
Data Breach Procedure
Private Holding B.V.

1. Introduction

Private Holding B.V. processes personal data and is responsible for protecting that data. In the event of a personal data breach, Private Holding B.V. must act promptly and comply with the notification obligations set out in the General Data Protection Regulation (GDPR). This procedure describes how Private Holding B.V. handles a data breach.

2. Identification of a Data Breach

2.1 Definition

A data breach is a security incident that leads to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or unauthorized access to, personal data.

2.2 Examples of Data Breaches

  • Loss or theft of a laptop, USB stick, or smartphone containing personal data.
  • An email containing personal data sent to the wrong recipient.
  • A hack of a database containing customer information.
  • Unauthorized access to systems containing personal data.
  • Accidental public disclosure of sensitive customer data.

3. Reporting Procedure

3.1 Internal Reporting

As soon as a (potential) data breach is discovered, it must be reported immediately to the Data Protection Officer (DPO):
Mr. G.B. van de Kraats
Email: contact@privateholding.company

3.2 Documentation

The following details must be recorded:

  • Date and time of discovery of the data breach, and how it was discovered.
  • Nature and scope of the breach (which categories of personal data are involved, and approximately how many individuals?).
  • Cause and potential consequences.
  • Actions taken to contain the breach and mitigate the damage.

4. Assessment of the Data Breach

4.1 Risk Analysis

The impact of the data breach is assessed based on the following questions:

  • Which personal data has been leaked?
  • How sensitive is this data?
  • How many individuals are affected?
  • Can the data be misused?

4.2 Decision to Report

Based on the risk analysis, it is determined whether reporting to the Data Protection Authority (DPA) and/or the affected individuals is necessary.

5. Reporting to the Data Protection Authority

5.1 Reporting Obligation

Unless the data breach is unlikely to result in a risk to the rights and freedoms of the individuals involved, it must be reported to the DPA without undue delay and, where feasible, no later than 72 hours after Private Holding B.V. became aware of it. If the report is made later than 72 hours, the reasons for the delay must be included. Where not all information is available within that period, an initial report is made and the remaining information is provided in phases.

5.2 Contents of the Report

The report to the DPA includes:

  • The nature of the data breach, including the categories and approximate number of individuals affected and the categories and approximate number of personal data records concerned.
  • The likely consequences of the data breach.
  • The measures taken or proposed to mitigate the consequences.
  • Contact details of the DPO.

6. Informing the Affected Individuals

6.1 Communication Obligation

If the data breach is likely to result in a high risk to the rights and freedoms of the affected individuals, they must be informed without undue delay, in clear and plain language. Informing the individuals is not required if the affected personal data was protected by measures (such as encryption with a key that was not compromised) that render it unintelligible to any unauthorized person, or if subsequent measures have ensured that the high risk is no longer likely to materialize.

6.2 Contents of the Notification

The affected individuals are informed about:

  • The nature of the data breach.
  • The likely consequences.
  • The measures taken or proposed by Private Holding B.V., and the steps they can take themselves to mitigate the consequences.
  • Contact details of the DPO.

7. Preventive Measures

7.1 Evaluation

After the data breach has been handled, an evaluation is conducted to establish the root cause and to decide which measures are needed to prevent recurrence.

7.2 Security Measures

  • Use of strong passwords and two-factor authentication.
  • Regular software updates and security audits.
  • Encryption of sensitive data, both in storage and in transit.
  • Regular backups, tested for restorability.

8. Documentation and Retention

All data breaches are recorded in a data breach register, regardless of whether they require reporting to the DPA or the affected individuals, so that the DPA can verify compliance with this procedure. Each entry in the register includes:

  • Description of the incident.
  • Risk assessment.
  • Decision-making regarding reporting.
  • Mitigating measures.

Last updated: 08-02-2025