Dealing with data breach

Notification and communication obligations under the GDPR in case of a data breach. Dr Bo Zhao discusses the topic.
© University of Groningen

The news often reports on companies targeted by cybercrime and on hacked websites and databases, but also on ‘human errors’ and loss of data, for example employees who leave USB sticks behind in trains or restaurants. These are all forms of a data breach: an intentional or unintentional release of secure or private information.

Notification of the supervisory authority

When a data breach occurs, the controller has the obligation under Article 33 GDPR to notify the competent supervisory authority within 72 hours after becoming aware of the data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the supervisory authority is not notified within 72 hours, the controller must give reasons for the delay.

The notification should be accompanied by the relevant information. If it is not possible to provide all of the information at the same time as the notification, it may be provided in phases without undue further delay. The notification should include the following information:

  • Nature of the data breach, categories and number of data subjects and personal records concerned;
  • Name and contact details of the data protection officer or other contact point;
  • The likely consequences and measures taken or proposed to be taken.

The controller should document every breach, including the facts, its effects and the remedial action taken. This documentation can be used to demonstrate compliance to the supervisory authority.

Notification of the data subject

Furthermore, under Article 34 GDPR the controller has the obligation to communicate the personal data breach to the data subject without undue delay if the breach is likely to result in a high risk to the rights and freedoms of natural persons. The communication to the data subject must be written in clear and plain language and should include the same information given to the supervisory authority, as listed above. The controller is exempted from this obligation if:

  • Appropriate technical and organisational protection measures had been implemented and applied to the affected personal data (for example, encryption);
  • Subsequent measures have been taken which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise;
  • The effort would be disproportionate (in that case, a public communication or similar measure to inform data subjects equally effectively is sufficient).
This article is from the free online course Understanding the GDPR.
