Contributed by Vondst Advocaten N.V.
Cyber-security is primarily addressed in the Wbni, which implements the NIS Directive in the Netherlands. Cyber-security breaches should be notified to the Dutch Minister of Security and Justice and, in most cases, to the competent regulator, which differs per sector.
Data breaches are primarily regulated by the GDPR and the Implementation Act. In addition, sector-specific legislation applies.
Article 34 of the GDPR provides for a notification requirement in the event of data breaches relating to personal data. In the Netherlands, personal data breaches should be notified to the AP, and, depending on the severity of the breach, the data subjects involved. Pursuant to Article 42 of the Implementation Act, financial institutions are exempted from this notification requirement, as they are already subject to a notification requirement laid down in sector-specific rules.
Article 11.3a of the Dutch Telecommunications Act sets out the notification requirement for providers of public electronic communication services. These providers have to notify security breaches that have adverse effects on the personal data processed in connection with the provision of their services to the AP, and, depending on the severity of the breach, to the individuals involved.
The EDPB has provided guidance on the notification requirement in its 2018 guidelines on personal data breach notification under the GDPR (WP 250 rev 01). The AP publishes statistics on all reported data breaches on its website.
The Wbni applies to certain services provided by digital service-providers, operators of essential services and operators of other vital services. Relevant operators and services are assigned in the Bbni. The providers and operators concerned are required to take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems that they use in their operations or in the context of offering their services as referred to in the NIS Directive.
The Wbni contains a notification requirement for digital service providers to notify the competent authority or the CSIRT without undue delay of any incident having a substantial impact on the provision of the service they offer as referred to in the Directive. Operators should notify the competent authority and the Dutch National Cyber Security Centre (‘Nationaal cyber security centrum’) (NCSC), part of the Dutch Ministry of Security and Justice, of incidents having a significant impact on the continuity of the essential services they provide.
Pursuant to Article 4 of the Bbni, the security and notification requirements set forth in the Wbni are not applicable to certain credit institutions, central counterparties and operators of trading venues, as they are already subject to similar security and notification requirements set forth in sector-specific laws.
Security and notification requirements with respect to personal data are set forth in the GDPR, as well as in the Dutch Telecommunications Act. Security and notification requirements applicable to financial institutions are also set forth in sector-specific laws and regulations.
The overarching national cyber-security agency in the Netherlands is the NCSC. The NCSC is the Computer Emergency Response Team (CERT), also known as the CSIRT, for the Dutch government. Its primary target groups are the vital infrastructure (eg, energy, water and telecom) and the government. The NCSC publishes guidance on cyber-security-related topics on its website, including, recently, on co-ordinated vulnerability disclosure.
The NCSC co-operates with ENISA, which is the centre of expertise for cyber-security in Europe.
Personal data breaches within the meaning of the GDPR should be notified to the AP, using the online data breach notification web form that is available on its website (in Dutch only).
The AP has stated in its principles for supervision for 2018-2019 that it will focus on unreported data breaches and on data breaches caused by, or related to, serious shortcomings in security. All principles for supervision are published on the AP’s website.
Article 4 of the Wbni assigns the competent regulators per sector for cyber-security incidents.
Financial institutions as referred to in the Dutch Financial Supervision Act (‘Wft’) should notify supervision incidents, including cyber-security incidents and data breaches, to the financial supervisor, DNB. Certain types of supervision incidents should be notified to another financial regulator, the AFM.
Within the DNB, a separate expert centre named ‘Expertisecentrum Operationale & IT-risico’s’ is established, which specialises in the operational and IT risks at pension funds and insurance companies. Last year’s focus point of this expert centre was cyber-security.
Under the former Data Protection Act, the AP published a guideline on data security on the internet in which it refers to commonly deployed, technology-neutral security standards, including the Code for Information Security (NEN-ISO/IEC 27002:2007 and NEN-ISO/IEC 27001:2005). For the healthcare sector, it refers to standard NEN 7510. Examples given of commonly deployed, technology-specific security standards are the Payment Card Industry Data Security Standard (PCI DSS), the National Institute of Standards and Technology (NIST) standard for cloud computing and the NCSC guidelines on IT security for web applications and for mobile devices. The NCSC has also published its 2018 whitepaper on the development of secure software.
