Skip to content
Vectel
Support/Security

When do I have to report a data breach to the Dutch DPA?

GDPR requires reporting within 72 hours of discovery if there is likely risk to data subjects. Not every breach must, but do not underestimate.

Try this first

  1. 1Step 1, first 24 hours: determine if personal data is involved (names, mail addresses, citizen numbers, customer data). No personal data = no DPA report needed.
  2. 2Step 2: assess risk. A customer mail address leaked is different from medical data or citizen numbers. When in doubt: report, do not skip.
  3. 3Step 3: document. What happened, when discovered, how many people, what are the possible consequences. You must keep this in your internal breach register anyway, even if not reported.
  4. 4Step 4: report via autoriteitpersoonsgegevens.nl > 'Datalek melden'. Online form, around 30 minutes.
  5. 5Step 5: decide if you must also inform data subjects directly (mandatory for high risk). Mail or letter, not a social-media post.

When to bring us in

In doubt about reporting or communication to data subjects? Call us, we work with a GDPR lawyer for the hard cases. 72 hours is short, do not delay.

See also

None of the above fits?

Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.

Who are you?

For the AI question we need your email and company, so we can follow up if the AI gets stuck, and to prevent abuse.

Limited to 2 questions per hour and 5 per day, kept lean so the AI stays useful. For more, contacting us directly works better for you and us.

Or skip the DIY entirely

Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.

Bring us inHow Managed IT works