What is a data breach?
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.
This includes a wide range of incidents that involve personal data. It includes both intentional and accidental breaches, as well as incidents resulting from external factors (e.g., cyberattacks) or internal factors (e.g., employee errors). The breach can occur in various forms, such as unauthorized access to a database, accidental loss of physical documents, or a cyberattack that compromises personal data.

Georgine Berger
“The assessment of whether an incident constitutes a data breach depends on the specific circumstances. It must be evaluated on a case-by-case basis to determine whether it qualifies as a data breach, and appropriate action must be taken in accordance with the law.”
Examples of Data Breaches
Data breaches can occur in various ways, such as:
- Hacking: Cybercriminals exploit vulnerabilities in computer systems or networks to gain unauthorized access and steal data.
- Phishing: Attackers use deceptive tactics, often via email or fraudulent websites, to trick individuals into revealing sensitive information like login credentials or financial details.
- Malware: Malicious software, such as viruses or ransomware, infects computer systems, allowing unauthorized access or control over data.
- Physical theft: Data breaches can also happen when physical devices like laptops, hard drives, or paper documents containing sensitive information are stolen or lost.
If personal data is intentionally and unlawfully transferred from the controller to a third party, this is not a data breach. In this case, the controller may instead be guilty of unlawful data processing.
Also, the loss of technical data that cannot be traced back to a natural person does not constitute a data breach.

Peter Harlander
“The consequences of a data breach can be severe. It can lead to financial loss, reputational damage, legal and regulatory penalties, identity theft, and harm to individuals whose personal information is compromised. It is essential to implement appropriate technical and organizational measures (TOMs) in order to prevent a data breach.”
When do I have to notify the supervisory authority?
In the case of a personal data breach, the controller must notify the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it.
The notification can be waived if the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
Where the notification to the supervisory authority is not made within 72 hours, it must be accompanied by reasons for the delay.
If the processor becomes aware of a data breach, the processor must notify the controller without undue delay.
When do I have to communicate the data breach to the data subject?
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must communicate the data breach to the data subject without undue delay.
The nature of the data breach must be communicated to the data subject in clear and plain language.
There are exceptions to this obligation. The communication to the data subject is not required if any of the following conditions are met:
- the controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach
- the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise
- it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
FAQs
When has a data breach occurred?
A data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Examples of a data breach are:
- erroneous modification/deletion of files
- cyber-attack
- encryption Trojan (ransomware)
- phishing emails
- access by unauthorized employees
- discovery of passwords or password systems
- failure to escort external visitors to buildings where personal data may be viewed
- flood
- power failure
- fire in the server room
- theft of laptop, PC, briefcase, or USB sticks
- non-compliance with data security instructions by employees
- delivery of information to the wrong recipient (e.g., via e-mail or post)
- encrypted data can no longer be decrypted (e.g., loss of key to decrypt the data)
When do I have to notify the data breach to the supervisory authority?
In general, there is an obligation to notify the supervisory authority. The controller must notify the supervisory authority if there is a risk to the rights and freedoms of natural persons.
The GDPR provides an exception to this general rule. If the data breach is unlikely to result in a risk to the rights and freedoms of natural persons, the notification obligation does not apply. This would, for example, be the case if the data was encrypted and the required cryptographic key was neither compromised nor could be guessed or derived.
If the controller is obligated to notify the supervisory authority, it must do so without undue delay, and, where feasible, not later than 72 hours after having become aware of it. Where the notification to the supervisory authority is not made within 72 hours, it must be accompanied by reasons for the delay.
When do I have to communicate the data breach to the data subjects?
The controller must communicate the data breach to the data subject when it is likely to result in a high risk to the rights and freedoms of natural persons. Therefore, the data subject does not need to be notified in all cases of a data breach.
There is no general definition for when a data breach leads to a high risk. However, it can be assumed that a notification to the data subject must be made in the following cases:
- if the data breach involves sensitive data or personal data relating to criminal convictions and offences,
- in the case of a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling,
- in the case of automated decision-making in individual cases, or
- if the processing activity consists of a systematic monitoring of a publicly accessible area on a large scale.
