Created: May 9, 2021

Protocol Reporting Data Breach

Considerations :

1 - Definition of data breach

A data breach occurs when a breach of security occurs that accidentally or unlawfully results in the destruction, loss, alteration, or unauthorized disclosure or access to transmitted, stored, or otherwise processed data.

2 - Internal responsible for reporting data leaks

  1. Milkfish has an internal controller recruited for processing data leaks responsibility is for reporting a data breach.
  2. This responsible is : T Salud , telephone number: +31 629300768 ; e-mail address:, hereinafter referred to as: ' internal responsible '.

3 - Internal report when a data breach is discovered

  1. Anyone who discovers a data breach at Milkfish will immediately report this to the internal responsible.
  2. If possible, the person who discovered the data breach will simultaneously ensure that the leaked data is immediately remotely deleted or made inaccessible.

4 - Investigation by the internal responsible

The internal responsible investigates, among other things:

5 - Fight against data breach

The internal responsible will stop the data breach if that is still possible and also take the necessary measures to combat the data breach as effectively as possible.

6 - Determining the consequences of a data breach

The internal controller investigates the possible consequences of the data breach based on the nature and extent of the data that have been leaked and determines what the adverse consequences of the data subjects may be.

7 - Cooperation with the provision of information regarding the data breach

The discoverer / reporter of the data breach fully cooperates with the internal responsible by answering the following questions as quickly and as well as possible (in writing):

8 - Availability of staff after discovery of data breach

The person responsible for the department from where the data breach took place, as well as the discoverer of the data breach and anyone who, based on their position or knowledge, is able to take organizational and / or technical measures to limit the consequences of the data breach, observe the 1st Available 24 hours after discovery of the data breach for consultation with the internal responsible person or any experts appointed by him, and for carrying out tasks assigned to them as a result of the data breach if necessary.

9 - Decision on reporting data leaks

  1. The internal responsible party decides as soon as possible, but in any case within 60 hours after discovery of the data breach - whether or not in consultation with the person responsible of the department from which the data breach was discovered and / or experts appointed by him - whether the data breach should be are reported to the Dutch Data Protection Authority and / or the parties involved.
  2. In principle, a data breach is always reported to the Dutch Data Protection Authority, unless it is unlikely that the data breach poses a risk to the rights and freedoms of the data subjects.
  3. The notification of the data breach is accompanied by answers to the questions as described in section 7.
  4. A data breach that has been reported to the Dutch Data Protection Authority will also be reported to the data subjects if it involves a high risk to the rights and freedoms of natural persons, unless appropriate measures have now been taken to avert the high risk.

10 - Reporting data leaks to the Dutch Data Protection Authority and / or those involved

  1. If necessary, the internal responsible is responsible for reporting to the Dutch Data Protection Authority and / or the person (s) involved.
  2. Reporting will take place as soon as possible after the discovery and no later than 72 hours after the discovery of the data breach.
  3. Any employee other than the internal responsible person is not allowed to report the (possible) data breach to the Dutch Data Protection Authority and / or the person (s) involved.
  4. If an employee does not agree with the decision of the internal responsible regarding whether or not to report the data breach to the Dutch Data Protection Authority and / or the person (s) involved, he can make his grievances known to the management.
  5. If requested, an employee will cooperate fully with the controller in order to be able to inform the affected persons about the data breach in accordance with Article 34 GDPR.

11 - Consequences of reporting data leaks

  1. If the data breach has negative consequences for those involved, the internal responsible will do everything he can to limit these consequences as much as possible.
  2. Depending on the nature and extent of the data breach for the data subjects, the internal controller determines:
  3. how data subjects are informed (including at least the statements made about which types of personal data have been affected, what the possible consequences are, which measures Milkfish takes and how data subjects themselves can prevent or limit the damage)
  4. which aftercare those involved receive
  5. which actions are necessary in the interest of the organization
  6. If a data breach has occurred - regardless of whether it has been reported
  7. or not - adequate technical and / or organizational measures will be taken as soon as possible to prevent future similar data breaches.

12 - Keeping records of data leaks

The internal responsible person keeps a register of all data breaches, in which all data related to the data breach is registered, such as:

This protocol for reporting data breaches was drawn up on 1 March 2021 .