Please note: as of 25 May 2018, the General Data Protection Regulation (GDPR) applies. The GDPR is the most extensive EU privacy legislation to date. The statutory obligation to report data breaches continues to apply under the GDPR. Read more about our GDPR commitment.
When you process personal data, or share it with third parties, the Data Breach Notification Act (Wet meldplicht datalekken) applies. Since 1 January 2016 the Dutch Data Protection Authority (Autoriteit Persoonsgegevens), which monitors compliance, can impose fines of up to €820,000 or 10% of annual turnover per violation. It is the Responsible Party, the party responsible for the processing of the personal data, that is fined, regardless of where the breach occurred: a breach can happen anywhere, including at the data room provider or at an adviser.
Virtual Vaults is prepared for an audit by the Dutch Data Protection Authority. You are in safe hands with us because we have the following in order:
The security of our platform is the foundation of everything we do. We achieve this through a combination of measures; for more information, please read here.
We focus on preventing incidents. Should an incident nevertheless occur, our incident management procedure takes effect; this procedure follows the guidelines of the Dutch Data Protection Authority. You will be notified within 12 hours of our discovering the incident. That leaves you the remainder of the statutory 72-hour reporting window to determine for yourself whether an actual data breach has occurred that must be reported.
A Data Processing Agreement is included in our general terms and conditions; together with our Incident Management Procedure, it describes how we notify you when a data breach occurs.
The Act speaks of a data breach when personal data is lost, or when unlawful processing of the data cannot reasonably be excluded. Unlawful processing includes unauthorised access to, or disclosure of, the data. A data breach is therefore not limited to a hacker gaining access to personal data. Losing a USB stick on the train, or sending a mailing with the recipients' addresses in the CC field instead of the BCC field, also counts as a data breach.
Responsible Party and Processor
The Act calls you, as the party that processes the personal data and determines what is done with it, the Responsible Party (the "controller" in GDPR terms). Every third party, including buyers and advisers, that you allow to work with this personal data is a so-called Processor. As a data room provider, Virtual Vaults is also a Processor.
The Act calls the people whose data has been breached the Parties Involved (the data subjects). When a data breach is likely to have adverse consequences for the private life of the Parties Involved, you must also notify those individuals of the breach without delay.
The Responsible Party, as the party responsible for the processing, must report any possible data breach to the Dutch Data Protection Authority within 72 hours of discovery, including when the incident occurs at a Processor. That is why you must agree with each Processor that it reports an incident to you within 12 hours of its own discovery. That leaves you enough time to carry out the investigation needed to determine whether this is a data breach that must be reported. See also "Data Processing Agreement" below.
Once you have officially reported a possible data breach, the Dutch Data Protection Authority may carry out an audit. This inspection of the Responsible Party and its Processors examines whether their processes are in order and therefore under control. If the Authority finds the processes of either the Responsible Party or a Processor unsatisfactory, it holds the Responsible Party liable for the data breach and can impose a considerable fine.
Data Processing Agreement
A Processor is not required to report a data breach to the supervisory authority itself. The Processor is, however, required to make sure that its clients can report the breach to the supervisory authority in time. That is why written agreements must be made establishing how, and within what time, the Processor notifies its clients when a data breach is discovered. These agreements can be laid down in a Data Processing Agreement.
This text is based on: