A data breach is a most serious event with potential serious repercussions both for the firm and any of the persons affected.

Notification of personal data breach to the supervisory authority

Your company has to notify the supervisory authority without undue delay, and at the latest within 72 hours after having become aware of the breach. If your company is a data processor it must also notify every data breach to the data controller.

Notification of personal data breach to affected individuals

If the data breach poses a high risk of physical, material or non-material damage to those individuals affected then they should all also be informed, unless there are effective technical (e.g. strong data encryption) and organisational protection measures (e.g. expiring keys) that have been put in place, or other measures that ensure that the risk is no longer likely to materialise.

Any evaluation of the risk to the individual’s rights and freedoms must be objective and take into account both the likelihood and severity. Taken into account should be the nature, sensitivity and volume of the personal data, the ease of identification within the breached data, the severity of the consequences and characteristics of the affected individual where particular consideration should be given where a breach may impact on children or other vulnerable individuals. When the breach involves personal data that reveals racial or ethnic origin, political opinion, religion or philosophical beliefs, or trade union membership, or includes genetic data, data concerning health or data concerning sex life, or criminal convictions, such damage should be considered likely to occur.