Report personal data breaches to Supervisory Authority
Personal Data Controllers must report certain personal data breaches to a Supervisory Authority according to the GDPR. Moreover, the report must be made without undue delay and, where feasible, within 72 hours from the time the breach has been discovered. In addition, the Controller must report the breach to the police if it is a crime. However, the Controller does not need to report all personal data breaches according to the GDPR.
Article 4(12) of the GDPR states the definition of a personal data breach. A personal data breach means a breach of security leading to the accidental or unlawful destruction of personal data. Unauthorised disclosure of, or access to, personal data that is being processed is also considered a personal data breach.
An example of a breach is if a company sends an email containing personal data to the wrong person. Another example is if the Controller has shared personal data with unauthorized persons.
Report personal data breaches to Supervisory Authority
The GDPR came into force in May 2018 and sets high requirements for the processing and storage of personal data. Article 33 of the GDPR states that a Controller must report breaches to the Supervisory Authority. The Controller must submit the report within 72 hours of discovery of the breach.
If a Processor becomes aware of a breach, the Processor must notify the Controller thereof without undue delay. The notification must describe the nature of the breach. Article 33 of the GDPR states what the notification must include at a minimum. For example, the notification must include a description of the likely consequences of the breach.
GDPR Agreements for companies
Companies need to have several different agreements and documents to comply with the GDPR.
Some common agreements and documents within the GDPR are: Privacy Policy, Data Processing Agreement, Records of processing activities and Logbooks.