Under the General Data Protection Regulation (GDPR), where a personal data breach occurs, controllers must notify:
- the competent supervisory authority, where the breach may result in a risk to the rights and freedoms of the data subjects;
- the individuals concerned, where the personal data breach may result in a high risk to their rights and freedoms.
1. What is a personal data breach?
According to the GDPR, a ‘personal data breach’ is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
In broad terms, any security breach that concerns personal data may therefore be a personal data breach.
2. Notification of the Supervisory Authority
2.1. When do controllers have to notify their supervisory authority?
A notification is required unless the personal data breach is unlikely to result in a risk to the rights and freedoms of the data subjects, and it must be made within 72 hours of the controller becoming aware of the breach.
2.1.1. A risk to the rights and freedoms of the data subjects
A risk is defined as follows under the GDPR:
The risk to the rights and freedoms of natural persons may result from personal data processing which could lead to physical, material or non-material damage, in particular where:
- processing involves a large amount of personal data and affects a large number of data subjects;
- processing may give rise to discrimination, identity theft or fraud, financial loss, damage to reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage;
- data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data;
- sensitive data are processed (e.g. data revealing racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, genetic data, health data or data concerning sex life or criminal convictions and offences);
- personal aspects are evaluated, or location or movements are tracked, in order to create or use personal profiles;
- personal data of vulnerable natural persons, in particular of children, are processed.
2.1.2. The Supervisory Authority should be notified within 72 hours (where feasible)
In the case of a personal data breach, the controller must notify the concerned supervisory authority without undue delay and, where feasible, no later than 72 hours after having become aware of it.
Where the notification is not made within the 72-hour period, the controller must provide the reasons for the delay.
2.2. Content of the notification to the Supervisory Authority
The notification should contain the following:
- a description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- the name and contact details of the data protection officer or another contact point where more information can be obtained;
- a description of the likely consequences of the personal data breach;
- a description of the measures taken or proposed to be taken, including measures to mitigate its possible adverse effects.
The controller must document any personal data breach so that the supervisory authority can verify compliance with the regulation.
If the controller does not have all the required information at once, it may provide it in phases as it becomes available.
2.3. What about the Data Processor?
Where a data processor is involved, it must notify the controller without undue delay after becoming aware of a personal data breach.
The contract with the processor should require it to cooperate with the controller and provide any necessary information. The contract may also provide that the processor will notify personal data breaches on the controller’s behalf; however, the controller remains responsible for the notification.
3. Communication to the data subjects
3.1. When do controllers have to notify data subjects?
Where a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must communicate the personal data breach to the data subjects without undue delay.
In practice, such communication should not undermine the investigation; it should therefore be made as soon as reasonably feasible, taking into consideration the kind of risk to be mitigated.
“High risk” is not defined in the GDPR, but controllers should refer to the notion of risk described above and assess the gravity of the consequences of the personal data breach for the data subjects.
If the controller has not communicated the personal data breach to the data subject when notifying the authority, the supervisory authority may require it to do so.
Communication to the data subjects is not required if any of the following conditions are met:
- appropriate technical and organisational protection measures were applied to the personal data affected and have rendered the personal data unintelligible to any person not authorised to access it, such as encryption;
- subsequent measures have been taken which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise;
- it would involve a disproportionate effort; in that case a public communication or similar measure must be made so that data subjects are informed in an equally effective manner.
3.2. Content of the notification to the data subjects
The communication must describe in clear and plain language the nature of the personal data breach, the information referred to above and the measures taken.
It should also include any recommendations that help the data subjects mitigate the adverse effects of the personal data breach.