Personal Data Breach Notification

Under the General Data Protection Regulation (GDPR), controllers must notify:

the competent authority of any personal data breach likely to result in a risk to the rights and freedoms of the data subjects;

the individuals concerned of any personal data breach likely to result in a high risk to their rights and freedoms.

It is therefore important for a controller to understand what a personal data breach is and to be ready to react promptly and appropriately when it happens.

Record of Processing Activities

Under the European General Data Protection Regulation (GDPR), organisations processing personal data must maintain a record of their processing activities (ROPA) unless an exemption applies.

However, the type of information to maintain in this record differs depending on whether the organisation acts as a controller or as a processor with regard to a specific processing activity.

In addition, some of the processing activities recorded may also be subject to a data protection impact assessment (DPIA), which requires additional information (see here).

Data Protection Impact Assessment (DPIA)

Under the General Data Protection Regulation (GDPR), controllers must now:

Keep a record of their processing activities (see here for more details); and
Carry out a Data Protection Impact Assessment (DPIA) where the data processing is likely to result in a high risk to the rights and freedoms of the data subjects.  

A DPIA is a process designed to describe the processing, assess its necessity and proportionality, and manage the resulting risks to the individuals’ rights and freedoms.

Consent under the GDPR

Under the European General Data Protection Regulation (GDPR), consent is one of the legal bases upon which controllers may rely to process personal data.

The GDPR defines valid consent as a freely given, specific, informed and unambiguous indication of the individual’s wishes, and restrictions apply to online services provided to children.