Actionable Takeaways From New Irish and Polish Data Protection Authorities’ Guidance on Personal Data Breach Notification Under GDPR

August 19, 2019 | Alerts

The Irish Data Protection Commission and the Polish Data Protection Authority both recently issued guidance on the notification requirements under GDPR in the event of a Personal Data Breach.

Some key takeaways:

What is a Personal Data Breach and when do you notify?

  • A personal data breach is a security incident that negatively impacts the confidentiality, integrity, or availability of personal data; meaning that the controller is unable to ensure compliance with the principles relating to the processing of personal data as outlined in Article 5 of GDPR.
  • The default position for controllers is that all data breaches should be reported/notified to the DPC, except for those where the controller has assessed the breach as unlikely to present any risk to data subjects, and the controller can show why they reached this conclusion.
  • For all breaches – even those that are not reported/notified to the data protection authority, on the basis that they have been assessed as being unlikely to result in a risk – data controllers should record at least the basic details of the breach, the assessment thereof, its effects, and the steps taken in response, as required by Article 33(5) of GDPR.

What is "become aware"?

  • A controller should be regarded as having become ‘aware’ when they have a reasonable degree of certainty that a security incident has occurred and compromised personal data.
  • Controllers should have a system in place for recording how and when they become aware of personal data breaches and how they assessed the potential risk posed by the breach.

What should a data breach notification include?

  • Controllers should include, in their initial notification, information on how and when they became aware of the personal data breach, along with an explanation for any delay, if applicable. This will assist the DPC in assessing compliance with the requirement to notify ‘without undue delay,’ as well as with the principle of accountability.

The notification should be written in clear, understandable language.

  • The message must be clear, consistent and logical, and must contain a description of the possible effects tailored to the specific situation, together with corresponding recommendations for the data subject (e.g. if the breach creates a risk of fraudulent financial obligations being incurred in the data subject's name with non-bank lenders, it is worth pointing out that the data subject can set up an account with the credit information bureau to monitor credit activity).

How should the notification be provided?

  • Consider separating the description of the nature of the breach from the possible consequences, the remedies, and the contact details of the data protection officer or other contact point from which more information can be obtained.
  • The notification should be in a form that allows the data subject to read the content repeatedly.
  • Transparent notification methods include:
      • direct communication (e.g. direct email or SMS)
      • eye-catching banners
      • notifications on websites or advertisements in printed media
  • The controller should choose the method of notification that gives the best chance of properly conveying the information to all natural persons affected by the breach. In some cases, this may mean that the controller should use several communication methods rather than a single channel.
  • If the controller intends to rely on an exception to the general principle of individual notification, it is advisable to conduct a thorough analysis of all the circumstances of the case.
  • Use dedicated messages; do not include other information (such as service messages).
  • Notifications limited to a press release or a company blog are not considered effective in informing a natural person of a breach.
  • Communications to individuals should be made without undue delay, where appropriate in close cooperation with the data protection authority, and in line with guidance provided by the data protection authority or by other relevant authorities such as law-enforcement authorities.

When is notification not required?

  • There are circumstances in which controllers may not be required to communicate a data breach to data subjects, even where the breach is likely to result in a high risk to the rights and freedoms of natural persons. These circumstances are where any of the following conditions is met:

(a) The controller has implemented appropriate technical and organizational protection measures that render the personal data unintelligible to any person who is not authorized to access it, such as encryption.

(b) The controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize.

(c) It would involve disproportionate effort. In such a case, however, controllers must still ensure, by way of a public communication or similar measure, that the data subjects are informed in an equally effective manner.

  • While there is no obligation on controllers to communicate a personal data breach to affected data subjects where it is not likely to result in a high risk to them, controllers remain free to communicate a breach to data subjects where doing so is in the data subjects' interests or is otherwise appropriate in the context of that particular breach.

Odia Kagan is a Partner at Fox Rothschild and chair of the firm’s GDPR Compliance and International Privacy Practice. For assistance with the full range of GDPR compliance issues contact Odia at [email protected] or 215.444.7313.

Further Reading:

EDPB Opinion Provides Guidance on Controller-Processor Agreements Under GDPR

French Privacy Regulator Releases Long-Awaited Rules for Use of Cookies

How To Determine If Europe’s GDPR Law Applies to a U.S.-based Retail Business

European Regulator Provides Guidance on Conducting Clinical Trials Under the GDPR