principle, all data breaches must be reported to the Dutch Data Protection Authority within 72 hours of being identified. Only those data breaches which are unlikely to result in a risk to the rights and freedoms of natural persons are exempt from the notification requirement.

If it has been determined that the personal data breach is likely to result in a high risk to data subjects, then these data subjects must also be notified of the data breach.

The data subject does not need to be notified if:

  • appropriate technical and organisational protection measures have been taken, for example in the form of data encryption;
  • subsequent measures have been taken which eliminate the identified risks to data subjects;
  • communication to data subjects would involve disproportionate effort. In that case, a public communication is sufficient.

Source: Handleiding Algemene verordening gegevensbescherming, p.64 (in Dutch). You can consult the latest version via

A data breach can take various forms. For an incident to be classified as a data breach, it does not matter whether or not malicious intent is involved. Sending a letter/email containing personal data to the wrong person can also be regarded as a data breach by the Dutch Data Protection Authority.

Examples of data breaches include (not an exhaustive list):

  • Sending a letter/email containing personal data to the wrong person;
  • loss of data carriers/documents containing personal data (including when these are secured with a password);
  • theft of data carriers/documents containing personal data;
  • unauthorised access to personal data, e.g. employees who access students' personal data without authorisation or malicious hackers who gain access themselves;
  • documents/files containing personal data that can be accessed due to carelessness.

Data breaches can be reported to the ICTS Service Desk by emailing or calling 020- 5951402. Outside office hours, please email

Records are kept of all incidents and their handling.

Published by  Communication 24 October 2022