


Personal data breach notification

According to Article 33 of Regulation (EU) 2016/679, in the case of a personal data breach the controller must notify the breach to the Authority, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.

The notification must be made without undue delay and, where feasible, not later than 72 hours after the controller has become aware of the breach. The notification must contain all relevant information (the nature and extent of the breach, the categories and approximate number of natural persons affected, its cause and likely consequences, the measures taken or proposed to address the breach, etc.). Even if not all the relevant information is available at the time of notification, an initial notification should be submitted without undue delay, and the remaining information should be provided in phases without undue further delay (by submitting a supplementary notification).

To submit the aforementioned notification, click here.

Note that even if the breach is unlikely to result in a risk to the natural persons concerned, so that the aforementioned notification to the Authority is not required, the controller must in all cases document the breach in an internal record (its facts, its effects and the remedial action taken), so that the Authority can verify compliance with Article 33.

Furthermore, according to Article 34 of Regulation (EU) 2016/679, when the personal data breach is likely to result in a high risk to the rights and freedoms of the natural persons concerned, the controller must also communicate the personal data breach to the data subjects without undue delay. This communication is separate from the aforementioned notification to the Authority (the notification to the Authority must be submitted even if the risk is not considered high). Communication to natural persons should be carried out in the most appropriate and effective manner, where feasible in the form of personalised information to each data subject rather than a general announcement.

It is noted that the Authority may in any case order the controller to communicate the breach to the natural persons concerned (Article 58(2)(e) of the Regulation).

For guidelines on personal data breach notification under Regulation (EU) 2016/679, see here.