Considerations
- Haagsch Recherchebureau attaches great importance to the sound security of its (electronic) systems in which personal data is stored and processed.
- Nevertheless, it can never be completely ruled out that a data breach will occur.
- Under the General Data Protection Regulation (GDPR, Dutch: AVG), Haagsch Recherchebureau is obliged to report (serious) data breaches to the Data Protection Authority and to those involved.
- Haagsch Recherchebureau wishes to comply with its legal obligations.
- Haagsch Recherchebureau has therefore formulated a policy so that it can respond as adequately as possible in the unlikely event of a data breach.
1. Data breach definition
A data breach is a breach of security that accidentally or unlawfully leads to the destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data that is transferred, stored or otherwise processed.
2. Internal person responsible for data breach reporting
- Haagsch Recherchebureau has appointed an internal person responsible for handling data breaches, who is also responsible for reporting a data breach.
- This person is: Jan-Paul Kreukniet, telephone number: 070 20 42 7 42; email address: security@haagschrecherchebureau.nl, hereinafter referred to as the “internal responsible person”.
3. Internal notification when a data breach is discovered
- Anyone who discovers a data breach at Haagsch Recherchebureau reports this immediately to the internal responsible person.
- If possible, the person who discovered the data breach at the same time ensures that the leaked data is immediately deleted remotely or made inaccessible.
4. Investigation by the internal responsible person
The internal responsible person investigates, among other things:
- whether personal data has been lost or can be used unlawfully
- who or which departments within the organization are involved in the data breach
- whether a processor is involved in the incident
5. Combating the data breach
The internal responsible person stops the data breach if that is still possible and also takes the measures necessary to combat the data breach as effectively as possible.
6. Determining the consequences of a data breach
The internal responsible person investigates the possible consequences of the data breach based on the nature and extent of the data that has been leaked, and determines what the adverse consequences for those involved may be.
7. Cooperation in providing information regarding the data breach
The person who reported the data breach fully cooperates with the internal responsible person by answering the following questions as quickly and as completely as possible (in writing):
- what happened? (description of the incident)
- was it accidental, or was it caused by malicious intent (for example, hacked data)?
- when did it happen? (date and time)
- when was it discovered?
- what kind of data (which registers) was leaked?
- is the data encrypted, and if so, how?
- could the data be remotely deleted or made inaccessible, and if so, did that happen?
- what are the possible consequences for those involved?
- which group(s) of people is/are affected? (for example: students, patients, premium members)
- how many people are (approximately) affected?
- is data of people in other EU countries also affected by the data breach?
- could technical and/or organizational measures already be taken as a result of the incident?
8. Staff availability after discovery of a data breach
The person responsible for the department in which the data breach occurred, the person who discovered the data breach, and anyone who, based on their function or knowledge, is able to take organizational and/or technical measures to limit the consequences of the data breach, remain available during the first 24 hours after discovery of the data breach. During that period they consult with the internal responsible person or any experts appointed by him and, if necessary, carry out the activities assigned to them as a result of the data breach.
9. Decision to report data breaches
- The internal responsible person decides as soon as possible, and in any case within 60 hours of discovery of the data breach, whether or not the data breach should be reported to the Data Protection Authority and/or those involved. This decision may be taken in consultation with the person responsible for the department in which the data breach was discovered and/or experts appointed by the internal responsible person.
- In principle, a data breach is always reported to the Data Protection Authority, unless it is unlikely that the data breach poses a risk to the rights and freedoms of those involved.
- Reporting the data breach involves answering the questions described in section 7.
- A data breach that has been reported to the Data Protection Authority is also reported to those involved if it involves a high risk to the rights and freedoms of natural persons, unless appropriate measures have since been taken that have averted the high risk.
10. Reporting data breaches to the Data Protection Authority and/or those involved
- If necessary, the internal responsible person ensures that the notification is made to the Data Protection Authority and/or the person(s) concerned.
- Notification is made as soon as possible after discovery, and no later than 72 hours after discovery of the data breach.
- No employee other than the internal responsible person may report the (possible) data breach to the Data Protection Authority and/or the person(s) concerned.
- If an employee disagrees with the decision of the internal responsible person on whether or not to report the data breach to the Data Protection Authority and/or the data subject(s), he can raise his complaint with management.
- If requested, an employee fully cooperates with the internal responsible person so that affected persons can be informed about the data breach in accordance with Article 34 GDPR.
11. Consequences of reporting data breaches
- If the data breach has negative consequences for those involved, the internal responsible person does everything in his power to limit these consequences as much as possible.
- Depending on the nature and extent of the data breach for those involved, the internal responsible person decides:
  - how data subjects are informed (including at least what types of personal data have been affected, what the possible consequences are, what measures Haagsch Recherchebureau takes, and how those involved can prevent or limit the damage themselves)
  - what aftercare those involved receive
  - what actions are necessary in the interests of the organization
- If a data breach has occurred, regardless of whether it has been reported or not, adequate technical and/or organizational measures are taken as soon as possible to prevent similar data breaches in the future.
12. Maintaining a register of data breaches
The internal responsible person keeps a register of all data breaches, recording all relevant details of each data breach, such as:
- a description of the incident
- date and time of the data breach
- date and time of discovery of the data breach
- description of the type of leaked personal data
- description of the category(ies) of affected persons
- the (approximate) number of those involved
- whether data of people in other EU countries has also been leaked
- whether the incident has been reported to the Data Protection Authority and, if so, the date and time of the report
- whether the incident has been reported to those involved and, if so, the date and time of notification
- how those involved have been informed
- the consequences of the data breach, including the date and time if possible
- what technical and/or organizational measures were taken after the data breach, stating the date and time
This data breach reporting protocol was last updated on May 1, 2024.