A data security breach is any security incident that leads to the destruction, loss, alteration, unauthorised access or disclosure of personal data, whether of employees or of the people you provide services to, such as citizens, patients, students, etc. If you are a data controller and you suffer a security breach, you must notify the APDCAT without undue delay and, in any case, within a maximum of 72 hours after becoming aware of it, unless it is unlikely that the breach poses a risk (damage) to the rights and freedoms of the data subjects whose data was compromised.
When must it be notified?
A security breach is considered to have been detected when there is certainty that it has occurred and there is sufficient knowledge of its nature and scope. The mere suspicion that a failure has happened, or the finding that some type of incident has occurred without the slightest knowledge of the circumstances, should not by itself trigger the notification: in most such cases it is not yet possible to determine to what extent there may be a risk to the rights and freedoms of the data subjects.
However, for breaches that, due to their characteristics, can have a great impact, it is recommended to contact the APDCAT as soon as there is evidence that an irregular situation has occurred with respect to the security of the data, regardless of whether these initial contacts are later complemented by a formal notification within the legally provided period.
There may be cases where some of the required information cannot be provided within 72 hours, for example, because fully determining the scope of the breach is complex. In these cases, that information can be supplied later, accompanied by an explanation of the reasons for the delay.
What is the content of the notification of a security breach to the control authority?
The notification must include the minimum content that the GDPR itself establishes, which covers elements such as the nature of the breach, the categories of data and of data subjects affected, the measures taken by the data controller to address the breach and, if applicable, the measures applied to mitigate its possible negative effects on the persons concerned. The information can also be provided in stages when it cannot all be supplied at the time of the notification.
When should it be documented and how?
Regardless of whether the breach is notified to the control authority, data controllers must document all security breaches. To that end, they must keep an internal record of the security incidents they suffer, including the facts of each breach, its effects and the corrective measures taken.
When should the data subjects be notified?
In addition to notifying the security breach to the APDCAT, when the breach is likely to entail a high risk (significant or serious damage) to the rights of the data subjects, the data controller must also communicate it to the data subjects without undue delay, in clear and simple language.
When is a security breach likely to pose a high risk to the rights of data subjects?
High risk exists when the security breach is likely to cause significant harm to the data subjects. This can happen, for example, if confidential information is revealed, such as passwords or participation in certain activities; if confidential data is disseminated on a mass scale; or if the data subjects may suffer economic damages.
The purpose of this communication is to allow the data subjects to take measures to protect themselves from the consequences of the security breach, and to do so as soon as possible. Therefore, the communication must include recommendations on the measures the data subjects can take to deal with the consequences of the breach.
It will not be necessary to carry out this communication to the data subjects if:
- The data controller has adopted appropriate protection measures, such as making the data unintelligible to unauthorised persons.
- The data controller has applied subsequent measures that ensure that the high risk is no longer likely to materialise.
- It would involve a disproportionate effort. In this case, the data controller can opt for a public statement or an equivalent measure.
What is the role of the data processor?
If the data controller uses a data processor and the latter suffers a security breach, the data processor must inform the data controller without undue delay, as soon as it becomes aware of the breach, so that the data controller can comply with its notification obligations. The contract that regulates the processing must stipulate that the data processor will help the data controller ensure compliance with those notification obligations.