Report Data Breach

An obligation to report a personal data breach has been included in the General Data Protection Regulation (GDPR). Organizations are obliged to notify their data protection authority (in the Netherlands this is the Dutch Data Protection Authority) about serious personal data breaches, and, in some cases, also the data subjects (the persons involved).

Via this webpage, employees, hired employees, clients and research partners of CentERdata and CentERdata’s data processors can easily report a personal data breach.

A personal data breach must be reported as quickly as possible to the Data Protection Officer (DPO) of CentERdata (privacy@centerdata.nl). Employees and temporary staff of CentERdata are obliged to report a personal data breach within 6 hours. Please note: this concerns clock hours, not working hours!

Frequently Asked Questions

What is a personal data breach?

A breach of security that accidentally or unlawfully leads to unauthorized or unintended access to personal data. This includes the destruction, the loss, the change or the disclosure of the data.

There are three types of personal data breaches:

  • Confidentiality: unauthorized or unintentional disclosure of or access to personal data;
  • Integrity: unauthorized or unintentional change of personal data;
  • Availability: unauthorized or accidental loss of access to or destruction of personal data.

Examples of personal data breaches are:

  • A lost USB stick;
  • A stolen laptop;
  • An e-mail is sent with all e-mail addresses in the CC instead of the BCC;
  • A break-in by a hacker;
  • A malware infection;
  • A calamity (such as a fire) in the data center.

What is personal data?

Personal data is any data that can be used to identify a person. You can think of:

  • Names and addresses
  • Telephone numbers and e-mail addresses
  • Login credentials
  • Social security number
  • Gender
  • Special categories of personal data (e.g. race, ethnicity, religion, and health data)
  • A combination of background information from respondents

What if I’m not sure if a personal data breach has occurred?

Every breach of security must be registered internally. In case of doubt, act as if there is a serious personal data breach. Better safe than sorry!

Why must a personal data breach be reported within 6 hours?

A personal data breach must be reported to the supervisory authority within 72 hours. By reporting a personal data breach within 6 hours, CentERdata still has more than enough time to investigate the circumstances of the personal data breach.

If CentERdata has the role of processor, we can report the personal data breach to the controller in time.

What happens after my report?

CentERdata’s DPO examines the report and subsequently determines whether the controller, the supervisory authority and/or the data subjects must be informed. The DPO can also request additional information.

Employees, temporary staff, clients, research partners, and suppliers are expected to provide all information necessary to inform the right authorities and people.