Data breaches

A data breach involves the destruction, loss, alteration or unauthorized disclosure of or access to personal data. A data breach must always be reported, unless there is no or little risk to the privacy of those affected.

This risk should be assessed based on the nature of the data (sensitive data, such as data about religion, race or sexual life, carries more weight), as well as the likely harm the breach may cause (e.g., reputational damage). The extent to which data has been leaked also plays a role, as does whether or not there was negligence or bad intent.

The breach must be reported to the Data Protection Agency (DPA), and, if the risk to the privacy of the data subject is high, also to the person affected.

The breach must be reported as soon as possible - but no later than 72 hours after its discovery - to the notification portal of the DPA. If the data breach is not reported, or not reported in time, the DPA can impose fines. (Please note: the link in this paragraph directs to the notification portal of the Dutch DPA).

Laposta

The data processing agreement states that Laposta will notify its customers within 24 hours of the potential data breach. You will then have 48 hours to notify the DPA.

Read more about fines for data breaches here.
