Data Breach Notification Bill

Please note: as of May 25th, 2018, the General Data Protection Regulation (GDPR) applies. The GDPR is the most extensive EU-Privacy Legislation up to now. The statutory obligation to report data breaches still applies. Read more about our GDPR commitment.


Data Breach Notifications Bill: avoid fines


When you process or share personal data with third parties, the Data Breach Notifications Bill applies. As of 1 January 2016, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) that monitors compliance, can issue fines that can run as high as € 820,000 or 10% of the annual turnover for each violation. The Responsible Party - responsible for the processing of the personal data - is fined, regardless of the location of the data breach. A breach can occur anywhere, also at the data room provider or the adviser.

With Virtual Vaults you will be safe

Virtual Vaults can withstand an audit by the Dutch Data Protection Authority. You are safe with us because we have the following affairs in order: 

  • Our platform

The security of our platform is the foundation for everything we do. We achieve this thanks to a combination of steps; for more information, please read here. 

  • Prevention and Incident Management

We focus on the prevention of incidents. Should an incident unexpectedly occur, our incident management procedure will go into effect, and this procedure corresponds perfectly with the guidelines set by the Dutch Data Protection Authority. Within 12 hours of discovering the incident, you will be sent a notification. You will, therefore, have ample time to determine for yourself whether an actual data breach has occurred which must be reported.

  • Legal

A Data Processing Agreement has been included in our general terms and conditions, and together with our Incident Management Procedure, it describes how we will notify you when a data breach occurs.

Dolf Helmann Wet Datalekken

Are you interested in discussing this subject further?

Please contact Dolf Helmann.

  06 - 38 38 80 42

Explanation of the Data Breach Notification Bill

The Bill refers to a data breach when personal data is lost, or the unlawful processing of the data cannot be reasonably excluded. Unlawful processing is also meant to include unauthorised access or issuance of the data. So a data breach is not limited to when a hacker gains access to personal data. The loss of a USB stick in the train, or sending a mailing with addresses in the CC field instead of the BCC field are also considered to be data breaches.


Responsible Party and Processor 

The Bill refers to you as the processor of the personal data as the Responsible Party. Every third party, including buyers and advisers, whom you allow working with this personal data is considered to be a so-called Processor. As a data room provider, Virtual Vaults is also a Processor.


Parties Involved

The Bill refers to those people whose data has been breached as Parties Involved. When a data breach is likely to have adverse effects on the private life of the Parties Involved, then you are required to notify those individuals about the breach immediately.


Required reporting

The Responsible Party - as the processor of the personal data - is required to report any possible data breaches to the Dutch Data Protection Authority within 72 hours after discovery and also when the incident occurs with the Processor. That is why you must conclude with the Processor that he/she reports an incident within 12 hours after discovery by the Processor. The latter will give you sufficient time to carry out the necessary research to determine whether this a data breach that must be reported. Please also see the "Data Processors Agreement" below.



Once you have officially reported a possible data breach, the Dutch Data Protection Authority will always carry out an audit. This inspection of the Responsible Party and the Processors will examine whether their processes are in order and therefore under control. When the Authority determines that the processes of either the Responsible Party or the Processor are unsatisfactory, it will hold the Responsible Party liable for the data breach and can issue a considerable fine.


Data Processors Agreement

A processor is not required to report a data breach to the supervisor. The processor is, however, required to make sure that his/her clients can report this to the supervisor in a timely fashion. That is why written agreements must be made that establish how the clients will be notified by the processor when a data breach is discovered. These agreements can then be included in a Data Processors Agreement.


This text is based on: 

Policy regulations for the application of Article 34a of the Personal Data Protection Act (Dutch)

This website ( uses cookies and similar technologies for functional and analytical purposes. These are not linked to the Virtual Vaults data room platform. By closing this message, or by continuing to use this website, you agree to our Cookie Policy.