The General Data Protection Regulation (‘GDPR’) entered into force over three years ago. At the time, in our GDPR blog series, we explained the most important changes the GDPR would bring about for organisations, including changes relating to the personal data breach notification and the competence of the national supervisory authorities to impose fines.
In the meantime, quite a few personal data breaches have occurred in the Netherlands. By no means all of these breaches have been reported (on time) to the Dutch Data Protection Authority (‘DPA’) and the data subjects. In a number of cases this has resulted in administrative fines. This was also the case with Booking.com (a fine for late reporting of a data breach) and the PVV Overijssel, a local branch of a Dutch political party (a fine for failure to notify a personal data breach). A number of lessons can be drawn from the recently published fining decisions in these two cases. These will be discussed here. First, we will discuss the recently updated notification form for data breaches.
On Monday 31 May 2021, the DPA published an amended data breach notification form on its website. Changes have been made to the form in response to the comments and observations that the DPA has received in recent years from organisations that have used the notification form.
In the form, organisations are now able to submit bulk reports if there are several similar personal data breaches as a result of a large-scale mailing. However, this currently only applies to a very limited number of organisations. At the moment, there is a pilot in which only pension funds, insurers and banks are allowed to report personal data breaches in bulk. In the future other organisations may also be allowed to apply to the DPA for permission to submit bulk reports.
It is also noteworthy that the form no longer shows all the questions at once, but that new questions are presented each time on the basis of the answers given by the submitter. A number of questions and sections have also been added, including an option to attach relevant accompanying documentation and reports, such as investigation reports and a copy of the notification to the person(s) involved.
Another welcome addition is the save button, which finally makes it possible to save the form and to complete it later. The download button is also new. Previously it was not possible to download a copy of the report form once it had been submitted (except by pressing the print button immediately after submission and saving the form as a PDF file). This has now been changed.
Please note that saving the form in the interim (as a session) does not mean that a report has been sent to the DPA. When saving and loading a session, previously selected attachments are not saved. These will therefore need to be added again.
Finally, the DPA states that a template could be created for common personal data breaches or a breach that occurs frequently in a short period of time, so that certain parts of the form do not have to be filled in again for each report. It is possible that the DPA is referring to the submission of a provisional notification that can be supplemented later, because there does not appear to be a separate template button in the notification form.
Provisional notification and taking notice
By submitting such a provisional notification – also referred to as a pro forma notification or conditional notification – Booking.com (hereinafter “Booking”) could very likely have saved itself an administrative fine of 475,000 EUR. This fine was imposed because Booking had failed to notify the DPA of the personal data breach in time.
In this case the discussion about the moment at which an organisation is deemed to have taken notice of a personal data breach played an important role. This is because this moment is decisive for the moment at which the 72-hour term starts to run, within which a personal data breach must, in principle, be reported to the supervisory authority.
According to the DPA and other European supervisors, a data controller should be deemed to have become aware of a personal data breach when it has a reasonable degree of certainty that a security incident has occurred that has resulted in the compromise of personal data.
Booking considered that it had that reasonable degree of certainty on 4 February 2019 after its Security Team reported the results of its investigation into the incident back to its Privacy Team. As a result of that investigation report, the Privacy Team determined on 6 February 2019 that there was a notifiable personal data breach. That notification was made to the DPA on 7 February 2019 and thus, according to Booking, on time.
The DPA is of the opinion that Booking had already become aware of the personal data breach on 13 January 2019. Indeed, at that time Booking received a second signal that a security incident had occurred that had led to the compromise of personal data processed by Booking. It was informed that a data subject had been asked by telephone for his or her personal data by someone purporting to be a Booking employee, who was aware of the reservation made by the data subject via the Booking platform. Moreover, Booking had previously received a similar signal.
In this respect, Booking had argued that it is not always possible to report within 72 hours, because an investigation into the scope and exact merits of a security incident may take longer than 72 hours. The DPA endorses this view, but draws Booking’s attention to the possibility to make a notification in stages. Therefore, according to the DPA, the thorough investigation referred to by Booking does not justify the delay of the (initial) notification.
The GDPR offers the possibility to notify after 72 hours, but in that case a justification for the delay must be given. From the fining decision concerning Booking it can be concluded that the DPA will critically examine such a justification.
In conclusion, according to the DPA Booking should have made a provisional notification within 72 hours after the security incident. Booking could then have supplemented the notification later with additional information from the investigatory report. If the security incident did not turn out to be a personal data breach after all, Booking could have withdrawn the report afterwards.
External and internal causes
In the case of Booking, the personal data breach was caused by an unknown third party gaining access to Booking’s Extranet. Various personal data of guests that were stored in the Extranet were compromised, such as name and address details, information relating to bookings, correspondence between accommodations and guests and credit card details of guests.
This breach was caused by an external unknown party. Although the number of notifications in response to hacking, malware and phishing incidents rose sharply in 2020 – by 30% compared to 2019 – most personal data breaches are still caused internally. This is because most breaches occur because personal data are sent or handed over to the wrong recipient, according to the DPA’s annual report.
