Adopted on 14 December 2021 - Version 2.0 - Go to official PDF version

Version history

THE EUROPEAN DATA PROTECTION BOARD Having regard to Article 70 (1e) of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, (hereinafter “GDPR”), Having regard to the EEA Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA joint Committee No 154/2018 of 6 July 2018, Having regard to Article 12 and Article 22 of its Rules of Procedure, Having regard to the Communication from the Commission to the European Parliament and the Council titled Data Protection as a pillar of citizens’ empowerment and the EU’s approach to the digital transition - two years of application of the General Data Protection Regulation,

HAS ADOPTED THE FOLLOWING GUIDELINES

1. INTRODUCTION

1. The GDPR introduces, in certain cases, the requirement for a personal data breach to be notified to the competent national supervisory authority (hereinafter “SA”) and to communicate the breach to the individuals whose personal data have been affected by the breach (Articles 33 and 34).
2. The Article 29 Working Party already produced a general guidance on data breach notification in October 2017, analysing the relevant Sections of the GDPR (Guidelines on Personal data breach notification under Regulation 2016/679, WP 250) (hereinafter “Guidelines WP250”). However, due to its nature and timing, this guideline did not address all practical issues in sufficient detail. Therefore, the need has arisen for a practice-oriented, case-based guidance, that utilizes the experiences gained by SAs since the GDPR is applicable.
3. This document is intended to complement the Guidelines WP 250 and it reflects the common experiences of the SAs of the EEA since the GDPR became applicable. Its aim is to help data controllers in deciding how to handle data breaches and what factors to consider during risk assessment.
4. As part of any attempt to address a breach the controller and processor should first be able to recognize one. The GDPR defines a “personal data breach” in Article 4(12) as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
5. In its Opinion 03/2014 on breach notification and in its Guidelines WP 250, WP29 explained that breaches can be categorised according to the following three well-known information security principles:

• “Confidentiality breach” - where there is an unauthorised or accidental disclosure of, or access to, personal data;
• “Integrity breach” - where there is an unauthorised or accidental alteration of personal data; and
• “Availability breach” - where there is an accidental or unauthorised loss of access to, or destruction of, personal data.

1. A breach can potentially have a range of significant adverse effects on individuals, which can result in physical, material, or non-material damage. The GDPR explains that this can include loss of control over their personal data, limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, and loss of confidentiality of personal data protected by professional secrecy. It can also include any other significant economic or social disadvantage to those individuals. One of the most important obligation of the data controller is to evaluate these risks to the rights and freedoms of data subjects and to implement appropriate technical and organizational measures to address them.
2. Accordingly, the GDPR requires the controller to:

• document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken;
• notify the personal data breach to the supervisory authority, unless the data breach is unlikely to result in a risk to the rights and freedoms of natural persons;
• communicate the personal data breach to the data subject when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.

1. Data breaches are problems in and of themselves, but they may be also symptoms of a vulnerable, possibly outdated data security regime, they may also indicate system weaknesses to be addressed. As a general truth, it is always better to prevent data breaches by preparing in advance, since several consequences of them are by nature irreversible. Before a controller can fully assess the risk arising from a breach caused by some form of attack, the root cause of the issue should be identified, in order to identify whether any vulnerabilities that gave rise to the incident are still present, and are still therefore exploitable. In many cases the controller is able to identify that the incident is likely to result in a risk, and is therefore to be notified. In other cases the notification does not need to be postponed until the risk and impact surrounding the breach has been fully assessed, since the full risk assessment can happen in parallel to notification, and the information thus gained may be provided to the SA in phases without undue further delay.