Data Breach Notification

  • Notification to supervisory authority by Controller (New)
    • Mandatory only if breach is likely to result in a risk to the rights and freedoms of the data subject
    • Without undue delay / within 72 hours after becoming aware (New)
    • Notification shall include detailed information, including incident consequences and measures
    • Processors shall notify the controller without undue delay of a personal data breach
  • Communication to data subject by Controller (New)
    • Mandatory only if breach is likely to result in a risk to the rights and freedoms of the data subject
    • Without undue delay
    • Communication not required if
      • Appropriate measures are or will be implemented (e.g. encryption that renders the data unintelligible)
      • It would require “disproportionate effort”