Whether there is actually a high risk must be assessed on a case-by-case basis. Our team will be happy to assist you with such an assessment.
In what form do I have to notify the data breach to the supervisory authority?
The notification to the supervisory authority must at least:
- describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
- describe the likely consequences of the personal data breach;
- describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Does the notification to the supervisory authority have to be made through a lawyer?
No, under the GDPR there is no explicit requirement for the notification to the supervisory authority to pass through a lawyer or legal representative. However, it is recommended to seek legal advice on the data breach incident and to involve legal professionals to assist with the notification process. Engaging legal expertise can help ensure compliance with the GDPR requirements and provide guidance on handling the breach effectively.
Our team is happy to assist you.
Who is responsible for the risk assessment?
The controller is responsible for the risk assessment, and it bears the burden of proving that the personal data breach is unlikely to result in a high risk to the rights and freedoms of natural persons.
What are the possible consequences of a data breach?
A data breach can have various consequences. Some possible consequences of a data breach include:
- Financial loss: Data breaches can result in significant financial costs for organizations. This may include expenses related to investigating the breach, implementing security measures to prevent future incidents, legal fees, regulatory fines or penalties, potential litigation, and damage to the organization’s reputation that could impact business operations and revenue.
- Legal and regulatory consequences: Organizations that experience a data breach may face legal and regulatory consequences. This can include investigations by data protection authorities, enforcement actions, fines, or other penalties imposed for non-compliance with data protection laws. The GDPR allows for fines of up to 4% of annual global turnover or €20 million, whichever is higher.
- Reputational damage: A data breach can lead to reputational harm for the organization. News of a breach can erode customer trust and confidence in the organization’s ability to protect their personal data. Reputational damage may result in the loss of customers, partners, and business opportunities, impacting the long-term viability and success of the organization.
- Operational disruptions: Data breaches can cause operational disruptions within an organization. This may include temporary or prolonged system downtime, loss of data integrity, compromised business processes, and the need for remediation efforts to restore normal operations. The time and resources required to address the breach and its aftermath can divert attention from regular business activities.
- Damage to business relationships: A data breach can strain relationships with business partners, suppliers, and other stakeholders. Organizations may face challenges in maintaining or establishing trust with these parties, impacting collaborations, contracts, and overall business relationships.
- Increased security measures and compliance requirements: Following a data breach, organizations often need to enhance their security measures to prevent future incidents. This may involve investing in stronger security protocols, implementing stricter access controls, conducting regular security audits, and adopting advanced technologies.
It is crucial for organizations to implement robust security measures, establish effective incident response plans, and prioritize data protection to minimize the potential consequences of a data breach and protect both their own interests and the individuals whose data they process.
What information must be provided to the supervisory authority?
The notification to the supervisory authority must at least:
- describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned,
- communicate the name and contact details of the data protection officer or other contact point where more information can be obtained,
- describe the likely consequences of the personal data breach, and
- describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
The above points are the mandatory minimum components of the notification. The controller can include additional information with the notification.
What information must be provided to the data subject?
The communication must describe in clear and plain language the nature of the personal data breach as well as recommendations for the natural person concerned to mitigate potential adverse effects. In addition, the notification to the data subject must at least:
- communicate the name and contact details of the data protection officer or other contact point where more information can be obtained,
- describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
In the event of a data breach, will proceedings automatically be initiated against me?
In the event of a data breach, proceedings are not automatically initiated against the data controller or processor. However, the supervisory authorities have the power to investigate and take enforcement actions if they determine that there has been a breach of the GDPR.
In case of a joint controller agreement, who is responsible for the notification?
In the case of a joint controller agreement, where multiple entities jointly determine the purposes and means of processing personal data, the responsibility for data breach notification typically lies with each individual joint controller.
In case of a processor agreement, who is responsible for the notification?
In the case of a processor agreement, where a data controller engages a third-party processor to process personal data on its behalf, the responsibility for data breach notification typically lies with the data controller.
The ultimate obligation to notify the supervisory authority and/or the data subjects rests with the data controller.
However, the processor must notify the controller without undue delay after becoming aware of a data breach.