Personal data breach (GDPR 33, 34)

From Studento Vikis.

LT: Asmens duomenų saugumo pažeidimas

Personal data breach - a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. (GDPR 4.12)

Availability breach:

  • Destruction of personal data is where the data no longer exists, or no longer exists in a form that is of any use to the controller.
  • Loss of personal data - the data may still exist, but the controller has lost control or access to it, or no longer has it in its possession.

Alteration (damage) of personal data - Integrity breach - is where personal data has been altered, corrupted, or is no longer complete.

Unauthorised processing - Confidentiality breach - is disclosure of personal data to (or access by) recipients who are not authorised to receive (or access) the data, or any other form of processing which violates the GDPR.

Unlawful processing - any form of processing which violates the GDPR.

Notification about personal data breach

Once the controller has become aware of a notifiable breach, it must notify the breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it.

After first being informed of a potential breach by an individual, a media organisation, or another source, or when it has itself detected a security incident, the controller may undertake a short period of investigation in order to establish whether or not a breach has in fact occurred. During this period of investigation the controller may not be regarded as being “aware”. However, it is expected that the initial investigation should begin as soon as possible and establish with a reasonable degree of certainty whether a breach has taken place; a more detailed investigation can then follow.

If a controller fails to act in a timely manner and it becomes apparent that a breach did occur, this could be considered as a failure to notify in accordance with Article 33.

The controller and processor should have appropriate technical and organisational measures in place to ensure an appropriate level of security of personal data: the ability to detect, address, and report a breach in a timely manner should be seen as essential elements of these measures. (GDPR 32)

WP29 recommends that the DPO is promptly informed about the existence of a breach and is involved throughout the breach management and notification process.


4(12). Definitions
33. Notification of a personal data breach to the supervisory authority
34. Communication of a personal data breach to the data subject

