Data Breach Protocol

A data breach occurs when there is a breach of security that accidentally or unlawfully leads to the destruction, loss, alteration or the unauthorized disclosure of or access to data transmitted, stored or otherwise processed.

The Eurekaweek has appointed the Eurekaweek Board to be responsible for reporting a data breach. This person responsible is the Eurekaweek Board, email address: eureka@eur.nl, hereinafter referred to as: ‘internal responsible’

Anyone who discovers a data breach at the Eurekaweek is obliged to report this immediately to the internal responsible. If possible, the person who discovered the data breach simultaneously ensures that the leaked data is immediately deleted or made inaccessible.

The internal responsible examines amongst other things:

• Whether personal data has been lost or can be unlawfully used
• Who or which departments within the organization are involved in the data breach
• Whether a third party is involved in the incident

If possible, the internal responsible stops the data breach and will take the necessary measures to withstand the data breach as effectively as possible.

The internal responsible investigates the possible consequences of the data breach on the basis of the nature of the breach and the size of the data that has been leaked and determines what the negative consequences for those involved could be.

The reporter of the data breach offers full cooperation to the internal responsible by answering the following questions (in writing) as quickly and adequately as possible:

• What happened? (description of the incident)
• Was it by accident or caused by someone with malicious intentions (think of hacked data)?
• When did it happen? (date and time)
• When was it discovered? (date and time)
• What kind of data(registers) have been leaked?
• Is the data encrypted, and if so how?
• Could the data be remotely deleted or made inaccessible, and if so, was this done?
• What are the possible consequences for those involved?
• How many people are (approximately) affected by this?
• Have technical and/or organizational measures been taken as a result of the incident?

The person in charge of the department from where the data breach took place as well as the discoverer of the data breach and anyone who, based on their position or knowledge, is able to take organizational and/or technical measures to limit the consequences of the data breach, adhere to the first available 24 hours after discovery of the data breach for consultation with the internal responsible or any experts assigned by the internal responsible and for carrying out assigned work as a result of the data breach if necessary.

The internal responsible will decide as quickly as possible, but in any event with 72 hours after the data breach discovery – whether or not in consultation with the responsible of the department from which the data breach was discovered and/or experts assigned by the internal responsible – whether the data breach must be reported to the Dutch Data Protection Authority and/or the people affected.

A data breach is always reported to the Dutch Data Protection Authority, unless it is unlikely that the data breach poses a risk to the rights and freedom of the people affected.

Notification of the data breach is accompanied by an answer to the questions as described in section 7.

A data breach that has been reported to the Dutch Data Protection Authority will also be reported to the people affected if it poses a high risk to the rights and freedom of natural persons unless appropriate measures have been taken I the meantime to avert the high risk.

If necessary, the internal responsible is responsible for reporting the data breach to the Dutch Data Protection Authority.

Notification shall be made as quickly as possible and at the latest within 72 hours after discovery of the data breach.

Any employee other than the internal responsible is not permitted to report the (possible) data breach to the Dutch Data Protection Authority and/or people affected.

If an employee does not agree with the decision of the internal responsible regarding whether or not to report the Dutch Data Protection Authority and/or people affected, he/she can make his/her complaints known to the management.

If requested to do so, an employee will fully cooperate with the internal responsible in order to be able to inform the affected persons in accordance with Article 34 of the GDPR about the data breach.

1. In the data breach has negative consequences for the people affected, then the internal responsible will do everything possible to limit these consequences as much as possible.
2. Depending on the nature and the scope of the data breach for the people affected, the internal responsible determines:
   1. How the people affected are informed (including in any case notifications are made of which types of personal data have been affected, what the possible consequences are, what measure the Eurekaweek takes and how the people affected can prevent or limit the damage)
   2. What aftercare the people involved receive
   3. What actions are necessary in the interest of the organization
3. If a data breach has occurred – regardless of whether it has been reported or not – adequate technical and/or organizational measures will be taken as soon as possible to prevent similar data breaches in the future.

The internal responsible keeps a register of all data breaches, in which all data surrounding the dtaa breach is registered, such as:

• A description of the incident
• Date and time of the data breach
• Date and time of the discovery of the data breach
• Description of the type of personal data leaked
• Description of the categories of the people affected
• Description of the number of people affected (approximate)
• Whether personal data has been leaked to other EU countries
• Whether the incident has been reported to the Dutch Data Protection Authority and, if so, date and time of the notification
• Whether the incident has been reported to the people affected and if so, date and time of the notification
• How the people affected have been informed
• The consequences of the data breach, stating the date and time if possible
• Which technical and/or organizational measures have been taken after the data breach, stating the date and time