Informing the data subject about data breaches in accordance with the law

What is meant by the obligation to notify the data subject, what is the function of the notification and what must be taken into account when implementing it?

Informing the data subject is always necessary if a data breach has occurred and this has resulted in a high risk for the persons affected by the data breach.

Such a high-risk data breach always exists if a breach of data security has occurred (e.g. hacker attack) and a high risk has arisen as a result, e.g. because the hacker has demonstrably accessed the exposed data and the data in question is data that allows a noticeable invasion of privacy (e.g. identity theft, blackmail, advertisement). In such a case, in addition to informing the data protection supervisory authority responsible for the company, the data subjects must also be immediately informed. The legally defined information categories that need to be provided to the data subject include:

name and contact details of the data protection officer or other contact point where more information can be obtained
likely consequences of personal data breach
description of measures taken or proposed to be taken by controller to address personal data breach (including measures to mitigate possible adverse effects).

In addition to the reporting requirements, the controller must document any personal data breach (including description, consequences of breach and remedial action taken).

The reporting of a data breach must be fulfilled by the controller. If the data breach takes place on the side of the processor, the latter is obliged to inform the controller. The deadline for such a processor notification is normally specified in a commissioned data processing agreement.

How should the obligation to notify the data subject and the associated obligations be handled in concrete terms?

1

Inform the department responsible for reporting (usually the data protection or legal department). A corresponding internal reporting obligation should be anchored in a data breach policy within the company.

2

Determination of the legally defined information together with the relevant department and identification of the persons concerned and their contact details.

3

Notification of the authority, receipt of assessments/orders from this authority if necessary.

4

Creation of a notification text.

5

Information of the data subjects.

6

Documentation of the data breach.

7

Check the applicable legislative text.

Check relevant court decisions.

What have the data protection supervisory authorities published on the subject of the obligation to notify the data subject?

Article-29-Working-Party: Guidelines on Personal data breach notification under Regulation 2016/679 (06.02.2018)

Guidelines 01/2021 on Examples regarding Personal Data Breach Notification (14.12.2021)

DSAB Hamburg: Data-Breach-Meldungen nach Art. 33 DSGVO (15.11.2018)

DSAB Hamburg: Datenschutzverletzungen: Melde- und Benachrichtigungspflicht unter der Datenschutz-Richtlinie für Polizei und Strafjustiz (Aktuelle Kurz-Information, 4 Seiten) (01.10.2018)

>> Find out which other data protection obligations have to be considered with respect to European data protection law.

your company

your forename*

your surname*

your email*

your phone

subject*

Question about one of our products?

your message

Reporting to data subject