Actions of data controllers in the event of a personal data breach – Articles 33 and 34 of Regulation (EU) 2016/679
What to do in the event of a personal data breach?
We bring to the attention of data controllers and processors a short document containing answers to questions such as: When does a data breach exist, and what are the types of breaches? What actions should be taken when a personal data breach occurs? Why is a notification under Article 33 of Regulation (EU) 2016/679 an important tool for strengthening compliance with the data protection requirements of the Regulation? When is a notification to the supervisory authority required, and when is a communication to the affected data subjects required in accordance with Article 34 of Regulation (EU) 2016/679? What is the minimum content of a notification? What technical and organisational measures should be taken to minimise the likelihood of a breach occurring, and what technical and organisational measures are taken to address the consequences of a breach? What is the role of risk assessment in cases of breach? What should be documented in the event of a data breach, and how?
1. Personal data breaches.
1.1. A notification of a personal data breach under Article 33 of Regulation (EU) 2016/679 (GDPR, the Regulation) is a completely new issue introduced by the Regulation and it is binding on all data controllers (the controller). Processors (the processor) have an obligation to notify their respective controller of a data breach. In certain situations referred to in Article 34 of the GDPR, controllers also notify the data subjects. A notification under Article 33 and/or Article 34 of the GDPR must be regarded as an important tool for reporting compliance with the Regulation.
1.2. Each controller/processor should plan its actions beforehand and put procedures in place to ensure that it swiftly detects and mitigates a personal data breach, in order to be able to assess the risk to data subjects in a timely manner and to take the binding actions set out in the GDPR.
1.3. The legal definition is set out in Article 4, paragraph 12 of the GDPR – “personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Important! A key point is the assessment that the controller/processor makes of the event that has occurred and of its possible effects.
2. Notification to the supervisory authority under Article 33 of the GDPR.
2.1. A controller notifies the CPDP of a breach without undue delay, no later than 72 hours after having become aware of its occurrence (Article 33, paragraph 1 of the GDPR), and a processor notifies its controller without undue delay after becoming aware of the breach (Article 33, paragraph 2 of the GDPR). In the case of joint controllers, the responsibilities of each of them for compliance with the obligations under Article 33 GDPR should be defined in advance.
2.2. If necessary, the controller may provide additional information (Article 33, paragraph 4 of the GDPR), and in case of late notification (later than 72 hours) the reasons must be given.
3. Communication to data subjects under Article 34 GDPR.
3.1. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must communicate the breach to the data subjects in clear and plain language, providing them with information on the risks posed by the breach and the steps they can take to protect themselves from its possible negative consequences (Article 34, paragraphs 1 and 2 of the GDPR).
Important! In the event of a data breach, the controller must share information with data subjects so that individuals themselves can take additional and adequate measures to protect their personal data, complementing the technical and organisational measures already taken by the controller to deal with the consequences of the breach.
3.2. The GDPR allows the controller to choose at its sole discretion how to notify the data subjects, for example (without limitation) by sending emails, by personal contact, by a communication on the controller’s website or through the media, or by other appropriate means suited to the controller’s activities, but always with due regard for the principle of accountability.
3.3. The GDPR allows the controller not to notify the data subjects, if any of the conditions explicitly set out in Article 34, paragraph 3 of the GDPR is met.
3.4. If the controller has not already communicated the personal data breach to the data subject, the GDPR provides for the possibility for the CPDP, after considering that the breach is likely to result in a high risk to the rights and freedoms of natural persons, to require the controller to communicate the breach to the data subjects (Article 34, paragraph 4 of the GDPR).
4. Content of the notification to the supervisory authority.
4.1. As regards the content of the notification, the requirements of Article 33, paragraph 3 of Regulation (EU) 2016/679 must be complied with. For further methodological clarifications, we recommend using the “Guidelines on Personal data breach notification under Regulation (EU) 2016/679” of the Article 29 Data Protection Working Party, adopted on 3 October 2017, last revised and adopted on 6 February 2018 (WP250, rev.01), and subsequently endorsed by the European Data Protection Board on 25 May 2018. The guidelines are published on the CPDP website.
4.2. A form for notification under Article 33 of the GDPR is also available on the CPDP website. It is not mandatory; it has been drawn up to support controllers, so that they know which information they need to submit in connection with the breach, and to facilitate the fulfilment of this obligation of controllers.
5. Assessment of the risk to the rights and freedoms of data subjects made by controllers.
5.1. A risk to the rights and freedoms of data subjects within the meaning of the Regulation is the possibility of an event which itself constitutes damage (including unjustified interference with the rights and freedoms of natural persons) or which may result in additional damage to one or more natural persons.
5.2. First, the controller must determine the nature of the breach – the categories and the approximate number of data subjects affected, and the categories and the approximate quantity of personal data records affected (Article 33, paragraph 3, letter “a” of the GDPR).
5.3. Next, the risk of adverse consequences for data subjects is determined (Recital 85 of the GDPR): physical, material or non-material damage to natural persons, such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy, or any other significant economic or social disadvantage to the natural person concerned. The risk may also arise from profiling, from denial of rights and freedoms or of control over personal data, and from breached security measures where sensitive data, data of vulnerable categories of persons, or large volumes of data and large numbers of individuals are processed.
5.4. Finally, the controller must make a risk assessment which has two dimensions: the severity of the damage and the likelihood of the event and the resulting damage.
5.4.1. In order to determine the severity, account must be taken of:
• Categories of data affected – basic/profiling/financial/sensitive/biometric/enabling identity theft/life-threatening;
• Possibility of identifying data subjects – identification is not possible / additional data or access to other systems is needed / direct identification is possible;
• Categories of data subjects affected – adults/children/disadvantaged persons;
• Number of data subjects affected;
• Repeatability vis-à-vis data subjects and data.
5.4.2. In order to determine the likelihood of the event occurring, account must be taken of:
• the nature of the breach – intentional/reckless/accidental;
• actions of the controller – the impact cannot be limited/certain actions limit the impact/the consequences are limited.
5.5. Once the severity (under point 5.4.1) and the likelihood (under point 5.4.2) have been determined by the controller, the risk assessment is obtained, which may be:
• low risk, i.e. there is no risk to the rights and freedoms of data subjects although a breach has been identified;
• medium risk – the CPDP must be notified;
• high risk – the CPDP and the data subjects affected must be notified.
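The two-dimensional assessment of points 5.4 and 5.5, and the duties that follow from it (internal documentation under point 7.1, notification of the CPDP within 72 hours of awareness under points 2.1 and 2.2, and communication to data subjects under point 3.1), can be expressed as a small triage helper. The following is an added example and not part of the CPDP guidance or its Methodology: the numeric levels, the weighting of the severity factors, the large-scale threshold of 1,000 data subjects, the severity × likelihood combination rule and the two scenarios are all assumptions made for illustration.

```python
"""Breach triage helper: added example, not part of the CPDP guidance.

Applies the severity/likelihood assessment of points 5.4-5.5 and derives the
duties of points 2.1, 2.2, 3.1, 5.5 and 7.1. Levels, weighting, the large-scale
threshold and the combination rule are assumptions; the CPDP Methodology is an
internal document and is not reproduced here.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import IntEnum


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Severity factors (point 5.4.1). The level given to each value is an assumption.
DATA_CATEGORY_LEVEL = {
    "basic": Level.LOW, "profiling": Level.MEDIUM, "financial": Level.MEDIUM,
    "sensitive": Level.HIGH, "biometric": Level.HIGH,
    "identity_theft": Level.HIGH, "life_threatening": Level.HIGH,
}
IDENTIFIABILITY_LEVEL = {
    "not_possible": Level.LOW, "needs_additional_data": Level.MEDIUM, "direct": Level.HIGH,
}
SUBJECT_CATEGORY_LEVEL = {"adults": Level.LOW, "children": Level.HIGH, "disadvantaged": Level.HIGH}
LARGE_SCALE = 1000  # assumed threshold for "number of data subjects affected"

# Likelihood factors (point 5.4.2). Levels again assumed.
BREACH_NATURE_LEVEL = {"accidental": Level.LOW, "reckless": Level.MEDIUM, "intentional": Level.HIGH}
CONTROLLER_ACTION_LEVEL = {
    "consequences_limited": Level.LOW, "partially_limited": Level.MEDIUM, "cannot_be_limited": Level.HIGH,
}


@dataclass
class Breach:
    data_categories: list[str]
    identifiability: str
    subject_categories: list[str]
    subjects_affected: int
    repeated: bool          # repeatability vis-a-vis data subjects and data
    nature: str
    controller_action: str
    aware_at: datetime      # moment the controller became aware (point 2.1)


def severity(b: Breach) -> Level:
    """Rounded mean of the three categorical factors, bumped one step for scale or repetition."""
    factors = [
        max(DATA_CATEGORY_LEVEL[c] for c in b.data_categories),
        IDENTIFIABILITY_LEVEL[b.identifiability],
        max(SUBJECT_CATEGORY_LEVEL[c] for c in b.subject_categories),
    ]
    level = (sum(factors) + len(factors) // 2) // len(factors)
    if b.subjects_affected >= LARGE_SCALE or b.repeated:
        level = min(level + 1, Level.HIGH)
    return Level(level)


def likelihood(b: Breach) -> Level:
    """The worse of the two likelihood factors decides (assumption)."""
    return max(BREACH_NATURE_LEVEL[b.nature], CONTROLLER_ACTION_LEVEL[b.controller_action])


def risk(b: Breach) -> Level:
    """Assumed 3x3 combination: product of severity and likelihood, bucketed."""
    score = severity(b) * likelihood(b)  # 1..9
    if score <= 2:
        return Level.LOW
    if score <= 4:
        return Level.MEDIUM
    return Level.HIGH


def duties(b: Breach) -> dict:
    """Map the risk level to the actions of points 5.5, 7.1 and 2.1."""
    r = risk(b)
    return {
        "risk": r.name,
        "document_internally": True,                        # always (point 7.1)
        "notify_cpdp": r >= Level.MEDIUM,                   # medium and high risk
        "notify_data_subjects": r == Level.HIGH,            # high risk only
        "cpdp_deadline": b.aware_at + timedelta(hours=72),  # point 2.1
    }


def delay_reasons_required(b: Breach, notified_at: datetime) -> bool:
    """Point 2.2: a notification later than 72 hours after awareness must give reasons."""
    return notified_at > b.aware_at + timedelta(hours=72)


# Constructed scenarios for illustration (not real incidents).
AWARE = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
LOST_LAPTOP = Breach(["financial"], "direct", ["adults"], 5000, False,
                     "accidental", "partially_limited", AWARE)
MISSENT_EMAIL = Breach(["basic"], "needs_additional_data", ["adults"], 3, False,
                       "accidental", "consequences_limited", AWARE)

if __name__ == "__main__":
    for name, b in (("lost laptop", LOST_LAPTOP), ("mis-sent email", MISSENT_EMAIL)):
        print(name, severity(b).name, likelihood(b).name, duties(b))
```

Under these assumptions the lost laptop (financial data of 5,000 directly identifiable adults) scores high severity and medium likelihood, so both the CPDP and the data subjects must be notified, whereas the mis-sent email scores low risk and is only documented internally. The deadline field makes the 72-hour clock explicit from the moment of awareness, which is the value a controller should record first.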
5.6. The notification submitted by the controller is analysed in accordance with the Methodology for determining the level of risk of personal data breaches (the Methodology) adopted by the CPDP. The Methodology is an internal document supporting the handling of notifications received by the CPDP; it was adopted on the basis of Article 62(2), letter “c” of the CPDP Rules of Procedure and is available on the Commission’s website.
6. Applicable measures to minimise adverse impacts on the rights and freedoms of data subjects.
6.1. Preliminary technical and organisational measures must be taken by the controller to minimise the likelihood of a data breach occurring. These cover the various aspects of information security, for example those listed in ISO 27001: personnel security, asset management, access management, physical security, communication security, cryptographic security, operational security, incident management, supplier management, operational continuity management and ongoing compliance maintenance.
6.2. In the event of a data breach, the technical and organisational measures are divided as follows:
6.2.1. Actions taken to minimise damage to data subjects within 72 hours of the occurrence/becoming aware of the data breach:
• identifying the type of the breach – confidentiality, integrity, availability;
• closing the vulnerability;
• restoring the service;
• communicating the breach to the data subjects affected;
• recommendations by the controller to minimise damage to data subjects affected by the breach.
6.2.2. Actions to minimise damage to data subjects after the 72-hour period following the occurrence/becoming aware of the breach: these are the measures under point 6.1 that minimise the likelihood of a similar data breach occurring, and they must be taken without undue delay.
7. Data breach documenting by controllers/processors – Article 33, paragraph 5 of the GDPR.
7.1. The controller must document any personal data breach, including the facts relating to the breach, its effects and the actions taken to address it. Internal documentation is the responsibility of the controller regardless of the level of risk associated with the breach, and is also linked to the principle of accountability. A controller must keep the records up to date and make them available if the supervisory authority requires access to such documentation.
7.2. Procedure for documenting data breaches.
A controller must have written plans and procedures in place to address security breaches, and the reporting channels and the responsible persons must be clearly specified. Training and familiarising staff with these procedures is essential, paying particular attention to the latest trends and examples of cyber-attacks or other incidents.
7.3. Content of the register of personal data breaches.
This register is part of the processing operation records that controllers/processors are required to maintain under Article 30 of the GDPR. There is no obligation to have a separate register of data breaches, provided that the information is easily recognisable and can be provided on request.
The key elements to be included in the register of data breaches are all the details related to the breach: the reasons for the breach; what exactly happened; the personal data that have been affected; the consequences of the breach, and the actions taken to address it.
7.4. Documenting decisions taken by controllers/processors.
When addressing a breach, the controller must document its decisions, as well as the reasons for taking them. If a breach is not to be notified to the supervisory authority, the basis for that decision must also be documented. Similarly, where affected persons have not been informed of the breach, the grounds on which the controller considers that the breach is unlikely to result in a risk to their rights and freedoms must also be documented, including where one of the conditions of Article 34, paragraph 3 of the GDPR is relied on.
7.5. Record storage period.
The Regulation does not specify a time limit for the storage of records, but the storage limitation principle must be respected: personal data are kept no longer than necessary.
Each controller/processor must take notice of the fact that failure to comply with the obligations under Articles 33 and 34 of the GDPR in relation to a data breach may serve as grounds for the supervisory authority to exercise any of its powers under Article 58 of the GDPR: its investigative powers (Article 58, paragraph 1 of the GDPR), its corrective powers (Article 58, paragraph 2 of the GDPR), and/or the imposition of an administrative fine/pecuniary penalty in accordance with Article 83 of the Regulation.