Personal data breach (GDPR 33, 34)
From Studento Vikis.
Personal data breach - a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. (GDPR 4.12)
- Destruction of personal data is where the data no longer exists, or no longer exists in a form that is of any use to the controller.
- Loss of personal data is where the data may still exist, but the controller has lost control of or access to it, or no longer has it in its possession.
- Alteration (damage) of personal data, an integrity breach, is where personal data has been altered, corrupted, or is no longer complete.
- Unauthorised processing, a confidentiality breach, is the disclosure of personal data to (or access by) recipients who are not authorised to receive (or access) the data, or any other form of processing which violates the GDPR.
- Unlawful processing is any form of processing which violates the GDPR.
Notification about personal data breach
Once the controller has become aware of it, a notifiable breach must be notified without undue delay and, where feasible, not later than 72 hours after the controller became aware.
After first being informed of a potential breach by an individual, a media organisation, or another source, or when it has itself detected a security incident, the controller may undertake a short period of investigation in order to establish whether or not a breach has in fact occurred. During this period of investigation the controller may not be regarded as being “aware”. However, it is expected that the initial investigation should begin as soon as possible and establish with a reasonable degree of certainty whether a breach has taken place; a more detailed investigation can then follow.
If a controller fails to act in a timely manner and it becomes apparent that a breach did occur, this could be considered as a failure to notify in accordance with Article 33.
The controller and processor should have appropriate technical and organisational measures in place to ensure an appropriate level of security of personal data: the ability to detect, address, and report a breach in a timely manner should be seen as essential elements of these measures. (GDPR 32)
WP29 recommends that the DPO be promptly informed about the existence of a breach and be involved throughout the breach management and notification process.
- GDPR Article 4(12). Definitions
- GDPR Article 33. Notification of a personal data breach to the supervisory authority
- GDPR Article 34. Communication of a personal data breach to the data subject
- Personal data breaches, ICO (the UK's independent body set up to uphold information rights).