The General Data Protection Regulation (Regulation n°2016/679, GDPR) imposes more stringent obligations on data controllers and data processors with the aim of making them more accountable. In this context, a new mechanism of personal data breach notification was introduced (article 33 of the GDPR). It must be underlined that the GDPR comes into effect on May 25th, 2018, which leaves data controllers and processors little time to prepare.
This mechanism should be seen as a tool to enhance compliance in relation to the protection of personal data. As explained below, the breach must be notified to the competent supervisory authority, which will then be able to advise the data controller, and, in some cases, the data subjects must be informed. Data controllers and processors should implement internal processes to promptly detect and contain a breach and assess the risk to data subjects. One way to do this is a Data Protection Impact Assessment (DPIA).
The Article 29 Working Party (WP29) released guidelines on Personal data breach notification under Regulation 2016/679 on October 3rd, 2017. They will be open to public comment until November 28th, 2017. Mathias Avocats analyses the guidelines.
What is a data breach notification?
The data controller must “without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority” (article 33, 1° of the GDPR).
Following this rule, two questions must be answered: what is a personal data breach? And when does the data controller become aware?
It must be underlined that the explanations given below also apply to the processor who must notify the controller without undue delay after having become aware of a breach (article 33, 2° of the GDPR).
A personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” (article 4, 12° of the GDPR). The WP29 indicates that even a temporary personal data breach may require notification. It also details the term “destruction”, which means that the data no longer exists, or no longer exists in a form that is of any use to the controller, and the term “loss”, which refers to the controller’s loss of control of or access to the data, or to the fact that the data is no longer in his or her possession.
The WP29 considers that a controller should be regarded as having become “aware” when he or she has “a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised”. Thus, it depends on the circumstances of the breach. However, during the investigation period, which must begin as soon as possible after the breach has been reported to the data controller, the latter is not yet considered “aware”.
It must be underlined that a personal data breach notification will not be required when the breach is unlikely to result in a risk to the rights and freedoms of natural persons. This will be the case if the personal data is already publicly available or if the personal data was rendered unintelligible to third parties (e.g. encryption).
Who must be notified and how?
Competent supervisory authority
Under article 33, 3° of the GDPR, the notification to the competent supervisory authority must at least:
- describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned;
- communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
- describe the likely consequences of the personal data breach;
- describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Considering the facts required, further investigation of the incident by the data controller may be necessary. This delay is easily managed, since the notification can be made in phases. The WP29 recommends that, in the first notification, the data controller inform the supervisory authority whether he or she will provide further information later on.
If multiple breaches occur, the controller may submit a “bundled” notification to avoid an overly burdensome process. This option requires that the breaches concern the same type of personal data, breached in the same way and over a relatively brief period of time.
Another specific rule applies to personal data breaches in cross-border processing which may affect data subjects in more than one Member State. In this situation, the data controller must notify the lead supervisory authority. The latter is the supervisory authority in the Member State in which the controller has his or her main establishment or his or her single establishment (article 56 of the GDPR).
There are no indications as to the form this notification must take. In practice, data controllers should use the most efficient means and favour written forms so as to comply with their documentation obligation. This obligation applies throughout the notification process and also to communications of the personal data breach to data subjects.
The data controller is required to communicate the personal data breach to the data subject without undue delay when the breach is “likely to result in a high risk to the rights and freedoms” of said data subject (article 34 of the GDPR). According to the WP29, the main objective of this communication is to provide specific information about steps the data subject should take to protect him or herself, such as resetting passwords.
The controller must at least provide the following information:
- a description of the nature of the breach;
- the name and contact details of the data protection officer or other contact point;
- a description of the likely consequences of the breach; and
- a description of the measures taken or proposed to be taken by the controller to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.
This information must be communicated in clear and plain language and addressed to the affected data subject directly. The WP29 considers that this implies accessible formats and using the data subject’s native language. Moreover, the WP29 deems the controller to be in the best position to determine the most appropriate contact channel to communicate a breach. It nonetheless recommends writing a dedicated message which should not be sent with other information such as newsletters or updates.
However, data controllers should keep in mind that a public communication is an option if direct communication to the data subject involves disproportionate efforts. Unfortunately, the WP29 does not give further guidance on what constitutes “disproportionate efforts” and data controllers should be cautious when deciding to make a public communication.
It must be underlined that failure to comply with the requirements of the personal data breach notification is subject to a substantial fine of up to 10,000,000 euros, or 2% of the data controller’s worldwide annual turnover (article 83, 4°, a) of the GDPR).
The detailed instructions in the WP29 guidelines, as well as the flowchart showing notification requirements and the examples of personal data breaches requiring notification, will be helpful for data controllers. The latter should also keep in mind any other breach notification requirements to which they may be subject under other regulations.
Mathias Avocats will keep you informed of any further developments.