1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
2. The processor shall notify the controller without undue delay after becoming aware of a personal data breach.
3. The notification referred to in paragraph 1 shall at least:
describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
describe the likely consequences of the personal data breach;
describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
4. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
5. The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article.
To deal with a personal data breach, the controller must first be able to recognise a breach.
A personal data breach, as the GDPR defines it, is a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Only the events leading to accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of or access to personal data are covered by the GDPR’s definition of a personal data breach.
For example, a personal data breach may occur when the controller’s software is not sufficiently secured, allowing outsiders to access personal data (e.g. hacking).
However, the controller’s own handling of the personal data may also cause a breach, for example if the controller discloses or modifies the personal data without authorisation.
As another example, the controller may lose access to the personal data, or end up destroying it, either unlawfully or as a result of an unanticipated event (e.g. fire or flood).
Examples of personal data breaches:
When a breach is not handled in an appropriate and timely manner, it may cause physical, material or immaterial harm to persons e.g.
Generally, all personal data breaches must be reported to the Data Protection Authority. No notification is required if the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
A risk to the rights and freedoms of natural persons includes:
The controller must assess the likelihood of the breach posing a risk to the rights of the individuals concerned immediately after becoming aware of the breach.
One should always take the following factors into account in the assessment of the risk to the rights and freedoms of data subjects resulting from a personal data breach:
The controller shall document all personal data breaches, including the facts of the personal data breach, its effects and the remedial measures taken.
In this context, it is irrelevant whether the controller is obliged to notify the breach to the Data Protection Authority.
This documentation obligation aims to enable the Data Protection Authority to check whether the obligation to notify certain breaches has been complied with.
The documentation must contain information about the breach, including the facts of the breach, its effects and the remedial measures. The requirements for documentation can also be as follows.