# ARTICLE 29 DATA PROTECTION WORKING PARTY

**17/EN** **WP250**

## Guidelines on Personal Data Breach Notification Under Regulation 2016/679

## Adopted on 3 October 2017

This Working Party was set up under Article 29 of Directive 95/46/EC. It is an independent European advisory body on data protection and privacy. Its tasks are described in Article 30 of Directive 95/46/EC and Article 15 of Directive 2002/58/EC. The secretariat is provided by Directorate C (Fundamental Rights and Union Citizenship) of the European Commission, Directorate General Justice, B-1049 Brussels, Belgium, Office No MO-59 03/075. Website: [http://ec.europa.eu/justice/data-protection/index_en.htm](http://ec.europa.eu/justice/data-protection/index_en.htm)

* * *

## THE WORKING PARTY ON THE PROTECTION OF INDIVIDUALS WITH REGARD TO THE

## PROCESSING OF PERSONAL DATA

**HAS ADOPTED THE PRESENT GUIDELINES:**

* * *

### TABLE OF CONTENTS

I. PERSONAL DATA BREACH NOTIFICATION UNDER THE GDPR .....5

A. BASIC SECURITY CONSIDERATIONS .....5

B. WHAT IS A PERSONAL DATA BREACH? .....6

1. Definition .....6

2. Types of personal data breaches .....6

3. The possible consequences of a personal data breach .....8

II. ARTICLE 33 - NOTIFICATION TO THE SUPERVISORY AUTHORITY .....9

A. WHEN TO NOTIFY .....9

1. Article 33 requirements .....9

2. When does a controller become “aware”? .....9

3. Processor obligations .....11

B. PROVIDING INFORMATION TO THE SUPERVISORY AUTHORITY .....11

1. Information to be provided .....11

2. Notification in phases .....12

3. Delayed notifications .....14

C. BREACHES AFFECTING INDIVIDUALS IN MORE THAN ONE

* * *

### INTRODUCTION

The General Data Protection Regulation (the GDPR) introduces the requirement for a personal data breach (henceforth “breach”) to be notified to the competent national supervisory authority and, in certain cases, communicate the breach to the individuals whose personal data have been affected by the breach.

Obligations to notify in cases of breaches presently exist for certain organisations, such as providers of publicly available electronic communications services. Some EU Member States already have their own national breach notification obligation. The GDPR makes notification mandatory for all controllers unless a breach is unlikely to result in a risk to the rights and freedoms of individuals. Processors must also notify any breach to their controller.

### I. Personal Data Breach Notification Under the GDPR

#### A. Basic Security Considerations

The GDPR requires that, by using appropriate technical and organizational measures, personal data shall be processed in a manner that ensures appropriate security against unauthorized or unlawful processing and against accidental loss, destruction, or damage.

**Example**: Loss of personal data can include where a device containing a copy of a controller’s customer database has been lost or stolen.

#### B. What is a Personal Data Breach?

1. **Definition** 
The GDPR defines a “personal data breach” as: "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed."

2. **Types of Personal Data Breaches** 
Breaches can be categorized according to the following principles:
   - **Confidentiality breach**: Unauthorized disclosure or access to personal data.
   - **Availability breach**: Loss of access to or destruction of personal data.
   - **Integrity breach**: Unauthorized alteration of personal data.

3. **The Possible Consequences of a Personal Data Breach** 
A breach can potentially have significant adverse effects on individuals, such as loss of control over their personal data, discrimination, identity theft, and financial loss. The GDPR requires the controller to notify a breach to the competent supervisory authority unless it is unlikely to result in such adverse effects.

### II. Article 33 - Notification to the Supervisory Authority

#### A. When to Notify

1. **Article 33 Requirements** 
The controller must notify the supervisory authority without undue delay and, where feasible, no later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of individuals.

2. **When Does a Controller Become “Aware”?** 
A controller is regarded as having become “aware” when it has a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised.

3. **Processor Obligations** 
If a processor becomes aware of a breach, it must notify the controller without undue delay.

