Organisations are making more and more use of digital solutions, not only for various business processes, but also to connect all kinds of devices via the internet. It is very important that business processes are not disrupted and that no personal data is left where unauthorised personnel or third parties can access it.


The obligation to report data protection breaches and information security incidents came into force in the Netherlands on 1 January 2016. In addition, part of the Data Processing and Cybersecurity Notification Obligation Act came into force as of 1 October 2017. This Act also contains a notification obligation regarding security breaches or loss of integrity of electronic information systems. This notification obligation only applies to providers of products or services whose availability and reliability are of vital importance to Dutch society. Examples are hospitals, utility companies and banks.

Personal data security

Every organisation is obliged to adequately secure personal data against loss or unlawful processing. This obligation does not only mean that IT systems or connections must be secured technically, but also that organisational measures must be taken. Security of personal data is an enforcement priority for the Dutch Data Protection Authority.

Want to know more?

Our specialists are well informed about the legal cybersecurity framework and personal data security. A data breach or cyber-attack can lead to considerable costs, directors’ and officers’ liability, fines and claims for damages. Our specialists will gladly advise you on how to limit the risks.

If you have any questions or would you like more information, please feel free to contact us. We will be happy to help you.