Data protection notification to the supervisory authority
According to the GDPR, all personal data breaches must be reported to the competent supervisory authority without delay. This is called a data protection notification.

Examples of data protection risks:
- An unencrypted mobile device (laptop, mobile phone, tablet, USB stick) has been lost, left behind or stolen;
- Hacker attack in which personal data was stolen;
- Unintentional data leaks;
- Personal data of the data subjects were sent to the wrong recipients;
- Wage and salary data is visible to all employees due to a software error.
Deadline for a data protection notification

The data protection breach must be reported to the supervisory authority without undue delay, if possible within 72 hours after the breach became known.
The obligation to notify lies with the controller of the processing. The following information must be included in the data protection notification:

- Description of the nature of the breach, including, as far as possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- The name and contact details of the data protection officer for further information;
- The likely consequences of the breach;
- The measures taken or proposed to remedy the breach and, where appropriate, measures to mitigate its possible adverse effects.
If the controller cannot meet the 72-hour deadline, the notification must be accompanied by the reasons for the delay.
Impact on those affected
Data protection and security breaches, if not responded to in a timely and appropriate manner, can have a major impact on the individuals concerned:

When is no notification necessary?
The controller does not have to make a data protection notification to the supervisory authority if the breach is not likely to result in a risk to the rights and freedoms of natural persons.
Whether or not the data breach has been reported, personal data breaches must be documented, including all related facts, their impact and the remedial action taken.
Notification to the parties concerned
If the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must notify the data subjects of the breach without undue delay.
The notification must be made in clear and simple language and include the following points:

- Name and contact details of the data protection officer or other point of contact;
- Description of the nature of the breach and its likely consequences;
- Recommendations for the data subjects on how to mitigate the possible adverse effects of the breach;
- Measures taken / planned to rectify the data breach.

Such notifications must be made as soon as reasonably practicable, in close consultation with the supervisory authority and in accordance with the instructions of the supervisory authority or other competent authorities (such as law enforcement authorities). Where there is a risk of immediate harm, for example, data subjects need to be notified at once. A longer notification period may be justified where it is needed to take appropriate measures against ongoing or similar personal data breaches.
When is no notification necessary?
Notification of the data subjects is not required if one of the following conditions is met:
- The controller has taken sufficient technical and organisational measures to ensure that the risk to the rights and freedoms of the data subjects no longer exists (e.g. where sufficient encryption is in place for the lost data);
- The controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of the data subjects is no longer likely to materialise;
- The notification involves a disproportionate effort. In that case, the controller must carry out a public notice or a similar measure by which the data subjects are informed in a comparably effective manner.
Summary: Notification or no notification?

In the event of security incidents and data breaches, we recommend that you contact your DPO who can assist you in resolving the incident.
Data protection supervisory authorities:
Below you will find the links to the forms of the supervisory authorities to which you can report the data protection breach.
Supervisory authority: | Link: |
Baden-Württemberg | https://www.baden-wuerttemberg.datenschutz.de/meldung-von-datenpannen/ |
Bavaria | |
Berlin | |
Brandenburg | |
Bremen | https://www.datenschutz.bremen.de/wir-ueber-uns/online-meldungen/datenschutzverletzung-melden-15665 |
Hamburg | |
Hesse | |
Mecklenburg-Western Pomerania | https://www.datenschutz-mv.de/kontakt/meldung-einer-datenpanne/ |
Lower Saxony | https://www.navo.niedersachsen.de/navo2/portal/csend/8916/fileget/artikel_33.html |
North Rhine-Westphalia | |
Saarland | https://www.datenschutz.saarland.de/online-dienste/meldung-datenpanne |
Saxony | |
Saxony-Anhalt | https://datenschutz.sachsen-anhalt.de/service/online-formulare/datenschutzverletzung/ |
Schleswig-Holstein | https://www.ihk-schleswig-holstein.de/recht/aktuelle-rechtsthemen/eu-datenschutz-grundverordnung-nr11-3844548 |
Thuringia | |
If you have not yet analysed your security level with our free application, register here!