Obligations for the controller and the processor set out by the GDPR

Data breach notification – general information

In accordance with the GDPR the controller must notify the personal data breach to the data protection authority without undue delay and, where feasible, within 72 hours of the moment he/she becomes aware of the breach. As an organisation it is vital to implement appropriate technical and organisational measures to avoid possible data breaches.

The obligation to notify data breaches to the supervisory authorities and data subjects is addressed to controllers. However, processors are also required to notify breaches to the controller without undue delay.

What is a data breach?

Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. A data breach occurs when the data for which controller is responsible suffers a security incident resulting in a breach of confidentiality, availability or integrity.
If that occurs, and it is likely that the breach poses a risk to an individual’s rights and freedoms, breach has to be notified the supervisory authority without undue delay, and at the latest within 72 hours after having become aware of the breach.

Communication to the data subject

If the data breach poses a high risk to those individuals affected then they should all also be informed. The controller shall communicate the personal data breach to the data subject without undue delay unless there are effective technical and organisational protection measures that have been put in place, or other measures that ensure that the risk is no longer likely to materialise.