As of 1 January 2016 companies, public bodies and other organisations that process personal data have an obligation to immediately report personal data breaches to the Dutch Data Protection Authority (College Bescherming Persoonsgegevens ("CBP")). Yesterday, the CBP published its Policy Rules on the duty to notify personal data breaches ("Policy Rules"). The Policy Rules are intended to support businesses in complying with the notification duty and also serve as the CBP's point of departure when applying enforcement measures. This Update provides an overview of what you need know about the breach notification duty. As of one January 2016 the CBP will change its name to Autoriteit Persoonsgegevens. This Update therefore makes reference to Autoriteit Persoonsgegevens, rather than the CBP.