a data breach?

A data leak?

A data breach can have disastrous consequences. Especially when it’s not addressed in a timely and appropriate manner, the breach can result in great physical, material or immaterial damage to natural persons. Think of loss of control over personal data or limitation of their rights, discrimination, identity theft or fraud, financial losses, damage to reputation, loss of confidentiality of personal data protected by professional secrecy, or any other significant economic or social prejudice to the natural person in question.

Notification to supervisory authority

For this reason, once the controller becomes aware that a personal data breach has occurred, it must notify the personal data breach to the supervisory authority without undue delay and, where possible, not more than 72 hours after becoming aware of it.

However, if the controller can demonstrate, in accordance with the principle of accountability, that the personal data breach is unlikely to present risks to the rights and freedoms of natural persons, it may derogate from this obligation to notify. Where such notification cannot be made within 72 hours, the notification shall be accompanied by an explanation of the delay and the information may be provided in stages without unreasonable further delay.

In the event that the processor has become aware of a personal data breach, it shall notify the controller without unreasonable delay.

 

The above notification shall describe or communicate at least the following:

  • the nature of the personal data breach, specifying, where possible, the categories of data subjects and personal data records concerned and, approximately, the number of data subjects and personal data records concerned;
  • the name and contact details of the data protection officer or other contact points where more information can be obtained;
  • the likely consequences of the personal data breach;
  • the measures proposed or taken by the controller to address the personal data breach, including, if applicable, the measures to mitigate its possible adverse effects.

The controller shall document all personal data breaches, including the facts surrounding the personal data breach, its effects and the remedial action taken. Such documentation shall enable the supervisory authority to verify compliance with this Article.

 

Notification of the data subject whose data have been leaked

If the personal data breach is likely to present a high risk to the rights and freedoms of natural persons, the controller shall notify the personal data breach to the data subject without undue delay. In principle, you should first notify the persons affected by the data breach.

This notification shall contain a description in clear and simple language of the nature of the personal data breach and at least the name and contact details of the data protection officer or other contact points where more information can be obtained. In addition, the notification shall include a list of the likely consequences of the personal data breach, together with the measures proposed or taken by the controller to address the personal data breach.

However, the notification to the data subject is not required if one of the following conditions is met:

  • the controller has implemented appropriate technical and organisational protection measures and these measures have been applied to the personal data concerned by the personal data breach, in particular those that render the personal data unintelligible to unauthorised persons, such as encryption;
  • the controller has taken subsequent measures to ensure that the aforementioned high risk to the rights and freedoms of data subjects is unlikely to occur again;
  • the notification would involve a disproportionate effort. In this case, a public notice or an equivalent measure that informs data subjects in an equally effective manner shall replace it.

If the controller has not yet notified the data subject of the personal data breach, the supervisory authority may oblige the controller to do so.
