Personal data breach notification and communication duties under the GDPR

As mentioned on our General Data Protection Regulation (GDPR) page there are strict rules concerning personal data breach notifications in the EU’s personal data protection regulation for the age of big data. These duties are covered in several GDPR Articles of the final GDPR text and also come back several times in the recitals.

Obviously a personal data breach is one of the worst things that can happen to all of us: consumers or data subjects, to use the official GDPR language, and organizations/companies (both data processors and data controllers) alike.

We probably don’t have to expand too much on that. Data breaches are always bad, if they include personal data they are often even worse and when the ‘bad guys’ also have access to special types of personal data which need to be taken extra care off (sensitive personal data, personal data of children and so forth) the typical consequences of any serious (personal) data breach such as reputation damage, direct costs, indirect costs and much more become even more significant.

GDPR personal data breach notification and communication duties rules conditions and roles of processors controllers supervisory authorities and data subjects

Personal data breach notification duties of controllers and processors

This is of course also the case from a GDPR fine perspective. If a personal data breach concerns the theft of or access to personal data that can pose risks to the data subject whose data are involved and when there are issues on the front of GDPR compliance (which, strictly speaking doesn’t need to be the case when there is a breach, everyone knows that there is no such thing as perfect cybersecurity and that the bad guys increasingly are very smart and often even a bit ahead), it’s THE moment of truth regarding GDPR compliance and the liability game between controllers and processors can begin.

There are several shared responsibilities for data controllers and data processors under GDPR. Liability in case of personal data breaches is an obvious one and so is the personal data breach notification duty.

In the GDPR text a personal data breach is defined as a breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

The personal data breach notification isn’t really defined but indeed means a duty to notify the proper instances when a personal data breach has occurred and the involved data controllers and data processors are aware of it.

Controller notification and communication duties in case of a personal data breach

Although not being part of data subject rights in the very strict sense, the right to be informed and the consequences of the several duties regarding personal data breach notification and communication also form a data subject right under GDPR in a broader sense.

Taking measures to minimize impact and risk in case of a breach most obviously can’t wait until after notification of it…

And there is indeed a duty to inform data subjects too in case of a personal data breach, under certain conditions. The latter is the duty of the controller who has a personal data breach notification towards the supervisory authority.

The rules regarding that piece of the bigger personal data breach notification duty are relatively well known:

  • The personal data breach notification towards the (proper) supervisory authority needs to happen without unnecessary delay after the data controller became aware of the breach,
  • Within 72 hours unless there are very good reasons that the controller needs to add to his notification for a potential notification past that time limit,
  • When the personal data breach is likely to lead to risks for rights and freedoms of data subjects, not just in the scope of the GDPR but also beyond.

Obviously a personal data breach notification needs to come with a bunch of information regarding the breach, the people to get in touch with (e.g. the data protection officer or DPO), the types of data affected, the number of data subjects affected, what has been done ever since the breach and more.

The personal data notification breach duty of the data processor

As said, the processor also has a breach notification duty. How else could it be?

A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorized reversal of pseudonymization, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned (GDPR Recital 85)

In the first place the data processor who becomes aware of a personal data breach must notify the instance that asked to do the data processing: the controller. That’s not just a matter of liability but still…

The data processor has a lot of responsibilities and duties towards controllers and this is one of them. Data processors are bound to not just assist controllers, controllers are also bound to choose processors they can rely upon from, among others, a GDPR risk and compliance perspective.

It’s clear that in case of a personal data breach on the level of the processor a lot goes on between both and processors need to notify controllers. And they don’t have 72 hours: it’s ASAP (meaning no unnecessary delay).

The “rights” of data subjects in the scope of personal data breach communications

The GDPR doesn’t care too much about all the costs, hassle, potential discussions and other consequences for the controller or processor, certainly not in the first place (but it does care the controller too as you’ll read below).

The fact that the notification was made without undue delay should be established taking into account in particular the nature and gravity of the personal data breach and its consequences and adverse effects for the data subject (GDPR Recital 87)

It’s there for personal data protection and the protection of rights and freedoms of data subjects in relation with personal data and privacy – and it is a legal framework.

That’s why the risk of the breach for the data subject takes center stage in all the above. And it’s also why there is a personal data breach notification duty (officially communication duty) from the controller to the data subject.

This duty again only goes when the personal data breach will likely result in high risks to freedoms and rights of the data subject and it needs to happen ASAP as well. Of course it’s a duty of the controller and, totally in the spirit of the GDPR, it needs to happen in a transparent, understandable way with clear and plain language.

However, there are more exceptions regarding the breach notification duty of controller towards data subject than regarding the breach notification towards supervisory authorities (and from processors to controllers).

It is, for instance, not needed when

  • Encryption has been used, again showing the love of the GDPR for encryption, although other technical and organizational measures could also be a reason for an exception to that communication duty towards data subjects,
  • Since the personal data breach happened the data controller has done what needed to be done in order to stop that likely risk to happen,
  • The effort to make all affected data subjects would be too high or, let’s say, disproportionate. However, then there must be some other form of communication so that data subjects get informed in an ‘equally effective manner’. That could be a public communication, for instance. Indeed not the kind of thing we like to do when bad things happened.

Last but not least do note that the supervisory authority has the last say in the personal data breach communication duty towards the data subject and can tell the controller to move faster and do it or, the other way around, decide that the controller has met any of the just mentioned exceptions in case of discussion. As you can read between the lines of these exceptions (and in the related GDPR Articles) there is indeed room for potential discussions (e.g. regarding those sufficient technical and organizational measures, defining what disproportionate would mean as that is a very relative notion that no doubt also needs to be seen in the scope of how bad the breach is and in gauging when really enough has happened to stop that risk from happening).

In setting detailed rules concerning the format and procedures applicable to the notification of personal data breaches, due consideration should be given to the circumstances of that breach (GDPR Recital 88)

Similar discussions can of course occur on other levels of the personal data breach notification duty as well as the quote from GDPR Recital on the relativity and context of the notion of ‘undue delay’ in notifications showed.

Following the rules regarding personal data breach notifications and communications obviously doesn’t mean that other consequences won’t take place. Look at it as one of many steps to take and undoing the risk in case of a personal data breach is most probably your first job as in “right here and right now”.

Damage control and taking measures to minimize impact and risk in case of a breach most obviously can’t wait until after notification of it…

Personal data breach notification and communication in an infographic

By way of resuming it all in a more visual way below is a small infographic showing the essence of the mentioned rules.

GDPR - notification and communication personal data breaches infographic

Next in regulations and compliance: EU DORA Digital Operational Resilience Act

Top image: Shutterstock – Copyright: Rawpixel.com – All other images are the property of their respective mentioned owners. Although the content of this article is thoroughly checked we are not liable for potential mistakes and advice you to seek assistance in preparing for EU GDPR compliance.