Report a data breach

The duty to report data breaches is introduced on 1 January 2016. Under this duty, organisations that encounter a serious data breach must report it to the Autoriteit Persoonsgegevens (the Dutch Personal Data Authority) within 72 hours.

Using this web page, employees, payroll employees, interviewers and freelancers ("Staff") of TNS NIPO and suppliers who process personal data for TNS NIPO can easily report a data breach.
 
Employees and suppliers must report a data breach as soon as possible and no later than six hours after discovery to the Data Breach Coordinators of TNS NIPO. Please note: these are clock hours and not working hours!

To file a report, download the Data Breach Notification Questionnaire here, answer the questions (see instructions in the questionnaire) and email it to:
 
Data Breach Coordinators

Bern Kreleger
Bern.Kreleger@tns-nipo.com
+31 (0) 6 2392 5157

Remco van ‘t Hoff
Remco.van.t.Hoff@tns-nipo.com
+31 (0) 6 2049 0923

FAQs

What is a data breach?

There is a data breach if:
  • Personal data has been lost in a security incident, or
  • You cannot reasonably exclude unlawful processing of personal data.
Some elements of this definition may require an explanation:
 
Security Incident
There is a security breach, whereby confidential information is or may become at risk. For example:
  • The loss or theft of USB storage media, DVD or CD-ROM.
  • The loss or theft of a laptop, smartphone or tablet.
  • Sending e-mails in which e-mail addresses of recipients are visible to other recipients (other than reply to all).
  • A directory accidentally left open for a whole weekend.
  • A malware infection.
  • A disaster such as a fire or burglary at the data centre.
  • An attack by a hacker.
Personal data
Personal data is any data that can identify a person, for example:
  • Name, address and place of residence.
  • Telephone numbers.
  • Email addresses or other addresses for electronic communication.
  • Access or identification data (e.g. login name / password or customer number or panel ID / respondent number of TNS NIPO base members).
  • Financial data (e.g. account number, credit card number).
  • Dutch Citizen Service Number (BSN) or social security number.
  • Passport copies or copies of other identity documents.
  • Gender, date of birth and/or age.
  • Sensitive personal data (e.g. race, ethnicity, criminal records, political beliefs, trade union membership, religion, sexual orientation, medical data).
  • A combination of background information of respondents.
Unlawful processing
This includes the impairment of personal data and noting, modifying or disclosing personal data without consent.

What if I'm not sure if there has been a data breach?

When in doubt (for example, because it is unclear if any personal data has been lost), act as if there has indeed been a data breach. It is better to report once too many times than once too few!

Why do I have to report the data breach within six hours?

Staff and suppliers must indeed report a data breach at TNS NIPO within a shorter period than the 72 hours prescribed by the Autoriteit Persoonsgegevens. The reason for this is that TNS NIPO needs time to determine if:
  • there is a data breach that needs to be reported to the Autoriteit Persoonsgegevens;
  • the data breach concerns the personal data of its customers, who in turn must be informed within 24 hours, because our customers need time to file a report with the Autoriteit Persoonsgegevens.

What happens after I have filed my report?

The Data Breach Coordinators will look into the report. They will then decide if they should inform the Autoriteit Persoonsgegevens, the client or the person whose personal data has been breached. The Data Breach Coordinator can halt the processing of personal data (both internally and with the supplier) and ask for additional information.
 
Staff and suppliers are expected to provide all information needed to inform the proper authorities and persons, but they themselves do not report to the Autoriteit Persoonsgegevens and do not inform any clients or other concerned parties.