Art. 29 Data Protection Working Party: Guidance on Breach Notification

The Art. 29 Data Protection Working Party has published a draft guidance document on data breach notifications dated October 3, 2017 (“Guidelines on Personal data breach notification under Regulation 2016/679” [PDF]). In it, the Working Party comments on the following topics, among others:

  • Legal definition of “data breach”
  • Risk assessment: methodology, relevant risks and weighting (but relatively sparse)
  • Triggering of the obligation to notify the competent authority (immediately after a breach becomes “known”; permissible preliminary clarifications before a notification is made)
  • Obligations of the processor
  • Subject of the reporting obligation; procedure; staggered and bundled reports; subsequent reports
  • Responsibility of the authorities; lead authority
  • No reporting requirement where risks are absent
  • Notifications to data subjects; “high” risks; method of notification
  • Exceptions to the notification requirement

The gui­dance pro­vi­des various examp­les, inclu­ding the fol­lo­wing, of “high risks” that may result in a duty to noti­fy affec­ted individuals:

  • Theft of log­in data and purcha­se histo­ries from an inter­na­tio­nal online vendor
  • As a result of a cyber attack, a hos­pi­tal can no lon­ger access health data for 30 hours
  • Per­so­nal data about 5000 stu­dents is sent to the wrong mai­ling lists with 1000+ recipients
  • Mar­ke­ting emails are sent so that reci­pi­en­ts can reco­gnize all other recipients

The gui­dance then sum­ma­ri­zes the data breach respon­se as follows:

Pro memo­ria: The draft DPA also con­ta­ins the obli­ga­ti­on to report or noti­fy data pro­tec­tion brea­ches (Art. 22 E‑DSG). Devia­ti­ons from the GDPR exist in par­ti­cu­lar as follows:

  • The obli­ga­ti­on to noti­fy the FDPIC only ari­ses in the case of “high” risks (unli­ke the GDPR, the­re is the­r­e­fo­re no obli­ga­ti­on to noti­fy every serious risk);
  • the­re is no spe­cial obli­ga­ti­on to give rea­sons if a report is made only after 72 hours sin­ce it beca­me known;
  • a duty to noti­fy the data sub­jects is only trig­ge­red if the­re are high risks and the noti­fi­ca­ti­on is addi­tio­nal­ly requi­red to pro­tect the data subjects;
  • the excep­ti­ons to the noti­fi­ca­ti­on requi­re­ment are regu­la­ted differently;
  • the­re is no expli­cit requi­re­ment for docu­men­ta­ti­on of injuries;
  • no sanc­tions are pro­vi­ded in case of violation.

Aut­ho­ri­ty

Area

Topics

Rela­ted articles

Sub­scri­be