The AP refers to commonly deployed standards in the context of its investigations into security measures taken by controllers, including in its investigation report on the use by the Employee Insurance Agency (‘UWV’) of multi-factor authentication for access to the UWV’s online employers portal.
There is no statutory requirement to implement a written information security plan or programme, incident response plan, or insider threat programme under Dutch law. In addition, there is no statutory requirement to appoint a chief information security officer, or the equivalent, to involve the board of directors in privacy-related matters, to conduct vulnerability scanning, penetration tests, or vendor and service provider due diligence or to provide training on handling personal data. Nevertheless, it is best practice in the Netherlands to do so. For example, implementing a written information security plan and conducting vulnerability scanning and penetration tests could be part of the appropriate security measures taken to comply with the GDPR, and, if applicable, the Wbni or other sector-specific laws and regulations. The implementation of an incident response plan could help to comply with data breach and cyber-security notification requirements under Dutch and EU laws.
The GDPR requires controllers, however, to conduct a DPIA for certain types of processing operations. The EDPB has provided guidance on this matter in its 2017 guidelines on DPIA and determining whether processing is “likely to result in a high risk for the purposes of the GDPR” (WP 248). Moreover, the GDPR requires certain categories of controllers to appoint a DPO.
As the Netherlands is an EU member state, EU Directives and Regulations apply there, including the GDPR, the NIS Directive, Regulation 45/2001 and Directive 2016/680. In addition, Dutch companies can rely on the EU-US Privacy Shield Framework for trans-Atlantic transfers of personal data to participating US companies.
The chair of the AP participates in the EDPB, an EU body with legal personality that consists of the chairs of the national DPAs and the European Data Protection Supervisor. Key tasks of the EDPB are to settle disputes between national DPAs and to give advice on key concepts of the GDPR and the Police Directive, including by adopting guidelines.
In addition, a representative of the AP participates in the International Working Group on Data Protection in Telecommunications (IWGDPT), which consists of national DPAs worldwide, scientists and international organisations. The IWGDPT aims to improve the protection of personal data in new (communication) technology, including the internet.
The GDPR, Implementation Act and Wbni do not provide for affirmative security requirements, such as certification or external audits.
In general, Member States, the supervisory authorities, the EDPB and the European Commission must encourage the establishment of voluntary data protection certification mechanisms and of data protection seals and marks, to demonstrate that processing operations are in compliance with the GDPR, and appropriate safeguards exist in the context of data transfers (Article 42 of the GDPR). There are as yet no GDPR certification bodies accredited in the Netherlands. Applications for accreditation should be submitted to the Dutch Council for Accreditation (‘Raad voor Accreditatie’) (RvA), which is appointed as an accreditation body (within the meaning of Article 43 of the GDPR, pursuant to Article 21 of the Implementation Act).
Member States, supervisory authorities, the EDPB and the European Commission must encourage the drawing up of codes of conduct for the purpose of specifying the application of the GDPR (Article 40). The AP has published requirements that submitted codes of conduct must comply with on its website. The EDPB is expected to provide further guidance on codes of conduct under the GDPR.
Furthermore, Article 30 of the GDPR requires parties to implement adequate technical and organisational measures, such as a process for regularly testing, assessing and evaluating the effectiveness of the measures implemented and the ability to ensure confidentiality, integrity, availability and resilience of processing systems and services.
Under the former Data Protection Act, the AP provided guidance on adequate security measures that are still relevant in daily practice, such as in its 2017 guidance on patient data in the cloud, and its 2013 policy guidelines on data security on the internet. In this latter guideline, the AP encourages controllers to pay close attention to security and to implement a ‘plan-do-check-act’ cycle. Guidance can also be derived from the AP’s 2007 guidance document ‘Publication of personal data on the Internet.’
The security of network and information systems of operators of essential services and digital service providers is primarily governed by the NIS Directive, which has been implemented in the Wbni.
