Report Data Breach

The duty to report data breaches came into effect on 1 January 2016. This duty to report entails that organizations, upon encountering a serious data breach, must issue a report to the Autoriteit Persoonsgegevens (the Dutch Personal Data Authority) within 72 hours.

Using this web page and form, employees, payroll employees (hiring staff, freelancers), clients and research partners of CentERdata and suppliers who process personal data for CentERdata can report a data breach in an easy manner.

Employees, payroll employees, research partners and suppliers must report a data breach as soon as possible and no later than six hours after discovery to the CentERdata Information Security & Privacy Officer. Please note: these are clock hours and not working hours!

Click here to fill in the CentERdata form 'Report Data Breach'. The completed form will be sent to the CentERdata Information Security & Privacy Officer and the submitter.

Contact details CentERdata Information Security & Privacy Officer: Eric Balster

Frequently Asked Questions

What is a data breach?

There is a data breach if:

  • Personal data has been lost in a security incident, or
  • You cannot reasonably exclude unlawful processing of personal data.

Some elements of this definition may require an explanation:
 

Security Incident

There is a security breach, whereby confidential information is or may become at risk. For example:

  • The loss or theft of USB storage media, DVD or CD-ROM.
  • The loss or theft of a laptop, smartphone or tablet.
  • Sending e-mails in which e-mail addresses of recipients are visible to other recipients (other than reply to all).
  • A directory accidentally left open for a whole weekend.
  • A malware infection.
  • A disaster such as a fire or burglary at the data centre.
  • An attack by a hacker.

Personal data

Personal data is any data that can identify a person, for example:

  • Name, address and place of residence.
  • Telephone numbers.
  • Email addresses or other addresses for electronic communication.
  • Access or identification data (e.g. login name / password or customer number or panel ID / respondent number of TNS NIPO base members).
  • Financial data (e.g. account number, credit card number).
  • Dutch Citizen Service Number (BSN) or social security number.
  • Passport copies or copies of other identity documents.
  • Gender, date of birth and/or age.
  • Sensitive personal data (e.g. race, ethnicity, criminal records, political beliefs, trade union membership, religion, sexual orientation, medical data).
  • A combination of background information of respondents.

Unlawful processing

This includes the impairment of personal data and noting, modifying or disclosing personal data without consent.

What if I'm not sure if there has been a data breach?

When in doubt (for example, because it is unclear if any personal data has been lost) act if there has indeed been a data breach. It is better to report once too many times than once too few!  

Why do I have to report the data breach within six hours?

Employees, payroll employees, research partners and suppliers must indeed report a data breach at CentERdata within a shorter period than the 72 hours prescribed by the Autoriteit Persoonsgegevens. The reason for this is that CentERdata needs the time to determine if:

  • there is a data breach that needs to be reported to the Autoriteit Persoonsgegevens;
  • the data breach concerns the personal data of its clients, who in turn must be informed within 24 hours, because our clients need time to file a report to the Autoriteit Persoonsgegevens.

What happens after I filed my report?

The CentERdata Information Security & Privacy Officer will look into the report and will then decide if the Autoriteit Persoonsgegevens, the client or the person whose personal data has been breached should be informed. The CentERdata Information Security & Privacy Officer can halt the processing of personal data (both internally and with the supplier) and ask for additional information.

Employees, payroll employees, research partners and suppliers are expected to provide all information to inform the proper authorities and persons, but they themselves do not report to the Autoriteit Persoonsgegevens and do not inform any clients or other concerned parties.