A data security breach is an incident, whether intentional or unintentional, that compromises the security of personal data. If the incident does not affect personal data, it is not a data security breach.
There is no defined list, but some examples are:
- Transfer of personal data to the wrong recipient.
- Sending emails to multiple recipients without using blind carbon copy (Bcc), so that every recipient sees the other addresses.
- Theft/loss of mobile devices (laptops, memory sticks, etc.).
- Encryption of data by ransomware, making it unavailable.
- Theft of email credentials.
- System failure that causes data unavailability.
- Public disclosure of data due to system configuration error.
- Unauthorised access to a patient's medical record.
- Theft of paper documentation.
- Public disclosure of data due to inadequate destruction of paper documentation.
A breach must be reported when it may cause harm (physical, material or immaterial damage) to the affected data subjects. Examples of such harm are loss of control over data, restriction of data subjects' rights, discrimination, impersonation, financial loss, reputational damage, unauthorised reversal of pseudonymisation, or loss of confidentiality of data subject to professional secrecy.
Reporting such breaches will allow the Authority to inform the controller whether they have managed the breach correctly and, if they have not, request that they take the steps required to do so.
Failure to report implies breach of an obligation established by the GDPR. Therefore, it may lead to an investigation and, where appropriate, a penalty, in addition to damage to the controller's reputation.
If a delay in reporting is justified, there will be no consequences. If the delay is not justified, it may constitute an infringement of the regulations and, where appropriate, result in a penalty.
It can still be reported. The report is processed and, once it is concluded that there has been no breach that is mandatory to report, the file is closed. In fact, in case of doubt it is preferable to report the breach.
The regulations oblige the controller to report breaches. If the breach is suffered by the processor, the processor must immediately inform the controller so that it can fulfil its obligations. Where appropriate, this includes reporting the breach to the APDCAT.
A processor may also report a breach on behalf of the controller, and even notify the data subjects, if this is part of the contractual agreement. However, the legal responsibility for reporting breaches and notifying the data subjects always lies with the controller.
Data subjects should be notified when there is a high risk to their rights and freedoms, that is, when the security breach is likely to cause them significant harm. This means assessing both the likelihood and the severity of the consequences of the breach for the affected data subjects. For example, it can be taken into account whether the breach:
- might cause economic loss
- involves sensitive data
- could lead to impersonation
- allows access to more personal data belonging to the data subjects (for example if passwords have been obtained)
- affects vulnerable groups
A public announcement can be made, for example on the entity's website or in the media. This announcement must also contain all the mandatory information.
Data subjects are notified so that they can take steps to protect themselves from the harmful consequences of the breach.
An initial report is submitted within 72 hours. Once all the inquiries have been made and more information is available, an additional report must be submitted without undue delay.