When must a data breach be reported?

Shortly before the General Data Protection Regulation (GDPR) came into force, many companies feared that the GDPR, with its high fines, would ruin them. Companies therefore wanted to adapt their internal processes to the GDPR as quickly as possible.

Now, after one year of the GDPR, the momentum has waned for many companies.

This may have to do with the fact that no significant fines have been imposed on a broad scale in Germany so far. However, this will change.

Therefore, our first appeal is: Take the necessary measures to implement the GDPR and to introduce a data protection management system in your company.

Avoid data protection violations!

We would like to draw your attention to a data protection issue that many companies are not aware of.

According to Art. 33 I GDPR, in the event of a personal data breach your company must notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the personal data breach is not likely to result in a risk to the rights and freedoms of natural persons.

This means that, as a matter of principle, every data protection violation must be reported to the supervisory authority!

Unless the exception in the second half-sentence of Art. 33 I GDPR applies.

If there is a data protection breach, you should have only a sufficiently qualified lawyer or your data protection officer check whether this exemption applies. If you erroneously assume that the exception applies, the incorrect assessment will be at your expense.

It should also be pointed out that failure to notify the supervisory authority may result in fines of up to €10 million or, in the case of companies, up to 2% of the total worldwide annual turnover of the preceding business year, whichever is higher.

Then there is the fine for the actual data protection breach.

However, proper notification of a data protection breach does not mean that no fine will be imposed on your company for the data protection breach. By properly notifying a data protection breach, you can only avoid a fine being imposed on your company for a failure to notify.

Therefore, our second appeal is: Contact your data protection advisor immediately if you discover a data protection breach in your company. 72 hours is not long!

We will be happy to answer any questions you may have on this topic or in the event of data protection incidents.

GoldbergUllrich Lawyers 2020

Michael Ullrich, LL.M. (Information Law)
Specialist Lawyer for Information Technology Law