| « 32. Security of processing | 34. Communication of a personal data breach to the data subject » |
CHAPTER IV Controller and processor Section 2 Security of Personal data
33. Notification of a personal data breach to the supervisory authority
In the case of a personal data breach‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. GDPR Article 4 Paragraph 12, the controller‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. GDPR Article 4 Paragraph 7 shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. GDPR Article 4 Paragraph 12 to the supervisory authority‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51 GDPR Article 4 Paragraph 21 competent in accordance with Article 55, unless the personal data breach‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. GDPR Article 4 Paragraph 12 is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51 GDPR Article 4 Paragraph 21 is not made within 72 hours, it shall be accompanied by reasons for the delay.
The processor‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. GDPR Article 4 Paragraph 8 shall notify the controller‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. GDPR Article 4 Paragraph 7 without undue delay after becoming aware of a personal data breach‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. GDPR Article 4 Paragraph 12.
The notification referred to in paragraph 1 shall at least:
describe the nature of the personal data breach‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. GDPR Article 4 Paragraph 12 including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person GDPR Article 4 Paragraph 1 records concerned;
communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
describe the likely consequences of the personal data breach‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. GDPR Article 4 Paragraph 12;
describe the measures taken or proposed to be taken by the controller‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. GDPR Article 4 Paragraph 7 to address the personal data breach‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. GDPR Article 4 Paragraph 12, including, where appropriate, measures to mitigate its possible adverse effects.
Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
The controller‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. GDPR Article 4 Paragraph 7 shall document any personal data breach‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. GDPR Article 4 Paragraph 12es, comprising the facts relating to the personal data breach‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. GDPR Article 4 Paragraph 12, its effects and the remedial action taken. That documentation shall enable the supervisory authority‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51 GDPR Article 4 Paragraph 21 to verify compliance with this Article.
Recitals
Recital 85
A personal data breach‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. GDPR Article 4 Paragraph 12 may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person GDPR Article 4 Paragraph 1 or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. GDPR Article 4 Paragraph 5, damage to reputation, loss of confidentiality of personal data‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person GDPR Article 4 Paragraph 1 protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned. Therefore, as soon as the controller‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. GDPR Article 4 Paragraph 7 becomes aware that a personal data breach‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. GDPR Article 4 Paragraph 12 has occurred, the controller‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. GDPR Article 4 Paragraph 7 should notify the personal data breach‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. GDPR Article 4 Paragraph 12 to the supervisory authority‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51 GDPR Article 4 Paragraph 21 without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the controller‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. GDPR Article 4 Paragraph 7 is able to demonstrate, in accordance with the accountability principle, that the personal data breach‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. GDPR Article 4 Paragraph 12 is unlikely to result in a risk to the rights and freedoms of natural persons. Where such notification cannot be achieved within 72 hours, the reasons for the delay should accompany the notification and information may be provided in phases without undue further delay.
Recital 87
It should be ascertained whether all appropriate technological protection and organisational measures have been implemented to establish immediately whether a personal data breach‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. GDPR Article 4 Paragraph 12 has taken place and to inform promptly the supervisory authority‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51 GDPR Article 4 Paragraph 21 and the data subject. The fact that the notification was made without undue delay should be established taking into account in particular the nature and gravity of the personal data breach‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. GDPR Article 4 Paragraph 12 and its consequences and adverse effects for the data subject. Such notification may result in an intervention of the supervisory authority‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51 GDPR Article 4 Paragraph 21 in accordance with its tasks and powers laid down in this Regulation.
Recital 88
In setting detailed rules concerning the format and procedures applicable to the notification of personal data breach‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. GDPR Article 4 Paragraph 12es, due consideration should be given to the circumstances of that breach, including whether or not personal data‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person GDPR Article 4 Paragraph 1 had been protected by appropriate technical protection measures, effectively limiting the likelihood of identity fraud or other forms of misuse. Moreover, such rules and procedures should take into account the legitimate interests of law-enforcement authorities where early disclosure could unnecessarily hamper the investigation of the circumstances of a personal data breach‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. GDPR Article 4 Paragraph 12.
FAQs regarding this GDPR Article:
GDPR Fines based on this article
| Title | GDPR Country | Number of involved data records | GDPR Fine |
|---|---|---|---|
| Unintentional posting of personal data at Covid-19 test center. | Germany | 1 | 1,800 € |
| Disposal of delivery bills in waste paper containers | Germany | unknown | 0 € |
| Disregard of the duty to inform after data theft | Germany | unknown | 9,000 € |
| Hora Credit IFN SA – 14,000 euros fine | Romania | unknown | 14,000 € |
| Vreau Credit S.R.L fined for not reporting a Data Breach | Romania | 1177 | 20,000 € |
| Penalty against Life at Parliament View Limited | Great Britain | 18610 | 90,000 € |
| Lithuania: Data Breach at a payment service provider | Lithuania | 9.000 | 61,500 € |
| Penalty for late notification of a data breach | Germany | unknown | 20,000 € |
| Penalty against Uber (NL) | Netherlands | 174 000 | 600,000 € |
| Penalty against Uber | Great Britain | 2 700 000 | 440,000 € |