GDPR Learning Hub


Definition of a personal data breach

The definition of a personal data breach is set out in Article 4(12) of the GDPR. A personal data breach is a breach of security that leads to the accidental or unlawful destruction, loss or alteration of personal data, or to the unauthorised disclosure of, or access to, personal data that is stored, transmitted or otherwise processed. It is important to keep in mind that an incident is a personal data breach regardless of whether it was caused by intentional or unintentional action: an employee's mistake counts just as much as an attack from outside.

Companies must prevent personal data breaches

Companies shall take appropriate technical and organisational measures to protect personal data. In other words, companies should take various measures to try to prevent personal data breaches. Here are some tips on how to avoid personal data breaches and limit the damage once a personal data breach has occurred: 

  • Always double check that the recipient of an SMS, letter or email is correct before sending a message containing personal data. 
  • Regularly review users' permissions in the systems used in the business that process personal data. Remove access rights as soon as users no longer need them, for example when they change role or leave the company. 
  • Use multi-factor authentication (MFA) when logging in to systems that contain personal data, whenever possible. 
  • Use a different, strong password for each application/system, work computer, mobile phone, etc., rather than reusing one password across them. 
  • Install anti-malware protection on devices that process personal data, such as work computers. 
  • Keep devices containing personal data up to date with the latest version of their software, so that known security flaws are patched.
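The second tip, the periodic access review, is the one most easily automated. The script below is an added example and is not code from the GDPR Learning Hub: it takes a list of access grants to systems that process personal data and splits them into grants to keep and grants to revoke, with a reason for each. The grants, user names, systems, dates and the 90-day inactivity threshold are constructed sample data and assumptions chosen for illustration.

```python
"""Stale-access review for systems that process personal data.

Added example, not code from the page. The grants below are constructed
sample data; user names, systems, dates and the 90-day threshold are
assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumption: access unused for longer than this is treated as no longer needed.
STALE_AFTER = timedelta(days=90)


@dataclass(frozen=True)
class AccessGrant:
    user: str
    system: str                  # system that processes personal data
    role: str
    last_login: Optional[date]   # None = the grant has never been used
    active_employee: bool        # False once the user has left the company


def review_access(grants: List[AccessGrant], today: date
                  ) -> Tuple[List[AccessGrant], List[Tuple[AccessGrant, str]]]:
    """Split grants into those to keep and those to revoke, with a reason.

    Revoke when the user has left, the grant was never used, or it has not
    been used within STALE_AFTER. Everything else is kept.
    """
    keep: List[AccessGrant] = []
    revoke: List[Tuple[AccessGrant, str]] = []
    for g in grants:
        if not g.active_employee:
            revoke.append((g, "user no longer employed"))
        elif g.last_login is None:
            revoke.append((g, "access never used"))
        elif today - g.last_login > STALE_AFTER:
            idle = (today - g.last_login).days
            revoke.append((g, f"unused for {idle} days"))
        else:
            keep.append(g)
    return keep, revoke


def revocation_report(grants: List[AccessGrant], today: date) -> List[str]:
    """One line per grant to revoke, ready to hand to whoever removes access."""
    _, revoke = review_access(grants, today)
    return [f"REVOKE {g.user}@{g.system} ({g.role}): {why}" for g, why in revoke]


# Constructed sample data for a review run on 1 June 2024.
SAMPLE_GRANTS = [
    AccessGrant("alice", "crm", "admin", date(2024, 5, 20), True),   # used 12 days ago
    AccessGrant("bob", "crm", "read", date(2024, 1, 15), True),      # idle 138 days
    AccessGrant("carol", "hr-db", "admin", date(2024, 5, 30), False),  # has left
    AccessGrant("dave", "hr-db", "read", None, True),                # never used
]
REVIEW_DATE = date(2024, 6, 1)


if __name__ == "__main__":
    for line in revocation_report(SAMPLE_GRANTS, REVIEW_DATE):
        print(line)
```

In practice the grant list would be exported from the system's own user administration or identity provider, and the revocation report handed to the owner of that system; the point of keeping "user has left" as a separate reason is that such grants should be removed on the day of departure, not only at the next periodic review.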

Possible consequences for data subjects in the event of a personal data breach

Personal data breaches can lead to serious consequences for data subjects. For example: 

  • Fraud or other financial damage. 
  • Identity theft. 
  • Harmful spread of rumours.

Examples of personal data breaches

There are many different types of incidents that can be considered as personal data breaches. Here are some examples of common personal data breaches:


Data breach

A data breach occurs when someone who is not authorised gains access to personal data. Data breaches may occur internally within a workplace, for example an employee reading records they have no business reason to see, or externally, when a third party breaks into a system.


Misdirected emails

When a person at a company sends an email containing personal data to the wrong recipient, it is a personal data breach.


Virus attack

If a virus or other malware attack leads to the deletion or destruction of personal data, that is also a personal data breach, even though no data has been disclosed. It is therefore good to keep backups, stored separately from the systems they protect, so that data that has been accidentally lost or destroyed can be recovered.


Theft of a work computer or mobile phone

If a work computer or mobile phone contains personal data and is stolen, it is a personal data breach. This is because the company has lost control of the personal data that was on the stolen device, whether or not anyone is known to have read it. Full-disk encryption with the device locked greatly reduces the risk to the data subjects, but the theft must still be documented as a breach.

Documenting personal data breaches

Companies must document all personal data breaches that have occurred. This applies regardless of whether the company needs to inform the data subjects and/or notify the personal data breach to the national data protection authority. The documentation must cover the facts of the breach, its effects and the remedial action taken (Article 33(5) of the GDPR). Therefore, it is important that the company has internal procedures, logbooks and other necessary documentation in order to be able to compile personal data breaches in writing.  

Informing data subjects and/or notifying the national data protection authority of an occurred personal data breach

When a personal data breach occurs, the controller shall, in certain cases, inform the data subjects concerned, namely when the breach is likely to result in a high risk to their rights and freedoms. For example, if credit card details have been leaked, which can lead to very negative consequences for the data subjects. By informing data subjects of a personal data breach involving their personal data, they can take steps to try to minimise the risks. In addition, companies that are data controllers must notify the national data protection authority of a personal data breach unless the breach is unlikely to result in a risk to the rights and freedoms of the data subjects. That notification shall be made without undue delay and, where feasible, not later than 72 hours after the controller has become aware of the breach.
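The documentation requirement above and the two notification decisions (authority and data subjects) can be kept in one breach register. The code below is an added example and is not from the GDPR Learning Hub: each record holds the facts, effects and remedial actions that Article 33(5) requires, and the register reports which breaches were notified to the authority late and which data subjects still have to be informed. The 72-hour figure is the Article 33(1) deadline; the three-step risk scale, the field names and the two sample incidents are assumptions made for illustration.

```python
"""Breach register for documenting personal data breaches (Art. 33(5) GDPR).

Added example, not code from the page. The 72-hour figure is the Article
33(1) deadline (where feasible, after becoming aware of the breach); the risk
scale, field names and the two sample incidents are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

DPA_DEADLINE = timedelta(hours=72)
# Assumed risk scale mapped onto the legal thresholds:
#   "unlikely" -> no notification required (Art. 33(1) exception), still documented
#   "risk"     -> notify the data protection authority (Art. 33)
#   "high"     -> additionally inform the data subjects (Art. 34)
RISK_LEVELS = ("unlikely", "risk", "high")


@dataclass
class BreachRecord:
    ref: str
    aware_at: datetime                 # when the controller became aware (tz-aware)
    facts: str                         # what happened
    data_categories: List[str]
    subjects_affected: int
    risk: str
    effects: str = ""                  # likely consequences for data subjects
    remedial_actions: List[str] = field(default_factory=list)
    dpa_notified_at: Optional[datetime] = None
    subjects_informed_at: Optional[datetime] = None

    def __post_init__(self) -> None:
        if self.risk not in RISK_LEVELS:
            raise ValueError(f"risk must be one of {RISK_LEVELS}")

    def must_notify_dpa(self) -> bool:
        return self.risk != "unlikely"

    def must_inform_subjects(self) -> bool:
        return self.risk == "high"

    def dpa_deadline(self) -> datetime:
        return self.aware_at + DPA_DEADLINE

    def dpa_notification_late(self, now: datetime) -> bool:
        """True if the DPA was notified after the deadline, or not yet and it has passed."""
        if not self.must_notify_dpa():
            return False
        when = self.dpa_notified_at if self.dpa_notified_at is not None else now
        return when > self.dpa_deadline()


class BreachRegister:
    """Log of every breach, notifiable or not, as Art. 33(5) requires."""

    def __init__(self) -> None:
        self._records: Dict[str, BreachRecord] = {}

    def log(self, record: BreachRecord) -> None:
        if record.ref in self._records:
            raise ValueError(f"duplicate breach reference {record.ref}")
        self._records[record.ref] = record

    def get(self, ref: str) -> BreachRecord:
        return self._records[ref]

    def record_dpa_notification(self, ref: str, at: datetime) -> None:
        self._records[ref].dpa_notified_at = at

    def late_dpa_notifications(self, now: datetime) -> List[str]:
        return [r.ref for r in self._records.values() if r.dpa_notification_late(now)]

    def pending_subject_communications(self) -> List[str]:
        return [r.ref for r in self._records.values()
                if r.must_inform_subjects() and r.subjects_informed_at is None]


def sample_register() -> BreachRegister:
    """Two constructed incidents modelled on the page's own examples."""
    reg = BreachRegister()
    reg.log(BreachRecord("2024-001", datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc),
                         "Customer export emailed to the wrong recipient",
                         ["name", "card number"], 1200, "high",
                         effects="Fraud and financial loss possible",
                         remedial_actions=["Recipient asked to delete the file"]))
    reg.log(BreachRecord("2024-002", datetime(2024, 6, 2, 14, 0, tzinfo=timezone.utc),
                         "Work laptop stolen; disk encrypted, device locked",
                         ["name", "email"], 40, "unlikely",
                         remedial_actions=["Remote wipe issued", "Credentials revoked"]))
    # Notified 73 hours after awareness: one hour past the Art. 33(1) deadline.
    reg.record_dpa_notification("2024-001", datetime(2024, 6, 4, 10, 0, tzinfo=timezone.utc))
    return reg


REVIEW_TIME = datetime(2024, 6, 6, tzinfo=timezone.utc)   # constructed "now" for the report

if __name__ == "__main__":
    reg = sample_register()
    print("late DPA notifications:", reg.late_dpa_notifications(REVIEW_TIME))
    print("data subjects still to inform:", reg.pending_subject_communications())
```

The stolen-laptop record shows why the register holds every breach and not only the notifiable ones: it is documented with its risk assessment and remedial actions even though, on the assumed facts, no notification is required. The deadline is computed from the moment of awareness, which is why that timestamp is a mandatory field.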

Penalty for companies that reported a personal data breach late

A company should consider verifying the identity of a data subject who requests to exercise their rights by other means, for example by asking control questions that only the data subject could answer, such as other contact details of the data subject held by the company.


Cross-border personal data breaches

It is not uncommon for companies to sell services or products to other countries within the EU/EEA area. In addition, many companies operate in several countries of the European Union. Thus, it is common to process personal data belonging to persons in different countries. In some cases, therefore, a personal data breach may affect data subjects in several countries, and in such cases it is a cross-border personal data breach. It is therefore important for companies to know in advance which data protection authority is their lead supervisory authority: the authority of the Member State in which the company has its main establishment or single establishment in the EU. 