#### B. Providing Information to the Supervisory Authority

1. **Information to be Provided** 
When notifying a breach, the following information must be provided at a minimum:
   - Nature of the personal data breach.
   - The number of data subjects affected.
   - Name and contact details of the data protection officer.
   - Likely consequences of the breach.
   - Measures taken to address the breach.

2. **Notification in Phases** 
Further information may be provided in phases as it becomes available.

3. **Delayed Notifications** 
If a notification is not made within 72 hours, it must be accompanied by reasons for the delay.

#### C. Breaches Affecting Individuals in More Than One Member State 
When a breach affects individuals in multiple Member States, the controller must notify the lead supervisory authority.

### III. Article 34 – Communication to the Data Subject

#### A. Informing Individuals

When a personal data breach is likely to result in a high risk to the rights and freedoms of individuals, the controller must communicate the breach to those individuals without undue delay.

#### B. Information to be Provided

When notifying individuals, the communication should include:
   - Name and contact details of the data protection officer.
   - Description of the likely consequences of the breach.
   - Description of measures taken or proposed to address the breach.

#### C. Contacting Individuals

The relevant breach should be communicated directly to the affected data subjects unless doing so would involve a disproportionate effort.

#### D. Conditions Where Notification is Not Required

Notification to individuals may not be required under certain conditions, such as when appropriate technical and organizational measures have been applied to protect personal data prior to the breach.

### IV. Assessing Risk and High Risk

Notification is only triggered when there is a likely risk to the rights and freedoms of individuals.

### V. Accountability and Record Keeping

#### A. Documenting Breaches

The controller must document any personal data breaches, comprising the facts relating to the personal data breach, its effects, and the remedial action taken.

#### B. Role of the Data Protection Officer

The Data Protection Officer plays an important role in cooperating with the supervisory authority and acting as a contact point.

### VI. Notification Obligations Under Other Legal Instruments

Controllers should also be aware of any requirement to notify breaches under other associated legislation that may apply to them.

### VII. Annex

#### A. Flowchart showing notification requirements

**Controller detects a data breach and assesses risk.** 
Is the breach likely to result in risk to individuals’ rights? 
   - **No:** No requirement to notify.
   - **Yes:** Notify competent supervisory authority.

Is the breach likely to result in a high risk to individuals’ rights?
   - **No:** No requirement to notify individuals.
   - **Yes:** Notify affected individuals.

All breaches are recordable under Article 33(5).

#### B. Examples of Personal Data Breaches

| Example | Notify the supervisory authority? | Notify the data subject? | Notes/recommendations | 
| --- | --- | --- | --- | 
| i. A controller stored a backup of personal data encrypted on a CD which is stolen. | No. | No. | As long as the data are encrypted and not compromised, this may not be a reportable breach. | 
| ii. Personal data exfiltrated from a secure website during a cyber-attack. | Yes. | Yes. | Notify individuals depending on nature of the affected data. | 
| iii. A brief power outage at a controller's call centre. | No. | No. | Not a notifiable personal data breach but still a recordable incident. | 
| iv. A ransomware attack resulting in all data being encrypted with no backups. | Yes. | Yes. | Report to supervisory authority if potential consequences exist. | 
| v. An individual reports a data breach regarding a monthly statement for someone else. | Yes. | Only affected individuals if high risk. | Update supervisory authority if more individuals affected. | 
| vi. An online marketplace suffers a cyber-attack and personal data published online. | Yes. | Yes. | Take action to mitigate risks. | 
| vii. A website hosting company identifies a code error affecting user authorization. | Notify affected clients. | – | Affected controllers must notify supervisory authority accordingly. | 
| viii. Medical records in a hospital are unavailable due to a cyber-attack. | Yes. | Yes. | High-risk notification required. | 
| ix. Personal data of 5000 students mistakenly sent to wrong recipients. | Yes. | Yes. | Notify based on scope and type of personal data involved. | 
| x. A direct marketing email sent showing addresses of recipients. | Yes. | Yes. | Notification requirements depend on sensitive data exposure. |

* * *
