Since January 1st 2016, reporting data leaks has been required by law in the Netherlands. This obligation is laid down in Article 34a of the Dutch Personal Data Protection Act (Wet bescherming Persoonsgegevens).
Dutch law thus implements the EU data protection directive and anticipates the General Data Protection Regulation (GDPR), which enters into application on 25 May 2018. When the GDPR takes effect, the regulations will become the same for the entire European Union.
The DPDA requires Erasmus University Rotterdam to report data leakage. Examples of such incidents are the loss of a USB stick with medical research data or an incident in which students' results are visible on the internet. An incident has to meet certain criteria to require reporting to the responsible Authority. Therefore, not all security incidents result in reporting a data breach.
When a breach could have serious consequences for those involved, the law also requires the University to inform them about the data breach.