IT Glossary
A personal data breach is a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data that is transmitted, stored or otherwise processed.
A personal data breach can cause physical, material or moral damage to the persons concerned.
The potential consequences are numerous:
- Loss of control over data;
- Limitation of data subjects’ rights;
- Discrimination;
- Identity theft or impersonation;
- Direct or indirect financial loss;
- Damage to reputation;
- Loss of confidentiality of data protected by professional secrecy…
Thus, any data breach must be notified by the data controller to the competent supervisory authority as soon as possible, and in any event within seventy-two hours of its discovery, unless the controller can demonstrate that the breach is unlikely to give rise to a risk to the rights and freedoms of the natural persons concerned.
The supervisory authority may then have to intervene in accordance with its tasks and powers, in particular by requesting more information from the controller or by implementing a control procedure.
The data controller shall also communicate the data breach directly to the data subjects as soon as possible when it considers that the breach is reasonably likely to result in a high risk to their rights and freedoms.
Where appropriate, the supervisory authority has the power to order the controller to notify the data subject of a personal data breach.
The need to mitigate an immediate risk of harm may justify prompt communication to the individuals concerned, whereas the need to implement appropriate measures to stop the ongoing personal data breach, or to prevent similar breaches, may justify a longer period before disclosure.
GDPR Point
“The notification referred to in paragraph 1 shall at least:
- describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
- describe the likely consequences of the personal data breach;
- describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.”
Article 33(3) of the GDPR
Point of jurisprudence
The Dutch supervisory authority has fined BOOKING.COM BV €475,000 for late notification of a data breach. The authority states that “an investigation into the exact scope and merits of a violation may take more than 72 hours. Since it is not always possible to obtain all the necessary information about a violation in order to make a notification that meets all the requirements of Article 33 […], the possibility of a phased notification is possible.”
Autoriteit Persoonsgegevens, 10 December 2020
The Bouchara Law firm assists you in particular in:
- Making your organization GDPR compliant;
- The drafting of data protection policies (privacy policy, computer charter…);
- Documentation of your processing (register of processing activities, register of breaches, privacy impact analysis, prior consultation…);
- Obtaining certifications and adhering to codes of conduct;
- The study of the legal feasibility of the implementation of a new personal data processing;
- The drafting and transmission of your codes of conduct to the CNIL for approval;
- Legal analysis of the compliance of your data processing, including data transfers outside the European Economic Area;
- Drafting and negotiating your data processing agreements (DPA);
- Drafting your Binding Corporate Rules (BCR) and Codes of Conduct;
- Training and awareness of your employees.
We are also the external Data Protection Officer of many data processors and subcontractors.