Take-Aways (AI)
- It primarily covers data security breaches (e.g. hacking, data theft, lost devices), not every data protection breach.
- Accidental misaddressing of emails can also be considered a reportable data breach.
- An interruption of availability counts as a breach only if it is of longer duration; only unintentional barriers to access are considered data breaches.
- Notification obligation only exists in the event of an actual breach (e.g. unauthorized data access); no obligation without access.
On November 15, 2018, the Hamburg Commissioner for Data Protection and Freedom of Information published a Guidance on data breach notifications under Art. 33 GDPR, which provides clarifications on a few points:
- not every data protection breach is covered, but in principle only data security breaches (examples given are “hacking and data theft as well as SQL gaps, bugs in the web server, lost USB sticks or laptops, unlawful transmission as well as the break-in into server rooms, which are accompanied by the loss or destruction of hardware or the reading out of data carriers”); nevertheless, the accidental misdirection of an e‑mail is also covered;
- a breach due to an interruption of availability “presupposes a longer duration and can be caused, for example, by a power outage or a denial-of-service attack,” and “Only unintentional barriers to access [are] data breaches within the meaning of Article 33 GDPR”;
- the breach must actually have materialized: if no unauthorized access has occurred despite the existence of a security gap, there is no obligation to report it.
For the assessment of risk as a result of the breach and the question of when (the deadline-triggering) “knowledge” of the breach exists, the Commissioner refers to the European Data Protection Board paper on data breach notifications;