We are often asked which data protection breaches have to be reported to the supervisory authority. We have already summarised the most important points for you in our article "When must a data protection breach be reported?"we have already summarised the most important points.
The following applies in principle: notification of every data protection breach
Pursuant to Art. 33 I GDPR, in the event of a personal data breach (data breach / data protection violation), your company must notify the competent supervisory authority without undue delay and, if possible, within 72 hours of the breach becoming known to the company. Unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
This means that you must always report any data protection breach / violation to the supervisory authority!
Does the exemption apply?
You only do not have to report a data breach if the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons (exemption of Art. 33 (1), 2nd half of the GDPR).
However, you should only have a sufficiently qualified lawyer check whether this exemption applies in the event of a data protection breach. If you erroneously assume that the exception applies, the incorrect assessment will be at your expense.
Help from the European Data Protection Supervision Authority (EDSA)
To help companies classify whether a data breach notification is required, the European Data Protection Board (EDSA) has published draft guidelines with examples.
The document provides guidance on when a data breach notification to the supervisory authority is required and when it is not, based on several examples.
The following examples are discussed:
- Ransomware attack with adequate backup and no data leakage
- Ransomware attack without adequate backup
- Ransomware attack with adequate backup and no data leakage at a hospital
- Ransomware attack without adequate backup and with data leakage
- Attack on a job application form of a website with data leakage
- Retrieving passwords in a "hashed" format from a website
- Credential stuffing attack on a bank website (mass login attempts with e.g. stolen or guessed login data)
- Data disclosure by former employees
- Unintentional data transmission to a trusted third party
- Stolen data carrier with encrypted data
- Stolen data carrier with unencrypted data
- Stolen papers containing special categories of personal data Incorrectly sent letter post
- Particularly sensitive data sent unintentionally by e-mail
- Personal data sent unintentionally by e-mail
- Identity theft
- Unauthorised access to (and outflow of) emails
The draft provides information on risk assessment for each example. The draft also contains assessments of whether, in addition to a report to the supervisory authority, it may also be necessary to inform those affected.
You can download the draft in English here.
A similar document has been published in German by the Hamburg Commissioner for Data Protection and Freedom of Information.
You can download this document here.
Please do not hesitate to contact us if you have any questions on the topic of "Reporting data protection breaches/data privacy violations" and on all issues of data protection law.
GoldbergUllrich Lawyers 2021
Attorney at Law Michael Ullrich, LL.M. (Information Law)
Specialist lawyer for industrial property protection
Specialist lawyer for information technology law