Personal Data Breach Regulation

27th Jul 2021

Article 33 of the General Data Protection Regulation 2016/679 (GDPR) requires that, as soon as the data controller becomes aware that a personal data breach has occurred, it should without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority, unless the controller can demonstrate that the breach is unlikely to result in a risk for the rights and freedoms of individuals. “Personal data breach” is defined in Article 4(12) GDPR as a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of personal data transmitted, stored or otherwise processed.” Where this cannot be achieved within 72 hours, an explanation of the reasons for the delay should accompany the notification to the supervisory authority and information may be provided in phases without undue further delay.

Furthermore, data subjects should be notified without undue delay if the personal data breach is likely to result in a high risk to their rights and freedoms, to allow them to take the necessary precautions accordingly with Article 34 GDPR. This notification should describe the nature of the personal data breach as well as recommendations for the individual concerned to mitigate potential adverse effects. This should be done as soon as reasonably feasible and in close cooperation with the supervisory authority and respecting guidance provided by it or other relevant authorities.

SPARTA project will look closer at the regulation of the situations where personal data security breach has not yet formally occurred, but potentially large-scale vulnerabilities are already known. The authors of the research within WP2 argue that the regulation should include the obligation to report a disclosed vulnerability, potentially leading to a compromission of personal data. A supervisory authority might act as the intermediary, much like a national CSIRT/CERT does for state institutions. Similarly, a supervisory authority could inform and coordinate assessment and supervise that the problem is fixed.