Under the GDPR, a personal data breach has to be notified to the relevant supervisory authority in most circumstances, most notably when there is a risk for the rights and freedoms of the data subject because of the occurrence of the breach. What is a breach, and which supervisory authority does it have to be notified to? In this blog post, we briefly discuss the answers to these questions.
What is a data breach?
First, it is important to note that a data breach in terms of the GDPR might also include situations your security officer might not regard as breaches. For instance, under art. 4 GDPR, a personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
From other parts, e.g. art. 32 GDPR about security of personal data processing and recital 49, we can derive that unavailability of systems is also construed as a data breach – whereas a security officer might claim that unavailability is the best guarantee against having a breach. In this scenario, the security officer’s argument will not hold. Situations in which personal data are read, copied, altered, deleted or disclosed without authorisation will also often be considered breaches. As such, security officers should ensure the reliability of all software in use for processing personal data.
Where should you report a GDPR data breach?
A data breach has to be notified to a supervisory authority. Each EU country has its own supervisory authority; Germany has one for each of its states (‘Länder’). If your organisation is based (only) in France, and you have only data of French data subjects, then the French supervisory authority will be the one to notify. However, the situation becomes more complex if you have several countries of establishment, or if you work from outside the European Union.
For organisations with establishments in several EU countries that serve data subjects from different countries, the situation is more complex.
In this case, the breach should be notified to the ‘lead supervisory authority’ or LSA. If data subjects from different countries are concerned in a processing activity, the supervisory authority acting as the LSA is determined (with some exceptions) by the sole or main establishment of the controller carrying out cross-border processing activities (art. 56 par. 1 GDPR).
If your organisation is established outside the European Union, it should have a representative within the European Union. That is where things start to get really interesting: formally, the GDPR should protect against so-called ‘forum shopping’, the possibility of choosing the ‘mildest’ supervisory authority.
Because your organisation is free to choose the country in which the representative is established (not at the time of a breach, obviously, but well before that), forum shopping would be possible after all.
What should a data breach report to the LSA contain?
LSAs might have their own forms, but the general guidelines for notifications are found in article 33 GDPR. The notification should contain:
- the nature of the breach, including – where possible – the categories of personal data and the number of personal data records concerned, and the number of data subjects concerned;
- the name and contact details of the data protection officer or other contact person;
- a description of the likely consequences of the breach for the data subject;
- measures taken to address the consequences of the data breach, including mitigating measures.
According to art. 33(5) GDPR, controllers should keep a register of breaches, including the ones that did not need to be notified to the supervisory authority (or the data subject, a different topic not addressed in this post). Software tooling can support the maintenance of this register for any supervisory authority’s investigation and verification.