Articles 14 and 16 of the NIS Directive do not prescribe specific technical and organisational measures to be taken to secure network and information systems. Operators of essential services and digital service providers must take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems that they use, as well as to prevent and minimise the impact of incidents. What is appropriate and proportionate depends on the state of the art, and the risk posed. The aforementioned requirements are implemented in Articles 7 and 8 of the Wbni.
Sector-specific legislation contains further security requirements.
The ENISA and the NCSC regularly publish analyses and recommendations relating to critical networks and systems.
A personal data breach is defined in Article 4(12) of the GDPR. Depending on the risk to the rights and freedoms of natural persons of the personal data breach concerned, controllers must notify personal data breaches to the AP and data subjects (Articles 33 and 34 of the GDPR). In the Netherlands, the obligation to notify data subjects about such breaches does not apply to financial enterprises within the meaning of the Dutch Financial Supervision Act.
Article 33(5) of the GDPR requires controllers to document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken.
Sector-specific legislation contains further data breach notification requirements. The Wbni also contains notification requirements with respect to incidents affecting the security of the network and information systems of operators of essential services and digital service providers. The Dutch authority that is competent under the Wbni shall work in close co-operation with the AP when addressing incidents resulting in personal data breaches in the Netherlands (Article 15 of the NIS Directive).
The notification requirement under the GDPR applies to breaches concerning personal data. The notification requirement under the NIS Directive applies to incidents, meaning “any event having an actual adverse effect on the security of network and information systems” affecting the security of network and information systems used by digital service providers or operators of essential services.
The notification requirement under the GDPR applies to any breaches concerning personal data, irrespective of the system used to process personal data.
The notification requirement under the NIS Directive, as implemented in the Wbni, applies (in brief) to network and information systems used by digital service providers or operators of essential services.
General data protection principles and standards concerning security apply to (personal data processed in the context of) medical devices. In addition, medical devices and in vitro diagnostic medical devices must have CE markings, to signify that they have been assessed to meet high safety, health and environmental protection requirements.
Currently, medical devices are governed by the Dutch Act on medical devices. The Act implements European legislation on medical devices, active implantable medical devices and in vitro diagnostic medical devices.
It should be noted that Regulation (EU) 2017/745 on medical devices and Regulation (EU) 2017/746 on in vitro diagnostic medical devices, which are directly applicable in the Netherlands, entered into force in 2017 and will apply after a transitional period of three and five years respectively. Both Regulations require that, for devices that incorporate software or for software that is a device in itself, the software must be developed and manufactured in accordance with the state of the art, taking into account the principles of the development life cycle, risk management (including information security), verification and validation. Both Regulations also require manufacturers of devices to set out the minimum requirements concerning hardware, IT network characteristics and IT security measures, including protection against unauthorised access, that are necessary to run the software as intended. Moreover, sponsors of applications for clinical investigations, or of devices intended to be used in the context of interventional clinical performance studies or other performance studies involving risks for the study subjects, shall draw up certain documentation, including a signed statement by the natural or legal person responsible for the manufacture of the investigational device that the device in question conforms to the general safety and performance requirements, and a description of the arrangements made to comply with the applicable rules on the protection and confidentiality of personal data.
The Dutch National Institute for Public Health and the Environment (RIVM) has recently published a letter report on apps under the medical devices legislation on its website, in which it elaborates on the upcoming Regulations for medical devices.
Where personal data concerning health will be processed on a large scale in the context of the medical device, the controller must conduct a DPIA (Article 35 of the GDPR).
The ArtWP29 provided guidance on processing in the context of smart devices in general in its 2013 opinion on apps on smart devices (WP 202). Although this document has not been explicitly endorsed by the EDPB, it is still relevant in daily practice.
General data protection principles and standards concerning security apply to Industrial Control Systems, including SCADA systems.
ENISA has published a report listing most of the applicable standards on its website.
General data protection principles and standards concerning security apply to (personal data processed in the context of) the Internet of Things.
