The obligation to notify the supervisory authority about data breaches and to communicate such breaches to data subjects lies primarily with the controller. The controller must document all data breaches, including the relevant facts relating to the breach, its effects and the remedial action taken. In addition, when the processor learns of a data breach, it must notify the controller “without undue delay”.
Data-breach notification to the supervisory authority
When the controller becomes aware of a data breach, it has 72 hours to notify the relevant supervisory authority. If the supervisory authority has not been notified within that time, the controller must provide reasons for the delay. The only exception is where the breach is unlikely to result in a risk to the rights and freedoms of individuals.
Such a notification must meet the following minimum content requirements:
- description of the nature of the data breach (including the categories and approximate number of data subjects and data records concerned)
- name and contact details of the DPO or other contact point where more information can be obtained
- description of the likely consequences of the personal data breach
- description of the measures taken, or proposed to be taken, by the controller to address the personal data breach (including the measures to mitigate its possible adverse effects)
Data-breach communication to data subjects
Art. 34 GDPR applies to situations where a data breach is likely to result in a high risk to the rights and freedoms of data subjects. Such a communication must describe the nature of the breach in clear and plain language and contain at least the following:
- name and contact details of the DPO or other contact point where more information can be obtained
- description of the likely consequences of the personal data breach
- description of the measures taken, or proposed to be taken, by the controller to address the personal data breach (including the measures to mitigate its possible adverse effects)
The obligation to communicate a data breach to data subjects does not apply if any of the following conditions is met:
- the controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the breach (e.g., encryption)
- the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize
- it would involve disproportionate effort; in that case there must instead be a public communication or similar measure by which the data subjects are informed in an equally effective manner
- where the controller has not already communicated the breach to the data subjects, the supervisory authority may either require the controller to do so or decide that one of the conditions referred to in Art. 34(3) GDPR is met