Under Article 33, the GDPR requires controllers to handle every personal data breach in the context of the controllers’ obligations regarding the security of processing. In case the breach is likely to result in a risk to the rights and freedoms of the persons concerned, the controllers must notify the breach in question to the HDPA.
Such notification must be made without undue delay and, where feasible, not later than 72 hours after the controller has become aware of it. The notification must contain specific information (e.g. nature/scope of the breach, categories of persons affected, cause and consequences of the breach, measures taken to address it, etc.). Even if all the above information is not available at the time of submitting the notification, the latter should be submitted as an initial notification to be subsequently updated without undue delay (by submitting a supplementary notification).
To submit such notification to the HDPA, press here*.
It should be noted that, even if the data breach is unlikely to result in a risk to the natural persons concerned, and therefore it is not required to submit the above notification to the HDPA, the controller must record the data breach and keep his or her own internal record.
In addition, under Article 34 GDPR, when the data breach is likely to result in a high risk to the rights and freedoms of natural persons concerned, the controller must communicate the breach to those persons too without undue delay. Such communication is made regardless of the above mentioned notification to the HDPA (which must be submitted even if the relevant risk is not considered high). The communication to the natural persons should be made in the most appropriate and effective manner, in the form of personalised information and not by a communication of a general nature, insofar as this is possible.
It should be noted that the HDPA may in any case order the controller to communicate the data breach to the natural persons (Article 58 (2) (e) GDPR).
To find the Guidelines of the European Data Protection Board on how to handle data breaches, and on relevant obligations please see here.
(*) Warning, it concerns only notifications of personal data breaches submitted by controllers. To lodge a complaint, please see here.