Response to a data breach
In the event of a data breach, the following points should be considered:
Prepare a risk assessment
When the controller becomes aware of a data breach, it is important that the controller both seeks ways to limit the damage that may result from the breach and evaluates the risks that the breach may entail.
The risk assessment should take into account in particular the following:
Type of data breach
Nature, sensitivity and quantity of the personal data affected
How easy it is to identify individuals
How serious the effects are for individuals
Special characteristics of the individuals (such as children or other vulnerable groups)
Number of individuals affected by the data breach
The specific nature of the controller
General issues
Add information about the breach to the list of data breaches or prepare a data breach list
The controller shall keep a record of any data breaches that occur in the processing of personal data. The record shall describe the facts of the breach, its effects and the corrective actions taken.
It is also recommended that the controller also record the reasoning behind the decisions made when a data breach occurs and the measures taken. Such a record helps, for example, in communicating with the Data Protection Authority if a notification is submitted late.
Notify the data breach to the Data Protection Authority
Unless it is unlikely that the breach will result in a risk to the rights and freedoms of individuals
The breach shall be notified without undue delay, if possible within 72 hours of the occurrence of the breach.
If the Data Protection Authority is not notified of the breach within 72 hours, the reasons for the delay shall be attached to the notification.
Evaluate whether a registered individual needs to be notified of the data breach
If a data breach in the processing of personal data is likely to result in a high risk to the rights and freedoms of individuals, the controller shall notify the data subject without undue delay.
The notification shall be written in clear and plain language and contain a description of the nature of the breach.
At the same time, the notice shall contain information on the following:
the name and contact details of the data protection officer or other contact point where further information can be obtained,
the consequences of a data breach in the processing of personal data,
measures taken or planned by the controller in the event of a data breach in the processing of personal data, including, where appropriate, measures to mitigate its potentially adverse effects.
No notification to the registered individual is required if:
Appropriate measures have been taken, in particular measures that make the personal data illegible.
Measures have been taken that make it unlikely that the same level of risk to the rights and freedoms of the data subjects will recur.
Notification would require excessive effort; in that case, information about the breach should instead be published in a general manner.