Under the General Data Protection Regulation (GDPR), where a personal data breach occurs, data controllers may have to notify:
- the concerned supervisory authority, where the breach may result in a risk to the rights and freedoms of the data subjects;
- the individuals concerned, where the personal data breach may result in a high risk to their rights and freedoms.
1. What is a personal data breach?
According to the GDPR, a ‘personal data breach’ is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
In broad terms, where a security breach concerning personal data occurs, it may be considered a personal data breach.
2. Notification of the Supervisory Authority
2.1. When do controllers have to notify their supervisory authority?
A notification is required if the breach may result in a risk to the rights and freedoms of the data subjects and should be done within 72 hours of having been made aware of the breach.
A Risk to the Rights and Freedoms of the Data Subjects is Necessary:
It is required to notify the authority only where the personal data breach is likely to result in a risk to the rights and freedoms of natural persons.
A risk is defined as follows under the GDPR:
The risk to the rights and freedoms of natural persons may result from personal data processing which could lead to physical, material or non-material damage, in particular where:
- processing involves a large amount of personal data and affects a large number of data subjects.
- processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage;
- data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data;
- sensitive data are processed (e.g. data revealing racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, genetic data, health data or data concerning sex life or criminal convictions and offences);
- where personal aspects are evaluated as well as location or movements tracked, in order to create or use personal profiles;
- where personal data of vulnerable natural persons, in particular of children, are processed.
The Supervisory Authority Should Be Notified Within 72 Hours
In the case of a personal data security breach, the controller must notify the concerned supervisory authority without undue delay and in any event no later than 72 hours after having become aware of it.
Under certain circumstances, it may notify the authority after the 72-hour period. However, it will then have to justify the delay in the notification.
2.2. Content of the notification to the Supervisory Authority
The notification should contain the following:
- a description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- the name and contact details of the data protection officer or other contact point where more information can be obtained;
- a description of the likely consequences of the personal data breach;
- a description of the measures taken or proposed to be taken, including measures to mitigate its possible adverse effects.
The controller shall document any data breaches in order for the Authority to verify compliance with the regulation.
If the controller does not have all the information required, it can provide it as and when it is made aware of it.
2.3. What about the Data Processor?
Where a data processor is concerned, it must notify the controller without undue delay after becoming aware of a personal data breach.
3. Communication to the data subjects
3.1. When do controllers have to notify the data subjects?
Where a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must communicate the personal data breach to the data subjects without undue delay.
However, in practice such communication should not undermine the investigation; therefore, it should be made as soon as reasonably feasible, taking into consideration the kind of risk to be mitigated.
The notion of “high risk” is not defined in the GDPR but controllers should refer to the notion of risk as defined above and assess the gravity of the consequences of the personal data breach for the data subjects.
If the controller has not communicated the personal data breach to the data subject when notifying the authority, the supervisory authority may require it to do so.
Further guidance has been released by the Authorities on this point.
A communication is not required if any of the following conditions are met:
- appropriate technical and organisational protection measures were applied to the personal data affected and have rendered the personal data unintelligible, such as encryption;
- subsequent measures have been taken which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise;
- it would involve disproportionate effort. In that case a public communication or similar measure should be made so that data subjects are informed in an equally effective manner.
3.2. Content of the notification to the data subjects
The communication shall describe in clear and plain language the nature of the personal data breach, the information available and the measures taken.
It should also include any recommendations to mitigate the adverse effects of the data breach.