The Art. 29 Data Protection Working Party has published a draft guidance document on data breach notifications dated October 3, 2017 (“Guidelines on Personal data breach notification under Regulation 2016/679” [PDF]). In it, the Working Party comments on the following topics, among others:
- Legal definition of “data breach”.
- Risk assessment: methodology, relevant risks and weighting (though relatively brief).
- Triggering of the obligation to notify the competent authority (immediately after a breach becomes “known”; permissible preliminary clarifications before a notification is made).
- Obligations of the processor
- Subject of the reporting obligation; procedure; staggered and bundled reports; subsequent reports
- Responsibility of the authorities; lead authority
- Omission of a reporting requirement if risks are absent
- Notifications to data subjects; “high” risks; method of notification.
- Omission of the notification requirement
The guidance provides various examples, including the following, of “high risks” that may result in a duty to notify affected individuals:
- Theft of login data and purchase histories from an international online vendor
- As a result of a cyber attack, a hospital can no longer access health data for 30 hours
- Personal data about 5000 students is sent to the wrong mailing lists with 1000+ recipients
- Marketing emails are sent so that recipients can recognize all other recipients
The guidance then summarizes the data breach response as follows:
Pro memoria: The draft Swiss DPA also contains an obligation to report or notify data protection breaches (Art. 22 E‑DSG). It deviates from the GDPR in particular as follows:
- The obligation to notify the FDPIC only arises in the case of “high” risks (unlike the GDPR, there is therefore no obligation to notify every serious risk);
- there is no special obligation to give reasons if a report is made more than 72 hours after the breach became known;
- a duty to notify the data subjects is only triggered if there are high risks and the notification is additionally required to protect the data subjects;
- the exceptions to the notification requirement are regulated differently;
- there is no explicit requirement to document breaches;
- no sanctions are provided in case of violation.