Dealing with data breach
The news often reports about companies being targeted by cybercrime, hacked websites and databases, but also of ‘human errors’ and loss of data by employees who leave behind USB sticks in trains or restaurants for example. These are all forms of a data breach: an intentional or unintentional release of secure or private information.
Notification of the supervisory authority
When a data breach occurs, a controller has the obligation under Article 33 to notify the competent supervisory authority within 72 hours after becoming aware of the data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the supervisory authority is not notified within 72 hours, the controller needs to provide reasons for the delay.
The notification should be accompanied by the relevant information. If it is not possible to provide the information at the same time as the notification, the information may be provided in phases without undue further delay. The notification should include the following information:
- Nature of the data breach, categories and number of data subjects and personal records concerned;
- Name and contact details of the data protection officer or other contact point;
- The likely consequences and measures taken or proposed to be taken.
The controller should document any breaches and related issues. These documents can be used to demonstrate legal compliance to supervisory authority.
Notification of the data subject
Furthermore, the controller has the obligation to communicate without undue delay the personal data breach to the data subject under Article 34 if the breach is likely to result in a high risk to the rights and freedoms of natural persons. The communication to the data subject needs to be described in clear, plain and understandable language and should include the same information given to the supervisory authority as listed above. The controller is exempted from this obligation if:
- Appropriate measures have been implemented and applied (for example encryption;
- Subsequent measures have been taken to prevent high risk to rights and freedoms of data subjects;
- The effort is disproportionate (if that is the case, a public communication or similar measure to inform data subjects will be sufficient).
© University of Groningen