Information about GDPR
Informing data subjects of personal data breaches
In some cases, companies must inform data subjects of a personal data breach that has occurred and concerns them, in accordance with the GDPR. In some cases, companies must also notify the personal data breach to the national or otherwise responsible data protection authority. It is therefore important to always analyze what happened and to educate staff about what can constitute a personal data breach under the GDPR.
Companies must inform data subjects in the event of personal data breaches in certain cases
Under the GDPR, companies must in some cases inform data subjects of a personal data breach that has occurred. This must be done when the personal data breach is likely to result in a high risk to the rights and freedoms of data subjects, for example when thousands of credit card details leak in a data breach. Informing the data subjects of the incident gives them an opportunity to protect themselves by taking action, for example by blocking the credit card whose details have been leaked.
Information to be provided to data subjects:
- Reason: The reason for the personal data breach;
- Contact details: The contact details of someone at the company whom data subjects can contact. If the company has a data protection officer, his or her contact details must be stated.
- Consequences: Description of the consequences that may arise as a result of the personal data breach.
- Measures: What measures the company has taken to minimize the risks and manage the personal data breach.
When companies do not need to inform data subjects
Measures taken
It is always good for companies to take action as quickly as possible to minimize the consequences of the personal data breach. For example, if the company has rendered the personal data unintelligible, such as through encryption, it does not need to inform the data subjects. The same applies if the company has taken measures to minimize the consequences of the personal data breach so that there is no longer a high risk to the rights and freedoms of the data subjects.
Unreasonable inconvenience
In some cases, a company may not know who the data subjects are, and it may then be impossible to contact them personally. In such a case, the company must make a public announcement so that the data subjects are informed in an effective manner, for example by placing information about the personal data breach at the top of the home page of its website.
Report a personal data breach to a data protection authority
Some personal data breaches are notifiable. Companies shall notify such a personal data breach to the national data protection authority within 72 hours of its detection. If notification is not made in time, it constitutes a violation of the GDPR that can have major consequences. For example, one company received a fine of 100 000 Polish złoty from the Polish Data Protection Authority for, inter alia, late notification.
When submitting a personal data breach notification, please bear in mind the following
It is important to make an assessment of the seriousness of the personal data breach and the seriousness of its consequences. Please note that the company should assess the impact on the data subjects concerned, not the impact on the company.
When a personal data breach to be reported occurs, the company may not have all the information about the breach yet. In such cases, the company may submit a preliminary notification and subsequently complete it.
If, in its notification to the responsible data protection authority, the company indicates that the severity of the consequences the personal data breach may entail is significant or very significant, the company must, as a general rule, also inform the data subjects concerned.
If a personal data breach occurs at a company that is the data processor
Companies that are processors process personal data on behalf of, and under the instructions of, a controller. The instructions and other information about the processing are set out in a data processing agreement, which must be concluded in writing between the parties in accordance with the requirements of Article 28 of the GDPR.
In the event of a personal data breach at the processor, relating to personal data covered by the data processing agreement, the controller shall be informed thereof without undue delay.
In addition, it is beneficial if the data processing agreement states how the processor should act in the event of a personal data breach. The agreement may authorize the processor to notify a personal data breach directly to the national data protection authority. The same applies to informing the data subjects concerned about the situation.
More information about Data Breaches
Cross-border personal data breaches
When a company processes personal data relating to several countries within the EU, this is cross-border processing of personal data. If a personal data breach relates to several countries in the Union, it is a cross-border personal data breach. Companies carrying out cross-border processing operations need to find out which data protection authority is responsible for them, because if a personal data breach is to be notified, that is the authority the company must notify. Data subjects, however, may lodge a complaint with their national data protection authority or with another data protection authority within the EU/EEA. If that authority considers that another authority is responsible for the company, for example because the company has its headquarters in that country, it transfers the case to the national data protection authority of that country.