On 1 January 2016, two important changes were made to Dutch data protection law. Under the revised law, data processors are required to notify the Dutch Data Protection Authority (“DDPA”) (and on some occasions the data subjects concerned) in the event of a personal data security breach. As of the same date, administrative fines can be imposed for a breach of the Dutch Data Protection Act. These fines can be up to EUR 810,000 or, in the case of a legal entity, 10 percent of the annual turnover. Employers can be data processors, so they should make sure that they meet the Dutch employee data protection rules, particularly if data are stored in, transferred to, or accessible from locations abroad or if they are shared with third parties.
Considering the new risk of fines, employers should ensure that their internal privacy policies are in line with the guidelines provided by the DDPA.