Personal Data Breach
Notification of a personal data breach to the supervisory authority (Art. 33 GDPR)
Data breaches are on the rise. Passwords and firewalls that keep unauthorized users out are no longer sufficient on their own to protect personal data. A personal data breach occurs when a security incident leads to a loss of confidentiality, integrity or availability of personal data, for example through unauthorized disclosure of or access to the data, or through their alteration, loss or destruction. Breaches are common, and the question is not whether an organization will suffer such an incident, but when.
Under the GDPR, data controllers and processors are required to have appropriate technical and organizational measures in place to protect the personal data they process. Such measures do not guarantee success, however, and an incident can always happen. It is therefore very important for an organization to be prepared and to know what it must do.
If the personal data breach is likely to result in a risk to the rights and freedoms of natural persons, the data controller must notify the supervisory authority (SA) without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach. Where the notification is not made within 72 hours, it must be accompanied by the reasons for the delay. A processor that becomes aware of a breach must notify the controller without undue delay.
Example
The computer systems of a small company were hit by ransomware. The personal data on the affected systems had been encrypted at rest by the company, and the encryption key was not compromised, so the attacker could not read the data. The company also had a backup available and was able to restore the data. Neither the confidentiality nor the availability of the personal data was affected in a way likely to result in a risk to the rights and freedoms of data subjects, so no notification was necessary. The company is nevertheless still obliged to investigate the breach and to document the facts.
If the company in the previous example had had no backup, or if the data had not been encrypted (so that the attacker could have read or copied them), the breach would have had to be notified to the supervisory authority.
The following information must be included in the notification to the SA (Art. 33(3)):
- A description of the nature of the breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned.
- The name and contact details of the data protection officer or of another contact point where more information can be obtained.
- A description of the likely consequences of the breach.
- A description of the measures taken or proposed to be taken by the controller to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.
Where it is not possible to provide all of this information at the same time, it may be provided in phases without undue further delay. It is also essential for organizations to document every personal data breach that has occurred, including the facts, its effects and the remedial action taken, regardless of whether it had to be notified. This documentation enables the supervisory authority to verify compliance.
Communication of a personal data breach to the data subject (Art. 34 GDPR)
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the data controller must also communicate the breach to the affected data subjects, in addition to notifying the supervisory authority. The emphasis is on high risk here: not every breach that must be notified to the SA must also be communicated to the data subjects.
Example
A hospital accidentally leaked patients' medical records, resulting in a personal data breach. Because of the sensitivity of the personal data and the content of the records, the breach may have a significant impact on the affected individuals and is likely to result in a high risk to their rights and freedoms. The data subjects must therefore be informed of the breach, in addition to the notification to the SA.
The communication must be made without undue delay and in clear and plain language. It must describe the nature of the breach and contain at least the contact point, the likely consequences and the measures taken or proposed, i.e. the second, third and fourth items of the notification to the SA listed above.
However, the communication to the data subjects is not required if any of the following conditions is met (Art. 34(3)):
- The controller had implemented appropriate technical and organizational protection measures, and those measures were applied to the affected personal data, in particular measures that render the data unintelligible to anyone not authorized to access them, such as encryption.
- The controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise.
- The communication would involve disproportionate effort; in that case a public communication or a similar measure that informs the data subjects in an equally effective manner must be made instead.
If the controller has not yet communicated the breach to the data subjects, the supervisory authority may, after assessing the likelihood of a high risk, require it to do so.