Netherlands

Country:
Survey Answer:

1. Telecommunication Act (Telecommunicatiewet).
- Telecommunication Act, Section 11.3:
The providers referred to in Section 11.2 shall take appropriate technical and organizational measures for the safety and security of the networks and services offered by them in the interest of the protection of personal data and the protection of the privacy of subscribers and users. The measures shall, taking into account the state of the art and the costs of implementation, ensure an appropriate level of security that is proportionate to the risk involved.
2 The measures referred to in the first paragraph include in any case:
a. ensuring that only authorized personnel have access to the personal data for legally permitted purposes,
b. the protection of stored or transmitted personal data against unintentional or unauthorized storage, processing, access, provision, modification, loss or destruction, and
c. the introduction of a security policy with regard to the processing of personal data.
- Telecommunication Act, Section 11.3a:
The provider of a publicly available electronic communications service shall immediately inform the Dutch Data Protection Authority (DPA) of a breach of security, as referred to in Section 11.3, which has adverse effects on the protection of personal data processed in connection with the provision of a public electronic communications service in the Netherlands.
2 The provider referred to in the first paragraph shall immediately inform the person whose personal data is affected by a personal data breach if the infringement is likely to have adverse consequences for his/her personal privacy.
3 The notification to the DPA and to the person whose personal data is concerned shall in any case include the nature of the personal data breach, the authorities where more information about the infringement can be obtained and the recommended measures to limit the negative consequences of the infringement.
- Telecommunication Act, Section 13.5:
Providers of public telecommunications networks and public telecommunication services are obliged to provide data relating to a special charge or permission pursuant to the Intelligence and Security Services Act 2017 as referred to in Section 13.2 or a claim or request as referred to in Section 13.2b or to secure Section 13.4, first, second or third paragraph against unauthorized access and to maintain confidentiality with regard to these data.
2 Providers of public telecommunication networks and public telecommunications services shall take appropriate technical and organizational measures with regard to the data retained pursuant to Section 13.2a, second paragraph in order to:
a. secure the data against destruction, loss or alteration and against unauthorized storage, processing, access or disclosure;
b. guarantee that access to the data referred to in part a is only effected by specially authorized persons;
c. be able to destroy the data at the end of the period referred to in Section 13.2a, third paragraph.
- The Electronic Data Processing Decree by healthcare providers. The decree deals with the exchange of patient data and security in healthcare. The Decree explains what is meant by "appropriate technical and organizational measures" in healthcare. More specifically, the requirements that apply to the security of a healthcare information system (and an electronic exchange system) are discussed. A healthcare information system is an electronic system of a care provider for the processing of personal data in a patient file. It is explicitly not an exchange system.
The Decree specifically requires compliance with standards:
• NEN 7510: Information security in healthcare
• NEN 7512: Confidence base for data exchange
• NEN 7513: Logging of access to the patient file
Under the Decree, the healthcare provider must comply with the NEN 7510 and NEN 7512 standards when using the healthcare information system. Furthermore, the healthcare provider must ensure that the system's logging complies with NEN 7513.

Provided By:
Dennis B. ZIEREN, Ploum