Dutch DPA publishes annual report on data breach notifications in 2022 | Fieldfisher
Skip to main content

Dutch DPA publishes annual report on data breach notifications in 2022



Statistics show the majority of data breach notifications came from a handful of sectors while the most common type of breaches still occur offline.

On 6 June 2023, the Dutch Data Protection Authority (Dutch DPA) published its annual report on mandatory data breach notifications in 2022.

In the report, the Dutch DPA emphasises the serious impact of data breaches on people and need for digital resilience.

In this blog, we highlight:

(i) Facts and figures of enforcement in 2022; and
(ii) The Dutch DPA's supervision of both reported and unreported data breaches.

Enforcement in 2022: Facts and figures

In the past five years, the Dutch DPA received over 114,000 reports of data breaches. Because the Netherlands is highly digitised, the risk of large or serious data breaches is relatively high.

(1) Number of data breach reports by sector

In 2022, the Dutch DPA received 21,151 data breach notifications through their online notification form.

Most of these were reported in the following sectors:

  • Health and wellbeing (41%);
  • Public administration (23%)l and
  • Financial services (9%).

(2) Type of data breach

The most common type of data breach is still one that happens offline: when letter or postal packages containing personal data are lost or sent or delivered to wrong recipient(s).

Followed by a similar problem online: sending email containing personal data to wrong recipient(s) or with wrong recipient(s) in cc.

(3) Number of cyberattacks by sector

In 2022, most received notifications of cyberattacks were from the health and wellbeing sector. The majority of these notifications were in response to cyberattacks at healthcare ICT providers.

The three largest cyberattacks at healthcare ICT providers affected medical personal data of about 900,000 patients or clients.

Supervision of data breaches

The Dutch DPA supervises both reported and unreported data breaches, their supervision is risk based with a focus on those data breaches that pose the greatest risks to victims.

(1) Supervision of reported data breaches

The greater the risks the Dutch DPA identifies, the more intensive the supervision of the data breach.

In cases where it has been notified of a data breach, the Dutch DPA (a) monitors, (b) applies more in-depth supervision or (c) initiates an investigation.

In 2022, most of the reported data breaches required no further action after an initial assessment.

In 6,552 data breach notifications, the Dutch DPA performed additional supervisory actions. During such additional supervision, the Dutch DPA may contact organisations to ask questions about the data breach, send a letter or have a conversation in which they emphasize the rules.

In only 35 cases, the Dutch DPA launched an investigation in response to data breach notifications. These notifications posed the greatest risks to victims.

They mainly involved situations in which an organisation did not inform the victims of a cyberattack when it should have, and situations where insufficient new security measures to prevent additional data breaches taken.

(2) Supervision of unreported data breaches

Lastly, the Dutch DPA supervises unreported data breach in response to known cyberattacks and tips from citizens.

Sign up to our email digest

Click to subscribe or manage your email preferences.


Areas of Expertise

Data and Privacy