On February 6, 2018, Working Party 29 (WP29) adopted the Guidelines on Personal data breach notification under Regulation 2016/679, wp250rev.01
Regulation 2016/679, the s.c. General Data Protection Regulation (GDPR) introduces the requirement for a personal data breach to be notified to the competent national supervisory authority (or in the case of a cross-border breach, to the lead authority) and, in certain cases, to communicate the breach to the individuals whose personal data have been affected.
The Guidelines explain what is a personal data breach notification under the GDPR and it investigates the content of Article 33 and 34 of the GDPR, which include:
– when to notify the DPA;
– when to notify the data subject;
– and which information should be provided.
Interestingly WP29 explains that there is a data breach not only every time personal data are destructed, lost, alterated, disclose or accessed without authorization, but also when the data still exist, “but the controller has lost control or access to it.” Meaning that a data breach might occur even if the personal data was on an USB pen lost in the deepest sea to which no one could have access. In this case, the data breach notification obligation would not automatically be triggered, but it should be assessed whether it is required.
The document also explains that when there is cross-border processing of personal data and the breach affects data subjects in more than one Member State, the controller will need to notify the “lead supervisory authority”.
If the personal data are processed by a controller or processor not established in the EU but still subject to the GDPR’s scope of application, the notification obligations under Articles 33 and 34 still apply.
Article 27, GDPR, requires controllers (and processors) not established in the EU but under its scope of application, to designate a representative in the EU. In case of breach, WP29 recommends that “notification should be made to the supervisory authority in the Member State where the controller’s representative in the EU is established. Similarly, where a processor is subject to Article 3(2), it will be bound by the obligations on processors, of particular relevance here, the duty to notify a breach to the controller under Article 33(2).”
The Guidelines proceed explaining when notification is not required. An example might be where personal data are already publicly available and a disclosure of such data does not constitute a likely risk to the individual.
The document also provides guidance in assessing risk and high risk that might trigger for notification.
To conclude, the Guidelines explain how the notification requirement intermingles with the accountability principle of Article 5(2), GDPR.
WP29 attaches two very helpful annexes to the Guidelines.
One is a flowchart showing notification requirements, which we reproduce here.
The second contains several examples of personal data breaches and indicates who should be notified.
The Guidelines on Personal data breach notification under Regulation 2016/679, wp250rev.01 are available at http://ec.europa.eu… Open PDF
Originally published on Technethics on March 2018