
Data Breaches


In the case of a personal data breach, data controllers need to inform the supervisory authority “without undue delay” and within 72 hours unless the breach is “unlikely to result in a risk for the rights and freedoms of individuals”.


If the nature of the breach presents a high risk to the rights and freedoms of individuals, then the data controller needs to inform the data subjects (individuals). This communication needs to be understandable. The data controller need not inform the individuals affected if:

  • The personal data was protected in such a way that it does not pose a threat – e.g. encrypted.
  • The data controller has taken subsequent measures that mean the breach will not impact the rights and freedoms of individuals.
  • It would require disproportionate effort.

The breach notification needs to contain:

  • The nature of the breach.
  • Contact details of the DPO or other contact point in case further information is required.
  • Likely consequences of the breach.
  • Measures taken to deal with the breach and its impacts.

Be prepared for 25 May 2018.
