Version history

Version 1.0 (10 October 2022): Adoption of the Guidelines (updated version of the previous guidelines WP250 (rev.01) adopted by the Working Party 29 and endorsed by the EDPB on 25 May 2018) for a targeted public consultation.
The European Data Protection Board

Having regard to Article 70(1)(e) and (l) of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, (hereinafter "GDPR"),

Having regard to the EEA Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA joint Committee No 154/2018 of 6 July 2018 [1],

Having regard to Article 12 and Article 22 of its Rules of Procedure,

Having regard to the Article 29 Working Party Guidelines on Personal data breach notification under Regulation 2016/679, WP250 rev.01,

HAS ADOPTED THE FOLLOWING GUIDELINES
0 PREFACE

1. On 3 October 2017, the Working Party 29 (hereinafter "WP29") adopted its Guidelines on Personal data breach notification under Regulation 2016/679 (WP250 rev.01) [2], which were endorsed by the European Data Protection Board (hereinafter "EDPB") at its first Plenary meeting [3]. This document is a slightly updated version of those guidelines. Any reference to the WP29 Guidelines on Personal data breach notification under Regulation 2016/679 (WP250 rev.01) should, from now on, be interpreted as a reference to these EDPB Guidelines 9/2022.

2. The EDPB noticed that there was a need to clarify the notification requirements concerning the personal data breaches at non-EU establishments. The paragraph concerning this matter has been revised and updated, while the rest of the document was left unchanged, except for editorial changes. The revision concerns, more specifically, paragraph 73 in Section II.C.2 of this document.
INTRODUCTION

3. The GDPR introduced the requirement for a personal data breach (henceforth "breach") to be notified to the competent national supervisory authority [4] (or in the case of a cross-border breach, to the lead authority) and, in certain cases, to communicate the breach to the individuals whose personal data have been affected by the breach.
4. Obligations to notify in cases of breaches existed for certain organisations, such as providers of publicly available electronic communications services (as specified in Directive 2009/136/EC and Regulation (EU) No 611/2013) [5]. There were also some Member States that already had their own national breach notification obligation. This might include the obligation to notify breaches involving categories of controllers in addition to providers of publicly available electronic communication services (for example in Germany and Italy), or an obligation to report all breaches involving personal data (such as in the Netherlands). Other Member States might have had relevant Codes of Practice (for example, in Ireland [6]). Whilst a number of EU data protection authorities encouraged controllers to report breaches, the Data Protection Directive 95/46/EC [7], which the GDPR replaced, did not contain a specific breach notification obligation and therefore such a requirement was new for many organisations. The GDPR makes notification mandatory for all controllers unless a breach is unlikely to result in a risk to the rights and freedoms of individuals [8]. Processors also have an important role to play and they must notify any breach to their controller [9].

[1] References to "Member States" made throughout this document should be understood as references to "EEA Member States".
[2] WP29 Guidelines on Personal data breach notification under Regulation 2016/679 (WP250 rev.01) (last revised and updated on 6 February 2018), available at https://ec.europa.eu/newsroom/article29/items/612052.
[3] See https://edpb.europa.eu/news/news/2018/endorsement-gdpr-wp29-guidelines-edpb_en
[4] See Article 4(21) GDPR.
[5] See http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:32009L0136 and http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32013R0611
5. The EDPB considers that the notification requirement has a number of benefits. When notifying the supervisory authority, controllers can obtain advice on whether the affected individuals need to be informed. Indeed, the supervisory authority may order the controller to inform those individuals about the breach [10]. Communicating a breach to individuals allows the controller to provide information on the risks presented as a result of the breach and the steps those individuals can take to protect themselves from its potential consequences. The focus of any breach response plan should be on protecting individuals and their personal data. Consequently, breach notification should be seen as a tool enhancing compliance in relation to the protection of personal data. At the same time, it should be noted that failure to report a breach to either an individual or a supervisory authority may mean that under Article 83 GDPR a possible sanction is applicable to the controller.

6. Controllers and processors are therefore encouraged to plan in advance and put in place processes to be able to detect and promptly contain a breach, to assess the risk to individuals [11], and then to determine whether it is necessary to notify the competent supervisory authority, and to communicate the breach to the individuals concerned when necessary. Notification to the supervisory authority should form a part of that incident response plan.

7. The GDPR contains provisions on when a breach needs to be notified, and to whom, as well as what information should be provided as part of the notification. Information required for the notification can be provided in phases, but in any event controllers should act on any breach in a timely manner.

8. In its Opinion 03/2014 on personal data breach notification [12], WP29 provided guidance to controllers in order to help them to decide whether to notify data subjects in case of a breach. The opinion considered the obligation of providers of electronic communications regarding Directive 2002/58/EC and provided examples from multiple sectors, in the context of the then draft GDPR, and presented good practices for all controllers.
9. The current Guidelines explain the mandatory breach notification and communication requirements of the GDPR and some of the steps controllers and processors can take to meet these obligations. They also give examples of various types of breaches and who would need to be notified in different scenarios.

[6] See https://www.dataprotection.ie/docs/Data_Security_Breach_Code_of_Practice/1082.htm
[7] See http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:31995L0046
[8] The rights enshrined in the Charter of Fundamental Rights of the EU, available at http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:12012P/TXT
[9] See Article 33(2) GDPR. This is similar in concept to Article 5 of Regulation (EU) No 611/2013 which states that a provider that is contracted to deliver part of an electronic communications service (without having a direct contractual relationship with subscribers) is obliged to notify the contracting provider in the event of a personal data breach.
[10] See Articles 34(4) and 58(2)(e) GDPR.
[11] This can be ensured under the monitoring and review requirement of a DPIA, which is required for processing operations likely to result in a high risk to the rights and freedoms of natural persons (Article 35(1) and (11)).
[12] See WP29 Opinion 03/2014 on Personal Data Breach Notification, http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp213_en.pdf
I PERSONAL DATA BREACH NOTIFICATION UNDER THE GDPR

A. Basic security considerations

10. One of the requirements of the GDPR is that, by using appropriate technical and organisational measures, personal data shall be processed in a manner to ensure the appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage [13].

11. Accordingly, the GDPR requires both controllers and processors to have in place appropriate technical and organisational measures to ensure a level of security appropriate to the risk posed to the personal data being processed. They should take into account the state of the art, the costs of implementation and the nature, the scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons [14]. Also, the GDPR requires all appropriate technological protection and organisational measures to be in place to establish immediately whether a breach has taken place, which then determines whether the notification obligation is engaged [15].

12. Consequently, a key element of any data security policy is being able, where possible, to prevent a breach and, where it nevertheless occurs, to react to it in a timely manner.
B. What is a personal data breach?

1. Definition

13. As part of any attempt to address a breach the controller should first be able to recognise one. The GDPR defines a "personal data breach" in Article 4(12) as:

"a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed."

14. What is meant by "destruction" of personal data should be quite clear: this is where the data no longer exists, or no longer exists in a form that is of any use to the controller. "Damage" should also be relatively clear: this is where personal data has been altered, corrupted, or is no longer complete. In terms of "loss" of personal data, this should be interpreted as the data may still exist, but the controller has lost control or access to it, or no longer has it in its possession. Finally, unauthorised or unlawful processing may include disclosure of personal data to (or access by) recipients who are not authorised to receive (or access) the data, or any other form of processing which violates the GDPR.

Example

An example of loss of personal data can include where a device containing a copy of a controller's customer database has been lost or stolen. A further example of loss may be where the only copy of a set of personal data has been encrypted by ransomware, or has been encrypted by the controller using a key that is no longer in its possession.
15. What should be clear is that a breach is a type of security incident. However, as indicated by Article 4(12), the GDPR only applies where there is a breach of personal data. The consequence of such a breach is that the controller will be unable to ensure compliance with the principles relating to the processing of personal data as outlined in Article 5 GDPR. This highlights the difference between a security incident and a personal data breach: in essence, whilst all personal data breaches are security incidents, not all security incidents are necessarily personal data breaches [16].

16. The potential adverse effects of a breach on individuals are considered below.
2. Types of personal data breaches

17. In its Opinion 03/2014 on breach notification, WP29 explained that breaches can be categorised according to the following three well-known information security principles [17]:

• "Confidentiality breach": where there is an unauthorised or accidental disclosure of, or access to, personal data.
• "Integrity breach": where there is an unauthorised or accidental alteration of personal data.
• "Availability breach": where there is an accidental or unauthorised loss of access [18] to, or destruction of, personal data.

18. It should also be noted that, depending on the circumstances, a breach can concern confidentiality, integrity and availability of personal data at the same time, as well as any combination of these.

19. Whereas determining if there has been a breach of confidentiality or integrity is relatively clear, whether there has been an availability breach may be less obvious. A breach will always be regarded as an availability breach when there has been a permanent loss of, or destruction of, personal data.

Example

Examples of a loss of availability include where data has been deleted either accidentally or by an unauthorised person, or, in the example of securely encrypted data, the decryption key has been lost. In the event that the controller cannot restore access to the data, for example, from a backup, then this is regarded as a permanent loss of availability.

A loss of availability may also occur where there has been significant disruption to the normal service of an organisation, for example, experiencing a power failure or denial of service attack, rendering personal data unavailable.
20. The question may be asked whether a temporary loss of availability of personal data should be considered as a breach and, if so, one which needs to be notified. Article 32 GDPR, "security of processing," explains that when implementing technical and organisational measures to ensure a level of security appropriate to the risk, consideration should be given, amongst other things, to "the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services," and "the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident."

[16] It should be noted that a security incident is not limited to threat models where an attack is made on an organisation from an external source, but includes incidents from internal processing that breach security principles.
[17] See WP29 Opinion 03/2014.
[18] It is well established that "access" is fundamentally part of "availability". See, for example, NIST SP 800-53 rev 4, which defines "availability" as: "Ensuring timely and reliable access to and use of information," available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf. CNSSI-4009 also refers to: "Timely, reliable access to data and information services for authorized users." See https://rmf.org/wp-content/uploads/2017/10/CNSSI-4009.pdf. ISO/IEC 27000:2016 also defines "availability" as "Property of being accessible and usable upon demand by an authorized entity": https://www.iso.org/obp/ui/#iso:std:iso-iec:27000:ed-4:v1:en
21. Therefore, a security incident resulting in personal data being made unavailable for a period of time is also a type of breach, as the lack of access to the data can have a significant impact on the rights and freedoms of natural persons. To be clear, where personal data is unavailable due to planned system maintenance being carried out this is not a "breach of security" as defined in Article 4(12) GDPR.

22. As with a permanent loss or destruction of personal data (or indeed any other type of breach), a breach involving the temporary loss of availability should be documented in accordance with Article 33(5) GDPR. This assists the controller in demonstrating accountability to the supervisory authority, which may ask to see those records [19]. However, depending on the circumstances of the breach, it may or may not require notification to the supervisory authority and communication to affected individuals. The controller will need to assess the likelihood and severity of the impact on the rights and freedoms of natural persons as a result of the lack of availability of personal data. In accordance with Article 33 GDPR, the controller will need to notify unless the breach is unlikely to result in a risk to individuals' rights and freedoms. Of course, this will need to be assessed on a case-by-case basis.

Example

In the context of a hospital, if critical medical data about patients are unavailable, even temporarily, this could present a risk to individuals' rights and freedoms; for example, operations may be cancelled and lives put at risk.

Conversely, in the case of a media company's systems being unavailable for several hours (e.g. due to a power outage), if that company is then prevented from sending newsletters to its subscribers, this is unlikely to present a risk to individuals' rights and freedoms.

23. It should be noted that although a loss of availability of a controller's systems might be only temporary and may not have an impact on individuals, it is important for the controller to consider all possible consequences of a breach, as it may still require notification for other reasons.

Example

Infection by ransomware (malicious software which encrypts the controller's data until a ransom is paid) could lead to a temporary loss of availability if the data can be restored from backup. However, a network intrusion still occurred, and notification could be required if the incident is qualified as a confidentiality breach (i.e. personal data is accessed by the attacker) and this presents a risk to the rights and freedoms of individuals.
3. The possible consequences of a personal data breach

24. A breach can potentially have a range of significant adverse effects on individuals, which can result in physical, material, or non-material damage. The GDPR explains that this can include loss of control over their personal data, limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, and loss of confidentiality of personal data protected by professional secrecy. It can also include any other significant economic or social disadvantage to those individuals [20].

25. Accordingly, the GDPR requires the controller to notify a breach to the competent supervisory authority, unless it is unlikely to result in a risk of such adverse effects taking place. Where there is a likely high risk of these adverse effects occurring, the GDPR requires the controller to communicate the breach to the affected individuals as soon as is reasonably feasible [21].

26. The importance of being able to identify a breach, to assess the risk to individuals, and then notify if required, is emphasised in Recital 87 of the GDPR:

"It should be ascertained whether all appropriate technological protection and organisational measures have been implemented to establish immediately whether a personal data breach has taken place and to inform promptly the supervisory authority and the data subject. The fact that the notification was made without undue delay should be established taking into account in particular the nature and gravity of the personal data breach and its consequences and adverse effects for the data subject. Such notification may result in an intervention of the supervisory authority in accordance with its tasks and powers laid down in this Regulation."

27. Further guidelines on assessing the risk of adverse effects to individuals are considered in section IV.
28. If controllers fail to notify either the supervisory authority or data subjects of a data breach or both even though the requirements of Articles 33 and/or 34 GDPR are fulfilled, then the supervisory authority is presented with a choice that must include consideration of all of the corrective measures at its disposal, which would include consideration of the imposition of the appropriate administrative fine [22], either accompanying a corrective measure under Article 58(2) GDPR or on its own. Where an administrative fine is chosen, its value can be up to 10,000,000 EUR or up to 2% of the total worldwide annual turnover of an undertaking under Article 83(4)(a) of the GDPR. It is also important to bear in mind that in some cases, the failure to notify a breach could reveal either an absence of existing security measures or an inadequacy of the existing security measures. The WP29 Guidelines on administrative fines state: "The occurrence of several different infringements committed together in any particular single case means that the supervisory authority is able to apply the administrative fines at a level which is effective, proportionate and dissuasive within the limit of the gravest infringement." In that case, the supervisory authority will also have the possibility to issue sanctions for failure to notify or communicate the breach (Articles 33 and 34 GDPR) on the one hand, and absence of (adequate) security measures (Article 32 GDPR) on the other hand, as they are two separate infringements.
II. ARTICLE 33 - NOTIFICATION TO THE SUPERVISORY AUTHORITY

A. When to notify

1. Article 33 requirements

29. Article 33(1) GDPR provides that:

"In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay."
30. Recital 87 GDPR states:

"It should be ascertained whether all appropriate technological protection and organisational measures have been implemented to establish immediately whether a personal data breach has taken place and to inform promptly the supervisory authority and the data subject. The fact that the notification was made without undue delay should be established taking into account in particular the nature and gravity of the personal data breach and its consequences and adverse effects for the data subject. Such notification may result in an intervention of the supervisory authority in accordance with its tasks and powers laid down in this Regulation."
2. When does a controller become "aware"?

31. As detailed above, the GDPR requires that, in the case of a breach, the controller shall notify the breach without undue delay and, where feasible, not later than 72 hours after having become aware of it. This may raise the question of when a controller can be considered to have become "aware" of a breach. The EDPB considers that a controller should be regarded as having become "aware" when that controller has a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised.

32. However, as indicated earlier, the GDPR requires the controller to implement all appropriate technical protection and organisational measures to "establish immediately" whether a breach has taken place and to inform promptly the supervisory authority and the data subjects. It also states that the fact that the notification was made without undue delay should be established taking into account in particular the nature and gravity of the breach and its consequences and adverse effects for the data subject [24]. This puts an obligation on the controller to ensure that they will be "aware" of any breaches in a timely manner so that they can take appropriate action.

33. When, exactly, a controller can be considered to be "aware" of a particular breach will depend on the circumstances of the specific breach. In some cases, it will be relatively clear from the outset that there has been a breach, whereas in others, it may take some time to establish if personal data have been compromised. However, the emphasis should be on prompt action to investigate an incident to determine whether personal data have indeed been breached, and if so, to take remedial action and notify if required.
Examples

1. In the case of a loss of a USB key with unencrypted personal data it is often not possible to ascertain whether unauthorised persons gained access to that data. Nevertheless, even though the controller may not be able to establish if a confidentiality breach has taken place, such a case has to be notified as there is a reasonable degree of certainty that an availability breach has occurred; the controller would become "aware" when it realised the USB key had been lost.

2. A third party informs a controller that they have accidentally received the personal data of one of its customers and provides evidence of the unauthorised disclosure. As the controller has been presented with clear evidence of a confidentiality breach then there can be no doubt that it has become "aware".

3. A controller detects that there has been a possible intrusion into its network. The controller checks its systems to establish whether personal data held on that system has been compromised and confirms this is the case. Once again, as the controller now has clear evidence of a breach there can be no doubt that it has become "aware".

4. A cybercriminal contacts the controller after having hacked its system in order to ask for a ransom. In that case, after checking its system to confirm it has been attacked the controller has clear evidence that a breach has occurred and there is no doubt that it has become "aware".
34. After first being informed of a potential breach by an individual, a media organisation, or another source, or when it has itself detected a security incident, the controller may undertake a short period of investigation in order to establish whether or not a breach has in fact occurred. During this period of investigation the controller may not be regarded as being "aware". However, it is expected that the initial investigation should begin as soon as possible and establish with a reasonable degree of certainty whether a breach has taken place; a more detailed investigation can then follow.

35. Once the controller has become aware, a notifiable breach must be notified without undue delay, and where feasible, not later than 72 hours. During this period, the controller should assess the likely risk to individuals in order to determine whether the requirement for notification has been triggered, as well as the action(s) needed to address the breach. However, a controller may already have an initial assessment of the potential risk that could result from a breach as part of a data protection impact assessment (DPIA) [25] made prior to carrying out the processing operation concerned. However, the DPIA may be more generalised in comparison to the specific circumstances of any actual breach, and so in any event an additional assessment taking into account those circumstances will need to be made. For more detail on assessing risk, see section IV.

36. In most cases these preliminary actions should be completed soon after the initial alert (i.e. when the controller or processor suspects there has been a security incident which may involve personal data). It should take longer than this only in exceptional cases.
Example

An individual informs the controller that they have received an email impersonating the controller which contains personal data relating to his (actual) use of the controller's service, suggesting that the security of the controller has been compromised. The controller conducts a short period of investigation and identifies an intrusion into their network and evidence of unauthorised access to personal data. The controller would now be considered as "aware" and notification to the supervisory authority is required unless this is unlikely to present a risk to the rights and freedoms of individuals. The controller will need to take appropriate remedial action to address the breach.

37. The controller should therefore have internal processes in place to be able to detect and address a breach. For example, for finding some irregularities in data processing the controller or processor may use certain technical measures such as data flow and log analysers, from which it is possible to define events and alerts by correlating any log data [26]. It is important that when a breach is detected it is reported upwards to the appropriate level of management so it can be addressed and, if required, notified in accordance with Article 33 and, if necessary, Article 34. Such measures and reporting mechanisms could be detailed in the controller's incident response plans and/or governance arrangements. These will help the controller to plan effectively and determine who has operational responsibility within the organisation for managing a breach and how or whether to escalate an incident as appropriate.

38. The controller should also have in place arrangements with any processors the controller uses, which themselves have an obligation to notify the controller in the event of a breach (see below).

[25] See WP29 Guidelines WP248 on DPIAs here: http://ec.europa.eu/newsroom/document.cfm?doc_id=44137
[26] It should be noted that log data facilitating auditability of, e.g., storage, modifications or erasure of data may also qualify as personal data relating to the person who initiated the respective processing operation.
39. Whilst it is the responsibility of controllers and processors to put in place suitable measures to be able to prevent, react and address a breach, there are some practical steps that should be taken in all cases.

• Information concerning all security-related events should be directed towards a responsible person or persons with the task of addressing incidents, establishing the existence of a breach and assessing risk.
• Risk to individuals as a result of a breach should then be assessed (likelihood of no risk, risk or high risk), with relevant sections of the organisation being informed.
• Notification to the supervisory authority, and potentially communication of the breach to the affected individuals should be made, if required.
• At the same time, the controller should act to contain and recover the breach. Documentation of the breach should take place as it develops.

40. Accordingly, it should be clear that there is an obligation on the controller to act on any initial alert and establish whether or not a breach has, in fact, occurred. This brief period allows for some investigation, and for the controller to gather evidence and other relevant details. However, once the controller has established with a reasonable degree of certainty that a breach has occurred, if the conditions in Article 33(1) GDPR have been met, it must then notify the supervisory authority without undue delay and, where feasible, not later than 72 hours [27]. If a controller fails to act in a timely manner and it becomes apparent that a breach did occur, this could be considered as a failure to notify in accordance with Article 33 GDPR.

41. Article 32 GDPR makes clear that the controller and processor should have appropriate technical and organisational measures in place to ensure an appropriate level of security of personal data: the ability to detect, address, and report a breach in a timely manner should be seen as essential elements of these measures.

3. Joint controllers

42. Article 26 GDPR concerns joint controllers and specifies that joint controllers shall determine their respective responsibilities for compliance with the GDPR [28]. This will include determining which party will have responsibility for complying with the obligations under Articles 33 and 34 GDPR. The EDPB recommends that the contractual arrangements between joint controllers include provisions that determine which controller will take the lead on, or be responsible for, compliance with the GDPR's breach notification obligations.

4. Processor obligations

43. The controller retains overall responsibility for the protection of personal data, but the processor has an important role to play to enable the controller to comply with its obligations; and this includes breach notification. Indeed, Article 28(3) GDPR specifies that the processing by a processor shall be governed by a contract or other legal act. Article 28(3)(f) states that the contract or other legal act shall stipulate that the processor "assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the processor".
44. Article 33(2) GDPR makes it clear that if a processor is used by a controller and the processor becomes aware of a breach of the personal data it is processing on behalf of the controller, it must notify the controller "without undue delay". It should be noted that the processor does not need to first assess the likelihood of risk arising from a breach before notifying the controller; it is the controller that must make this assessment on becoming aware of the breach. The processor just needs to establish whether a breach has occurred and then notify the controller. The controller uses the processor to achieve its purposes; therefore, in principle, the controller should be considered as "aware" once the processor has informed it of the breach. The obligation on the processor to notify its controller allows the controller to address the breach and to determine whether or not it is required to notify the supervisory authority in accordance with Article 33(1) and the affected individuals in accordance with Article 34(1). The controller might also want to investigate the breach, as the processor might not be in a position to know all the relevant facts relating to the matter, for example, if a copy or backup of personal data destroyed or lost by the processor is still held by the controller. This may affect whether the controller would then need to notify.

[27] See Regulation No 1182/71 determining the rules applicable to periods, dates and time limits, available at: http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31971R1182&from=EN
[28] See also Recital 79 GDPR.
45. The GDPR does not provide an explicit time limit within which the processor must alert the controller, except that it must do so "without undue delay". Therefore, the EDPB recommends the processor promptly notifies the controller, with further information about the breach provided in phases as more details become available. This is important in order to help the controller to meet the requirement of notification to the supervisory authority within 72 hours.

46. As is explained above, the contract between the controller and processor should specify how the requirements expressed in Article 33(2) should be met in addition to other provisions in the GDPR. This can include requirements for early notification by the processor that in turn support the controller's obligations to report to the supervisory authority within 72 hours.

47. Where the processor provides services to multiple controllers that are all affected by the same incident, the processor will have to report details of the incident to each controller.

48. A processor could make a notification on behalf of the controller, if the controller has given the processor the proper authorisation and this is part of the contractual arrangements between controller and processor. Such notification must be made in accordance with Articles 33 and 34 GDPR. However, it is important to note that the legal responsibility to notify remains with the controller.
B.Providinginformationtothesupervisoryauthority
1.Informationtobeprovided
49.Whenacontrollernotifiesabreachtothesupervisoryauthority,Article33(3)GDPRstatesthat,atthe minimum,itshould:
(a)describethenatureofthepersonaldatabreachincludingwherepossible,thecategoriesand approximatenumberofdatasubjectsconcernedandthecategoriesandapproximatenumberof personaldatarecordsconcerned;
(b)communicatethenameandcontactdetailsofthedataprotectionofficerorothercontactpoint wheremoreinformationcanbeobtained;
(c)describethelikelyconsequencesofthepersonaldatabreach;
(d)describethemeasurestakenorproposedtobetakenbythecontrollertoaddressthepersonaldata breach,including,whereappropriate,measurestomitigateitspossibleadverseeffects.
50.TheGDPRdoesnotdefinecategoriesofdatasubjectsorpersonaldatarecords.However,theEDPB suggestscategoriesofdatasubjectstorefertothevarioustypesofindividualswhosepersonaldata hasbeenaffectedbyabreach:dependingonthedescriptorsused,thiscouldinclude,amongstothers, childrenandothervulnerablegroups,peoplewithdisabilities,employeesorcustomers.Similarly, categoriesofpersonaldatarecordscanrefertothedifferenttypesofrecordsthatthecontrollermay process,suchashealthdata,educationalrecords,socialcareinformation,financialdetails,bank accountnumbers,passportnumbersandsoon.
51.Recital85GDPRmakesitclearthatoneofthepurposesofnotificationislimitingdamagetoindividuals. Accordingly,ifthetypesofdatasubjectsorthetypesofpersonaldataindicateariskofparticular damageoccurringasaresultofabreach(e.g.identitytheft,fraud,financialloss,threattoprofessional secrecy),thenitisimportantthenotificationindicatesthesecategories.Inthisway,itislinkedtothe requirementofdescribingthelikelyconsequencesofthebreach.
52.Wherepreciseinformationisnotavailable(e.g.exactnumberofdatasubjectsaffected)thisshould notbeabarriertotimelybreachnotification.TheGDPRallowsforapproximationstobemadeinthe numberofindividualsaffectedandthenumberofpersonaldatarecordsconcerned.Thefocusshould bedirectedtowardsaddressingtheadverseeffectsofthebreachratherthanprovidingprecisefigures.
53.Thus,whenithasbecomeclearthatherehasbeenabreach,buttheextentofitisnotyetknown,a notificationinphases(seebelow)isasafewaytomeetthenotificationobligations.
54. Article 33(3) GDPR states that the controller shall at least provide this information with a notification, so a controller can, if necessary, choose to provide further details. Different types of breaches (confidentiality, integrity or availability) might require further information to be provided to fully explain the circumstances of each case.
Example
As part of its notification to the supervisory authority, a controller may find it useful to name its processor if it is at the root cause of a breach, particularly if this has led to an incident affecting the personal data records of many other controllers that use the same processor.
55. In any event, the supervisory authority may request further details as part of its investigation into a breach.
2. Notification in phases
56. Depending on the nature of a breach, further investigation by the controller may be necessary to establish all of the relevant facts relating to the incident. Article 33(4) GDPR therefore states:
Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
57. This means that the GDPR recognises that controllers will not always have all of the necessary information concerning a breach within 72 hours of becoming aware of it, as full and comprehensive details of the incident may not always be available during this initial period. As such, it allows for a notification in phases. It is more likely this will be the case for more complex breaches, such as some types of cybersecurity incidents where, for example, an in-depth forensic investigation may be necessary to fully establish the nature of the breach and the extent to which personal data have been compromised. Consequently, in many cases the controller will have to do more investigation and follow up with additional information at a later point. This is permissible, providing the controller gives reasons for the delay, in accordance with Article 33(1) GDPR. The EDPB recommends that when the controller first notifies the supervisory authority, the controller should also inform the supervisory authority if the controller does not yet have all the required information and will provide more details later on. The supervisory authority should agree how and when additional information should be provided. This does not prevent the controller from providing further information at any other stage, if it becomes aware of additional relevant details about the breach that need to be provided to the supervisory authority.
58. The focus of the notification requirement is to encourage controllers to act promptly on a breach, contain it and, if possible, recover the compromised personal data, and to seek relevant advice from the supervisory authority. Notifying the supervisory authority within the first 72 hours can allow the controller to make sure that decisions about notifying or not notifying individuals are correct.
59. However, the purpose of notifying the supervisory authority is not solely to obtain guidance on whether to notify the affected individuals. It will be obvious in some cases that, due to the nature of the breach and the severity of the risk, the controller will need to notify the affected individuals without delay. For example, if there is an immediate threat of identity theft, or if special categories of personal data[29] are disclosed online, the controller should act without undue delay to contain the breach and to communicate it to the individuals concerned (see section III). In exceptional circumstances, this might even take place before notifying the supervisory authority. More generally, notification of the supervisory authority may not serve as a justification for failure to communicate the breach to the data subject where it is required.
60. It should also be clear that after making an initial notification, a controller could update the supervisory authority if a follow-up investigation uncovers evidence that the security incident was contained and no breach actually occurred. This information could then be added to the information already given to the supervisory authority and the incident recorded accordingly as not being a breach. There is no penalty for reporting an incident that ultimately transpires not to be a breach.
Example
A controller notifies the supervisory authority within 72 hours of detecting a breach that it has lost a USB key containing a copy of the personal data of some of its customers. The USB key is later found misfiled within the controller's premises and recovered. The controller updates the supervisory authority and requests the notification be amended.
61. It should be noted that a phased approach to notification is already the case under the existing obligations of Directive 2002/58/EC, Regulation 611/2013 and other self-reported incidents.
3. Delayed notifications
62. Article 33(1) GDPR makes it clear that where notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay. This, along with the concept of notification in phases, recognises that a controller may not always be able to notify a breach within that time period, and that a delayed notification may be permissible.
63. Such a scenario might take place where, for example, a controller experiences multiple, similar confidentiality breaches over a short period of time, affecting large numbers of data subjects in the same way. A controller could become aware of a breach and, whilst beginning its investigation, and before notification, detect further similar breaches, which have different causes. Depending on the circumstances, it may take the controller some time to establish the extent of the breaches and, rather than notify each breach individually, the controller instead organises a meaningful notification that represents several very similar breaches, with possible different causes. This could lead to notification to the supervisory authority being delayed by more than 72 hours after the controller first becomes aware of these breaches.
64. Strictly speaking, each individual breach is a reportable incident. However, to avoid being overly burdensome, the controller may be able to submit a bundled notification representing all these breaches, provided that they concern the same type of personal data breached in the same way, over a relatively short space of time. If a series of breaches take place that concern different types of personal data, breached in different ways, then notification should proceed in the normal way, with each breach being reported in accordance with Article 33.
65. Whilst the GDPR allows for delayed notifications to an extent, this should not be seen as something that regularly takes place. It is worth pointing out that bundled notifications can also be made for multiple similar breaches reported within 72 hours.
C. Cross-border breaches and breaches at non-EU establishments
1. Cross-border breaches
66. Where there is cross-border processing[30] of personal data, a breach may affect data subjects in more than one Member State. Article 33(1) GDPR makes it clear that when a breach has occurred, the controller should notify the supervisory authority competent in accordance with Article 55 of the GDPR[31]. Article 55(1) GDPR says that:
Each supervisory authority shall be competent for the performance of the tasks assigned to and the exercise of the powers conferred on it in accordance with this Regulation on the territory of its own Member State.
67. However, Article 56(1) GDPR states:
Without prejudice to Article 55, the supervisory authority of the main establishment or of the single establishment of the controller or processor shall be competent to act as lead supervisory authority for the cross-border processing carried out by that controller or processor in accordance with the procedure provided in Article 60.
68. Furthermore, Article 56(6) GDPR states:
The lead supervisory authority shall be the sole interlocutor of the controller or processor for the cross-border processing carried out by that controller or processor.
69. This means that whenever a breach takes place in the context of cross-border processing and notification is required, the controller will need to notify the lead supervisory authority[32]. Therefore, when drafting its breach response plan, a controller must make an assessment as to which supervisory authority is the lead supervisory authority that it will need to notify[33]. This will allow the controller to respond promptly to a breach and to meet its obligations in respect of Article 33. It should be clear that in the event of a breach involving cross-border processing, notification must be made to the lead supervisory authority, which is not necessarily where the affected data subjects are located, or indeed where the breach has taken place. When notifying the lead authority, the controller should indicate, where appropriate, whether the breach involves establishments located in other Member States, and in which Member States data subjects are likely to have been affected by the breach. If the controller has any doubt as to the identity of the lead supervisory authority then it should, at a minimum, notify the local supervisory authority where the breach has taken place.
This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
71. Article 3(3) GDPR is also relevant and states[35]:
This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
72. Where a controller not established in the EU is subject to Article 3(2) or Article 3(3) GDPR and experiences a breach, it is therefore still bound by the notification obligations under Articles 33 and 34 GDPR. Article 27 GDPR requires a controller (and a processor) to designate a representative in the EU where Article 3(2) GDPR applies.
73. However, the mere presence of a representative in a Member State does not trigger the one-stop-shop system[36]. For this reason, the breach will need to be notified to every single authority for which affected data subjects reside in their Member State. This notification shall be done in compliance with the mandate given by the controller to its representative and under the responsibility of the controller.
74. Similarly, where a processor is subject to Article 3(2) GDPR, it will be bound by the obligations on processors, of particular relevance here, the duty to notify a breach to the controller under Article 33(2) GDPR.
D. Conditions where notification is not required
75. Article 33(1) GDPR makes it clear that breaches that are unlikely to result in a risk to the rights and freedoms of natural persons do not require notification to the supervisory authority. An example might be where personal data are already publicly available and a disclosure of such data does not constitute a likely risk to the individual. This is in contrast to existing breach notification requirements for providers of publicly available electronic communications services in Directive 2009/136/EC that state all relevant breaches have to be notified to the competent authority.
76. In its Opinion 03/2014 on breach notification[37], WP29 explained that a confidentiality breach of personal data that were encrypted with a state-of-the-art algorithm is still a personal data breach, and has to be notified. However, if the confidentiality of the key is intact (i.e., the key was not compromised in any security breach, and was generated so that it cannot be ascertained by available technical means by any person who is not authorised to access it), then the data are in principle unintelligible. Thus, the breach is unlikely to adversely affect individuals and therefore would not require communication to those individuals[38]. However, even where data is encrypted, a loss or alteration can have negative consequences for data subjects where the controller has no adequate backups. In that instance communication to data subjects would be required, even if the data itself was subject to adequate encryption measures.
77. WP29 also explained this would similarly be the case if personal data, such as passwords, were securely hashed and salted, the hashed value was calculated with a state-of-the-art cryptographic keyed hash function, the key used to hash the data was not compromised in any breach, and the key used to hash the data has been generated in a way that it cannot be ascertained by available technological means by any person who is not authorised to access it.
78. Consequently, if personal data have been made essentially unintelligible to unauthorised parties and where the data are a copy or a backup exists, a confidentiality breach involving properly encrypted personal data may not need to be notified to the supervisory authority. This is because such a breach is unlikely to pose a risk to individuals' rights and freedoms. This of course means that the individual would not need to be informed either as there is likely no high risk. However, it should be borne in mind that while notification may initially not be required if there is no likely risk to the rights and freedoms of individuals, this may change over time and the risk would have to be re-evaluated. For example, if the key is subsequently found to be compromised, or a vulnerability in the encryption software is exposed, then notification may still be required.
79. Furthermore, it should be noted that if there is a breach where there are no backups of the encrypted personal data then there will have been an availability breach, which could pose risks to individuals and therefore may require notification. Similarly, where a breach occurs involving the loss of encrypted data, even if a backup of the personal data exists this may still be a reportable breach, depending on the length of time taken to restore the data from that backup and the effect that lack of availability has on individuals. As Article 32(1)(c) GDPR states, an important factor of security is the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
Example
A breach that would not require notification to the supervisory authority would be the loss of a securely encrypted mobile device, utilised by the controller and its staff. Provided the encryption key remains within the secure possession of the controller and this is not the sole copy of the personal data then the personal data would be inaccessible to an attacker. This means the breach is unlikely to result in a risk to the rights and freedoms of the data subjects in question. If it later becomes evident that the encryption key was compromised or that the encryption software or algorithm is vulnerable, then the risk to the rights and freedoms of natural persons will change and thus notification may now be required.
80. However, a failure to comply with Article 33 GDPR will exist where a controller does not notify the supervisory authority in a situation where the data has not actually been securely encrypted. Therefore, when selecting encryption software controllers should carefully weigh the quality and the proper implementation of the encryption offered, understand what level of protection it actually provides and whether this is appropriate to the risks presented. Controllers should also be familiar with the specifics of how their encryption product functions. For instance, a device may be encrypted once it is switched off, but not while it is in standby mode. Some products using encryption have default keys that need to be changed by each customer to be effective. The encryption may also be considered currently adequate by security experts, but may become outdated in a few years' time, meaning it is questionable whether the data would be sufficiently encrypted by that product and provide an appropriate level of protection.
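The keyed-hash condition described in paragraphs 76 to 80 (passwords salted and hashed with a state-of-the-art keyed hash, a key that is properly generated, held apart from the stored hashes and not left at a vendor default), as an added Python example that is not part of these Guidelines or of any product they refer to. The function names, the PBKDF2 work factor and the sample password and default-key value are assumptions constructed for this example.

```python
"""Keyed, salted password hashing with the key held apart from the hash store.

Added example, not part of the EDPB Guidelines: it models the condition that
a leaked credential store stays unintelligible as long as the hashing key was
not compromised and cannot be derived by an unauthorised party. Names, the
work factor and all sample values are constructed for this example.
"""
import hashlib
import hmac
import os
import secrets

# Constructed placeholder for a vendor-shipped default key (paragraph 80 above):
# a deployment still using it gains no real protection from the keyed hash.
DEFAULT_KEY = b"changeme-default-key-0000000000000000"

# PBKDF2 work factor: an assumption for this example, to be tuned per deployment.
ITERATIONS = 200_000


def new_key() -> bytes:
    """Generate a 256-bit hashing key. It belongs outside the credential
    database (e.g. an HSM or secrets manager), never beside the hashes."""
    return secrets.token_bytes(32)


def check_key(key: bytes) -> None:
    """Refuse a key that is the known default or too short to resist guessing."""
    if hmac.compare_digest(key, DEFAULT_KEY) or len(key) < 32:
        raise ValueError("hashing key is the default or shorter than 32 bytes")


def stretch(password: str, salt: bytes) -> bytes:
    """Per-record salted stretch (PBKDF2-HMAC-SHA256). This step needs no
    secret, so it is all that a holder of the leaked store could recompute."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def derive(password: str, salt: bytes, key: bytes) -> bytes:
    """Keyed hash: HMAC-SHA256 under the separately held key over the stretched
    password. Without the key the stored value cannot be reproduced."""
    check_key(key)
    return hmac.new(key, stretch(password, salt), hashlib.sha256).digest()


def store(password: str, key: bytes) -> dict:
    """Build the record kept in the credential database: salt plus keyed hash."""
    salt = os.urandom(16)
    return {"salt": salt.hex(), "hash": derive(password, salt, key).hex()}


def verify(password: str, record: dict, key: bytes) -> bool:
    """Constant-time comparison of a login attempt against the stored record."""
    candidate = derive(password, bytes.fromhex(record["salt"]), key)
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def unintelligible_without_key(record: dict, password: str) -> bool:
    """Model the breach of paragraph 77: the record (salt and hash) has leaked
    but the key has not. Even holding the correct password, the stored value
    cannot be reproduced from the unkeyed stretch, so the leaked records cannot
    be matched to passwords. Returns True when the record resists matching."""
    unkeyed = stretch(password, bytes.fromhex(record["salt"]))
    return not hmac.compare_digest(unkeyed, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    key = new_key()
    rec = store("correct horse battery staple", key)  # constructed sample password
    print("verify with key:", verify("correct horse battery staple", rec, key))
    print("leaked record unintelligible without key:",
          unintelligible_without_key(rec, "correct horse battery staple"))
```

The design point is where the key lives: the salt sits beside each hash because it only needs to be unique, whereas the key is what makes the store unintelligible and must be held in a separate system, so that a breach of the database alone leaves the condition in paragraph 77 satisfied. If the key is later found to be compromised, the risk must be re-evaluated as paragraph 78 describes; rotating the key requires re-hashing each password at its next successful login.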
III. ARTICLE 34 - COMMUNICATION TO THE DATA SUBJECT
A. Informing individuals
81. In certain cases, as well as notifying the supervisory authority, the controller is also required to communicate a breach to the affected individuals.
Article 34(1) GDPR states:
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
82. Controllers should recall that notification to the supervisory authority is mandatory unless there is unlikely to be a risk to the rights and freedoms of individuals as a result of a breach. In addition, where there is likely a high risk to the rights and freedoms of individuals as the result of a breach, individuals must also be informed. The threshold for communicating a breach to individuals is therefore higher than for notifying supervisory authorities and not all breaches will therefore be required to be communicated to individuals, thus protecting them from unnecessary notification fatigue.
83. The GDPR states that communication of a breach to individuals should be made without undue delay, which means as soon as possible. The main objective of notification to individuals is to provide specific information about steps they should take to protect themselves[39]. As noted above, depending on the nature of the breach and the risk posed, timely communication will help individuals to take steps to protect themselves from any negative consequences of the breach.
84. Annex B of these Guidelines provides a non-exhaustive list of examples of when a breach may be likely to result in high risk to individuals and consequently instances when a controller will have to notify a breach to those affected.
B. Information to be provided
85. When notifying individuals, Article 34(2) GDPR specifies that:
The communication to the data subject referred to in paragraph 1 of this Article shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in points (b), (c) and (d) of Article 33(3).
86. According to this provision, the controller should at least provide the following information:
• a description of the nature of the breach;
• the name and contact details of the data protection officer or other contact point;
• a description of the likely consequences of the breach; and
• a description of the measures taken or proposed to be taken by the controller to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.
87. As an example of the measures taken to address the breach and to mitigate its possible adverse effects, the controller could state that, after having notified the breach to the relevant supervisory authority, the controller has received advice on managing the breach and lessening its impact. The controller should also, where appropriate, provide specific advice to individuals to protect themselves from possible adverse consequences of the breach, such as resetting passwords in the case where their access credentials have been compromised. Again, a controller can choose to provide information in addition to what is required here.
C. Contacting individuals
88. In principle, the relevant breach should be communicated to the affected data subjects directly, unless doing so would involve a disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner (Article 34(3)(c) GDPR).
89. Dedicated messages should be used when communicating a breach to data subjects and they should not be sent with other information, such as regular updates, newsletters, or standard messages. This helps to make the communication of the breach clear and transparent.
90. Examples of transparent communication methods include direct messaging (e.g. email, SMS, direct message), prominent website banners or notification, postal communications and prominent advertisements in print media. A notification solely confined within a press release or corporate blog would not be an effective means of communicating a breach to an individual. The EDPB recommends that controllers should choose a means that maximizes the chance of properly communicating information to all affected individuals. Depending on the circumstances, this may mean the controller employs several methods of communication, as opposed to using a single contact channel.
91. Controllers may also need to ensure that the communication is accessible in appropriate alternative formats and relevant languages to ensure individuals are able to understand the information being provided to them. For example, when communicating a breach to an individual, the language used during the previous normal course of business with the recipient will generally be appropriate. However, if the breach affects data subjects who the controller has not previously interacted with, or particularly those who reside in a different Member State or other non-EU country from where the controller is established, communication in the local national language could be acceptable, taking into account the resource required. The key is to help data subjects understand the nature of the breach and steps they can take to protect themselves.
92. Controllers are best placed to determine the most appropriate contact channel to communicate a breach to individuals, particularly if they interact with their customers on a frequent basis. However, clearly a controller should be wary of using a contact channel compromised by the breach as this channel could also be used by attackers impersonating the controller.
93. At the same time, Recital 86 GDPR explains that:
Such communications to data subjects should be made as soon as reasonably feasible and in close cooperation with the supervisory authority, respecting guidance provided by it or by other relevant authorities such as law enforcement authorities. For example, the need to mitigate an immediate risk of damage would call for prompt communication with data subjects whereas the need to implement appropriate measures against continuing or similar personal data breaches may justify more time for communication.
94. Controllers might therefore wish to contact and consult the supervisory authority not only to seek advice about informing data subjects about a breach in accordance with Article 34, but also on the appropriate messages to be sent to, and the most appropriate way to contact, individuals.
95. Linked to this is the advice given in Recital 88 GDPR that notification of a breach should take into account the legitimate interests of law enforcement authorities where early disclosure could unnecessarily hamper the investigation of the circumstances of a personal data breach. This may mean that in certain circumstances, where justified, and on the advice of law enforcement authorities, the controller may delay communicating the breach to the affected individuals until such time as it would not prejudice such investigations. However, data subjects would still need to be promptly informed after this time.
96. Whenever it is not possible for the controller to communicate a breach to an individual because there is insufficient data stored to contact the individual, in that particular circumstance the controller should inform the individual as soon as it is reasonably feasible to do so (e.g. when an individual exercises their Article 15 right to access personal data and provides the controller with necessary additional information to contact them).
D. Conditions where communication is not required
97. Article 34(3) GDPR states three conditions that, if met, do not require notification to individuals in the event of a breach. These are:
• The controller has applied appropriate technical and organisational measures to protect personal data prior to the breach, in particular those measures that render personal data unintelligible to any person who is not authorised to access it. This could, for example, include protecting personal data with state-of-the-art encryption, or by tokenization.
• Immediately following a breach, the controller has taken steps to ensure that the high risk posed to individuals' rights and freedoms is no longer likely to materialise. For example, depending on the circumstances of the case, the controller may have immediately identified and taken action against the individual who has accessed personal data before they were able to do anything with it. Due regard still needs to be given to the possible consequences of any breach of confidentiality, again, depending on the nature of the data concerned.
• It would involve disproportionate effort[40] to contact individuals, perhaps where their contact details have been lost as a result of the breach or are not known in the first place. For example, the warehouse of a statistical office has flooded and the documents containing personal data were stored only in paper form. Instead, the controller must make a public communication or take a similar measure, whereby the individuals are informed in an equally effective manner. In the case of disproportionate effort, technical arrangements could also be envisaged to make information about the breach available on demand, which could prove useful to those individuals who may be affected by a breach, but the controller cannot otherwise contact.
98. In accordance with the accountability principle controllers should be able to demonstrate to the supervisory authority that they meet one or more of these conditions[41]. It should be borne in mind that while notification may initially not be required if there is no risk to the rights and freedoms of natural persons, this may change over time and the risk would have to be re-evaluated.
99. If a controller decides not to communicate a breach to the individual, Article 34(4) GDPR explains that the supervisory authority can require it to do so, if it considers the breach is likely to result in a high risk to individuals. Alternatively, it may consider that the conditions in Article 34(3) GDPR have been met in which case notification to individuals is not required. If the supervisory authority determines that the decision not to notify data subjects is not well founded, it may consider employing its available powers and sanctions.
IV. ASSESSING RISK AND HIGH RISK
A. Risk as a trigger for notification
100. Although the GDPR introduces the obligation to notify a breach, it is not a requirement to do so in all circumstances:
• Notification to the competent supervisory authority is required unless a breach is unlikely to result in a risk to the rights and freedoms of individuals.
• Communication of a breach to the individual is only triggered where it is likely to result in a high risk to their rights and freedoms.
101. This means that immediately upon becoming aware of a breach, it is vitally important that the controller should not only seek to contain the incident but it should also assess the risk that could result from it. There are two important reasons for this: firstly, knowing the likelihood and the potential severity of the impact on the individual will help the controller to take effective steps to contain and address the breach; secondly, it will help it to determine whether notification is required to the supervisory authority and, if necessary, to the individuals concerned.
102. As explained above, notification of a breach is required unless it is unlikely to result in a risk to the rights and freedoms of individuals, and the key trigger requiring communication of a breach to data subjects is where it is likely to result in a high risk to the rights and freedoms of individuals. This risk exists when the breach may lead to physical, material or non-material damage for the individuals whose data have been breached. Examples of such damage are discrimination, identity theft or fraud, financial loss and damage to reputation. When the breach involves personal data that reveals racial or ethnic origin, political opinion, religion or philosophical beliefs, or trade union membership, or includes genetic data, data concerning health or data concerning sex life, or criminal convictions and offences or related security measures, such damage should be considered likely to occur[42].
B. Factors to consider when assessing risk
103. Recitals 75 and 76 of the GDPR suggest that generally when assessing risk, consideration should be given to both the likelihood and severity of the risk to the rights and freedoms of data subjects. It further states that risk should be evaluated on the basis of an objective assessment.
104. It should be noted that assessing the risk to people's rights and freedoms as a result of a breach has a different focus to the risk considered in a DPIA[43]. The DPIA considers both the risks of the data processing being carried out as planned, and the risks in case of a breach. When considering a potential breach, it looks in general terms at the likelihood of this occurring, and the damage to the data subject that might ensue; in other words, it is an assessment of a hypothetical event. With an actual breach, the event has already occurred, and so the focus is wholly about the resulting risk of the impact of the breach on individuals.
Example
A DPIA suggests that the proposed use of a particular security software product to protect personal data is a suitable measure to ensure a level of security appropriate to the risk the processing would otherwise present to individuals. However, if a vulnerability becomes subsequently known, this would change the software's suitability to contain the risk to the personal data protected and so it would need to be re-assessed as part of an ongoing DPIA. A vulnerability in the product is later exploited and a breach occurs. The controller should assess the specific circumstances of the breach, the data affected, and the potential level of impact on individuals, as well as how likely this risk will materialise.
105. Accordingly, when assessing the risk to individuals as a result of a breach, the controller should consider the specific circumstances of the breach, including the severity of the potential impact and the likelihood of this occurring. The EDPB therefore recommends the assessment should take into account the following criteria[44]:
• The type of breach
106. The type of breach that has occurred may affect the level of risk presented to individuals. For example, a confidentiality breach whereby medical information has been disclosed to unauthorised parties may have a different set of consequences for an individual to a breach where an individual's medical details have been lost, and are no longer available.
[footnote fragment, beginning not preserved] relation to the notification of breaches in the electronic communication services sector, which may be useful in the context of notification under the GDPR. See http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2013:173:0002:0008:en:PDF
• The nature, sensitivity, and volume of personal data
107. Of course, when assessing risk, a key factor is the type and sensitivity of personal data that has been compromised by the breach. Usually, the more sensitive the data, the higher the risk of harm will be to the people affected, but consideration should also be given to other personal data that may already be available about the data subject. For example, the disclosure of the name and address of an individual in ordinary circumstances is unlikely to cause substantial damage. However, if the name and address of an adoptive parent is disclosed to a birth parent, the consequences could be very severe for both the adoptive parent and child.
108. Breaches involving health data, identity documents, or financial data such as credit card details, can all cause harm on their own, but if used together they could be used for identity theft. A combination of personal data is typically more sensitive than a single piece of personal data.
109. Some types of personal data may seem at first relatively innocuous, however, what that data may reveal about the affected individual should be carefully considered. A list of customers accepting regular deliveries may not be particularly sensitive, but the same data about customers who have requested that their deliveries be stopped while on holiday would be useful information to criminals.
110. Similarly, a small amount of highly sensitive personal data can have a high impact on an individual, and a large range of details can reveal a greater range of information about that individual. Also, a breach affecting large volumes of personal data about many data subjects can have an effect on a corresponding large number of individuals.
• Ease of identification of individuals
111. An important factor to consider is how easy it will be for a party who has access to compromised personal data to identify specific individuals, or match the data with other information to identify individuals. Depending on the circumstances, identification could be possible directly from the personal data breached with no special research needed to discover the individual's identity, or it may be extremely difficult to match personal data to a particular individual, but it could still be possible under certain conditions. Identification may be directly or indirectly possible from the breached data, but it may also depend on the specific context of the breach, and public availability of related personal details. This may be more relevant for confidentiality and availability breaches.
112. As stated above, personal data protected by an appropriate level of encryption will be unintelligible to unauthorised persons without the decryption key. Additionally, appropriately implemented pseudonymisation (defined in Article 4(5) GDPR as the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person) can also reduce the likelihood of individuals being identified in the event of a breach. However, pseudonymisation techniques alone cannot be regarded as making the data unintelligible.
• Severity of consequences for individuals
113. Depending on the nature of the personal data involved in a breach, for example, special categories of data, the potential damage to individuals that could result can be especially severe, in particular where the breach could result in identity theft or fraud, physical harm, psychological distress, humiliation or damage to reputation. If the breach concerns personal data about vulnerable individuals, they could be placed at greater risk of harm.
114. Whether the controller is aware that personal data is in the hands of people whose intentions are unknown or possibly malicious can have a bearing on the level of potential risk. There may be a confidentiality breach, whereby personal data is disclosed to a third party, as defined in Article 4(10), or other recipient in error. This may occur, for example, where personal data is sent accidentally to the wrong department of an organisation, or to a commonly used supplier organisation. The controller may request the recipient to either return or securely destroy the data it has received. In both cases, given that the controller has an ongoing relationship with them, and it may be aware of their procedures, history and other relevant details, the recipient may be considered trusted. In other words, the controller may have a level of assurance with the recipient so that it can reasonably expect that party not to read or access the data sent in error, and to comply with its instructions to return it. Even if the data has been accessed, the controller could still possibly trust the recipient not to take any further action with it and to return the data to the controller promptly and to cooperate with its recovery. In such cases, this may be factored into the risk assessment the controller carries out following the breach: the fact that the recipient is trusted may eradicate the severity of the consequences of the breach but does not mean that a breach has not occurred. However, this in turn may remove the likelihood of risk to individuals, thus no longer requiring notification to the supervisory authority, or to the affected individuals. Again, this will depend on a case-by-case basis. Nevertheless, the controller still has to keep information concerning the breach as part of the general duty to maintain records of breaches (see section V, below).
115. Consideration should also be given to the permanence of the consequences for individuals, where the impact may be viewed as greater if the effects are long-term.
• Special characteristics of the individual
116. A breach may affect personal data concerning children or other vulnerable individuals, who may be placed at greater risk of danger as a result. There may be other factors about the individual that may affect the level of impact of the breach on them.
• Special characteristics of the data controller
117. The nature and role of the controller and its activities may affect the level of risk to individuals as a result of a breach. For example, a medical organisation will process special categories of personal data, meaning that there is a greater threat to individuals if their personal data is breached, compared with a mailing list of a newspaper.
• The number of affected individuals
118. Abreachmayaffectonlyoneorafewindividualsorseveralthousand,ifnotmanymore. Generally,thehigherthenumberofindividualsaffected,thegreatertheimpactofabreachcanhave. However,abreachcanhaveasevereimpactonevenoneindividual,dependingonthenatureofthe personaldataandthecontextinwhichithasbeencompromised.Again,thekeyistoconsiderthe likelihoodandseverityoftheimpactonthoseaffected.
Generalpoints
119. Therefore,whenassessingtheriskthatislikelytoresultfromabreach,thecontrollershould consideracombinationoftheseverityofthepotentialimpactontherightsandfreedomsofindividuals andthelikelihoodoftheseoccurring.Clearly,wheretheconsequencesofabreacharemoresevere, theriskishigherandsimilarlywherethelikelihoodoftheseoccurringisgreater,theriskisalso heightened.Ifindoubt,thecontrollershoulderronthesideofcautionandnotify.AnnexBprovides someusefulexamplesofdifferenttypesofbreachesinvolvingriskorhighrisktoindividuals.
120. TheEuropeanUnionAgencyforNetworkandInformationSecurity(ENISA)hasproduced recommendationsforamethodologyofassessingtheseverityofabreach,whichcontrollersand processorsmayfindusefulwhendesigningtheirbreachmanagementresponseplan45
V. ACCOUNTABILITY AND RECORD-KEEPING

A. Documenting breaches

121. Regardless of whether or not a breach needs to be notified to the supervisory authority, the controller must keep documentation of all breaches, as Article 33(5) GDPR explains:

"The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article."

122. This is linked to the accountability principle of the GDPR, contained in Article 5(2) GDPR. The purpose of recording non-notifiable breaches, as well as notifiable breaches, also relates to the controller's obligations under Article 24 GDPR, and the supervisory authority can request to see these records. Controllers are therefore encouraged to establish an internal register of breaches, regardless of whether they are required to notify or not.[46]

123. Whilst it is up to the controller to determine what method and structure to use when documenting a breach, in terms of recordable information there are key elements that should be included in all cases. As is required by Article 33(5) GDPR, the controller needs to record details concerning the breach, which should include its causes, what took place and the personal data affected. It should also include the effects and consequences of the breach, along with the remedial action taken by the controller.

124. The GDPR does not specify a retention period for such documentation. Where such records contain personal data, it will be incumbent on the controller to determine the appropriate period of retention in accordance with the principles in relation to the processing of personal data[47] and to meet a lawful basis for processing.[48] It will need to retain documentation in accordance with Article 33(5) GDPR insofar as it may be called to provide evidence of compliance with that Article, or with the accountability principle more generally, to the supervisory authority. Clearly, if the records themselves contain no personal data then the storage limitation principle[49] of the GDPR does not apply.

125. In addition to these details, the EDPB recommends that the controller also document its reasoning for the decisions taken in response to a breach. In particular, if a breach is not notified, a justification for that decision should be documented. This should include reasons why the controller considers the breach is unlikely to result in a risk to the rights and freedoms of individuals.[50] Alternatively, if the controller considers that any of the conditions in Article 34(3) GDPR are met, then it should be able to provide appropriate evidence that this is the case.

126. Where the controller does notify a breach to the supervisory authority, but the notification is delayed, the controller must be able to provide reasons for that delay; documentation relating to this could help to demonstrate that the delay in reporting is justified and not excessive.

127. Where the controller communicates a breach to the affected individuals, it should be transparent about the breach and communicate in an effective and timely manner. Accordingly, it would help the controller to demonstrate accountability and compliance by retaining evidence of such communication.

128. To aid compliance with Articles 33 and 34 GDPR, it would be advantageous to both controllers and processors to have a documented notification procedure in place, setting out the process to follow once a breach has been detected, including how to contain, manage and recover the incident, as well as assessing risk, and notifying the breach. In this regard, to show compliance with GDPR it might also be useful to demonstrate that employees have been informed about the existence of such procedures and mechanisms and that they know how to react to breaches.

129. It should be noted that failure to properly document a breach can lead to the supervisory authority exercising its powers under Article 58 GDPR and/or imposing an administrative fine in accordance with Article 83 GDPR.

[46] The controller may choose to document breaches as part of its record of processing activities which is maintained pursuant to Article 30 GDPR. A separate register is not required, provided the information relevant to the breach is clearly identifiable as such and can be extracted upon request.
B. Role of the Data Protection Officer

130. A controller or processor may have a Data Protection Officer (DPO)[51], either as required by Article 37 GDPR, or voluntarily as a matter of good practice. Article 39 of the GDPR sets a number of mandatory tasks for the DPO, but does not prevent further tasks being allocated by the controller, if appropriate.

131. Of particular relevance to breach notification, the mandatory tasks of the DPO include, amongst other duties, providing data protection advice and information to the controller or processor, monitoring compliance with the GDPR, and providing advice in relation to DPIAs. The DPO must also cooperate with the supervisory authority and act as a contact point for the supervisory authority and for data subjects. It should also be noted that, when notifying the breach to the supervisory authority, Article 33(3)(b) GDPR requires the controller to provide the name and contact details of its DPO, or other contact point.

132. In terms of documenting breaches, the controller or processor may wish to obtain the opinion of its DPO as to the structure, the setting up and the administration of this documentation. The DPO could also be additionally tasked with maintaining such records.

133. These factors mean that the DPO should play a key role in assisting the prevention of or preparation for a breach by providing advice and monitoring compliance, as well as during a breach (i.e. when notifying the supervisory authority), and during any subsequent investigation by the supervisory authority. In this light, the EDPB recommends that the DPO is promptly informed about the existence of a breach and is involved throughout the breach management and notification process.
VI. NOTIFICATION OBLIGATIONS UNDER OTHER LEGAL INSTRUMENTS

134. In addition to, and separate from, the notification and communication of breaches under the GDPR, controllers should also be aware of any requirement to notify security incidents under other associated legislation that may apply to them and whether this may also require them to notify the supervisory authority of a personal data breach at the same time. Such requirements can vary between Member States, but examples of notification requirements in other legal instruments, and how these interrelate with the GDPR, include the following:

• Regulation (EU) 910/2014 on electronic identification and trust services for electronic transactions in the internal market (eIDAS Regulation)[52]

135. Article 19(2) of the eIDAS Regulation requires trust service providers to notify their supervisory body of a breach of security or loss of integrity that has a significant impact on the trust service provided or on the personal data maintained therein. Where applicable, i.e., where such a breach or loss is also a personal data breach under the GDPR, the trust service provider should also notify the supervisory authority.

• Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (NIS Directive)[53]

136. Articles 14 and 16 of the NIS Directive require operators of essential services and digital service providers to notify security incidents to their competent authority. As recognised by Recital 63 of NIS[54], security incidents can often include a compromise of personal data. Whilst NIS requires competent authorities and supervisory authorities to cooperate and exchange information in that context, it remains the case that where such incidents are, or become, personal data breaches under the GDPR, those operators and/or providers would be required to notify the supervisory authority separately from the incident notification requirements of NIS.

Example

A cloud service provider notifying a breach under the NIS Directive may also need to notify a controller, if this includes a personal data breach. Similarly, a trust service provider notifying under eIDAS may also be required to notify the relevant data protection authority in the event of a breach.

• Directive 2009/136/EC (the Citizens' Rights Directive) and Regulation 611/2013 (the Breach Notification Regulation)

137. Providers of publicly available electronic communication services within the context of Directive 2002/58/EC[55] must notify breaches to the competent national authorities.

138. Controllers should also be aware of any additional legal, medical, or professional notification duties under other applicable regimes.

[52] See http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv%3AOJ.L_.2014.257.01.0073.01.ENG

[53] See http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.194.01.0001.01.ENG

[54] Recital 63: "Personal data are in many cases compromised as a result of incidents. In this context, competent authorities and data protection authorities should cooperate and exchange information on all relevant matters to tackle any personal data breaches resulting from incidents."

[55] On 10 January 2017, the European Commission proposed a Regulation on Privacy and Electronic Communications which will replace Directive 2009/136/EC and remove notification requirements. However, until this proposal is approved by the European Parliament the existing notification requirement remains in force, see https://ec.europa.eu/digital-single-market/en/news/proposal-regulation-privacy-and-electronic-communications
A. Flowchart showing notification requirements

1. Controller detects / is made aware of a security incident and establishes if a personal data breach has occurred.

2. The controller becomes “aware” of a personal data breach and assesses risk to individuals.

3. Is the breach likely to result in a risk to individuals’ rights and freedoms?

• No: No requirement to notify supervisory authority or individuals.

• Yes: Notify competent supervisory authority. If the breach affects individuals in more than one Member State, notify the lead supervisory authority. Then continue to step 4.

4. Is the breach likely to result in a high risk to individuals’ rights and freedoms?

• No: No requirement to notify individuals.

• Yes: Notify affected individuals and, where required, provide information on steps they can take to protect themselves from consequences of the breach.

All breaches recordable under Article 33(5). Breach should be documented and record maintained by the controller.
B. Examples of personal data breaches and who to notify

The following non-exhaustive examples will assist controllers in determining whether they need to notify in different personal data breach scenarios. These examples may also help to distinguish between risk and high risk to the rights and freedoms of individuals.

Each example below is set out under the four columns of the original table: Example; Notify the supervisory authority; Notify the data subject; Notes/recommendations.

Example i
Example: A controller stored a backup of an archive of personal data encrypted on a USB key. The key is stolen during a break-in.
Notify the supervisory authority: No.
Notify the data subject: No.
Notes/recommendations: As long as the data are encrypted with a state of the art algorithm, backups of the data exist, the unique key is not compromised, and the data can be restored in good time, this may not be a reportable breach. However if it is later compromised, notification is required.

Example ii
Example: A controller maintains an online service. As a result of a cyber-attack on that service, personal data of individuals are exfiltrated. The controller has customers in a single Member State.
Notify the supervisory authority: Yes, report to the supervisory authority if there are likely consequences to individuals.
Notify the data subject: Yes, report to individuals depending on the nature of the personal data affected and if the severity of the likely consequences to individuals is high.
Notes/recommendations: (none)

Example iii
Example: A brief power outage lasting several minutes at a controller's call centre meaning customers are unable to call the controller and access their records.
Notify the supervisory authority: No.
Notify the data subject: No.
Notes/recommendations: This is not a notifiable breach, but still a recordable incident under Article 33(5). Appropriate records should be maintained by the controller.

Example iv
Example: A controller suffers a ransomware attack which results in all data being encrypted. No back-ups are available and the data cannot be restored. On investigation, it becomes clear that the ransomware's only functionality was to encrypt the data, and that there was no other malware present in the system.
Notify the supervisory authority: Yes, report to the supervisory authority, if there are likely consequences to individuals as this is a loss of availability.
Notify the data subject: Yes, report to individuals, depending on the nature of the personal data affected and the possible effect of the lack of availability of the data, as well as other likely consequences.
Notes/recommendations: If there was a backup available and data could be restored in good time, this would not need to be reported to the supervisory authority or to individuals as there would have been no permanent loss of availability or confidentiality. However, if the supervisory authority became aware of the incident by other means, it may consider an investigation to assess compliance with the broader security requirements of Article 32.

Example v
Example: An individual phones a bank's call centre to report a data breach. The individual has received a monthly statement for someone else. The controller undertakes a short investigation (i.e. completed within 24 hours) and establishes with a reasonable confidence that a personal data breach has occurred and whether it has a systemic flaw that may mean other individuals are or might be affected.
Notify the supervisory authority: Yes.
Notify the data subject: Only the individuals affected are notified if there is high risk and it is clear that others were not affected.
Notes/recommendations: If, after further investigation, it is identified that more individuals are affected, an update to the supervisory authority must be made and the controller takes the additional step of notifying other individuals if there is high risk to them.

Example vi
Example: A controller operates an online marketplace and has customers in multiple Member States. The marketplace suffers a cyber-attack and usernames, passwords and purchase history are published online by the attacker.
Notify the supervisory authority: Yes, report to lead supervisory authority if involves cross-border processing.
Notify the data subject: Yes, as could lead to high risk.
Notes/recommendations: The controller should take action, e.g. by forcing password resets of the affected accounts, as well as other steps to mitigate the risk. The controller should also consider any other notification obligations, e.g. under the NIS Directive as a digital service provider.

Example vii
Example: A website hosting company acting as a data processor identifies an error in the code which controls user authorisation. The effect of the flaw means that any user can access the account details of any other user.
Notify the supervisory authority: As the processor, the website hosting company must notify its affected clients (the controllers) without undue delay. Assuming that the website hosting company has conducted its own investigation the affected controllers should be reasonably confident as to whether each has suffered a breach and therefore is likely to be considered as having become aware once they have been notified by the hosting company (the processor). The controller then must notify the supervisory authority.
Notify the data subject: If there is likely no high risk to the individuals they do not need to be notified.
Notes/recommendations: The website hosting company (processor) must consider any other notification obligations (e.g. under the NIS Directive as a digital service provider). If there is no evidence of this vulnerability being exploited with any of its controllers a notifiable breach may not have occurred but it is likely to be recordable or be a matter of non-compliance under Article 32.

Example viii
Example: Medical records in a hospital are unavailable for the period of 30 hours due to a cyber-attack.
Notify the supervisory authority: Yes, the hospital is obliged to notify as high risk to patients' well-being and privacy may occur.
Notify the data subject: Yes, report to the affected individuals.
Notes/recommendations: (none)

Example ix
Example: Personal data of a large number of students are mistakenly sent to the wrong mailing list with 1000+ recipients.
Notify the supervisory authority: Yes, report to supervisory authority.
Notify the data subject: Yes, report to individuals depending on the scope and type of personal data involved and the severity of possible consequences.
Notes/recommendations: (none)

Example x
Example: A direct marketing e-mail is sent to recipients in the "to:" or "cc:" fields, thereby enabling each recipient to see the email address of other recipients.
Notify the supervisory authority: Yes, notifying the supervisory authority may be obligatory if a large number of individuals are affected, if sensitive data are revealed (e.g. a mailing list of a psychotherapist) or if other factors present high risks (e.g. the mail contains the initial passwords).
Notify the data subject: Yes, report to individuals depending on the scope and type of personal data involved and the severity of possible consequences.
Notes/recommendations: Notification may not be necessary if no sensitive data is revealed and if only a minor number of email addresses are revealed.