Personal Data Controllers must report certain personal data breaches to a Supervisory Authority according to the GDPR. Moreover, the report must be made without undue delay and, where feasible, within 72 hoursfrom the time it has been discovered. In addition, the Controller must report the breach to the police, if it is a crime. However, the Controller do not need to report all personal data breaches according to the GDPR.
Article 4 (12) of the GDPR states the definition of a personal data breach. A personal data breach means a breach of security leading to the accidental or unlawful destruction of personal data. Unauthorised disclosure of, or access to, personal data that is being processed is also considered as a personal data breach.
An example of a breach is if a company sends an email containing personal data to the wrong person. Another example is if the Controller has shared personal data with unauthorized persons.
Report personal data breaches to Supervisory Authority
GDPR came into force in May 2018. And the GDPR sets high requirements when it comes to the processing and storage of personal data. Article 33 of the GDPR states that a Controller must report breaches to the Supervisory Authority. The Controller must submit the report within 72 hours of discovery of the breach.
If a Processor becomes aware of a breach, the Processor must without undue delay notify the Controller thereof. The notification must describe the nature of the breach.Article 33 of the GDPR states what the notification at least must include. For example, the notification must include a description of the likely consequences of the breach.
GDPR Agreements for companies
Companies need to have several different agreements and documents to comply with the GDPR.