Regulations
26 January 2022

How to react in case of a personal data breach?

The European Data Protection Board ("EDPB") has recently published guidelines illustrating the obligations to be respected in the event of a personal data breach: theft or loss of documents, an e-mail sent by mistake, etc. We analyse several practical cases from these guidelines.

What is a personal data breach?

Under the General Data Protection Regulation ("GDPR"), a personal data breach is defined as

a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

In the event of a breach, the controller is obliged to:

1) In any case: document the breach, the facts and the measures taken to remedy it, in an internal register;

2) Possibly: notify the breach to the Data Protection Authority (DPA), within 72 hours of becoming aware of the breach, if there is "a risk to the rights and freedoms of individuals";

3) Possibly: notify the data subject of the breach as soon as possible if there is a "high risk to the rights and freedoms of an individual".

In practice, it is up to the controller to assess whether the breach should be notified to the supervisory authority and to the data subject. The responsibility lies with the controller. To facilitate this task, the EDPB has issued guidelines containing practical cases drawn from situations submitted to European supervisory authorities.

Case studies

i) Theft of a worker's computer

During a burglary, a worker's computer is stolen. A lot of personal data is stored on it. The computer is protected by a "strong" password. The data is encrypted. Since an external backup was available, the employer was able to remotely delete the contents of the computer.

In view of the (adequate) measures taken by the employer, the EDPB considers that the employer is not obliged to notify the breach to the supervisory authority, nor to the data subjects.

ii) Retention of confidential data after dismissal

An employee is dismissed. During his notice period, he makes a copy (on a personal USB stick) of customer data.

Given the risk to the rights and freedoms of the data subjects, the EDPB considers that the employer is obliged to notify the breach to the supervisory authority. On the other hand, the employer is not obliged to notify the data subjects of the breach, as long as no "sensitive" data are involved and the volume of the data is limited.

This breach could have been avoided by restricting access as much as possible and by prohibiting any copying of data to external storage media.

iii) Error when sending an e-mail

A worker sends an e-mail to jobseekers. By mistake, an attachment is included containing the contact details and national register number of all jobseekers (60,000 people).

Given the sensitivity of the data, the number of data subjects and the potential impact of the leak, the EDPB considers that the employer is obliged to notify the breach to the supervisory authority as well as to the data subjects.

This breach could have been avoided by adopting an appropriate policy for the use of e-mail boxes within the company.

What to remember?

In the event of a personal data breach, the data controller is obliged to react with urgency and to analyse the risks, in order to determine the actions to be taken (notification or not to the supervisory authority and the data subjects). This analysis is done on a case-by-case basis. The EDPB guidelines are a useful source in this context.

Source: EDPB, Guidelines 01/2021 on Examples regarding Personal Data Breach Notification, 14 December 2021 (version 2.0), EDPS website.
