The duty to report data breaches came into effect on 1 January 2016. This duty to report entails that organizations, upon encountering a serious data breach, must issue a report to the Autoriteit Persoonsgegevens (the Dutch Personal Data Authority) within 72 hours.
Using this web page and form, employees, payroll employees (hiring staff, freelancers), clients and research partners of CentERdata and suppliers who process personal data for CentERdata can report a data breach in an easy manner.
Employees, payroll employees, research partners and suppliers must report a data breach as soon as possible and no later than six hours after discovery to the CentERdata Information Security & Privacy Officer. Please note: these are clock hours and not working hours!
Click here to fill in the CentERdata form 'Report Data Breach'. The completed form will be sent to the CentERdata Information Security & Privacy Officer and the submitter.
Contact details CentERdata Information Security & Privacy Officer: Eric Balster
There is a data breach if:
Some elements of this definition may require an explanation:
There is a security breach, whereby confidential information is or may become at risk. For example:
Personal data is any data that can identify a person, for example:
This includes the impairment of personal data and noting, modifying or disclosing personal data without consent.
When in doubt (for example, because it is unclear if any personal data has been lost) act if there has indeed been a data breach. It is better to report once too many times than once too few!
Employees, payroll employees, research partners and suppliers must indeed report a data breach at CentERdata within a shorter period than the 72 hours prescribed by the Autoriteit Persoonsgegevens. The reason for this is that CentERdata needs the time to determine if:
The CentERdata Information Security & Privacy Officer will look into the report and will then decide if the Autoriteit Persoonsgegevens, the client or the person whose personal data has been breached should be informed. The CentERdata Information Security & Privacy Officer can halt the processing of personal data (both internally and with the supplier) and ask for additional information.
Employees, payroll employees, research partners and suppliers are expected to provide all information to inform the proper authorities and persons, but they themselves do not report to the Autoriteit Persoonsgegevens and do not inform any clients or other concerned parties.