On November 15, 2018, the Hamburg Commissioner for Data Protection and Freedom of Information published guidance on data breach notifications under Art. 33 GDPR, which clarifies a few points:
- not every data protection violation, but in principle only data security breaches are covered (examples are “hacking and data theft as well as SQL vulnerabilities, bugs in the web server, lost USB sticks or laptops, unlawful transmission as well as break-ins into server rooms that are accompanied by the loss or destruction of hardware or the reading out of data carriers”); nevertheless, the accidental misdirection of an e‑mail is also covered;
- a breach due to an interruption of availability “presupposes a longer duration and can be caused, for example, by a power outage or a denial-of-service attack,” and “only unintentional barriers to access [are] data breaches within the meaning of Article 33 GDPR”;
- there must be an actual breach: if no unauthorized access has occurred despite the existence of a security vulnerability, there is no obligation to report it.
For the assessment of the risk resulting from the breach, and for the question of when (deadline-triggering) “awareness” of the breach exists, the Commissioner refers to the European Data Protection Board's paper on data breach notifications.