DEFINITION OF PERSONAL DATA BREACH
“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.” (Article 4(12))
Data Processor Article 33: must inform the Personal Data ‘without undue delay after becoming aware of a breach’.
Personal Data Article 34: must inform the supervisory authority of a Personal Data breach within 72 hours where ‘the breach is likely to result in a risk for the rights and freedoms of natural persons’.
Personal Data must keep documentation of the facts of the breach to be able to prove compliance to the supervisory authority and feed back the:
- categories of affected Data Subjects;
- a description of likely consequences of the breach, and measures that have been taken, or will be taken, in response to the breach;
- the approximate number of Data Subjects and data recorData Subject; and,
- the name and contact details of the Data ProcessorO or other point of contact.
Personal Data Article 34: must inform the Data Subjects of a Personal Data breach within 72 hours where ‘the breach is likely to result in a high risk to the rights and freedoms of those Data Subjects’.
Notification must be ‘without undue delay’ and ‘in clear and plain language’. Notification may not be necessary if:
- there was prior implementation of appropriate technical and organisational measures that rendered the Personal Data unintelligible or encrypted;
- post-breach actions greatly reduce the risk to the rights and freedoms of the Data Subjects; or,
- individual notice requires disproportionate effort.