Reporting data breaches:
The General Data Protection Regulation (GDPR) requires controllers to report data breaches to the competent supervisory authority without undue delay and, if possible, within 72 hours of becoming aware of the breach. This requirement is intended to ensure that data breaches are remedied quickly and that the data subjects and the public are adequately informed. The key aspects and requirements for reporting data breaches are explained in detail below:
Definition of a data breach:
A data breach is a breach of security resulting in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data. This can affect both physical and electronic data and includes, but is not limited to:
- Loss of devices: The loss of laptops, smartphones or USB sticks containing personal data.
- Hacking attacks: Unauthorized access to IT systems in which personal data is stolen or manipulated.
- Human error: Inadvertent disclosure of personal data, for example by sending emails to the wrong recipients.
- Malware: Infections with viruses, Trojans or ransomware that compromise data integrity or availability.
Reporting obligations:
- Notification to the supervisory authority (Article 33 GDPR):
  - The controller must inform the competent supervisory authority without undue delay and, if possible, within 72 hours of becoming aware of the data breach.
  - The notification must contain at least the following information:
    - the nature of the data breach, including, where possible, the categories and approximate number of data subjects affected and the categories and approximate number of personal data records affected;
    - the name and contact details of the data protection officer or other contact point for further information;
    - the likely consequences of the data breach;
    - the measures taken or proposed to address the data breach and, where appropriate, measures to mitigate its possible adverse effects.
  - If all of the information cannot be provided at the same time, it may be provided in phases without undue further delay.
- Notification to the data subjects (Article 34 GDPR):
  - If the breach is likely to result in a high risk to the rights and freedoms of data subjects, the controller must inform the data subjects of the breach without undue delay.
  - The communication to the data subjects must be made in clear and plain language and contain at least the following information:
    - the nature of the data breach;
    - the name and contact details of the data protection officer or other contact point for further information;
    - the likely consequences of the data breach;
    - the measures taken or proposed to address the data breach and, where appropriate, measures to mitigate its possible adverse effects.
Relevant articles of the GDPR:
- Article 33: Notification of a data breach to the supervisory authority
- Article 34: Communication of a data breach to the data subject
- Recital 85: Risk to the rights and freedoms of data subjects
- Recital 88: Communication measures in the event of a data breach
Examples of damage limitation measures:
- Immediate response: Taking immediate action to stop the incident and prevent further damage, such as locking accounts or systems.
- Informing data subjects: Communicate quickly and transparently with data subjects to inform them about the data breach and provide them with recommendations on how to protect themselves from potential harm.
- Technical and organizational measures: Implementing additional security measures to prevent similar incidents in the future, such as introducing encryption, two-factor authentication or regular security audits.
- Cooperation with the authorities: Work closely with the supervisory authorities to investigate the incident and take appropriate action.
Documentation requirements:
The controller is obliged to document all data protection breaches, regardless of whether they are reportable or not. This documentation must include the following:
- Description of the nature of the data breach: Detailed information about the incident, including the data and systems affected.
- Consequences of the data breach: Assessment of the impact on the data subjects and the potential risks to them.
- Actions taken: Description of the immediate actions taken to resolve the incident and mitigate its impact.
- Results of the investigations: Findings from the investigations and analyses carried out.
This documentation must be made available to the supervisory authority upon request and serves as proof of compliance with the GDPR.
Summary:
Reporting data breaches is a key requirement of the GDPR, intended to ensure that data protection incidents are resolved quickly and that data subjects and the public are adequately informed. Controllers must report data breaches to the supervisory authority without undue delay and, where the breach is likely to result in a high risk to data subjects, also inform the data subjects themselves. Meeting these obligations requires careful preparation and a clear communication strategy in order to minimize risks to data subjects and maintain trust in data processing.