Dutch Data Breach Reporting: 72-Hour Decision Tree

Steven | TrustYourWebsite · 6 April 2026 · Last updated: May 2026

Data breach reporting in the Netherlands has a 72-hour deadline under Article 33 of the GDPR. The clock starts the moment you become aware of the incident, not when it happened. This guide is a decision tree that walks Dutch small businesses through whether to notify the Autoriteit Persoonsgegevens (AP), what to put in the form and when to also tell the people affected.

A breach does not need a hacker. An employee forwarding a spreadsheet of customer email addresses to the wrong person is a breach. Ransomware encrypting your files is a breach. A laptop with unencrypted client data stolen from a car is a breach. If you are not sure whether your site is exposed, run a free scan of your website before you read on.

The Decision Tree at a Glance

The flow below maps the three questions you need to answer. Work through them in order.

[Figure: 72-hour data breach decision tree]

Step 1: Personal data involved? No → Log internally. No report. Yes → Step 2.
Step 2: Risk to rights and freedoms? No likely risk → Document. No AP notice. Yes → Step 3.
Step 3: High risk to individuals? Risk but not high → Notify AP within 72h. High risk → Notify AP and individuals.

Article 33 GDPR sets the AP duty. Article 34 sets the duty to inform individuals. EDPB Guidelines 9/2022 on personal data breach notification under GDPR set out how each test applies.
Source: EUR-Lex Regulation (EU) 2016/679 Articles 33 and 34. EDPB Guidelines 9/2022.

Step 1: Did a breach of personal data occur?

A breach means accidental or unlawful destruction, loss, alteration or unauthorised disclosure of or access to personal data.

Yes if any of these happened:

  • Hacking or unauthorised access to your systems
  • Ransomware or malware that reached customer data
  • Emailing personal data to the wrong recipients by mistake
  • A device with personal data (laptop, USB, phone) was lost or stolen
  • A database with personal data was publicly exposed
  • A service provider you use suffered a breach affecting your customers
  • Personal data was deleted by mistake and cannot be restored

No if the event did not involve personal data. Example: your website was defaced but no customer data was touched, or only your own company internal information was involved.

If No, there is no reporting duty. Document the incident internally and move on.

If Yes, continue to Step 2.

Step 2: Is there likely a risk to the rights and freedoms of individuals?

Not every breach needs to be reported. A low-risk breach, for example a single email address accidentally CC'd to a colleague, does not require AP notification. The risk test in Article 33(1) GDPR is what the EDPB Guidelines 9/2022 on personal data breach notification (adopted 28 March 2023) call the "risk assessment."

Consider the risk level:

| Factor | Lower risk | Higher risk |
| --- | --- | --- |
| Type of data | Name or email address | Financial data, health data, passwords, ID numbers or location data |
| Number of people affected | 1 to 5 | Dozens or more |
| Nature of exposure | Internal only | External or publicly accessible |
| Sensitivity | Non-sensitive | Special category data (health, religion, sexual orientation) |
| Reversibility | Notified and resolved | Data already misused or further distributed |

Likely no risk: a lost USB drive with encrypted files behind a strong password, where the encryption has not been broken, poses minimal risk.

Likely risk: an unencrypted database of customer email addresses and passwords accessed by an unauthorised third party.

If no likely risk, no AP notification is required. Still document the incident internally.

If likely risk, you must notify the AP within 72 hours. Continue to Step 3.

Step 3: Is the risk high?

If the breach is likely to result in a high risk to individuals, you must also notify the affected individuals directly under Article 34 of the GDPR. High risk means consequences like financial loss, discrimination, identity theft or other serious harm.

High-risk indicators:

  • Financial data (bank account numbers or card data) was compromised
  • Health data or special category data was exposed
  • Passwords or authentication credentials were leaked
  • The data has already been misused (fraud detected)
  • The breach affects vulnerable groups (children or medical patients)
  • The data was published openly or shared with many unauthorised parties

If high risk, notify both the AP (within 72 hours) and the affected individuals (without undue delay).

If risk but not high, notify the AP only. No individual notification is required.

The 72-Hour Timeline

The 72 hours run from the moment you become aware. "Aware" means you have enough certainty that a breach has occurred. You do not need full details of its scope.

If you cannot complete a full notification in time, submit an initial notification with what you know and supplement it later. The AP accepts phased notifications. The visual below shows a typical breakdown.

[Figure: 72-hour breach response timeline]

Hour 0: Detect. Confirm awareness. Start the clock.
Hour 0 to 24: Contain. Revoke access. Assess risk.
Hour 24 to 48: Prepare. Draft AP notification. Draft user message.
Hour 48 to 72: File. Submit AP form. Inform individuals.

What happens after 72 hours? The AP can impose a fine for late notification. Booking.com was fined 475,000 euro for reporting a breach 22 days late. The 72-hour rule is taken seriously.

Case Study: The Booking.com Fine

AP enforcement decision: Booking.com, 31 March 2021

The AP fined Booking.com 475,000 euro for late breach notification. Criminals had stolen the data of 4,109 customers, including names, addresses, phone numbers and 283 credit card details. Booking.com discovered the breach on 13 January 2019 but did not notify the AP until 7 February 2019. That is 22 days late. The AP made clear that the 72-hour clock is a hard deadline. The decision is the most-cited Dutch breach reporting precedent for SMEs.

The takeaway for small businesses is simple. If in doubt, report. Underreporting is what the AP penalises. Overreporting is not.
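The three-step tree and the 72-hour arithmetic as working code. This is an added example, not code from TrustYourWebsite or the AP: the data categories and the five-person cutoff are assumptions that encode the Step 2 table and the Step 3 indicators, and the dates are the ones from the Booking.com decision above.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Data categories from the Step 2 table (higher risk) and the Step 3 indicators (high risk).
HIGH_RISK_TYPES = {"financial", "health", "special_category", "credentials"}
HIGHER_RISK_TYPES = HIGH_RISK_TYPES | {"id_number", "location"}

@dataclass
class Breach:
    personal_data: bool               # Step 1: was any personal data involved?
    data_types: set = field(default_factory=set)
    people_affected: int = 0
    external_exposure: bool = False   # data left the organisation or is reachable outside
    published_openly: bool = False    # posted publicly or shared with many parties
    encrypted_unbroken: bool = False  # strong encryption, key not compromised
    already_misused: bool = False     # fraud or further distribution observed
    vulnerable_group: bool = False    # children, patients and similar groups

def classify(b: Breach) -> str:
    """Walk the article's three steps and return the notification outcome."""
    if not b.personal_data:                     # Step 1
        return "log internally, no report"
    if b.encrypted_unbroken:                    # Step 2: the lost encrypted USB case
        return "document internally, no AP notice"
    likely_risk = (bool(b.data_types & HIGHER_RISK_TYPES) or b.people_affected > 5
                   or b.external_exposure or b.already_misused)
    if not likely_risk:
        return "document internally, no AP notice"
    high_risk = (bool(b.data_types & HIGH_RISK_TYPES) or b.already_misused  # Step 3
                 or b.vulnerable_group or b.published_openly)
    if high_risk:
        return "notify AP within 72h and inform individuals"
    return "notify AP within 72h"

def ap_deadline(aware_at: str) -> datetime:
    """Article 33 deadline: 72 hours from awareness (ISO 8601 timestamp), not from the breach."""
    return datetime.fromisoformat(aware_at) + timedelta(hours=72)

def hours_late(aware_at: str, notified_at: str) -> float:
    """Hours past the deadline; 0.0 when the AP was notified in time."""
    overrun = datetime.fromisoformat(notified_at) - ap_deadline(aware_at)
    return max(overrun.total_seconds() / 3600, 0.0)

if __name__ == "__main__":
    # Constructed sample matching the article's "likely risk" example.
    leak = Breach(True, {"email", "credentials"}, 3000, external_exposure=True)
    print(classify(leak))
    # Dates taken from the Booking.com decision cited in the article.
    print(hours_late("2019-01-13", "2019-02-07") / 24)   # 22 days late
```

The thresholds are deliberately conservative: when a breach trips any higher-risk factor the function reports, which is the "if in doubt, report" stance the article takes.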

What to Include in the AP Notification

Submit the breach via the AP breach reporting portal (the "meldloket datalekken"). For background on what the AP expects in each field, the AP guidance page on data breaches is the canonical reference. You will be asked for:

  1. Nature of the breach. What happened, how it happened.
  2. Categories of data. Names, email addresses, financial data, health data and so on.
  3. Number of affected individuals. An approximate figure is acceptable in the first round.
  4. Number of affected records. Also approximate at first.
  5. Contact details of your data protection contact (you, or your DPO if you have one).
  6. Likely consequences of the breach.
  7. Measures taken or proposed to address the breach and reduce its effects.

If information is missing at the first round, indicate when you expect to provide it. The AP may follow up with questions in writing.

Notifying Affected Individuals

When individual notification is required (high-risk breach), the message must:

  • Be clear and in plain language
  • Describe what happened
  • Include the contact details of your data protection contact
  • Describe the likely consequences
  • Describe the measures you have taken to address the breach
  • Give specific advice to reduce the risk (for example "change your password immediately")

Contact people directly. Send email if you have an address. Send postal mail if not. A generic website notice is not enough unless direct contact is impossible.

Internal Documentation: Even When You Don't Report

The GDPR requires you to document all data breaches internally under Article 33(5), even those that do not meet the reporting threshold. Your internal record must include:

  • Date and time of discovery
  • Description of the breach
  • Types of data affected
  • Number of individuals affected
  • Impact assessment
  • Measures taken
  • Reason for not notifying the AP (if applicable)

This documentation protects you. If the AP later investigates the incident, you can show that you assessed the risk and made a reasoned decision.

Practical 72-Hour Checklist

When an incident occurs:

  • Identify the scope. What data, how many people, how it happened.
  • Contain the breach. Revoke access, reset passwords, isolate systems.
  • Assess the risk level using the decision tree above.
  • If reportable, open the AP breach portal and submit within 72 hours.
  • If high risk, prepare the individual notification messages.
  • Document everything internally regardless of the notification decision.
  • Investigate the root cause and put corrective measures in place.
  • Update your breach response procedure so the same gap does not happen twice.

For security measures to prevent breaches in the first place, see our secure website checklist.


This article is technical analysis, not legal advice. Consult a lawyer for advice specific to your situation.