Beter Geregeld ICT
AVG & privacy · 2 min read · 02 November 2025

Data Breach: When to Report, When Not To, Within 72 Hours

Not every incident is a data breach, and not every data breach needs to be reported to the AP (Autoriteit Persoonsgegevens, the Dutch data protection authority). Here's the decision tree and a sample notification template.

A data breach is a security incident in which personal data has been destroyed, lost, altered, disclosed, or accessed by unauthorised parties. So when do you need to report it?


Decision Tree

1. Is it a data breach? If in doubt: yes.
2. Is there a risk to those affected? Is the data publicly exposed? Could it cause financial harm? Is there a risk of identity fraud?
3. Low risk (e.g. a lost encrypted device): no need to report to the AP, but do record it internally in your incident log.
4. Significant risk: report to the AP within 72 hours.
5. High risk to those affected: also notify the affected individuals directly.

What to Report

• The nature of the data breach.
• Categories and number of individuals affected.
• Categories and number of personal data records involved.
• The consequences of the breach.
• Measures taken or proposed.
• Contact details of the DPO or designated contact person.

The 72-Hour Clock


The clock starts from the moment you became aware of the breach — not from when it actually occurred. Weekends count. A partial report is allowed; the remaining details can be submitted in a follow-up.


Where to Report


autoriteitpersoonsgegevens.nl — use the online data breach notification form. Keep a copy of what you submitted for your records.


What to Do Within Your Organisation

• Assemble your team: security lead, director, communications.
• Investigate: what exactly happened?
• Containment: stop the breach.
• Forensic documentation: preserve evidence for the investigation.
• Prepare communications: internal, external, and media.

See also: setting up an incident log, incident response.

Topics

#avg #datalek #incident #ap

Full guide: GDPR compliance for SMEs: the practical minimum

This article is part of our comprehensive AVG & privacy guide. Read the pillar for the full picture.