According to Art. 4(12) GDPR, a personal data breach is a breach of security leading to the accidental or unlawful destruction, loss or alteration of, or to the unauthorized disclosure of or access to, personal data transmitted, stored or otherwise processed. Given this broad definition, incidents that occur in the daily course of business regularly qualify as such a breach: for example, the final deletion of an email containing customer data, the sending of an email to the wrong recipient, or an incorrect entry in a system containing personal data are all covered.
As a first step, it is therefore important to document these incidents in an incident register. In most cases, however, simple violations do not trigger an obligation to notify the data protection authorities or the data subjects. The decisive factor for the obligation to notify is the risk to the data subjects, as specified in Art. 22. If the breach is not likely to result in a risk to the rights and freedoms of natural persons, notification is not necessary. In all other cases, a notification must be made immediately, but no later than within 72 hours.
The challenge for Swiss companies is to identify the authority to which the notification must be made. As a rule, this is every data protection authority in whose jurisdiction data subjects are located. The competence follows from Art. 55 GDPR and Recital 122, which describe the competence for processing activities that affect data subjects in the territory of the supervisory authority.
In most cases, the notification can be made in a standardized manner via the websites of the respective data protection authorities. It must contain at least the following information (if available):
- a description of the nature of the personal data breach, including, to the extent possible, the categories and approximate number of data subjects affected, and the categories and approximate number of personal data records affected;
- the name and contact details of the data protection officer or other point of contact for further information;
- a description of the likely consequences of the personal data breach;
- a description of the measures taken or proposed by the data controller to address the personal data breach and, where appropriate, measures to mitigate its potential adverse effects.
As soon as the causes of the breach are known, the company concerned must take remedial action based on the risk-based approach of the GDPR. In practice, this means taking measures proportionate to the severity of the possible infringement of the rights and freedoms of the data subjects, taking into account the state of the art and the cost of implementation.