December 14, 2015

Late publication of CBP policies, Netherlands ICT calls for leniency

The Dutch Data Protection Authority has published its new policies for the new data leaks reporting requirement. The reporting requirements is effective as of January 1, 2016, which means companies now have three weeks to align their internal policies and contracts with processors with the final policies. Nederland ICT believes this term is way too tight and hopes for leniency from the CBP in enforcing the law.

The Data Leaks Reporting Requirement Act was adopted by the Senate in June 2015. The law obliges companies to report violations of personal data protection that may have serious adverse consequences for those involved. In addition, the CBP will be granted the power to impose fines amounting to up to € 810,000. The law is a means of preventing data leakages, emphasises CBP chairman Jacob Konhstamm during the presentation of the policies.

Nederland ICT supports the government’s intention to improve the protection of personal data and believes the requirement act is a good way of achieving this. However, this does require clear rules and thus legal certainty for companies. The legal text did not provide this clarity, which would be further explained in policies. CBP has given Nederland ICT the opportunity to comment on earlier versions of these policies.

The definitive policies are still being studied by Nederland ICT at the time of this publication. Based on this, in the near future we will be creating an exemplary processing agreements, serving as a tool for ICT companies to tailor their agreements with customers on these new reporting requirements.

The policies can be downloaded from the CBP’s website.


back to news overview