Article 34 GDPR: Difference between revisions
(style consistency) |
|||
Line 206: | Line 206: | ||
==Commentary== | ==Commentary== | ||
Article 34 GDPR | Article 34 GDPR imposes an obligation on the controller to inform affected data subjects of a data breach which is likely to result in a high risk to the rights and freedoms of natural persons. It is important to note that this obligation to notify data subjects exists independently from any obligation to notify the relevant supervisory authority under [[Article 33 GDPR]]. As with that provision, there was no equivalent to Article 34 GDPR in the Data Protection Directive 95/46/EC. Additionally, Article 17 thereof was the only comparable provision, requiring controllers to take adequate measures to protect personal data from breaches.<ref>''Burton'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 34 GDPR, p. 656 (Oxford University Press 2020).</ref> It is important to highlight that according to [[Article 23 GDPR]], Union or Member State law may restrict the obligations and rights outlined in Article 34 GDPR. As a result, several Member States have adopted their own rules on communicating a breach to affected data subjects.<ref>''Burton'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 34 GDPR, p. 658 (Oxford University Press 2020). Moreover, see the commentary on [https://gdprhub.eu/Article%2023%20GDPR Article 23 GDPR] for further guidance on conditions for restricting the scope of obligations and rights.</ref> Further, Recital 86 GDPR provides that the obligation imposed controllers to communicate the breach to data subjects may be affected by the guidance of a Member State’s law-enforcement authority. Recital 88 GDPR goes on to mention that rules and procedures on notification should “''take into account the legitimate interest of law enforcement authorities''” to ensure that disclosure does not hinder any ongoing investigation of the data breach. 
However, it should be noted that Recital 88 GDPR refers to “''notification''” and not “''communication''”. Certain authors do not make this distinction. For instance, ''Burton'' presumes that Recital 88 GDPR applies to Article 34 GDPR in the same manner as it does to [[Article 33 GDPR]].<ref>''Burton'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 34 GDPR, p. 662 (Oxford University Press 2020).</ref> Nonetheless, the lack of mention of “''communication''” should not be overlooked. Indeed, Recital 88 GDPR's wording suggests that it is only relevant to [[Article 33 GDPR]] (“''Notification''...”) and not Article 34 GDPR (“''Communication''...”). | ||
=== (1) Controller Action in the Event of a Personal Data Breach === | |||
Article 34(1) GDPR makes it clear that not all breaches must be communicated to data subjects. However, it is apparent from the provision’s wording that there is an obligation imposed on the controller to communicate the personal data breach to data subjects when it is likely to result in a high risk to the rights and freedoms of natural persons. | |||
=== (1) | |||
Article 34(1) GDPR makes it clear that not all breaches must be communicated to | |||
==== Personal Data Breach ==== | ==== Personal Data Breach ==== | ||
“''Personal data breach''” should be defined from the outset, before establishing the point at which a | “''Personal data breach''” should be defined from the outset, before establishing the point at which a controller has a duty to notify the competent supervisory authority of such a breach.<ref>On this point,see [[Article 33 GDPR]].</ref> | ||
==== Condition of a “High Risk” ==== | ==== Condition of a “High Risk” ==== | ||
Article 34(1) GDPR differs from [[Article 33 GDPR]]. Instead of having to notify the supervisor authority of a breach that leads to any kind of risk to | Article 34(1) GDPR differs from [[Article 33 GDPR]]. Instead of having to notify the supervisor authority of a breach that leads to any kind of risk to data subjects, the controller only has the obligation to communicate a breach to them where it may lead to a “''high'' ''risk to the rights and freedoms of natural persons''”. The threshold for communicating the breach to data subjects concerned is therefore higher than in Article 33 GDPR. This choice has been argued to be reasonable, as this higher threshold was deemed necessary to avoid data subjects to suffer from a “''fatigue''” caused by the receipt of warnings for every breach of the GDPR.<ref>''Bensoussan'', Reglement europeen sur la protection des donnees, p. 255. (Bruylant 2017).</ref> The controller has to assess the level of risk which may ensue to data subjects as a result of a breach. According to the WP29 Guidelines, whether a data breach creates a ‘high risk’ should be assessed in light of the specific circumstances in each case. As with [[Article 33 GDPR]], this is an objective assessment conducted on the basis of the likelihood and severity of a negative impact on the rights and freedoms of natural persons.<ref>WP29, ‘Guidelines on Personal data breach notification under Regulation 2016/679’, 18/EN WP250 rev.01, 3 October 2017, p. 
8 (available [https://ec.europa.eu/newsroom/article29/redirection/document/49827 here]).</ref> Examples of ‘high risk’ situations include, inter alia, a cyberattack on an online marketplace where usernames, passwords and purchase history are made public; a cyberattack on a hospital resulting in medical records being made inaccessible; or where personal data was mistakenly sent to a wrong mailing list (with over a thousand recipients).<ref>WP29, ‘Guidelines on Personal data breach notification under Regulation 2016/679’, 18/EN WP250 rev.01, 3 October 2017, pp. 31-33 (available [https://ec.europa.eu/newsroom/article29/redirection/document/49827 here]).</ref> However, Bensoussan correctly suggests that the enforcement of Article 34 GDPR is likely to be difficult as the controller is the entity making the assessment of the level of the risk.<ref>''Bensoussan'', Reglement europeen sur la protection des donnees, p. 255. (Bruylant 2017).</ref> | ||
The | |||
Bensoussan | |||
==== Communication to the Data Subject ==== | ==== Communication to the Data Subject ==== | ||
Another | Another requirement established by Article 34(1) GDPR is that controllers must notify data subjects of a data breach “''without undue delay''”. The WP29 Guidelines interpret this as “''as soon as possible''”<ref>WP29, ‘Guidelines on Personal data breach notification under Regulation 2016/679’, 18/EN WP250 rev.01, 3 October 2017, p. 20 (available [https://ec.europa.eu/newsroom/article29/redirection/document/49827 here]).</ref> or “''as soon as reasonably feasible''” (within the meaning Recital 86 GDPR). However, Article 34 GDPR does not provide a specific deadline of 72 hours as is the case in [[Article 33 GDPR]]. Instead, timelines will be assessed depending on the nature and gravity of the breach itself, as well as the level of risk to natural persons.<ref>See Recital 85.</ref> This is apparent from Recital 86 GDPR, which provides an example of a scenario where the timeliness condition will be different: “''the need to mitigate an immediate risk of damage would call for prompt communication with data subjects whereas the need to implement appropriate measures against continuing or similar personal data breaches may justify more time for communication.''” Similarly, Recital 88 GDPR indicates that communication to data subjects may be delayed to preserve the integrity of an investigation led by a law-enforcement authority into the circumstances of the breach. In this context, it is noteworthy that as there is not specific deadline of 72 hours, the question of when this time limit formally begins does not arise.<ref>See Article 33 for a discussion on the moment where a data controller becomes “''aware''” of a data breach, triggering the notification obligation.</ref> | ||
Instead, | |||
In this context, it is | |||
=== (2) Requirements of the Communication=== | === (2) Requirements of the Communication=== | ||
Article 34(2) GDPR sets out certain formal requirements on how controllers must communicate the data breach to data subjects. | |||
==== Language to be Used ==== | ==== Language to be Used ==== | ||
Article 34(2) GDPR | First, Article 34(2) GDPR states that controllers must use “''clear and plain language''” when explaining the nature of the breach to data subjects. This requirement nonetheless does not seem to apply to the remainder of the sentence in Article 34(2) GDPR. As such, it does not specify the type of language to be used when outlining other “''information and measures''” that must also be provided to data subjects. | ||
==== Details to Communicate ==== | ==== Details to Communicate ==== | ||
Article 34(2) GDPR stipulates that the information that must be communicated to | Article 34(2) GDPR stipulates that the information that must be communicated to data subjects, in addition to a clear description of the “''nature''” of the breach, is outlined in [[Article 33 GDPR|Article 33(3)(b)-(d) GDPR]]. Controller must therefore: (i) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained; (ii) describe the likely consequences of the personal data breach; and (iii) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects''.''<ref>The WP29 Guidelines provide examples of measures that can be taken to address the breach of mitigate the adverse effects. These notably include, letting the data subject know that it has received advice from the relevant supervisory authority. See WP29, ‘Guidelines on Personal data breach notification under Regulation 2016/679’, 18/EN WP250 rev.01, 3 October 2017, p. 20 (available [https://ec.europa.eu/newsroom/article29/redirection/document/49827 here]).</ref> | ||
As indicated by the phrase “''at least''” found under Article 34(2) GDPR, this list of information to be provided to data subjects is non-exhaustive. Recital 86 GDPR outlines that the controller ''“should''” provide “''recommendations for the natural person concerned to mitigate potential adverse effects''”. The information given to data subjects should therefore enable them to take any “''necessary precautions''”, which, although not directly mentioned by [[Article 33 GDPR|Article 33(3)(b)-(d) GDPR]] could be shared as additional information by the controller. | |||
The information that must be given to data subjects following a high risk breach must enable them to take any steps to protect themselves.<span lang="EN-GB">Article 34 GDPR imposes an obligation on the | |||
controller to inform affected data subjects of a data breach which is likely to | |||
result in a high risk to the rights and freedoms of natural persons. It is | |||
important to note that this obligation to notify data subjects exists | |||
independently from any obligation to notify the relevant supervisory authority | |||
under </span> This position adopted by the WP29 is supported by the text in Recital 86 GDPR: “''The controller should communicate to the data subject a personal data breach … in order to allow him or her to take the necessary precautions''”. Thus, Article 34 GDPR attempts to empower data subjects even in the event of a personal data breach that affects them | |||
==== Method of Communicating ==== | ==== Method of Communicating ==== | ||
Article 34 GDPR should be understood as requiring the | Article 34 GDPR should be understood as requiring the controller to communicate the data breach to data subjects directly. According to the WP29 Guidelines, such “''dedicated messages''” must be clear and transparent. The WP29 explains controllers can communicate transparently through methods such as direct messaging (e.g. email, SMS or direct message), a website banner which draws the user’s attention, postal communication, or print media. Moreover, controllers can decide to rely on multiple communication methods depending on the gravity of the breach. It may additionally be necessary to make the communication available in the affected data subjects’ language. This language can be determined on the basis of previous communication between the controllers and data subjects or, where this is not applicable, according to the national language where the data subjects reside. The requirement of transparency makes it clear that a communication of the breach should not be hidden within a regular or obscure communication channel, such as a newsletter, standard message, or corporate blog.<ref>WP29, Guidelines on Personal data breach notification under Regulation 2016/679 (WP250rev.01), 3 October 2017, p. 21 (available [https://ec.europa.eu/newsroom/article29/redirection/document/49827 here]).</ref> | ||
The requirement of transparency makes it clear that a communication of the breach should not be hidden within a regular or obscure communication channel | |||
=== (3) Exemptions from the Obligation to Communicate to the Data Subject === | === (3) Exemptions from the Obligation to Communicate to the Data Subject === | ||
Article 34(3) GDPR | Article 34(3) GDPR lists certain exemptions from the controller’s obligation to communicate the breach to data subjects concerned. The three exhaustive circumstances in which the controller is not required to communicate a breach are where: (a) it has “''appropriate technical and organisational protection measures''” in place. Such measures must be triggered and make the data concerned by the breach unintelligible to non-authorised persons. For example, this includes measures taken to encrypt the data (Article 34(3)(a) GDPR);<ref>The encryption must be "state-of-the-art".</ref> (b) it takes “''subsequent measures''” that diminish the likelihood that a high risk to the rights and freedoms of the person concerned materialises (Article 34(3)(b) GDPR). According to the WP29 Guidelines, “''subsequent''” measures should be interpreted as immediate measures; (c) this would demand a disproportionate effort from the controller. Article 34(3)(c) GDPR specifies that in such cases, a public communication to inform the data subjects is sufficient. The WP29 suggests that “''technical arrangements''” must nonetheless be taken to ensure that data subjects can access further information upon request.<ref>See WP29, ‘Guidelines on Personal data breach notification under Regulation 2016/679’, 18/EN WP250 rev.01, 3 October 2017, p. 22 (available [https://ec.europa.eu/newsroom/article29/redirection/document/49827 here]).]</ref> According to Burton, the burden of proof falls on the controller to demonstrate that any of the aforementioned exemptions apply.<ref>In our translation: "''Data controllers will have to be able to demonstrate to DPAs that any of these conditions applies''". See, ''Burton'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 34 GDPR, p. 662 (Oxford University Press 2020).</ref> | ||
(b) | |||
(c) | |||
According to Burton, the burden of proof falls on the | |||
==== Implications for a Data Processor ==== | ==== Implications for a Data Processor ==== | ||
There | There are no specific obligations imposed on processors relating to the communication of the breach to data subjects. Under [[Article 33 GDPR|Article 33(2) GDPR]], processors have to notify controllers “''without undue delay''” where they identify a personal data breach.<ref>See Commentary on [https://gdprhub.eu/Article%2033%20GDPR Article 33 GDPR].</ref> However, any additional obligation to notify data subjects of a “''high risk''” to their rights and freedoms only falls upon the controller. [[Article 28 GDPR|Article 28(3) GDPR]] nonetheless explains the role of processors in such situations. According to the provision, services provided to a controller by a processor must be “''governed by a contract or other legal act''”. In addition, [[Article 28 GDPR|Article 28(3)(f) GDPR]] specifically requires that this contract or legal act stipulate that the processor “''shall''” support the controller in ensuring compliance with obligations found under [[Article 32 GDPR|Article 32 to 36 GDPR]]. Thus, a contract between these parties can specify how the processor can support the controller in respecting the latter’s obligation to communicate the breach as per Article 34 GDPR. | ||
=== (4) Involvement of the Supervisory Authority === | === (4) Involvement of the Supervisory Authority === | ||
As mentioned previously, the threshold of risk to trigger Article 34 GDPR is higher than in [[Article 33 GDPR]]. It is possible to deduce from this condition that wherever | As mentioned previously, the threshold of risk to trigger Article 34 GDPR is higher than in [[Article 33 GDPR]]. It is possible to deduce from this condition that wherever controllers have an obligation to communicate a data breach to data subjects under Article 34 GDPR, they will already have notified the relevant supervisory authority in accordance with [[Article 33 GDPR|Article 33(1) GDPR]].<ref>Notifying the relevant supervisory is an obligation under Article 33 GDPR in cases of a “''risk''”, not just in cases of a “''high risk''”.</ref> Thus, since the supervisory authority should be aware of the data breach, it can also be involved in the controller’s procedure for communicating the breach to affected data subjects as required under Article 34(1) GDPR. Accordingly, Article 34(4) GDPR suggests that the supervisory authority can play a determinative role in indicating that there is a “''high risk''” to the rights and freedoms of natural persons. As highlighted in this paragraph, the notified supervisory authority can instruct the controller to communicate the breach to the affected data subjects.<ref>In accordance with [https://gdprhub.eu/Article%2033%20GDPR Article 33 GDPR].</ref> The supervisory authority can also decide whether any of the exemptions under Article 34(3) GDPR apply, relieving the controller from its obligation to communicate the personal data breach to affected individuals. Finally, the supervisory authority’s involvement can include the provision of advice to the controller. This advice can relate to the assessment of the risk to the data subjects. For example, the French DPA (CNIL) provides a tool to help controllers assess the gravity of personal data breaches.<ref>''Bensoussan'', Reglement europeen sur la protection des donnees, p. 255. 
(Bruylant 2017).</ref> The relevant supervisory authority can also provide advice on the method of communicating the breach to data subjects, such as how to identify an adequate channel to notify them, the language to communicate in, and what kind of message to send.<ref>WP29, ‘Guidelines on Personal data breach notification under Regulation 2016/679’, 18/EN WP250 rev.01, 3 October 2017, p. 21 (available [https://ec.europa.eu/newsroom/article29/redirection/document/49827 here]).</ref> | ||
Accordingly, Article 34(4) GDPR suggests that the supervisory authority can play a determinative role in indicating that there is a “''high risk''” to the rights and freedoms of natural persons. As | |||
Finally, | |||
==Decisions== | ==Decisions== | ||
→ You can find all related decisions in [[:Category:Article 34 GDPR]] | → You can find all related decisions in [[:Category:Article 34 GDPR]] |
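Review bot: In the "Details to Communicate" paragraph, the new revision carries a pasted `<span lang="EN-GB">` block that repeats the opening of the Commentary ("Article 34 GDPR imposes an obligation on the controller …") and breaks off after "under", in the middle of the paragraph about enabling data subjects to protect themselves. The edit summary is "style consistency", so this looks unintended. Suggest removing the span so that "This position adopted by the WP29 is supported by …" follows directly after "… to protect themselves." Suggest also ending the final sentence of that paragraph ("… that affects them") with a full stop. Smaller points in the same revision: the reference in the exemptions paragraph ends with a stray bracket ("here]).]"), the "Personal Data Breach" reference reads "On this point,see" without a space, and "supervisor authority" under "Condition of a “High Risk”" should be "supervisory authority".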
Revision as of 10:12, 28 April 2022
Legal Text
1. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
2. The communication to the data subject referred to in paragraph 1 of this Article shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in points (b), (c) and (d) of Article 33(3).
3. The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met:
- (a) the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
- (b) the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise;
- (c) it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
4. If the controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to in paragraph 3 are met.
Relevant Recitals
Commentary
Article 34 GDPR imposes an obligation on the controller to inform affected data subjects of a data breach which is likely to result in a high risk to the rights and freedoms of natural persons. It is important to note that this obligation to notify data subjects exists independently from any obligation to notify the relevant supervisory authority under Article 33 GDPR. As with that provision, there was no equivalent to Article 34 GDPR in the Data Protection Directive 95/46/EC. Additionally, Article 17 thereof was the only comparable provision, requiring controllers to take adequate measures to protect personal data from breaches.[1] It is important to highlight that according to Article 23 GDPR, Union or Member State law may restrict the obligations and rights outlined in Article 34 GDPR. As a result, several Member States have adopted their own rules on communicating a breach to affected data subjects.[2] Further, Recital 86 GDPR provides that the obligation imposed on controllers to communicate the breach to data subjects may be affected by the guidance of a Member State’s law-enforcement authority. Recital 88 GDPR goes on to mention that rules and procedures on notification should “take into account the legitimate interest of law enforcement authorities” to ensure that disclosure does not hinder any ongoing investigation of the data breach. However, it should be noted that Recital 88 GDPR refers to “notification” and not “communication”. Certain authors do not make this distinction. For instance, Burton presumes that Recital 88 GDPR applies to Article 34 GDPR in the same manner as it does to Article 33 GDPR.[3] Nonetheless, the lack of mention of “communication” should not be overlooked. Indeed, Recital 88 GDPR's wording suggests that it is only relevant to Article 33 GDPR (“Notification...”) and not Article 34 GDPR (“Communication...”).
(1) Controller Action in the Event of a Personal Data Breach
Article 34(1) GDPR makes it clear that not all breaches must be communicated to data subjects. However, it is apparent from the provision’s wording that there is an obligation imposed on the controller to communicate the personal data breach to data subjects when it is likely to result in a high risk to the rights and freedoms of natural persons.
Personal Data Breach
“Personal data breach” should be defined from the outset, before establishing the point at which a controller has a duty to notify the competent supervisory authority of such a breach.[4]
Condition of a “High Risk”
Article 34(1) GDPR differs from Article 33 GDPR. Instead of having to notify the supervisory authority of a breach that leads to any kind of risk to data subjects, the controller only has the obligation to communicate a breach to them where it may lead to a “high risk to the rights and freedoms of natural persons”. The threshold for communicating the breach to data subjects concerned is therefore higher than in Article 33 GDPR. This choice has been argued to be reasonable, as this higher threshold was deemed necessary to prevent data subjects from suffering a “fatigue” caused by the receipt of warnings for every breach of the GDPR.[5] The controller has to assess the level of risk which may ensue to data subjects as a result of a breach. According to the WP29 Guidelines, whether a data breach creates a ‘high risk’ should be assessed in light of the specific circumstances in each case. As with Article 33 GDPR, this is an objective assessment conducted on the basis of the likelihood and severity of a negative impact on the rights and freedoms of natural persons.[6] Examples of ‘high risk’ situations include, inter alia, a cyberattack on an online marketplace where usernames, passwords and purchase history are made public; a cyberattack on a hospital resulting in medical records being made inaccessible; or where personal data was mistakenly sent to a wrong mailing list (with over a thousand recipients).[7] However, Bensoussan correctly suggests that the enforcement of Article 34 GDPR is likely to be difficult as the controller is the entity making the assessment of the level of the risk.[8]
Communication to the Data Subject
Another requirement established by Article 34(1) GDPR is that controllers must notify data subjects of a data breach “without undue delay”. The WP29 Guidelines interpret this as “as soon as possible”[9] or “as soon as reasonably feasible” (within the meaning of Recital 86 GDPR). However, Article 34 GDPR does not provide a specific deadline of 72 hours as is the case in Article 33 GDPR. Instead, timelines will be assessed depending on the nature and gravity of the breach itself, as well as the level of risk to natural persons.[10] This is apparent from Recital 86 GDPR, which provides an example of a scenario where the timeliness condition will be different: “the need to mitigate an immediate risk of damage would call for prompt communication with data subjects whereas the need to implement appropriate measures against continuing or similar personal data breaches may justify more time for communication.” Similarly, Recital 88 GDPR indicates that communication to data subjects may be delayed to preserve the integrity of an investigation led by a law-enforcement authority into the circumstances of the breach. In this context, it is noteworthy that as there is no specific deadline of 72 hours, the question of when this time limit formally begins does not arise.[11]
(2) Requirements of the Communication
Article 34(2) GDPR sets out certain formal requirements on how controllers must communicate the data breach to data subjects.
Language to be Used
First, Article 34(2) GDPR states that controllers must use “clear and plain language” when explaining the nature of the breach to data subjects. This requirement nonetheless does not seem to apply to the remainder of the sentence in Article 34(2) GDPR. As such, it does not specify the type of language to be used when outlining other “information and measures” that must also be provided to data subjects.
Details to Communicate
Article 34(2) GDPR stipulates that the information that must be communicated to data subjects, in addition to a clear description of the “nature” of the breach, is outlined in Article 33(3)(b)-(d) GDPR. The controller must therefore: (i) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained; (ii) describe the likely consequences of the personal data breach; and (iii) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.[12]
As indicated by the phrase “at least” found under Article 34(2) GDPR, this list of information to be provided to data subjects is non-exhaustive. Recital 86 GDPR outlines that the controller “should” provide “recommendations for the natural person concerned to mitigate potential adverse effects”. The information given to data subjects should therefore enable them to take any “necessary precautions”, which, although not directly mentioned by Article 33(3)(b)-(d) GDPR, could be shared as additional information by the controller.
The information that must be given to data subjects following a high risk breach must enable them to take any steps to protect themselves. This position adopted by the WP29 is supported by the text in Recital 86 GDPR: “The controller should communicate to the data subject a personal data breach … in order to allow him or her to take the necessary precautions”. Thus, Article 34 GDPR attempts to empower data subjects even in the event of a personal data breach that affects them.
Method of Communicating
Article 34 GDPR should be understood as requiring the controller to communicate the data breach to data subjects directly. According to the WP29 Guidelines, such “dedicated messages” must be clear and transparent. The WP29 explains controllers can communicate transparently through methods such as direct messaging (e.g. email, SMS or direct message), a website banner which draws the user’s attention, postal communication, or print media. Moreover, controllers can decide to rely on multiple communication methods depending on the gravity of the breach. It may additionally be necessary to make the communication available in the affected data subjects’ language. This language can be determined on the basis of previous communication between the controllers and data subjects or, where this is not applicable, according to the national language where the data subjects reside. The requirement of transparency makes it clear that a communication of the breach should not be hidden within a regular or obscure communication channel, such as a newsletter, standard message, or corporate blog.[13]
(3) Exemptions from the Obligation to Communicate to the Data Subject
Article 34(3) GDPR lists certain exemptions from the controller’s obligation to communicate the breach to data subjects concerned. The three exhaustive circumstances in which the controller is not required to communicate a breach are where: (a) it has “appropriate technical and organisational protection measures” in place. Such measures must be triggered and make the data concerned by the breach unintelligible to non-authorised persons. For example, this includes measures taken to encrypt the data (Article 34(3)(a) GDPR);[14] (b) it takes “subsequent measures” that diminish the likelihood that a high risk to the rights and freedoms of the person concerned materialises (Article 34(3)(b) GDPR). According to the WP29 Guidelines, “subsequent” measures should be interpreted as immediate measures; (c) this would demand a disproportionate effort from the controller. Article 34(3)(c) GDPR specifies that in such cases, a public communication to inform the data subjects is sufficient. The WP29 suggests that “technical arrangements” must nonetheless be taken to ensure that data subjects can access further information upon request.[15] According to Burton, the burden of proof falls on the controller to demonstrate that any of the aforementioned exemptions apply.[16]
Implications for a Data Processor
There are no specific obligations imposed on processors relating to the communication of the breach to data subjects. Under Article 33(2) GDPR, processors have to notify controllers “without undue delay” where they identify a personal data breach.[17] However, any additional obligation to notify data subjects of a “high risk” to their rights and freedoms only falls upon the controller. Article 28(3) GDPR nonetheless explains the role of processors in such situations. According to the provision, services provided to a controller by a processor must be “governed by a contract or other legal act”. In addition, Article 28(3)(f) GDPR specifically requires that this contract or legal act stipulate that the processor “shall” support the controller in ensuring compliance with obligations found under Articles 32 to 36 GDPR. Thus, a contract between these parties can specify how the processor can support the controller in respecting the latter’s obligation to communicate the breach as per Article 34 GDPR.
(4) Involvement of the Supervisory Authority
As mentioned previously, the threshold of risk to trigger Article 34 GDPR is higher than in Article 33 GDPR. It is possible to deduce from this condition that wherever controllers have an obligation to communicate a data breach to data subjects under Article 34 GDPR, they will already have notified the relevant supervisory authority in accordance with Article 33(1) GDPR.[18] Thus, since the supervisory authority should be aware of the data breach, it can also be involved in the controller’s procedure for communicating the breach to affected data subjects as required under Article 34(1) GDPR. Accordingly, Article 34(4) GDPR suggests that the supervisory authority can play a determinative role in indicating that there is a “high risk” to the rights and freedoms of natural persons. As highlighted in this paragraph, the notified supervisory authority can instruct the controller to communicate the breach to the affected data subjects.[19] The supervisory authority can also decide whether any of the exemptions under Article 34(3) GDPR apply, relieving the controller from its obligation to communicate the personal data breach to affected individuals. Finally, the supervisory authority’s involvement can include the provision of advice to the controller. This advice can relate to the assessment of the risk to the data subjects. For example, the French DPA (CNIL) provides a tool to help controllers assess the gravity of personal data breaches.[20] The relevant supervisory authority can also provide advice on the method of communicating the breach to data subjects, such as how to identify an adequate channel to notify them, the language to communicate in, and what kind of message to send.[21]
Decisions
→ You can find all related decisions in Category:Article 34 GDPR
References
- ↑ Burton, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 34 GDPR, p. 656 (Oxford University Press 2020).
- ↑ Burton, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 34 GDPR, p. 658 (Oxford University Press 2020). Moreover, see the commentary on Article 23 GDPR for further guidance on conditions for restricting the scope of obligations and rights.
- ↑ Burton, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 34 GDPR, p. 662 (Oxford University Press 2020).
- ↑ On this point, see Article 33 GDPR.
- ↑ Bensoussan, Reglement europeen sur la protection des donnees, p. 255. (Bruylant 2017).
- ↑ WP29, ‘Guidelines on Personal data breach notification under Regulation 2016/679’, 18/EN WP250 rev.01, 3 October 2017, p. 8 (available here).
- ↑ WP29, ‘Guidelines on Personal data breach notification under Regulation 2016/679’, 18/EN WP250 rev.01, 3 October 2017, pp. 31-33 (available here).
- ↑ Bensoussan, Reglement europeen sur la protection des donnees, p. 255. (Bruylant 2017).
- ↑ WP29, ‘Guidelines on Personal data breach notification under Regulation 2016/679’, 18/EN WP250 rev.01, 3 October 2017, p. 20 (available here).
- ↑ See Recital 85.
- ↑ See Article 33 for a discussion on the moment where a data controller becomes “aware” of a data breach, triggering the notification obligation.
- ↑ The WP29 Guidelines provide examples of measures that can be taken to address the breach or mitigate the adverse effects. These notably include letting the data subject know that it has received advice from the relevant supervisory authority. See WP29, ‘Guidelines on Personal data breach notification under Regulation 2016/679’, 18/EN WP250 rev.01, 3 October 2017, p. 20 (available here).
- ↑ WP29, Guidelines on Personal data breach notification under Regulation 2016/679 (WP250rev.01), 3 October 2017, p. 21 (available here).
- ↑ The encryption must be "state-of-the-art".
- ↑ See WP29, ‘Guidelines on Personal data breach notification under Regulation 2016/679’, 18/EN WP250 rev.01, 3 October 2017, p. 22 (available here).
- ↑ In our translation: "Data controllers will have to be able to demonstrate to DPAs that any of these conditions applies". See Burton, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 34 GDPR, p. 662 (Oxford University Press 2020).
- ↑ See Commentary on Article 33 GDPR.
- ↑ Notifying the relevant supervisory authority is an obligation under Article 33 GDPR in cases of a “risk”, not just in cases of a “high risk”.
- ↑ In accordance with Article 33 GDPR.
- ↑ Bensoussan, Reglement europeen sur la protection des donnees, p. 255. (Bruylant 2017).
- ↑ WP29, ‘Guidelines on Personal data breach notification under Regulation 2016/679’, 18/EN WP250 rev.01, 3 October 2017, p. 21 (available here).