A notification to the data protection supervisory authority is always required if a data breach has occurred and a risk has arisen for persons affected by the data breach. Such a data breach always occurs when there has been a breach of data security (e.g. hacker attack) and a risk has arisen as a result (e.g. because the hacker has demonstrably accessed the exposed data).

In such a case, the data protection supervisory authority responsible for the company must be notified within 72 hours and the information defined by law must be provided. This includes:

• Description of the nature of the breach: categories and approximate number of data subjects concerned, categories and approximate number of personal data records concerned
• Name and contact details of data protection officer or other contact point for more information
• Likely consequences of personal data breach
• Description of measures taken or proposed to be taken by controller to address personal data breach (including measures to mitigate possible adverse effects).

In addition to the reporting requirements, the controller must document any personal data breach (including description, effects of breach and remedial action taken).

The reporting of a data breach must be fulfilled by the controller. If the data breach takes place on the side of the processor (e.g. a service provider), the latter is obliged to inform the controller. The deadline for such a processor notification is normally specified in a commissioned data processing agreement.

The involvement of the authority enables an independent treatment of the data breach. The authority may instruct the controller on how the breach should be handled. The authority has e.g. the power to direct the controller to inform the data subjects of the breach (even if the controller is of the opinion that the breach does not pose a high risk that would make it legally necessary to notify the data subject).