Under the General Data Protection Regulation (GDPR), controllers must notify:
- the competent authority of any personal data breach likely to result in a risk to the right and freedoms of the data subjects;
the individuals concerned of any personal data breach likely to result in a high risk to their rights and freedoms.
It is therefore important for a controller to understand what a personal data breach is and to be ready to react promptly and appropriately when it happens.
1. What is a personal data breach?
According to the GDPR, ‘personal data breach‘ is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
2. Conditions for notifying the Supervisory Authority of the personal data breach
2.1. When must the controllers notify their supervisory authority?
The controllers must notify the authority unless the personal data breach is unlikely to result in a risk to the rights and freedoms of the data subjects. It must file the notification within 72 hours of having been made aware of the breach.
2.1.1. What is a risk to the rights and freedoms of the data subjects?
The GDPR defines risk as follows :
The risk to the rights and freedoms of natural persons may result from personal data processing which could lead to physical, material or non-material damage, in particular, where:
- processing involves a large amount of personal data and affects a large number of data subjects.
- processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage;
- data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data;
- sensitive data are processed (e.g. they reveals individuals’ racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, genetic data, health data or data concerning sex life or criminal convictions and offences);
- where personal aspects are evaluated as well as location or movements tracked, in order to create or use personal profiles;
- where personal data of vulnerable natural persons, in particular of children, are processed
2.1.2. The Supervisory Authority should be notified within 72 hours (where feasible)
The controller must notify the concerned supervisory authority of a personal data breach without undue delay and, where feasible, no later than 72 hours after having become aware of it. The controllers will have to justify any delay.
2.2. Content of the notification to the Supervisory Authority
The notification should contain the following:
- A description of the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- The name and contact details of the data protection officer or another contact point where more information can be obtained;
- A description of the likely consequences of the data breach;
- A description of the measures taken or proposed to be taken including measures to mitigate its possible adverse effects.
The controller must document any data breaches so that the Authority can verify the controller’s compliance with the regulation.
If the controller does not have all the required information at the same time, it can provide additional information as and when it becomes aware of it.
2.3. What is the role of the Processor?
If a personal data breach occurs in the processor’s system or because of the processor’s actions, it will have to notify the controller without undue delay after becoming aware of it.
The contract between the controller and the processor should provide that the latter must cooperate with the controller and provide any necessary information in due time.
It is also possible to provide that the processor will notify personal data breach on the controllers’ behalf to the Authority and where applicable to the data subjects. However, controllers would remain legally responsible for the notification.
3. Communication to the data subjects
3.1. When must the controllers notify the data subjects?
Where a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must notify the personal data breach to the data subjects without undue delay.
In practice, such notification should not undermine the investigation and therefore, the notification should be done as soon as reasonably feasible taking into consideration the kind of risk to mitigate.
“High risk” is not defined in the GDPR but controllers should refer to the notion of risk as defined above and assess the gravity of the consequences of the personal data breach for the data subjects.
If the controller has not communicated the personal data breach to the data subjects at the same time as its notification to the authority, the supervisory authority may require it to do so.
Controllers do not have to notify data subjects if any of the following conditions are met:
- Appropriate technical and organizational protection measures were applied to the personal data affected and have rendered the personal data unintelligible, such as encryption
- Subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise have been taken
- The notification would involve a disproportionate effort. A public communication or similar measure should be made so that data subjects are informed in an equally effective manner.
3.2. Content of the notification made the data subjects
The notification must describe in clear and plain language the nature of the personal data breach, the name and contact details of the data protection officer or any equivalent point of contact, a description of the likely consequence of the breach and information about the measures taken or proposed to be taken by the controller.
It should also include any recommendation to mitigate the adverse effect of the data breach.