easy GDPR - we make compliance with GDPR easy
33. Notification of a personal data breach to the supervisory authority

19/12/2016 by Andreas Schindler

CHAPTER IV Controller and processor, Section 2 Security of personal data

1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

2. The processor shall notify the controller without undue delay after becoming aware of a personal data breach.

3. The notification referred to in paragraph 1 shall at least:
(a) describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
(b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
(c) describe the likely consequences of the personal data breach;
(d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

4. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.

5. The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article.

Recitals

Recital 85

A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned. Therefore, as soon as the controller becomes aware that a personal data breach has occurred, the controller should notify the personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the controller is able to demonstrate, in accordance with the accountability principle, that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where such notification cannot be achieved within 72 hours, the reasons for the delay should accompany the notification and information may be provided in phases without undue further delay.

Recital 87

It should be ascertained whether all appropriate technological protection and organisational measures have been implemented to establish immediately whether a personal data breach has taken place and to inform promptly the supervisory authority and the data subject. The fact that the notification was made without undue delay should be established taking into account in particular the nature and gravity of the personal data breach and its consequences and adverse effects for the data subject. Such notification may result in an intervention of the supervisory authority in accordance with its tasks and powers laid down in this Regulation.

Recital 88

In setting detailed rules concerning the format and procedures applicable to the notification of personal data breaches, due consideration should be given to the circumstances of that breach, including whether or not personal data had been protected by appropriate technical protection measures, effectively limiting the likelihood of identity fraud or other forms of misuse. Moreover, such rules and procedures should take into account the legitimate interests of law-enforcement authorities where early disclosure could unnecessarily hamper the investigation of the circumstances of a personal data breach.

Definitions (GDPR Article 4) of the terms used in the article and recitals above:

  • ‘personal data’ (Article 4 Paragraph 1) means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • ‘pseudonymisation’ (Article 4 Paragraph 5) means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
  • ‘controller’ (Article 4 Paragraph 7) means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
  • ‘processor’ (Article 4 Paragraph 8) means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
  • ‘personal data breach’ (Article 4 Paragraph 12) means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
  • ‘supervisory authority’ (Article 4 Paragraph 21) means an independent public authority which is established by a Member State pursuant to Article 51.

FAQs regarding this GDPR Article:

  • What to do in case of a data breach?

GDPR Fines based on this article

Title | Country | Number of involved data records | GDPR Fine
Unintentional posting of personal data at Covid-19 test center | Germany | 1 | 1,800 €
Disposal of delivery bills in waste paper containers | Germany | unknown | 0 €
Disregard of the duty to inform after data theft | Germany | unknown | 9,000 €
Hora Credit IFN SA – 14,000 euros fine | Romania | unknown | 14,000 €
Vreau Credit S.R.L fined for not reporting a Data Breach | Romania | 1,177 | 20,000 €
Penalty against Life at Parliament View Limited | Great Britain | 18,610 | 90,000 €
Lithuania: Data Breach at a payment service provider | Lithuania | 9,000 | 61,500 €
Penalty for late notification of a data breach | Germany | unknown | 20,000 €
Penalty against Uber (NL) | Netherlands | 174,000 | 600,000 €
Penalty against Uber | Great Britain | 2,700,000 | 440,000 €
