Data Breach Reporting in the Netherlands: The 72-Hour Decision Tree

Steven | TrustYourWebsite · 6 April 2026

A data breach does not have to involve a hacker. An employee accidentally forwarding a spreadsheet of customer email addresses to the wrong person is a data breach. Ransomware encrypting your files is a data breach. A laptop with unencrypted client data stolen from a car is a data breach.

Under Articles 33 and 34 of the GDPR, you may have to report the breach to the AP (Autoriteit Persoonsgegevens) within 72 hours. The clock starts when you become aware of the incident — not when it happened.

The Decision Tree

Work through these questions in order.

Step 1: Did a breach of personal data occur?

A breach means accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.

Yes if any of these happened:

  • Hacking or unauthorized access to your systems
  • Ransomware or malware that accessed customer data
  • Accidentally emailing personal data to wrong recipients
  • A device containing personal data (laptop, USB, phone) was lost or stolen
  • A database containing personal data was publicly exposed
  • A service provider you use suffered a breach affecting your customers' data
  • Personal data was deleted by mistake and cannot be recovered

No if the event did not involve personal data (e.g., your website was defaced but no customer data was affected, or only your company's own internal information was involved).

→ If No: No reporting obligation. Document the incident internally.

→ If Yes: Continue to Step 2.

Step 2: Is there likely a risk to the rights and freedoms of individuals?

Not every breach needs to be reported. A low-risk breach — for example, a single email address accidentally CC'd to a colleague — generally does not require AP notification.

Consider the risk level:

Factor                    | Lower risk            | Higher risk
--------------------------|-----------------------|-------------------------------------------------------------------
Type of data              | Name, email address   | Financial data, health data, passwords, ID numbers, location data
Number of people affected | 1–5                   | Dozens or more
Nature of exposure        | Internal only         | External, publicly accessible
Sensitivity               | Non-sensitive         | Special category data (health, religion, sexual orientation)
Reversibility             | Notified and resolved | Data already misused or further distributed

Likely no risk: A lost USB drive containing encrypted files with a strong password, where the encryption has not been compromised, poses minimal risk.

Likely risk: An unencrypted database of customer email addresses and passwords was accessed by an unauthorized third party.

→ If no likely risk: No AP notification required, but document the incident internally.

→ If likely risk: You must notify the AP within 72 hours. Continue to Step 3.

Step 3: Is the risk high?

If the breach is likely to result in a high risk to individuals — potential financial loss, discrimination, identity theft, or other serious consequences — you must also notify the affected individuals directly under Article 34 of the GDPR.

High risk indicators:

  • Financial data (bank account numbers, card data) was compromised
  • Health data or special category data was exposed
  • Passwords or authentication credentials were leaked
  • The data has already been misused (fraud detected)
  • The breach affects vulnerable groups (children, medical patients)
  • The data was published publicly or shared with many unauthorized parties

→ If high risk: Notify both the AP (within 72 hours) and the affected individuals (without undue delay).

→ If risk but not high: Notify the AP only. No individual notification required.

The 72-Hour Deadline

The deadline runs from the moment you become aware of the breach. "Aware" means you have sufficient certainty that a breach has occurred — you do not need full details of its scope.

If you cannot complete a full notification within 72 hours, submit an initial notification with what you know, and supplement it with additional information later. The AP accepts phased notifications.

What happens after 72 hours? The AP can impose a fine for late notification. Booking.com was fined €475,000 for reporting a breach 22 days late. The 72-hour rule is taken seriously.

What to Include in the AP Notification

Notify the AP via the data breach portal. You will need:

  1. Nature of the breach — what happened, how it happened
  2. Categories of data — what types of personal data were involved (names, email addresses, financial data, health data)
  3. Number of affected individuals — approximate is acceptable in the initial notification
  4. Number of affected records — approximate
  5. Contact details of your data protection contact (you, or your DPO if you have one)
  6. Likely consequences of the breach
  7. Measures taken or proposed to address the breach and mitigate its effects

If some information is not yet available at the time of the initial notification, indicate when you expect to be able to provide it. The AP may follow up with questions.

Notifying Affected Individuals

When individual notification is required (high-risk breach), the notification must:

  • Be clear and in plain language
  • Describe the nature of the breach
  • Include the contact details of your data protection contact
  • Describe the likely consequences
  • Describe the measures taken to address the breach
  • Include specific advice to reduce the risk (e.g., "change your password immediately")

Contact individuals directly — by email if you have their address, or by postal mail if not. A generic website announcement is not sufficient unless direct contact is impossible.

Internal Documentation: Even When You Don't Report

The GDPR requires you to document all data breaches internally under Article 33(5), even those that do not meet the threshold for AP notification. This internal record must include:

  • Date and time of discovery
  • Description of the breach
  • Types of data affected
  • Number of individuals affected
  • Impact assessment
  • Measures taken
  • Reason for not notifying the AP (if applicable)

This documentation protects you: if the AP later investigates the incident, you can demonstrate that you assessed it and made a reasoned decision.

Practical 72-Hour Checklist

When an incident occurs:

  • Identify the scope: what data, how many people, how it happened
  • Contain the breach: revoke access, reset passwords, isolate systems
  • Assess the risk level using the decision tree above
  • If reportable: open the AP breach portal and submit within 72 hours
  • If high risk: prepare individual notification messages
  • Document everything internally regardless of notification decision
  • Investigate root cause and implement corrective measures
  • Update your breach response procedure to prevent recurrence
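The checklist above, the three-step decision tree, the 72-hour clock and the Article 33(5) record can be captured in a small triage helper so that the first responder records a consistent decision and deadline. The following is an added example, not code from TrustYourWebsite; the data-type sets, the "more than 5 people" cut-off and the rule that an encrypted device with an uncompromised key carries no likely risk are simplifying assumptions drawn from the table and examples in this article, and a real assessment still needs a human judgement call. The sample incidents are constructed.

```python
"""Breach triage helper: walks the three-step decision tree, computes the
72-hour AP deadline from the moment of awareness and fills the internal
record fields. Thresholds and data-type sets are illustrative assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

# Assumed labels for the "Higher risk" column of the risk table.
RISK_DATA = {"financial", "health", "password", "id_number", "location", "special_category"}
# Subset that the article lists as high-risk indicators (Step 3).
HIGH_RISK_DATA = {"financial", "health", "password", "special_category"}
# Assumed cut-off between "1-5" and "dozens or more".
FEW_PEOPLE = 5
AP_WINDOW = timedelta(hours=72)  # Article 33 notification window


class Decision(Enum):
    DOCUMENT_ONLY = "no AP notification; document internally"
    NOTIFY_AP = "notify the AP within 72 hours"
    NOTIFY_AP_AND_INDIVIDUALS = "notify the AP within 72 hours and the individuals without undue delay"


@dataclass
class Incident:
    description: str
    aware_at: datetime             # moment of awareness; starts the 72-hour clock
    personal_data_involved: bool   # Step 1
    data_types: frozenset          # e.g. {"name", "email", "password"}
    people_affected: int
    externally_exposed: bool       # left the organisation or publicly accessible
    data_protected: bool = False   # strong encryption, key not compromised
    already_misused: bool = False  # fraud or onward distribution observed
    vulnerable_group: bool = False # children, medical patients
    measures_taken: str = ""


def ap_deadline(aware_at: datetime) -> datetime:
    """Deadline runs from awareness, not from when the breach happened."""
    return aware_at + AP_WINDOW


def step2_likely_risk(inc: Incident) -> bool:
    if inc.data_protected:          # e.g. encrypted USB drive, key safe
        return False
    return (inc.externally_exposed or inc.people_affected > FEW_PEOPLE
            or bool(inc.data_types & RISK_DATA) or inc.already_misused)


def step3_high_risk(inc: Incident) -> bool:
    return (bool(inc.data_types & HIGH_RISK_DATA) or inc.already_misused
            or inc.vulnerable_group)


def triage(inc: Incident) -> dict:
    """Return the notification decision plus the internal record fields."""
    if not inc.personal_data_involved:
        decision, reason = Decision.DOCUMENT_ONLY, "no personal data involved"
    elif not step2_likely_risk(inc):
        decision, reason = Decision.DOCUMENT_ONLY, "personal data involved but no likely risk"
    elif step3_high_risk(inc):
        decision, reason = Decision.NOTIFY_AP_AND_INDIVIDUALS, "high-risk indicators present"
    else:
        decision, reason = Decision.NOTIFY_AP, "likely risk, no high-risk indicators"
    reportable = decision is not Decision.DOCUMENT_ONLY
    return {
        "discovered_at": inc.aware_at.isoformat(),
        "description": inc.description,
        "data_types": sorted(inc.data_types),
        "people_affected": inc.people_affected,
        "impact_assessment": reason,
        "measures_taken": inc.measures_taken,
        "decision": decision,
        "ap_deadline": ap_deadline(inc.aware_at).isoformat() if reportable else None,
        "reason_not_notified": None if reportable else reason,
    }


# Constructed sample incidents mirroring the article's examples.
T0 = datetime(2026, 4, 6, 9, 0, tzinfo=timezone.utc)
SAMPLES = {
    "defaced_site": Incident("Website defaced, no customer data touched", T0, False, frozenset(), 0, True),
    "cc_colleague": Incident("One email address CC'd to a colleague", T0, True, frozenset({"email"}), 1, False),
    "lost_usb": Incident("Encrypted USB drive lost, key safe", T0, True, frozenset({"name", "financial"}), 300, True, data_protected=True),
    "wrong_recipient": Incident("Spreadsheet of 200 customer emails sent externally", T0, True, frozenset({"name", "email"}), 200, True),
    "db_access": Incident("Unencrypted customer DB with passwords accessed by third party", T0, True, frozenset({"email", "password"}), 5000, True, measures_taken="passwords reset, access revoked"),
}

if __name__ == "__main__":
    for name, inc in SAMPLES.items():
        rec = triage(inc)
        print(f"{name}: {rec['decision'].value}; AP deadline {rec['ap_deadline']}")
```

Run it stand-alone to see each sample's outcome; in practice the returned record is what you file internally, and `ap_deadline` is the timestamp to put in your incident ticket the moment the incident is confirmed.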

For security measures to prevent breaches in the first place, see our secure website checklist.


This article is technical analysis, not legal advice. Consult a lawyer for advice specific to your situation.