The ArtWP29 has issued guidance on this topic in Opinion 8/2014 on Recent Developments on the Internet of Things (WP 223). The ArtWP29 stressed that the IoT raises important security challenges and concerns, due to the substantial privacy risks that security breaches relating to IoT devices and platforms can entail. Security-related recommendations include:
The opinion has not been explicitly endorsed by the EDPB, but it can still be useful in daily practice.
In addition, ENISA has published several guidance documents on IoT security on its website, including the 2019 study ‘IoT Security Standards Gap Analysis.’
The GDPR and the Dutch Telecommunications Act primarily regulate the notification of personal data breaches to Dutch government authorities.
Controllers must notify personal data breaches to the AP, without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons (Article 33 of the GDPR).
Providers of public electronic communication services have to notify a breach of the technical and organisational measures taken for the safety and security of their networks and services to the AP, if such breach has negative consequences for the protection of personal data processed in connection with the provision of public electronic communication services (Article 11.3a (1) of the Dutch Telecommunications Act).
The GDPR, the Implementation Act and the Dutch Telecommunications Act primarily regulate the notification of personal data breaches to individuals.
Controllers must notify a personal data breach in clear and plain language to data subjects, without undue delay, if a breach is likely to result in a high risk to the rights and freedoms of natural persons (Article 34 of the GDPR). They can refrain from notifying data subjects in the event that any of the conditions set forth in Article 34(3) of the GDPR are met.
Controllers that are financial institutions are exempted from this notification requirement, as they are already subject to a notification requirement laid down in sector-specific rules (Article 42 of the Implementation Act).
Providers of public electronic communication services must immediately notify a breach of the technical and organisational measures taken for the safety and security of their networks and services to individuals concerned, if the breach is likely to have unfavourable consequences for the individual’s personal privacy (Article 11.3a(2) of the Dutch Telecommunications Act).
The GDPR primarily regulates the notification of personal data breaches to other companies or organisations.
Companies or organisations acting as processors must report personal data breaches to the controller without undue delay after becoming aware of a personal data breach, in order to let the controller examine the breach and, if required, timely notify the AP and data subjects (Article 33(2) of the GDPR).
Furthermore, the notification of personal data breaches to other companies or organisations can be required by contract.
Network monitoring and other cyber-security defensive measures are generally permitted in accordance with the applicable rules laid down in the GDPR. Where the monitoring takes place in the workplace, applicable employment law should be taken into account as well. Moreover, applicable sector-specific law should be complied with, including the Dutch Telecommunications Act.
The AP has investigated the use of deep packet inspection by several Dutch mobile operators. Deep packet inspection is used to analyse data traffic on the mobile network, such as data on visited websites and used apps, inter alia to detect and solve network problems. In its 2013 reports, the AP clarified that collected traffic data should be deleted as soon as possible after collection or irreversibly anonymised, and that the principle of transparency should be adhered to.
As discussed above, the AP has developed guidelines for monitoring the internet and email usage of employees, and the ArtWP29 has published several guidelines on the use of monitoring measures in the employment context that may still serve as a useful starting point when dealing with monitoring-related questions.
In accordance with the NIS Directive, as implemented in the Wbni, competent authorities and CERTs are in charge of receiving and spreading information on cyber threats and attacks.
Discuss any significant audits, investigations or penalties imposed for alleged cyber-security violations or data security incidents or breaches.
As discussed above, the AP imposed a penalty on Uber for violating data breach notification obligations in 2018.
According to a report by the AP on personal data breach notifications received in 2018, it received 20,881 personal data breach notifications in 2018, and information on 62 cross-border personal data breaches from other DPAs. The AP has announced that personal data breaches that are not notified in accordance with the GDPR are a focus point for 2019, and that violation of the notification requirement will more often result in sanctions. In its report, the AP indicates what actions it has taken in follow-up to data breach notifications, including giving advice to companies (eg, about security measures to be implemented), requesting additional information concerning the personal data breach reported, sending a letter explaining the applicable rules, initiating discussions with companies on the applicable rules and opening an investigation in follow-up to a data breach notification.