Data breach procedure

Version: 1.0
Date: April 8, 2025

  1. Purpose of the Data Breach Procedure

This procedure describes how BusinessLeaks handles (potential) data breaches to comply with the GDPR. The goal is to respond quickly and carefully to a security incident involving personal data.

  2. What Is a Data Breach?

A data breach is a security incident where personal data is lost or accessed by unauthorized persons.

Examples of data breaches:

  • Loss of a laptop containing sensitive information
  • Sending an email with personal data to the wrong recipient
  • System intrusion where whistleblower information is accessed
  • Ransomware attack or phishing resulting in data theft
  • Unsecured third-party access to the online platform

  3. Who Is Responsible?

The Data Protection Officer (DPO) or designated Privacy Officer coordinates the handling of the data breach. At BusinessLeaks, this is:
Name: De Koning
Email: support@businessleaks.com
Phone: +31 (0)85 060 3830

All employees are required to report a (suspected) data breach immediately (within 2 hours).

  4. Steps to Take in Case of a Data Breach

Step 1 – Report the Incident
Every employee reports a (potential) data breach to the DPO / Privacy Officer via:

  • Email: info@businessleaks.nl
  • Internal reporting form

Step 2 – Incident Assessment
The DPO investigates:

  • Is this a data breach under the GDPR?
  • Which data is involved?
  • How severe is the risk for the data subjects?

Step 3 – Decision on Notification to the Data Protection Authority (DPA)
If there is a likelihood of adverse effects (such as identity fraud or reputational damage), BusinessLeaks reports the breach within 72 hours to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
Website: https://datalekken.autoriteitpersoonsgegevens.nl

Information provided includes:

  • What happened?
  • Which data was leaked?
  • Number of data subjects involved
  • Measures taken

Step 4 – Notification to Data Subjects (if necessary)
If the breach poses a high risk to the privacy of data subjects, they will be informed immediately. The communication will include:

  • What happened
  • Which data was involved
  • What they can do themselves (e.g., change passwords)
  • Contact information for questions

Step 5 – Documentation and Reporting
All data breaches (including those not subject to mandatory reporting) are recorded in a data breach register, containing:

  • Date of the incident
  • Description
  • Personal data involved
  • Risk assessment
  • Measures taken
  • Whether reported to the DPA
  • Date of resolution

Step 6 – Aftercare & Prevention

  • Internal evaluation with involved departments
  • Additional security measures if necessary
  • Awareness activities (e.g., training, procedure refreshers)

  5. Security Measures for Prevention

  • End-to-end encryption for whistleblower reports
  • Secure storage of personal data
  • Regular updates of systems and software
  • Logging and monitoring of suspicious activities
  • Strict access control (authorized personnel only)
  • Encrypted communication via HTTPS, VPN, and email security

  6. Supervision and Control

The DPO monitors the execution of this procedure and conducts annual audits.

Last updated: April 8, 2025
Contact for data breaches:
support@businessleaks.com