Reporting a data breach to the AP 2026: obligations, 72 hours and step-by-step guide
Reporting a data breach to the Dutch Data Protection Authority (AP) is mandatory when it poses a risk to individuals' rights and freedoms (GDPR Art. 33). The deadline is 72 hours from discovery. Notifying affected individuals is required for high risk (GDPR Art. 34). This guide walks you through the notification process.
- Reporting a data breach to the AP is mandatory when the breach is likely to result in a risk to the rights and freedoms of individuals (GDPR Art. 33(1)). The deadline is 72 hours from discovery, not from confirmation. When in doubt about the notification duty, report anyway: a missed mandatory report carries far higher risk than an over-cautious one. Use the notification portal at meldportaal.autoriteitpersoonsgegevens.nl.
- Notifying affected individuals is required for high risk (GDPR Art. 34(1)): when the breach is likely to result in a high risk to individuals' rights and freedoms. Indicators of high risk: special categories of personal data (health, national ID (BSN), race, religion, sexual orientation, biometrics, criminal convictions), large numbers of data subjects, combinations enabling identity fraud or financial harm, or vulnerable groups (children, care patients).
- Documentation duty always applies (GDPR Art. 33(5)): even if you decide not to report the breach, you must record it in your internal data breach register, including the facts, its effects, and the remedial action taken. The AP may request this register during audits or following a complaint. Penalties for failing to meet the notification obligation: up to EUR 10 million or 2% of worldwide annual turnover (GDPR Art. 83(4)).
What is a data breach?
A data breach (GDPR Art. 4(12)) is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Three types are distinguished: confidentiality breach (unauthorised access or disclosure), integrity breach (unauthorised alteration), and availability breach (loss or inaccessibility). Examples: ransomware encrypting patient records, an employee accidentally sending a customer list to the wrong recipient, or an intrusion into a CRM system. A lost unencrypted USB stick containing customer data also constitutes a notifiable breach. Not every security incident is a data breach: a DDoS attack on your website that does not compromise any personal data is not one.
Confidentiality breach
Unauthorised or unintended disclosure of or access to personal data. Examples: phishing attack giving an attacker access to a mailbox with customer data, email with a customer list sent to the wrong address, hacked CRM system, theft of laptop with unencrypted customer data.
Integrity breach
Unauthorised or unintended modification of personal data. Examples: malware altering medical records, an employee intentionally or accidentally changing customer data, a software bug overwriting records.
Availability breach
Unintended loss or inaccessibility of personal data. Examples: ransomware encrypting files without a backup, fire or flood destroying a server, accidental deletion of a database without a backup.
When is notification required?
Not every data breach needs to be reported to the AP. GDPR Art. 33 sets the reporting threshold at "likely to result in a risk to the rights and freedoms of individuals". GDPR Art. 34 sets the higher threshold for notifying individuals at "high risk". Practical rule of thumb: when in doubt, report.
AP notification threshold (Art. 33 GDPR): risk
Notification duty to the AP when the breach is likely to result in a risk to the rights and freedoms of individuals. No duty when risk is unlikely, e.g. encrypted data that was stolen (attacker cannot read the data), or an internal email sent accidentally to a colleague containing non-sensitive information. Deadline: 72 hours from discovery. Exceeded 72 hours? Report anyway and explain the delay.
Notification threshold to individuals (Art. 34 GDPR): high risk
Notification duty to individuals when there is high risk. High-risk indicators: special categories of personal data (health, BSN, race, religion, sexual orientation, biometrics, criminal convictions), large numbers of data subjects, combinations enabling identity fraud or financial harm, or vulnerable groups. Exceptions under Art. 34(3) GDPR: the data was encrypted or otherwise unintelligible, adequate measures were subsequently taken so that the high risk is no longer likely to materialise, or individual notification would involve disproportionate effort (in which case a public communication is required instead).
Always: internal documentation duty (Art. 33(5) GDPR)
Even where the breach does not require reporting to the AP or individuals, GDPR Art. 33(5) requires you to document it in an internal data breach register: the facts of the breach, its effects, and remedial action taken. The AP may request this register during an audit or following a complaint.
Five steps to correctly report a data breach
This step-by-step guide follows the GDPR requirements: discovery, risk assessment, AP notification within 72 hours, notifying individuals and internal documentation.
Step 1: Identify and contain the breach
As soon as you discover a possible data breach, act immediately to limit further damage: isolate affected systems (disconnect from the network, revoke active sessions), freeze logs and preserve digital evidence (do not overwrite or delete anything), note the date and time of discovery (the 72-hour clock starts here), and immediately notify your DPO (Data Protection Officer) or privacy contact internally.
Step 2: Assess risk and notification duty
Assess the severity: which categories and how many individuals are affected? Are special categories of personal data involved (health, BSN, financial)? What is the likelihood of misuse? Was the data encrypted? Use the ENISA risk scoring methodology or AP guidelines for the assessment. Record your assessment in writing, even if you conclude that reporting is not required.
Step 3: Report to the AP within 72 hours
Report via meldportaal.autoriteitpersoonsgegevens.nl. Include: the nature of the breach, categories and estimated number of data subjects, categories and estimated number of personal data records, contact details of the DPO or contact person, likely consequences of the breach, and measures taken or proposed. A preliminary report with subsequent additions is permitted if not all information is available within 72 hours; state this explicitly.
Step 4: Notify individuals (for high risk)
If there is a high risk, notify data subjects without undue delay via a direct communication channel: email, letter or phone. Use clear, non-technical language (GDPR Art. 34(2)): describe the nature of the breach, the name and contact details of the DPO, the likely consequences, the measures taken or proposed, and recommended actions for data subjects (change password, block credit card, report identity fraud).
Step 5: Document internally and evaluate
Record all details in your data breach register (mandatory under GDPR Art. 33(5)): facts, timeline, data involved, root cause analysis, effects, measures taken, and affected systems. Conduct a post-incident evaluation and update your security policy. Have your DPO validate the registration. Retain the file for at least 3 years, as AP investigations can arise years after an incident.
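The decision logic of the threshold sections and Steps 2 and 3 above, as a small helper added here as an example; it is not part of the original guide or any AP tooling. The numeric cut-off for "large numbers of data subjects" and the field names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed example: encodes the Art. 33 / Art. 34 decision logic described on
# this page. The cut-off for "large numbers of data subjects" is an assumption,
# not an AP or ENISA threshold.
SPECIAL_CATEGORIES = {"health", "bsn", "race", "religion", "sexual_orientation",
                      "biometrics", "criminal_convictions"}
LARGE_SCALE = 1000  # assumed cut-off for "large numbers of data subjects"
AP_DEADLINE = timedelta(hours=72)  # runs from discovery, not from confirmation


@dataclass
class Breach:
    discovered_at: datetime         # the moment the 72-hour clock starts
    data_categories: set
    subjects: int
    encrypted: bool                 # data unintelligible to the attacker (Art. 34(3)(a))
    enables_fraud: bool = False     # combination enabling identity fraud or financial harm
    vulnerable_group: bool = False  # children, care patients
    risk_mitigated: bool = False    # measures taken so high risk no longer materialises (Art. 34(3)(b))
    contacts_known: bool = True     # direct notice feasible; else public communication (Art. 34(3)(c))


def assess(b: Breach) -> dict:
    """Return the notification duties that follow from the breach facts."""
    # Properly encrypted data is the page's example of "risk unlikely": no AP
    # duty, but the documentation duty (Art. 33(5)) always remains.
    risk = not b.encrypted
    high_risk = risk and (bool(b.data_categories & SPECIAL_CATEGORIES)
                          or b.subjects >= LARGE_SCALE
                          or b.enables_fraud or b.vulnerable_group)
    notify = high_risk and not b.risk_mitigated
    return {
        "document_internally": True,
        "report_to_ap": risk,
        "ap_deadline": b.discovered_at + AP_DEADLINE,
        "notify_individuals": notify,
        "channel": None if not notify else ("direct" if b.contacts_known else "public communication"),
    }


def ap_status(result: dict, now: datetime) -> str:
    """Where the AP report stands at time `now`."""
    if not result["report_to_ap"]:
        return "no AP notification duty; record the decision in the breach register"
    remaining = result["ap_deadline"] - now
    if remaining >= timedelta(0):
        return f"report to the AP within {remaining.total_seconds() / 3600:.1f} h"
    return "72-hour deadline exceeded: report anyway and explain the delay"
```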
Penalties and enforcement by the AP
The AP applies two penalty categories under GDPR Art. 83. In addition to fines, the AP may also impose a processing ban or issue a public reprimand.
Failure to comply with notification duty (Art. 83(4) GDPR)
Maximum penalty for breach of the notification obligation (Art. 33 GDPR) or notification duty to individuals (Art. 34 GDPR): EUR 10,000,000 or 2% of worldwide annual turnover, whichever is higher. The AP assesses proportionality: nature, severity and duration of the breach, degree of fault, prior infringements and cooperation with the AP.
Serious infringements (Art. 83(5) GDPR)
Violations of core principles (Art. 5 GDPR), legal bases (Art. 6 GDPR) or data subjects' rights carry a higher penalty ceiling: EUR 20,000,000 or 4% of worldwide annual turnover. If the data breach also constitutes a violation of Art. 5 (integrity and confidentiality as principles), the AP may apply the higher category.
AP enforcement practice in the Netherlands
The AP has imposed fines on organisations for late or absent notifications, including Booking.com (EUR 475,000, 2020) and various healthcare organisations. Note: controllers who suffered a breach caused by a processor may also be liable. Always check your data processing agreements (Art. 28 GDPR): they should specify the processor's reporting deadline (in practice: 24 hours or earlier).
Frequently asked questions about reporting data breaches
Does the 72-hour deadline run from the breach or from discovery?
Must I report every data breach, including minor incidents?
What if the breach occurs at a processor's end?
What if the breach also requires a NIS2 notification?
How do I notify individuals if I do not have their contact details?
How long must I retain a data breach file?
Want your GDPR compliance reviewed to check if your processes are breach-ready?
Book a free call. We review your data processing agreements, breach response procedures and internal registers, and advise on the most urgent steps for your situation.