Personal data breach (data breach)
Is the obligation of the notification of a personal data breach applicable to all controllers?
There is no exemption: the obligation applies to every controller that becomes aware of a personal data breach, whatever its size or sector.
Is it mandatory to notify all data breaches to the supervisory authority?
No. Only personal data breaches that are likely to result in a risk to the rights and freedoms of individuals have to be notified to the supervisory authority. The risk does not need to be high: any likely risk triggers the obligation, and only breaches unlikely to result in a risk are exempt from notification.
Is it always mandatory to communicate a data breach to data subjects?
No. Only personal data breaches that are likely to result in a high risk to the rights and freedoms of data subjects must be communicated to them, whereas notification to the supervisory authority is required whenever the breach is likely to result in a risk, whatever its severity. In addition, there are conditions under which communication to the data subjects concerned is not required even when the risk is high, for example where the controller had applied measures such as encryption that render the data unintelligible to unauthorised persons, where subsequent measures ensure the high risk is no longer likely to materialise, or where individual communication would involve disproportionate effort and a public communication is made instead.
Should processors notify a personal data breach to the supervisory authority?
Processors are not required to notify a personal data breach to the supervisory authority themselves, but they play an important role in helping the controller comply with the obligation: a processor must inform the controller on whose behalf it processes the data without undue delay after becoming aware of the breach, since the controller's own notification deadline depends on it. A processor may notify the supervisory authority on the controller's behalf only if the controller has authorised it to do so and this is provided for in the contract between the controller and the processor.