1 In setting detailed rules concerning the format and procedures applicable to the notification of personal data breaches, due consideration should be given to the circumstances of that breach, including whether or not personal data had been protected by appropriate technical protection measures, effectively limiting the likelihood of identity fraud or other forms of misuse. 2 Moreover, such rules and procedures should take into account the legitimate interests of law-enforcement authorities where early disclosure could unnecessarily hamper the investigation of the circumstances of a personal data breach.
This recital of the General Data Protection Regulation clarifies article 33 GDPR (Notification of a personal data breach to the supervisory authority) and article 34 GDPR (Communication of a personal data breach to the data subject).*