EU issues draft guidance on data breach handling
11/01/2018

There has been much discussion of the changes that companies processing personal data must implement under the GDPR. One of those changes is the obligation to notify personal data breaches to the national data protection authority (“DPA”).

Fortunately, the Article 29 Working Party (“WP29”), the EU data protection advisory body, provided guidance on 3 October 2017 clarifying the scope of this notification obligation.

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Such a breach may require notification to the DPA and, in some cases, communication to the affected data subjects.

Notification to the DPA is not required when the data breach is unlikely to result in a risk to the rights and freedoms of natural persons. For example, if the breached personal data is already publicly available, its disclosure will probably not constitute a risk to the data subjects. Note, however, that every personal data breach, whether notified or not, must be documented internally (facts, effects and remedial action taken) so that the DPA can verify compliance.

If notification is required, the data controller must inform the DPA without undue delay and, where feasible, within 72 hours of becoming aware of the breach; if the notification is made later than 72 hours, it must be accompanied by the reasons for the delay. Data controllers are allowed a short period to investigate, but the notification period starts as soon as there is a reasonable degree of certainty that a data breach has occurred, or once their data processor has become aware of it. Notification in phases is allowed when certain information (e.g. the exact number of affected data subjects) is not known at the time of the first notification but becomes available after further investigation.

Further, except under particular circumstances, the data controller must also inform the data subjects where the breach is likely to result in a high risk to their rights and freedoms.

Non-compliance with the obligation to notify personal data breaches may be punished with an administrative fine of up to EUR 10,000,000 or, in the case of an undertaking, 2% of its total worldwide annual turnover of the preceding financial year, whichever is higher (the higher tier of EUR 20,000,000 or 4% applies to other infringements, such as breaches of the basic processing principles).

Therefore, the following three action points are crucial for any data controller:

1. Bind your data processors contractually (i.e. in the data processing/transfer agreement) to inform you of a data breach immediately (e.g. within 12 hours) after they have become aware of it; the GDPR itself only requires processors to notify the controller “without undue delay”, so a concrete deadline protects your own 72-hour window.

2. Take into account the criteria set out by ENISA in its methodology for assessing the severity of personal data breaches when assessing the severity of a data breach (and, consequently, whether notification is required).

3. Roll out appropriate policies and procedures to handle data security and data breaches (e.g. a data breach policy, a data breach handling procedure, a data security incident response team) and raise awareness among employees (e.g. through training).

AnneMichèle Goris

Junior Associate, Brussels

annemichele.goris@cms-db.com

Tom De Cordier

Partner, Brussels

tom.decordier@cms-db.com

See also: CMS Belgium
