Personal Data Breach Reporting Requirements Under the GDPR

What is a Data Breach?

A personal data breach is a security incident that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Note that the definition covers more than confidentiality failures: an outage or ransomware incident that makes personal data unavailable, or a bug that silently corrupts records, is also a breach. Personal data breaches can include:

  • access by an unauthorized third party;
  • deliberate or accidental action (or inaction) by a controller or processor;
  • sending personal data to an incorrect recipient;
  • computing devices containing personal data being lost or stolen; 
  • alteration of personal data without permission; and
  • loss of availability of personal data.

According to GDPR Article 33, the data controller has to report personal data breaches to the competent Data Protection Authority (DPA) within 72 hours after becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned. The 72-hour period runs in calendar hours, including weekends and public holidays, from the moment the controller has a reasonable degree of certainty that a breach has occurred.

In what circumstances do you need to report a data breach?

If you experience a personal data breach you need to consider whether it poses a risk to the affected individuals. Assess the likelihood and severity of the risk to individuals' rights and freedoms following the breach, taking into account the type and sensitivity of the data, how many people are affected, whether the data was encrypted or otherwise unreadable to the attacker, and how easily individuals could be identified. If, on that assessment, a risk is likely, you must notify the DPA. If a risk is unlikely, you do not have to report the breach, but you still have to record it in your Breach Register: GDPR Article 33(5) requires you to document every breach, including the facts, its effects and the remedial action taken, so that the DPA can verify your decision not to notify.


Reporting the breach to the Data Protection Authority

A notifiable breach must be reported to the DPA without undue delay, and not later than 72 hours after becoming aware of it. If you notify the DPA later than 72 hours after becoming aware, the notification must be accompanied by the reasons for the delay.

When reporting a personal data breach, you have to provide the following information:

  • a description of the nature of the breach including, where possible:
    • the categories and approximate number of individuals concerned; and
    • the categories and approximate number of personal data records concerned;
  • the name and contact details of the DPO (if your organisation has one) or another contact point from which more information can be obtained;
  • a description of the likely consequences of the personal data breach; and
  • a description of the measures taken or proposed to be taken to address the personal data breach, including, where appropriate, the measures taken to mitigate its possible adverse effects.

It is not always possible to provide all of the information listed above at once, especially while an incident investigation is still running. In that case the information may be provided in phases, without undue further delay; the initial notification within 72 hours should state what is known so far and that further details will follow.

The notification is made to the Data Protection Authority of the country in which the controller is established. Contact details of the EU Data Protection Authorities, by country, can be found here.

Notifying Data Subjects about the Data Breach

Some breaches are likely to result in a high risk to the rights and freedoms of individuals, for example the exposure of credentials, payment details or health data. In such a situation the controller must inform the affected individuals directly and without undue delay. One of the main reasons for informing individuals is to help them take steps to protect themselves from the effects of the breach, such as changing passwords or watching for fraudulent transactions. You need to describe, in clear and plain language, the nature of the personal data breach and, at least:

  • the name and contact details of your data protection officer (if your organisation has one) or another contact point where more information can be obtained;
  • a description of the likely consequences of the personal data breach; and
  • a description of the measures taken or proposed to be taken to address the personal data breach, including, where appropriate, the measures taken to mitigate its possible adverse effects.

Should a Processor report a Data Breach?

If your organisation is a data processor and you suffer a data breach, you have to inform the controller without undue delay after becoming aware of the breach. The processor does not notify the DPA or the data subjects itself; that remains the controller's obligation, and the controller's 72-hour clock starts once it has been informed, so any delay on the processor's side eats into the controller's deadline. The controller may define specific reporting conditions, such as a maximum notification time and the details to be supplied. These requirements should be set out in the Data Processing Agreement between you and the controller.
