If a personal data breach occurs, data controllers included within the scope of action of the Catalan Data Protection Authority (APDCAT) must notify that Authority without undue delay. Where feasible, and unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons, such notification must be made within no more than 72 hours of having become aware of it (Art. 33, GDPR).
The controller must document all data breaches, whether notification to the APDCAT is required or not. Specifically, a record must be made of all information relating to the event, its effects and the remedial action taken. This documentation must be available to the APDCAT (Article 33.5, GDPR).
Notification of the personal data breach must be submitted via the notification form. Once filled in and electronically signed, the form must be processed (together with any relevant documentation, where applicable) according to the following procedure:
- institutions registered with the EACAT platform must submit the form through the platform’s “Notifications of security violations” procedure;
- other institutions should submit it through this procedures page of the Authority’s online office;
- individuals and businesses not obliged to deal with public administrations electronically may also use any of the other means referred to in Article 16.4 of Law 30/2015, of 1 October, of the common administrative procedure for public administrations.
Communication of a personal data breach to the data subject (Article 34, GDPR)
Besides notifying the APDCAT, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must communicate the breach to the data subject without undue delay and in clear and plain language, unless:
- the controller has implemented appropriate protection measures that render the personal data unintelligible to any person who is not authorised to access it;
- the controller has taken subsequent measures which ensure that the high risk is no longer likely to materialise;
- it would involve disproportionate effort; in such a case, the controller may decide to make a public communication or similar measure.
Minimum content of the notification of a personal data breach
The minimum content of the notification is stipulated in Article 33 of the GDPR, which requires the following information to be included:
- A description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- The name and contact details of the data protection officer or other contact point where more information can be obtained;
- Description of the likely consequences of the personal data breach;
- Description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Where it is not possible to provide the APDCAT with all the information at the same time, it may be provided in phases without undue further delay. The number assigned to the first data breach notification must be indicated in these subsequent communications, for which the same model form must be used.
What can happen if a personal data breach is not notified?
Failure to notify the APDCAT of a personal data breach may represent an infringement of the GDPR unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Notifying the Authority of a personal data breach more than 72 hours after it occurred may also represent an infringement of the GDPR, unless reasons can be provided that justify the delay. These infringements may result in the exercise of powers of investigation, corrective powers and even the imposition of a fine, where applicable. No penalty will be imposed, however, if the APDCAT is notified of a security incident which is not eventually considered a personal data security breach whose notification is compulsory.
Flowchart
Further information
The Article 29 Data Protection Working Party has drawn up a working paper entitled Guidelines on Personal data breach notification under Regulation 2016/679 (wp250rev.01). The document conducts a detailed analysis of various aspects to be taken into account regarding personal data breaches, such as determining whether the requirement for notification to the supervisory authority and the affected individuals has been triggered. It also includes several examples that will prove useful for controllers in deciding whether they need to notify in different data breach scenarios. The Catalan translation of this document can be accessed here.