A data breach is a most serious event with potential serious repercussions both for the firm and any of the persons affected. Your company has to notify the supervisory authority without undue delay, and at the latest within 72 hours after having become aware of the breach. If your company is a data processor it must also notify every data breach to the data controller.

The notification of personal data breach should:

  • describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned
  • communicate the name and contact details of the data protection officer or other contact point where more information can be obtained
  • describe the likely consequences of the personal data breach
  • describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.

Personal data breach – documentation

Additionally the controller is required to document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with its breach notification requirements.

If the data breach poses a high risk to those individuals affected then those affected individuals should all also be informed, unless there are effective technical and organisational protection measures that have been put in place, or other measures that ensure that the risk is no longer likely to materialise.