This was also the case with the PVV Overijssel. On 10 January 2019, one of its staff members emailed an invitation to a supporters’ evening to a group of 101 addressees, referred to therein as “friends of the PVV”. The e-mail addresses of the addressees were visible to all invitees in the address line of the e-mail. When the PVV Overijssel subsequently failed to notify this personal data breach to the DPA, this ultimately resulted in a fine. The DPA had been informed of this incident by one of the recipients of the e-mail.
Bear in mind that the DPA may be informed by external parties about a possible personal data breach within your organisation. Therefore, always properly document why you did or did not proceed to notify a breach, so that the DPA is able to check your organisation’s compliance with the personal data breach notification. Your organisation is also obliged to do this under the GDPR.
Amounts of the fines
In the event of a violation of the personal data breach notification, national supervisory authorities may impose administrative fines of up to 10,000,000 EUR or 2% of the total worldwide annual turnover in the preceding financial year, whichever is higher.
The DPA has adopted fining policy rules, in which a violation of the personal data breach notification (Article 33 (1) GDPR) is classified in the third category. The basic fine set by the DPA in this category is 525,000 EUR.
Thus, the same basic fine of 525,000 EUR applied to the violation of the personal data breach notification by Booking (late notification of a personal data breach) as to the violation by PVV Overijssel (failure to notify a personal data breach). Both fines were eventually reduced.
The fine of Booking was eventually reduced because of the damage mitigating measures it had taken. The DPA considers it to be to Booking’s credit that it took mitigating measures and declared itself willing to compensate any damage suffered by the data subjects. The fact that Booking ultimately acted resolutely in this respect, as a result of which the harmful consequences for the data subjects most likely remained limited, is in the opinion of the DPA a reason to reduce the basic fine to 475,000 EUR.
PVV Overijssel had also argued that it had taken measures to mitigate the damages. In its own words, it had immediately adjusted its working methods and processes to prevent such an incident from happening again. The DPA does not consider this a reason to reduce the basic fine. However, the financial circumstances of PVV Overijssel were taken into account. Because of its financial strength, the fine was reduced to an amount of 7,500 EUR. This was despite the fact that the information concerned was about the political preferences of the invitees (and therefore a special category of personal data) and the DPA considered discrimination and damage to reputation to be likely consequences of the personal data breach.
Incident response plan
It follows from the fining decision in the PVV Overijssel case that the political party had indicated towards the DPA that someone would be trained internally about the GDPR. Apparently, this had not yet happened before the security incident. The DPA finds this objectionable, particularly because it involves personal data that reveal political views.
The DPA prefers to see organisations familiarise themselves with the GDPR before the occurrence of a personal data breach. This can be done by drawing up an incident response plan (also called a data breach plan or protocol). In the guidelines on data breaches, the European privacy supervisory authorities explicitly encourage organisations to draw up such a plan.
An incident response plan generally stipulates how to act (internally) when there is a suspicion of a data breach. This might include informing the Data Protection Officer, obtaining legal advice, taking damage mitigating measures, launching an investigation into the nature and scope of the data breach, assessing the risks and reporting to the DPA and possibly also to the data subjects.
Also consider less obvious matters, such as informing the insurer in good time, appointing a press officer or instructing receptionists and customer service staff in the event they are approached with questions about the personal data breach. These are matters that are easily overlooked in the heat of the moment and therefore belong in an incident response plan.
It follows from the fining decision imposed on Booking that it had a so-called “Data Incident Response Policy”. However, Booking had not followed its own policy. The suspicion of the personal data breach had not been immediately forwarded to Booking’s Security Team as described in the policy. The DPA ultimately found that this was no reason to increase the basic fine.
As far as we are aware, neither Booking nor PVV Overijssel has lodged an objection or appeal against the fining decisions. As a result, we will not learn how a judge views these decisions and the DPA’s legal interpretation of the personal data breach notification under the GDPR. Although it is not certain that the DPA applied the rules correctly, a number of lessons can be drawn from the fining decisions. These lessons are particularly important if your organisation wants to avoid any discussions with the DPA.
- Does your organisation strongly suspect the occurrence of a personal data breach, but can this not be established with certainty within 72 hours? Then make a pro forma notification to the DPA.
- Interim storage of the Dutch notification form does not mean that a notification has been sent to the DPA. Storing the form therefore does not qualify as a pro forma notification.
- Be careful with any communications to data subjects and others. Bear in mind that they may lodge a complaint about your organisation with the DPA.
- Make sure that your organisation has a list of contact persons and telephone numbers ready, so that you can quickly reach the right people in case of a personal data breach or a suspicion thereof.
- Draw up an incident response plan, so that you can respond quickly and adequately to a personal data breach and make sure that no important matters are overlooked.
- If your organisation already has an incident response plan in place, act in accordance with it and regularly check whether the plan is still up to date.
- Seek timely legal advice when you receive a request for information from the DPA. Please note that communications with an attorney-at-law (‘advocaat’) are always legally privileged and cannot be retrieved by the DPA afterwards. This does not apply to communications with all lawyers.
- When communicating with your attorney-at-law, make sure that all written material, including e-mails, is marked “confidential”.
- If a fine is imposed on your organisation anyway, always consider whether there are circumstances under which the basic fine can be reduced.