Contributed By Vondst Advocaten N V
A personal data breach is defined in Article 4(12) of the GDPR. Depending on the risk that the breach poses to the rights and freedoms of natural persons, controllers must notify personal data breaches to the AP and to the data subjects concerned (Articles 33 and 34 of the GDPR). In the Netherlands, the obligation to notify data subjects of such breaches does not apply to financial enterprises within the meaning of the Dutch Financial Supervision Act.
Article 33(5) of the GDPR requires controllers to document all personal data breaches, including the facts relating to the breach, its effects and the remedial action taken, so that the AP can verify compliance.
Sector-specific legislation contains further breach notification requirements. The Wbni, which implements the NIS Directive in the Netherlands, requires operators of essential services and digital service providers to notify incidents affecting the security of their network and information systems. The Dutch authority that is competent under the Wbni must work in close co-operation with the AP when addressing incidents that result in personal data breaches in the Netherlands (Article 15 of the NIS Directive).
The notification requirement under the GDPR applies to breaches concerning personal data. The notification requirement under the NIS Directive and the Wbni applies to incidents, meaning “any event having an actual adverse effect on the security of network and information systems”, where those systems are used by digital service providers or operators of essential services.
The notification requirement under the GDPR applies to any breaches concerning personal data, irrespective of the system used to process personal data.
The notification requirement under the NIS Directive and the Wbni, by contrast, applies (in brief) only to the network and information systems used by digital service providers or operators of essential services.
General data protection principles and standards concerning security apply to (personal data processed in the context of) medical devices. In addition, medical devices and in vitro diagnostic medical devices must carry a CE marking, which signifies that they have been assessed as meeting high safety, health and environmental protection requirements.
Currently, medical devices are governed by the Dutch Act on medical devices. The Act implements European legislation on medical devices, active implantable medical devices and in vitro diagnostic medical devices.
It should be noted that Regulation (EU) 2017/745 on medical devices and Regulation (EU) 2017/746 on in vitro diagnostic medical devices, which are directly applicable in the Netherlands, entered into force in 2017 and will apply after transitional periods of three and five years respectively. Both Regulations require that, for devices that incorporate software and for software that is a device in itself, the software be developed and manufactured in accordance with the state of the art, taking into account the principles of the development life cycle, risk management (including information security), verification and validation. Both Regulations also require manufacturers to set out the minimum requirements concerning hardware, IT network characteristics and IT security measures, including protection against unauthorised access, that are necessary to run the software as intended. Moreover, sponsors of applications for clinical investigations, and sponsors of applications for interventional clinical performance studies or other performance studies involving risks for the subjects of the studies, must draw up certain documentation, including a signed statement by the natural or legal person responsible for the manufacture of the investigational device that the device conforms to the general safety and performance requirements, and a description of the arrangements made to comply with the applicable rules on the protection and confidentiality of personal data.
The Dutch National Institute for Public Health and the Environment (RIVM) has recently published a letter report on apps under the medical devices legislation on its website, in which it elaborates on the upcoming Regulations for medical devices.
Where personal data concerning health will be processed on a large scale in the context of the medical device, the controller must conduct a DPIA (Article 35 of the GDPR).
The ArtWP29 provided guidance on processing in the context of smart devices in general in its 2013 Opinion 02/2013 on apps on smart devices (WP 202). Although this document has not been explicitly endorsed by the EDPB, it remains relevant in daily practice.
General data protection principles and standards concerning security apply to Industrial Control Systems, including SCADA systems.
ENISA has published a report listing most of the applicable standards on its website.
General data protection principles and standards concerning security apply to (personal data processed in the context of) the Internet of Things.
The ArtWP29 has issued guidance on this topic in Opinion 8/2014 on Recent Developments on the Internet of Things (WP 223). The ArtWP29 stressed that the IoT raises important security challenges and concerns, because security breaches relating to IoT devices and platforms can entail substantial privacy risks, and the opinion sets out a number of security-related recommendations.
The opinion has not been explicitly endorsed by the EDPB, but it can still be useful in daily practice.
In addition, ENISA has published several guidance documents on IoT security on its website, including the 2019 study ‘IoT Security Standards Gap Analysis.’
The GDPR and the Dutch Telecommunications Act primarily regulate the notification of personal data breaches to Dutch government authorities.
Controllers must notify personal data breaches to the AP, without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons (Article 33 of the GDPR).
Providers of public electronic communication services must notify a breach of the technical and organisational measures taken for the safety and security of their networks and services to the AP, if such a breach has negative consequences for the protection of personal data processed in connection with the provision of public electronic communication services (Article 11.3a(1) of the Dutch Telecommunications Act).
The GDPR, the Implementation Act and the Dutch Telecommunications Act primarily regulate the notification of personal data breaches to individuals.
Controllers must notify a personal data breach to data subjects, in clear and plain language and without undue delay, if the breach is likely to result in a high risk to the rights and freedoms of natural persons (Article 34 of the GDPR). They may refrain from notifying data subjects where any of the conditions set out in Article 34(3) of the GDPR is met.
Controllers that are financial enterprises within the meaning of the Dutch Financial Supervision Act are exempted from this notification requirement, as they are already subject to a notification requirement laid down in sector-specific rules (Article 42 of the Implementation Act).
Providers of public electronic communication services must immediately notify a breach of the technical and organisational measures taken for the safety and security of their networks and services to individuals concerned, if the breach is likely to have unfavourable consequences for the individual’s personal privacy (Article 11.3a(2) of the Dutch Telecommunications Act).
The GDPR primarily regulates the notification of personal data breaches to other companies or organisations.
Companies or organisations acting as processors must report personal data breaches to the controller without undue delay after becoming aware of them, so that the controller can assess the breach and, if required, notify the AP and the data subjects in time (Article 33(2) of the GDPR).
Furthermore, the notification of personal data breaches to other companies or organisations can be required by contract.