Article 33 GDPR: Difference between revisions

From GDPRhub
 
|}


==Legal Text ==
<center>Article 33 - Notification of a personal data breach to the supervisory authority</center>




==== In case of personal data breach ====
It is important to define the notion of “''personal data breach''” before assessing when a controller’s duty to notify the competent supervisory authority arises. According to [[Article 4 GDPR|Article 4(12) GDPR]], a personal data breach is “''a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed''”. This wording clearly establishes a link with Article 32(2) GDPR, to which we refer.<blockquote><u>EDPB</u>: What is meant by “destruction” of personal data should be quite clear: this is where the data no longer exists, or no longer exists in a form that is of any use to the controller. “Damage” should also be relatively clear: this is where personal data has been altered, corrupted, or is no longer complete. In terms of “loss” of personal data, this should be interpreted as the data may still exist, but the controller has lost control or access to it, or no longer has it in its possession. Finally, unauthorised or unlawful processing may include disclosure of personal data to (or access by) recipients who are not authorised to receive (or access) the data, or any other form of processing which violates the GDPR.<ref>EDPB, Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, p. 7 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under_en here]).</ref></blockquote>Article 4(12) GDPR thereby confines the notification regime to security incidents that affect personal data. Once such a breach has occurred, the controller can no longer guarantee that the affected data are processed in accordance with the principles set out in Article 5 GDPR. While every personal data breach is therefore a security incident, not every security incident is a personal data breach, because some incidents do not affect the processing of personal data at all.<ref>EDPB, Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, p. 7-8 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under_en here]).</ref><blockquote><u>Example</u>: An intrusion into a test environment that contains only synthetic data is a security incident which the controller must still investigate and remediate, but, as no personal data are affected, it is not a personal data breach and does not by itself trigger Article 33 GDPR.</blockquote>The EDPB distinguishes three categories of personal data breach: a “''confidentiality breach''”, where there is an unauthorised or accidental disclosure of, or access to, personal data; an “''integrity breach''”, where there is an unauthorised or accidental alteration of personal data; and an “''availability breach''”, where there is an accidental or unauthorised loss of access to, or destruction of, personal data.<ref>[[Article 4 GDPR|Article 4(12) GDPR]] outlines that there is a personal data breach where there is: (1) a “''breach of security''”; (2) leading to the “''accidental''”, “''unlawful''” or “''unauthorised''”; (3) “''destruction''”, “''loss''”, “''alteration''”, “''disclosure of''”, or “''access to''”; and (4) “''personal data transmitted, stored or otherwise processed''”. This division in four parts rather than three emphasises that the breach can be accidental, unlawful or unauthorised and that it relates to previously processed personal data. See, ''Tosoni'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 4(12) GDPR, p. 191 (Oxford University Press 2020).</ref> A single breach may combine two or all three of these types.<ref>EDPB, Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, p. 8 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under_en here]).</ref>


==== The controller ====


==== Shall notify the breach to the supervisory authority ====
Once the controller has become aware of a personal data breach likely to “''result in a risk to the rights and freedoms of natural persons''” (see below), it must notify the “''supervisory authority competent in accordance with Article 55''”.<ref>As per Recital 87 GDPR, the supervisory authority may then intervene “''in accordance with its tasks and powers''” under Articles 55 to 59 GDPR.</ref> Where the breach occurs in the context of cross-border processing, the competent authority is the lead supervisory authority under Article 56 GDPR, namely the authority of the main establishment or of the single establishment of the controller or processor.<blockquote><u>EDPB</u>: This means that whenever a breach takes place in the context of cross-border processing and notification is required, the controller will need to notify the lead supervisory authority. Therefore, when drafting its breach response plan, a controller must make an assessment as to which supervisory authority is the lead supervisory authority that it will need to notify. This will allow the controller to respond promptly to a breach and to meet its obligations in respect of Article 33.<ref>EDPB, Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, p. 8 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under_en here]).</ref></blockquote>A controller that is not established in the EU but falls within the scope of Article 3(2) or Article 3(3) GDPR remains bound by the notification obligations of Articles 33 and 34 GDPR if it suffers a personal data breach. Since such a controller cannot rely on the one-stop-shop mechanism, it must notify the supervisory authority of every Member State in which affected data subjects reside.<ref>Similarly, "''where a processor is subject to Article 3(2) GDPR, it will be bound by the obligations on processors, of particular relevance here, the duty to notify a breach to the controller under Article 33(2) GDPR.''" See, EDPB, Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, p. 18 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under_en here]).</ref>


==== Without undue delay ====
Notification to the competent supervisory authority must occur “''without undue delay''” from the moment the controller becomes “''aware''” of a personal data breach carrying the relevant level of risk and, where feasible, not later than 72 hours thereafter. Controllers should treat this deadline seriously: its core purpose is to limit the damage to the natural persons affected by the breach.<ref>See Recital 85.</ref> <blockquote><u>Case-law</u>: The speed at which a controller notified the supervisory authority of a breach was a factor considered by the French DPA (CNIL) when assessing the level of a fine it sought to impose on a controller for the data breach. As a result of this decision, it is arguable that a timely response may be used to mitigate a fine.<ref>CNIL Deliberation SAN-2017-010, 18 July 2017 (available [https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000034899556/ here]).</ref></blockquote>According to Recital 87 GDPR, the assessment of whether the controller acted without undue delay “''should'' [take] ''into account in particular the nature and gravity of the personal data breach and its consequences and adverse effects''”. Although this suggests that the qualifier “''without undue delay''” is circumstance-specific, Article 33(1) GDPR provides a general rule to satisfy this obligation: ''“where feasible''”, the controller must notify the relevant authority within a maximum of 72 hours. In some instances, therefore, notification may legitimately take longer than 72 hours.<blockquote><u>EDPB</u>: Such a scenario might take place where, for example, a controller experiences multiple, similar confidentiality breaches over a short period of time, affecting large numbers of data subjects in the same way. A controller could become aware of a breach and, whilst beginning its investigation, and before notification, detect further similar breaches, which have different causes. 
Depending on the circumstances, it may take the controller some time to establish the extent of the breaches and, rather than notify each breach individually, the controller instead organises a meaningful notification that represents several very similar breaches, with possible different causes. This could lead to notification to the supervisory authority being delayed by more than 72 hours after the controller first becomes aware of these breaches.<ref>EDPB, Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, p. 16 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under_en here]). Recital 88 provides another example. Where a rapid notification would “''hamper''” an investigation conducted by law enforcement authorities, the controller has a valid reason for not complying with the general deadline in Article 33(1) GDPR. In particular, “[…] ''rules and procedures'' [concerning the format and procedures applicable to the notification of personal data breaches] ''should take into account the legitimate interests of law-enforcement authorities where early disclosure could unnecessarily hamper the investigation of the circumstances of a personal data breach”''.</ref></blockquote>The final sentence of Article 33(1) GDPR stipulates that, whether or not the delay is justified, a controller that fails to notify the supervisory authority within 72 hours shall provide “''reasons''” for the delay together with the notification. In other words, the controller must explain why notification within 72 hours was not feasible (Article 33(1) GDPR). Article 33(4) GDPR further allows the required information to be provided in phases where it cannot all be supplied at once, so uncertainty about the full extent of a breach is not in itself a reason to hold back the initial notification.


Controllers are sometimes tempted not to notify a breach because a notification may trigger an investigation by the competent supervisory authority, in particular into compliance with the security obligations of Article 32 GDPR. That calculation is misguided: a failure to notify is itself an infringement, which can lead to corrective measures and fines under Article 83(4)(a) GDPR in addition to any sanction for the underlying security failure.

==== Unless the breach is unlikely to result in a risk ====
The obligation to notify the competent supervisory authority of a personal data breach is not triggered where the breach is "''unlikely to'' ''result in a risk to the rights and freedoms of natural persons''”. The GDPR does not define what constitutes a “''risk to the rights and freedoms of natural persons''”. Recital 75 GDPR only outlines potential situations where such a risk is likely to materialise, such as identity theft, data subjects’ loss of control over their personal data or their inability to exercise related rights, amongst other situations.<ref>See Recital 75 GDPR for further examples.</ref> Some of these are reiterated in Recital 85 GDPR, which labels them “''physical, material or non-material damage to natural persons''”.<ref>It is noteworthy that Article 33(1) GDPR stipulates that the controller must assess the risk to “''natural persons''” rather than just “''data subjects''”. This suggests that the meaning of “''risk''” must be interpreted broadly and as affecting natural persons generally rather than just specific data subjects.</ref>


That said, controllers must objectively consider the likelihood<ref>Only the likelihood of a risk is required to trigger the notification obligation. Controllers therefore do not need to be certain that harm to individuals will materialise before taking steps to comply with Article 33 GDPR; they do, however, need a reasonable degree of certainty that a breach has occurred in order to be “''aware''” of it (see above).</ref> and severity of the impact of the breach on rights and freedoms, taking into account the following: (i) the type of breach;<ref>For instance, a confidentiality breach in which unauthorised parties gain access to medical information may have different consequences for an individual than an availability breach in which the same medical details are lost and can no longer be accessed.</ref> (ii) the nature, sensitivity and volume of the personal data;<ref>Typically, the risk to affected individuals increases with the sensitivity of the data involved. Health data, identity documents or financial information such as credit card details can each cause harm on their own, but in combination they also make identity theft more likely: several personal data elements together are generally more sensitive, and pose a greater risk, than a single one. Other personal data already available about the data subject should also be considered. The disclosure of a name and address would ordinarily be unlikely to cause significant harm, but if the name and address of an adoptive parent are disclosed to a birth parent, the consequences for both the adoptive parent and the child could be severe.</ref> (iii) the ease with which individuals can be identified;<ref>The breached data may enable direct or indirect identification; how likely that is depends on the circumstances of the breach and on what related personal information is publicly available. This factor is particularly relevant for confidentiality and availability breaches.</ref> (iv) the severity of the consequences for individuals;<ref>When certain categories of personal data are breached, the potential harm to individuals can be particularly severe, especially where the breach could lead to identity theft or fraud, physical harm, psychological distress, humiliation or damage to reputation. Vulnerable individuals may be at even greater risk.</ref> (v) whether the individuals affected are particularly vulnerable; (vi) whether the controller has a particular role that may entail a higher risk;<ref>A medical organisation processing special categories of personal data, for instance, faces a far higher potential for harm if that data is breached than a newspaper whose mailing list is breached. The nature of the data being processed is central to assessing the risks of a breach.</ref> and (vii) the number of individuals affected.<ref>A breach may affect anything from a single individual to thousands or more. A larger number of affected individuals generally means a greater overall impact, but a breach affecting one person can still have severe consequences, depending on the nature of the compromised data and the circumstances of the breach. What matters is the likelihood and severity of the impact on those affected.</ref>

Hence, when assessing the risk associated with a breach, the controller must consider both the potential severity of the impact on individuals' rights and freedoms and the likelihood of that impact occurring, and weigh the two together to determine the overall level of risk: the risk increases with the severity of the consequences and with the likelihood of their occurring. Where there is doubt, the controller should err on the side of caution and notify. Annex B of the EDPB Guidelines 9/2022 provides examples of breach scenarios that entail a risk or a high risk to individuals.<ref>On all the above, see EDPB, Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, pp. 24-26 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under_en here]).</ref> Even where the controller concludes that a breach is unlikely to result in a risk and therefore need not be notified, it must still document the breach, its effects and the remedial action taken under Article 33(5) GDPR, so that the supervisory authority can verify that assessment.<blockquote>
<u>EDPB</u>: A breach that would not require notification to the supervisory authority would be the loss of a securely encrypted mobile device, utilised by the controller and its staff. Provided the encryption key remains within the secure possession of the controller and this is not the sole copy of the personal data then the personal data would be inaccessible to an attacker. This means the breach is unlikely to result in a risk to the rights and freedoms of the data subjects in question. If it later becomes evident that the encryption key was compromised or that the encryption software or algorithm is vulnerable, then the risk to the rights and freedoms of natural persons will change and thus notification may now be required.<ref>EDPB, Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, p. 19 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under_en here]).</ref></blockquote>
=== (2) Processor's notification in the event of a personal data breach ===


==== After becoming aware of the breach ====
Article 33(2) GDPR instructs processors to notify controllers once they become “''aware''” of a personal data breach. The GDPR does not elaborate much on this provision, but the definition of “''aware''” likely reflects its meaning under Article 33(1) GDPR (see above).


==== Shall notify the data controller ====
According to Article 33(2) GDPR, the processor has the obligation to notify the controller, rather than the competent supervisory authority, of a data breach it is made aware of. This is an example of the assistance the processor is to give the controller under Article 28(3)(f) of the GDPR, "''in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the processor''."  


The contract between controller and processor will specify how the obligation under Article 33(2) GDPR is to be complied with. The controller may stipulate in its contract with the processor that the latter must notify the supervisory authority directly in the event of a breach. The contract between the controller and the processor pursuant to [[Article 28 GDPR|Article 28(3) GDPR]] may also set a specific time frame in which the processor must notify the controller. However, the legal responsibility to notify the competent supervisory authority remains with the controller regardless of such a contract, which governs only the obligations between the contracting parties.<ref>EDPB, Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, p. 19 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under_en here]).</ref>


==== Without undue delay ====

===== No risk assessment needed =====
Article 33(2) GDPR does not require the processor to assess the likelihood of the risk to the rights and freedoms of natural persons. Instead, the processor must report any personal data breach to the controller. The controller will then assess the risk and, according to the criteria established in Article 33(1) GDPR, notify the supervisory authority where the required threshold is met. Again, the controller can impose a contractual obligation on the processor to assess the risk level pursuant to [[Article 28 GDPR|Article 28(3) GDPR]]. The legal responsibility will nonetheless ultimately remain with the controller.   
=== (3) Minimum requirements of the controller's notification ===
Article 33(3) GDPR provides a list of details that the controller must include in a notification to a supervisory authority. The phrase “''shall at least''” indicates that the notification must include the elements enumerated from Article 33(3)(a) to (d) GDPR, but the controller may provide further information. This list includes the following elements:  


==== (a) Nature of the breach, categories of data subjects and data, numbers ====
According to Article 33(3)(a) GDPR, the controller must describe to the supervisory authority (i) the nature of the personal data breach, including, where possible, the categories of (ii) data subjects and (iii) personal data records concerned, as well as (iv) their respective approximate numbers. In other words, the notification should address both the qualitative (nature and categories) ''and'' the quantitative (numbers) aspects of the data breach, with regard both to the objective element (the data) and the subjective element (the data subjects).  


===== (i) Nature of the personal data breach =====
As mentioned above, the EDPB outlines three distinct categories of personal data breaches. These include a “''confidentiality breach''”, where there is an unauthorised or accidental disclosure of, or access to, personal data; an “''integrity breach''”, where there is an unauthorised or accidental alteration of personal data; or an “''availability breach''”, where there is an accidental or unauthorised loss of access to, or destruction of, personal data. This is, in essence, the "''nature''" of the personal data breach.<ref>EDPB, Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, p. 8 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under_en here]).</ref>


===== (ii) Categories of data subjects =====

===== (iv) Numbers of data subjects and records concerned =====
The numbers should be as specific as possible. However, where precise information is unavailable, such as the exact number of affected data subjects or records, this should not delay the notification of a breach. Article 33(3)(a) GDPR expressly permits approximations of the number of individuals affected and of the number of personal data records involved. The emphasis should be on addressing the negative consequences of the breach rather than on providing precise figures. To reconcile timeliness with accuracy, the controller can notify in phases under Article 33(4) GDPR (see below).<ref>Recital 85 GDPR makes it clear that one of the purposes of notification is limiting damage to individuals. Accordingly, if the types of data subjects or the types of personal data indicate a risk of particular damage occurring as a result of a breach (e.g. identity theft, fraud, financial loss, threat to professional secrecy), then it is important the notification indicates these categories. In this way, it is linked to the requirement of describing the likely consequences of the breach. See EDPB, Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, p. 15 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under_en here]).</ref>  
==== (b) Point of contact ====
Under Article 33(3)(b) GDPR, the supervisory authority must be given the name and contact details of the data protection officer or of another contact point where further information can be obtained. Where a data protection officer has been designated, their name and contact details are therefore required. Where no DPO has been designated, the controller must instead provide the details of another “''point of contact''” capable of supplying further information should the supervisory authority require it.  


==== (c) Consequence of the breach ====

=== (5) Obligation to document the breach ===
Article 33(5) GDPR requires controllers to document every personal data breach they become aware of. The documentation must include the facts relating to the breach, its effects and the remedial action taken by the controller. Importantly, this applies to “''all''” breaches, regardless of the level of risk to the rights and freedoms of natural persons, and therefore also to breaches that did not have to be notified. This obligation is linked to the accountability principle under Article 5(2) GDPR.<ref>''Burton'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 33 GDPR, p. 649 (Oxford University Press 2020).</ref> Whilst this documentation exists to enable the supervisory authority to verify compliance with Article 33 GDPR, it can also benefit the controller itself. The controller may rely on it to justify its decision not to notify the supervisory authority of a breach it considered unlikely to result in a risk. Moreover, as the principle of accountability requires the controller not only to comply with the GDPR but also to be able to demonstrate compliance, keeping records of data breaches makes it easier for the controller to show that it complied with the relevant security obligations, even if these proved insufficient to prevent the breach.


==Decisions==

Latest revision as of 13:52, 4 August 2024

Article 33 - Notification of a personal data breach to the supervisory authority

Legal Text

Article 33 - Notification of a personal data breach to the supervisory authority

1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

2. The processor shall notify the controller without undue delay after becoming aware of a personal data breach.

3. The notification referred to in paragraph 1 shall at least:

(a) describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
(b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
(c) describe the likely consequences of the personal data breach;
(d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

4. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.

5. The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article.

Relevant Recitals

Recital 85: Notification Reasons and Timeframe
A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned. Therefore, as soon as the controller becomes aware that a personal data breach has occurred, the controller should notify the personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the controller is able to demonstrate, in accordance with the accountability principle, that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where such notification cannot be achieved within 72 hours, the reasons for the delay should accompany the notification and information may be provided in phases without undue further delay.

Recital 88: Notification Rules and Procedures
In setting detailed rules concerning the format and procedures applicable to the notification of personal data breaches, due consideration should be given to the circumstances of that breach, including whether or not personal data had been protected by appropriate technical protection measures, effectively limiting the likelihood of identity fraud or other forms of misuse. Moreover, such rules and procedures should take into account the legitimate interests of law-enforcement authorities where early disclosure could unnecessarily hamper the investigation of the circumstances of a personal data breach.

Commentary

Article 33 GDPR regulates the controller's and the processor's obligations in the event of a personal data breach.[1] Paragraph 1 imposes an obligation on controllers to notify the competent supervisory authority of a personal data breach without undue delay where the breach is likely to result in a risk to the rights and freedoms of natural persons. Paragraph 2 imposes a corresponding obligation on the processor, with the only difference being that the recipient of the notification is the controller. Paragraph 3 lays out a minimum, non-exhaustive list of information that must be provided to the supervisory authority. Paragraph 4 allows controllers to share details about the breach in phases when all the information cannot be provided at the same time. Finally, under paragraph 5, and in line with the accountability principle, the controller must document any data breach, including its facts, its effects and the remedial action taken.

(1) Controller's notification in the event of a personal data breach

The GDPR introduces an obligation to notify the supervisory authority and, in certain cases, the data subject in the event of a personal data breach. The notification of a data breach carries several benefits. By establishing contact with the supervisory authority, it allows controllers to identify potential solutions and, if necessary, receive instructions on how to inform the affected data subjects. The EDPB emphasizes that a data breach is ultimately a matter of data security directly affecting the data subjects' interests. Therefore, it is essentially a measure aimed at protecting individual interests.[2]

According to the GDPR, both controllers and processors are obliged to implement suitable technical and organizational measures to ensure a level of security appropriate to the risks associated with the processing of personal data. These measures should take into account the state of the art, the costs of implementation, the nature, scope, context and purposes of processing, and the varying likelihood and severity of the risks to the rights and freedoms of individuals (Article 32(1) GDPR). Furthermore, the GDPR requires appropriate technological and organizational measures that allow the controller to establish promptly whether a personal data breach has occurred (see Recital 87 GDPR). The occurrence of a breach triggers the notification obligation.[3]

In case of personal data breach

It is important to define the notion of “personal data breach” before assessing when a controller’s duty to notify the competent supervisory authority arises. According to Article 4(12) GDPR, a personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. This wording clearly establishes a link with Article 32(2) GDPR, to which we refer.

EDPB: What is meant by “destruction” of personal data should be quite clear: this is where the data no longer exists, or no longer exists in a form that is of any use to the controller. “Damage” should also be relatively clear: this is where personal data has been altered, corrupted, or is no longer complete. In terms of “loss” of personal data, this should be interpreted as the data may still exist, but the controller has lost control or access to it, or no longer has it in its possession. Finally, unauthorised or unlawful processing may include disclosure of personal data to (or access by) recipients who are not authorised to receive (or access) the data, or any other form of processing which violates the GDPR.[4]

Article 4(12) GDPR makes clear that Article 33 GDPR applies specifically to personal data breaches, i.e. security incidents in which the controller can no longer guarantee compliance with the principles of Article 5 GDPR for the personal data concerned. This distinction emphasizes that while all personal data breaches are security incidents, not all security incidents qualify as personal data breaches, because some of them do not affect personal data at all (for example, the compromise of a test system that holds only synthetic data).[5]


The EDPB outlines three categories of personal data breach: a “confidentiality breach”, where there is an unauthorised or accidental disclosure of, or access to, personal data; an “integrity breach”, where there is an unauthorised or accidental alteration of personal data; and an “availability breach”, where there is an accidental or unauthorised loss of access to, or destruction of, personal data.[6] A single breach may combine two or all three of these types.[7]

The controller

The reporting obligation in paragraph 1 applies to the controller within the meaning of Article 4(7) GDPR, whether a natural or legal person, public authority, agency or other body. Where several controllers jointly determine the purposes and means of processing (joint controllers under Article 26 GDPR), each controller is responsible for reporting its own data breaches as well as those of the other controller(s). The controllers may, however, allocate the reporting obligations differently in the arrangement on joint responsibility required under Article 26(1) GDPR.[8]

After having become aware

Article 33(1) GDPR provides that controllers (as defined above) must notify the competent supervisory authority of a personal data breach once they have become "aware" of it.

The EDPB considers that "a controller should be regarded as having become “aware” when that controller has a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised." In certain cases, this may be evident from the beginning, while in other instances, it may take some time. Nevertheless, the focus should be on promptly initiating an investigation into the incident to determine if there has been a breach of personal data. If a breach is confirmed, appropriate remedial actions should be taken, and if necessary, notifications should be provided without delay.[9]

EDPB: After first being informed of a potential breach by an individual, a media organisation, or another source, or when it has itself detected a security incident, the controller may undertake a short period of investigation in order to establish whether or not a breach has in fact occurred. During this period of investigation the controller may not be regarded as being “aware”. However, it is expected that the initial investigation should begin as soon as possible and establish with a reasonable degree of certainty whether a breach has taken place; a more detailed investigation can then follow.

This definition suggests a high threshold to prove awareness, as it must be established that the controller has “reasonable certainty”. Accordingly, there is a distinction between awareness as defined by the EDPB and being informed of a potential breach. Whilst being informed of a potential breach does not amount to “awareness”, it does trigger an obligation on the controller to investigate further to determine (i.e., to gain "awareness") whether a breach of personal data has occurred.[10]

However, once the controller has established with reasonable certainty that a breach has occurred and the conditions of Article 33(1) GDPR are met, it must notify the supervisory authority without undue delay and, where feasible, within 72 hours, unless exceptional circumstances justify a longer period. Failing to act in a timely manner and subsequently failing to notify the supervisory authority of a confirmed breach may constitute a violation of the notification requirement in Article 33 GDPR.[11]

Shall notify the breach to the supervisory authority

Once the controller has become aware of a personal data breach likely to “result in a risk to the rights and freedoms of natural persons” (see below), it must notify the “supervisory authority competent in accordance with Article 55”.[12] Where the breach occurs in the context of cross-border processing, the competent authority is the lead supervisory authority under Article 56 GDPR, i.e. the supervisory authority of the main establishment or of the single establishment of the controller or processor.

EDPB: This means that whenever a breach takes place in the context of cross-border processing and notification is required, the controller will need to notify the lead supervisory authority. Therefore, when drafting its breach response plan, a controller must make an assessment as to which supervisory authority is the lead supervisory authority that it will need to notify. This will allow the controller to respond promptly to a breach and to meet its obligations in respect of Article 33.[13]

A controller that is not established in the EU but falls within the scope of Article 3(2) or Article 3(3) GDPR is still bound by the notification requirements of Articles 33 and 34 GDPR if it suffers a data breach. In such cases, the controller must notify the supervisory authority of every Member State in which affected data subjects reside.[14]

Without undue delay

Notifying the relevant supervisory authority must occur “without undue delay” from the moment controllers become “aware” of a personal data breach with the relevant level of risk, and in any case not later than 72 hours. It is crucial that controllers comply with this deadline, as its core purpose is to limit the damage to natural persons affected by the data breach.[15]

Case-law: The speed at which a controller notified the supervisory authority of a breach was a factor considered by the French DPA (CNIL) when assessing the level of a fine it sought to impose on a controller for the data breach. As a result of this decision, it is arguable that a timely response may be used to mitigate a fine.[16]

According to Recital 87 GDPR, the assessment of whether the controller acted without undue delay “should [take] into account in particular the nature and gravity of the personal data breach and its consequences and adverse effects”. Although this suggests that the qualifier “without undue delay” is circumstance-specific, Article 33(1) GDPR provides a general rule to satisfy this obligation: “where feasible”, the controller must notify the relevant authority within a maximum of 72 hours. This suggests that, in some instances, they can take longer than 72 hours to do so.

EDPB: Such a scenario might take place where, for example, a controller experiences multiple, similar confidentiality breaches over a short period of time, affecting large numbers of data subjects in the same way. A controller could become aware of a breach and, whilst beginning its investigation, and before notification, detect further similar breaches, which have different causes. Depending on the circumstances, it may take the controller some time to establish the extent of the breaches and, rather than notify each breach individually, the controller instead organises a meaningful notification that represents several very similar breaches, with possible different causes. This could lead to notification to the supervisory authority being delayed by more than 72 hours after the controller first becomes aware of these breaches.[17]

The final sentence of Article 33(1) GDPR stipulates that, regardless of whether the delayed notification is justified or not, if a controller fails to notify the supervisory authority within 72 hours, it shall provide “reasons”. In other words, the controller must provide an explanation outlining why notifying the relevant authorities within 72 hours was not feasible (Article 33(1) GDPR).

Controllers are sometimes reluctant to notify data breaches, since a notification could trigger an investigation by the competent DPA, in particular into the controller's security duties under Article 32 GDPR. However, the controller's inaction can itself lead to sanctions, including fines pursuant to Article 83(4)(a) GDPR.

Unless the breach is unlikely to result in a risk

The obligation to notify the competent supervisory authority of a personal data breach is not triggered where the breach is "unlikely to result in a risk to the rights and freedoms of natural persons”. The GDPR does not define what constitutes a “risk to the rights and freedoms of natural persons”. Recital 75 GDPR only outlines potential situations where such a risk is likely to materialise, such as in cases of identity theft, data subjects’ loss of control over their personal data or where they are unable to exercise related rights, amongst other situations.[18] Some of these are reiterated in Recital 85 GDPR, which labels these as “physical, material or non-material damage to natural persons”.[19]

That said, controllers must objectively consider the likelihood[20] and severity of the impact of the breach on rights and freedoms by taking into account the following: (i) type of breach;[21] (ii) nature, sensitivity, and volume of personal data;[22] (iii) how easily individuals can be identified;[23] (iv) how serious the consequences of the breach are to individuals;[24] (v) whether individuals affected are particularly vulnerable; (vi) whether the controller has a particular role that may entail a higher risk;[25] and (vii) the size of the breach in terms of numbers of individuals affected.[26]

Hence, when assessing the risk associated with a breach, the controller must consider both the potential severity of the impact on individuals' rights and freedoms and the likelihood of such impacts occurring. These two factors must be evaluated together to determine the overall risk level: particularly severe consequences raise the risk level, and so does a higher likelihood of those consequences materialising. In cases of uncertainty or doubt, the controller should err on the side of caution and notify. Annex B of the EDPB Guidelines 9/2022 on personal data breach notification provides useful examples of breach scenarios that entail a risk or a high risk to individuals.[27]

EDPB: A breach that would not require notification to the supervisory authority would be the loss of a securely encrypted mobile device, utilised by the controller and its staff. Provided the encryption key remains within the secure possession of the controller and this is not the sole copy of the personal data then the personal data would be inaccessible to an attacker. This means the breach is unlikely to result in a risk to the rights and freedoms of the data subjects in question. If it later becomes evident that the encryption key was compromised or that the encryption software or algorithm is vulnerable, then the risk to the rights and freedoms of natural persons will change and thus notification may now be required.[28]
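The severity-and-likelihood reasoning above, together with the EDPB's encrypted-device illustration, can be made concrete as a small decision helper. The following Python is an added example written for this page; it is not code from GDPRhub or the EDPB. The three-step severity and likelihood scales, the set of data types treated as sensitive, the score thresholds and the scenario values are assumptions chosen for illustration, not figures prescribed by the Guidelines. It goes slightly beyond the quoted example in that it re-evaluates the lost encrypted device once the key is known to be compromised and applies the "err on the side of caution" rule when material facts are still uncertain.

```python
"""Illustrative Article 33(1) risk assessment (added example, not EDPB code)."""
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Data types the commentary singles out as raising severity (health data,
# identity documents, financial details). The set itself is an assumption.
SENSITIVE = {"health", "identity_document", "financial", "special_category"}


@dataclass
class Breach:
    kind: str                          # "confidentiality", "integrity" or "availability"
    data_categories: set               # factor (ii): nature of the data
    subjects_affected: int             # factor (vii): size of the breach
    easily_identifiable: bool          # factor (iii)
    vulnerable_subjects: bool          # factor (v)
    high_risk_controller_role: bool    # factor (vi), e.g. a medical organisation
    encrypted: bool = False            # lost data was securely encrypted
    key_secure: bool = True            # key remains in the controller's possession
    sole_copy: bool = False            # controller holds no other copy of the data
    uncertain: bool = False            # material facts are still unknown


@dataclass
class Assessment:
    risk: Level
    notify_authority: bool
    reasons: list = field(default_factory=list)   # written rationale for the file


def _bump(level: Level) -> Level:
    """Raise a level by one step, capped at HIGH."""
    return Level(min(level + 1, Level.HIGH))


def severity(b: Breach, reasons: list) -> Level:
    """Severity of the impact on individuals (factors ii, v, vi, vii)."""
    level = Level.LOW
    sensitive = b.data_categories & SENSITIVE
    if sensitive:
        level = Level.MEDIUM
        reasons.append(f"sensitive data involved: {sorted(sensitive)}")
    if len(sensitive) > 1:   # combined elements heighten identity-theft potential
        level = _bump(level)
        reasons.append("several sensitive elements combined")
    if b.vulnerable_subjects:
        level = _bump(level)
        reasons.append("vulnerable data subjects affected")
    if b.high_risk_controller_role:
        level = _bump(level)
        reasons.append("controller's role entails a higher risk")
    if b.subjects_affected >= 1000:   # a single individual can still be severe
        level = _bump(level)
        reasons.append(f"{b.subjects_affected} individuals affected")
    return level


def likelihood(b: Breach, reasons: list) -> Level:
    """Likelihood that the consequences materialise (factors i and iii)."""
    if b.kind == "availability" and not b.sole_copy:
        reasons.append("availability breach but another copy is held")
        return Level.LOW
    if b.kind == "confidentiality" and b.easily_identifiable:
        reasons.append("disclosed data directly identifies individuals")
        return Level.HIGH
    return Level.MEDIUM


def assess(b: Breach) -> Assessment:
    """Decide whether Article 33(1) notification is required and record why."""
    reasons = []
    # EDPB illustration: securely encrypted lost device, key retained by the
    # controller and another copy held -> data inaccessible, unlikely to result in a risk.
    if b.encrypted and b.key_secure and not b.sole_copy:
        reasons.append("data encrypted, key retained by controller, copy available")
        return Assessment(Level.LOW, False, reasons)
    if b.encrypted and not b.key_secure:
        reasons.append("encryption key compromised: risk re-evaluated")
    sev = severity(b, reasons)
    lik = likelihood(b, reasons)
    score = sev * lik           # higher severity or higher likelihood both raise the risk
    if score <= 2:
        risk = Level.LOW
    elif score <= 4:
        risk = Level.MEDIUM
    else:
        risk = Level.HIGH
    notify = risk > Level.LOW   # "unlikely to result in a risk" -> no notification
    if not notify and b.uncertain:
        notify = True           # err on the side of caution
        reasons.append("material facts uncertain: notifying as a precaution")
    return Assessment(risk, notify, reasons)


if __name__ == "__main__":
    # Constructed scenario: hospital laptop with encrypted patient records lost.
    laptop = Breach("confidentiality", {"health"}, 500, True, False, True, encrypted=True)
    print(assess(laptop))
    laptop.key_secure = False   # later evidence that the key was compromised
    print(assess(laptop))
```

The `reasons` list is the part a practitioner should keep: it is the written rationale a controller would rely on to justify a decision not to notify, and it shows exactly which fact (here, the key compromise) changed the outcome on re-evaluation.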

(2) Processor's notification in the event of a personal data breach

The controller bears the ultimate responsibility for safeguarding personal data, but the processor plays a crucial role in enabling the controller to fulfill its obligations. Regarding breach notification, Article 33(2) of the GDPR clarifies that when the processor becomes aware of a breach concerning the personal data it processes on behalf of the controller, it must promptly notify the latter. The processor is not required to assess the likelihood of risk resulting from the breach; its role is simply to determine whether a breach has occurred and promptly notify the controller.

The processor

The recipient of the provision is the processor appointed under Article 28 of the GDPR.

After becoming aware of the breach

Article 33(2) GDPR instructs processors to notify controllers once they become “aware” of a personal data breach. The GDPR does not elaborate much on this provision, but the definition of “aware” likely reflects its meaning under Article 33(1) GDPR (see above).

Shall notify the data controller

According to Article 33(2) GDPR, the processor has the obligation to notify the controller, rather than the competent supervisory authority, of a data breach it is made aware of. This is an example of the assistance the processor is to give the controller under Article 28(3)(f) of the GDPR, "in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the processor."

The contract between controller and processor will specify how the obligation under Article 33(2) GDPR must be complied with. It is possible for the controller to stipulate within its contract with the processor that the latter must notify the supervisory authority directly in the event of a breach. The contract between the controller and the processor pursuant to Article 28(3) GDPR may also stipulate a specific time frame in which the processor must notify the controller. However, the legal responsibility to notify the relevant DPA will remain with the controller regardless of such a contract, which exclusively regulates obligations between private parties.[29]

Without undue delay

The contribution of the processor is essential for the controller to fulfill its responsibility for the notification procedure to the DPA, as stipulated in Article 33(1) GDPR. The longer the processor delays the notification, the shorter the time the controller has to comply with its notification duties under Article 33(1) GDPR.[30] The breach notification by the processor must occur "without undue delay". In other words, the controller must be informed immediately; the specific 72-hour maximum of Article 33(1) GDPR does not apply to the processor's notification to the controller.[31]

EDPB: The GDPR does not provide an explicit time limit within which the processor must alert the controller, except that it must do so “without undue delay”. Therefore, the EDPB recommends the processor promptly notifies the controller, with further information about the breach provided in phases as more details become available. This is important in order to help the controller to meet the requirement of notification to the supervisory authority within 72 hours.[32]

No risk assessment needed

Article 33(2) GDPR does not require the processor to assess the likelihood of the risk to the rights and freedoms of natural persons. Instead, the processor must report any personal data breach to the controller. The latter will then assess the risk and, according to the criteria established in Article 33(1), possibly notify the supervisory authority, should the required threshold be met. Again, the controller can impose a contractual obligation on the processor to assess the risk level pursuant to Article 28(3) GDPR. The legal responsibility will nonetheless ultimately remain with the controller.

(3) Minimum requirements of the controller's notification

Article 33(3) GDPR provides a list of details that the controller must include in a notification to a supervisory authority. The phrase “shall at least” indicates that the notification must include the elements enumerated from Article 33(3)(a) to (d) GDPR, but the controller may provide further information. This list includes the following elements:

(a) Nature of the breach, categories of data subjects and data, numbers

According to Article 33(3)(a) GDPR, the controller must describe (i) the nature of the personal data breach to the supervisory authority, including, where possible, the categories of (ii) data subjects and (iii) data records concerned, as well as their (iv) respective approximate numbers. In other words, the notification should address the qualitative (nature and categories) and quantitative (numbers) aspects of the data breach, with regard to both the objective element (data) and the subjective element (data subjects).

(i) Nature of the personal data breach

As mentioned above, the EDPB outlines three distinct categories of personal data breaches. These include a “confidentiality breach”, where there is an unauthorised or accidental disclosure of, or access to, personal data; an “integrity breach”, where there is an unauthorised or accidental alteration of personal data; or an “availability breach”, where there is an accidental or unauthorised loss of access to, or destruction of, personal data. This is, in essence, the "nature" of the personal data breach.[33]

(ii) Categories of data subjects

The GDPR does not provide additional information as to what “categories of data subjects” means in this context. The EDPB suggests a flexible approach, inspired by the actual objective of the notification, which is primarily to mitigate harm to the rights of the individuals affected. In other words, this information should describe the type of individuals involved, such as children, vulnerable groups, people with disabilities, employees or customers. A data breach involving personal data related to the health of underage users, for instance, necessitates significantly different actions compared to the disclosure of email addresses.[34]

(iii) Categories of data records

This refers to the different types of records that the controller may process, such as health data, educational records, social care information, financial details, bank account numbers, passport numbers and so on.

(iv) Numbers of data subjects and records concerned

The numbers should be as specific as possible. However, in situations where precise information is unavailable, such as the exact number of affected data subjects or records, this should not hinder the timely notification of a breach. The GDPR permits the use of approximations when determining the number of individuals impacted and the number of personal data records involved. The emphasis should be on addressing the negative consequences of the breach rather than solely providing precise figures. To guarantee both effectiveness and precision, the controller can carry out a notification in phases under Article 33(4) GDPR (see below).[35]

(b) Point of contact

Under Article 33(3)(b) GDPR, the supervisory authority must be given the contact details of the data protection officer or other contact point where further information can be obtained. The name and contact details of the controller’s data protection officer are therefore required. In the absence of a DPO, the controller may provide details of a “point of contact” capable of sharing further information should the supervisory authority require it.

(c) Consequence of the breach

Article 33(3)(c) GDPR requires the controller to describe the “likely consequences” of the data breach in its notification to the supervisory authority. It is important to note that such consequences do not need to have materialised at that point. Thus, controllers should consider the potential adverse effects listed in Recital 85 GDPR, which enumerates various examples of “physical, material or non-material damage to natural persons” caused by a personal data breach.[36] This requirement is likely to be a challenge for companies in practice, as these consequences are difficult to assess and usually depend on a number of factors.[37]

(d) Measures taken or proposed

Finally, Article 33(3)(d) GDPR stipulates that the controller must outline any measures it has taken or plans to take to remedy the personal data breach. The controller must also describe the measures taken or planned to mitigate possible adverse effects. The controller is not required to wait for feedback from the supervisory authority regarding the implementation of the "planned" measures.[38]

Additional details

As mentioned, the controller can provide more information than that required pursuant to Article 33(3)(a) to (d) GDPR. It is important to note that Recital 88 GDPR indicates that the “rules concerning format and procedures applicable to the notification of personal data breaches” depend on the particular circumstances of each breach.[39] Any additional information that should be provided will therefore differ according to each breach. For example, the controller can name the processor responsible for the personal data breach. This may help other controllers, which rely on services provided by the same processor, to take necessary measures against additional personal data breaches.

(4) Notification in phases

There are also circumstances where the controller can only notify the competent authority in phases. This option, outlined in Article 33(4) GDPR, is only permissible “in so far as, it is not possible to provide the information at the same time”. This indicates that the GDPR acknowledges that controllers may not always possess all the required information about a breach within 72 hours of becoming aware of it, as complete and comprehensive details of the incident may not be immediately accessible during this initial timeframe.[40] Consequently, it permits a phased approach to notification.

EDPB: The EDPB recommends that when the controller first notifies the supervisory authority, the controller should also inform the supervisory authority if the controller does not yet have all the required information and will provide more details later on. The supervisory authority should agree how and when additional information should be provided. This does not prevent the controller from providing further information at any other stage, if it becomes aware of additional relevant details about the breach that need to be provided to the supervisory authority.[41]

Again, this should occur “without undue further delay”. The controller should also provide reasons as to why it notified the supervisory authority in phases. In any case, the possibility of notifying the supervisory authority in phases should not become common practice for controllers.[42]

(5) Obligation to document the breach

Article 33(5) GDPR requires controllers to always document personal data breaches they are aware of. The documentation must include: the facts of the breach; the effects it has; and the remedial action taken by the controller. It is important to note that this applies to “all” breaches, regardless of the potential risk to the rights and freedoms of natural persons. This obligation is linked to the accountability principle under Article 5(2) GDPR.[43] Whilst this documentation exists to help the supervisory authority in its duties, it can also benefit the controller itself. Indeed, it may rely on it to justify its decision not to notify the supervisory authority of a breach where it considers that there is no likely risk. Moreover, as the principle of accountability requires the controller not only to comply with, but also to be able to demonstrate compliance with the GDPR, keeping records about data breaches means that it will be easier for the controller to prove that it complied with the relevant security obligations, even if these were not sufficient to avoid the breach.

Decisions

→ You can find all related decisions in Category:Article 33 GDPR

References

  1. There was no equivalent to Article 33 GDPR under the Data Protection Directive 95/46/EC. Indeed, Article 17 of the Directive only required controllers to take adequate measures to protect personal data from breaches. However, Member States such as Germany (Section 42(a) German Federal Data Protection Act 2017) as well as Spain (Article 88 Spanish Data Protection Law 2007) provided for a similar obligation under their national law. See, Burton, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 33 GDPR, p. 642-643 (Oxford University Press 2020). According to Bensoussan, the drafting of Article 33 GDPR drew inspiration from Article 4 ePrivacy Directive 2002/58/EC. The latter imposes a notification obligation on providers of electronic communication services. However, unlike Article 33 GDPR, the ePrivacy Directive imposes a broader obligation on electronic communication services as they must notify authorities of all breaches rather than only those which pose a risk to natural persons. See, Bensoussan, Règlement européen sur la protection des données, p. 250 (Bruylant 2017).
  2. At the same time, "it should be noted that failure to report a breach to either an individual or a supervisory authority may mean that under Article 83 GDPR a possible sanction is applicable to the controller." See, EDPB, Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, p. 6 (available here).
  3. EDPB, Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, p. 7 (available here).
  4. EDPB, Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, p. 7 (available here).
  5. EDPB, Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, p. 7-8 (available here).
  6. Article 4(12) GDPR outlines that there is a personal data breach where there is: (1) a “breach of security”; (2) leading to the “accidental”, “unlawful” or “unauthorised”; (3) “destruction”, “loss”, “alteration”, “disclosure of”, or “access to”; and (4) “personal data transmitted, stored or otherwise processed”. This division in four parts rather than three, emphasises that the breach can be accidental, unlawful or unauthorised and that it relates to previously processed personal data. See, Tosoni, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 4(12) GDPR, p. 191 (Oxford University Press 2020).
  7. EDPB, Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, p. 8 (available here).
  8. Jandt, in Kühling, Buchner, DS-GVO BDSG, Article 33 GDPR, margin number 6 (C.H. Beck 2020, 3rd Edition).
  9. The GDPR requires the controller to implement all appropriate technical protection and organisational measures to establish immediately whether a breach has taken place and to inform promptly the supervisory authority and the data subjects.
  10. EDPB, Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, p. 12 (available here).
  11. EDPB, Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, p. 12 (available here).
  12. As per Recital 87 GDPR, the supervisory authority may then intervene “in accordance with its tasks and powers” under Articles 55 to 59 GDPR.
  13. EDPB, Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, p. 8 (available here).
  14. Similarly, "where a processor is subject to Article 3(2) GDPR, it will be bound by the obligations on processors, of particular relevance here, the duty to notify a breach to the controller under Article 33(2) GDPR." See, EDPB, Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, p. 18 (available here).
  15. See Recital 85.
  16. CNIL Deliberation SAN-2017-010, 18 July 2017 (available here).
  17. EDPB, Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, p. 16 (available here). Recital 88 provides another example. Where a rapid notification would “hamper” an investigation conducted by law enforcement authorities, the controller has a valid reason for not complying with the general deadline in Article 33(1) GDPR. In particular, “[…] rules and procedures [concerning the format and procedures applicable to the notification of personal data breaches] should take into account the legitimate interests of law-enforcement authorities where early disclosure could unnecessarily hamper the investigation of the circumstances of a personal data breach”.
  18. See Recital 75 above for more examples.
  19. It is noteworthy that Article 33(1) GDPR stipulates that the controller must assess the risk to “natural persons” rather than just “data subjects”. This suggests that the meaning of “risk” must be interpreted broadly and as affecting natural persons generally rather than just specific data subjects.
  20. It is important to emphasise that only the likelihood of a risk is required to trigger the notification obligation. Thus, controllers do not need to be certain that a breach has occurred before taking further steps to comply with Article 33 GDPR.
  21. For instance, a breach of confidentiality in which unauthorized parties gain access to medical information may have different consequences for an individual compared to a breach where an individual's medical details have been lost and are no longer accessible.
  22. Typically, the level of risk to individuals affected increases with the sensitivity of the data involved. Breaches that involve health data, identity documents, or financial information like credit card details have the potential to cause harm individually. However, when these types of data are used together, they can increase the risk of identity theft. The combination of multiple personal data elements is generally more sensitive and poses a greater risk than a single piece of personal data. However, it is important to consider other personal data that may already be accessible about the data subject. For instance, the disclosure of an individual's name and address under normal circumstances is unlikely to result in significant harm. However, if the name and address of an adoptive parent are disclosed to a birth parent, the consequences could be extremely severe for both the adoptive parent and the child.
  23. The breached data can potentially enable direct or indirect identification, although the likelihood may vary depending on the specific circumstances of the breach and the public availability of related personal information. This aspect becomes particularly significant in the context of breaches affecting confidentiality and availability of data.
  24. When breaches involve certain categories of personal data, the potential harm to individuals can be particularly severe. This is especially true when the breach has the potential to lead to identity theft or fraud, physical harm, psychological distress, humiliation, or damage to reputation. Additionally, if the breached data pertains to vulnerable individuals, they may be at an even greater risk of experiencing harm.
  25. To illustrate, let's consider the scenario where a medical organization processes special categories of personal data. In such cases, if there is a breach of this sensitive information, the potential harm to individuals can be significantly higher compared to a breach involving a mailing list of a newspaper. The nature of the data being processed plays a crucial role in assessing the potential risks and consequences associated with a breach.
  26. The impact of a breach can vary depending on the number of individuals affected, ranging from just a few to potentially thousands or more. While it is generally true that a larger number of affected individuals can lead to a greater overall impact, it is important to recognize that even a breach affecting a single individual can have severe consequences. The extent of the impact depends on factors such as the nature of the compromised personal data and the specific circumstances surrounding the breach. Assessing the likelihood and severity of the impact on those affected is crucial in evaluating the significance of a breach.
  27. On all the above, see EDPB, Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, pp. 24-26 (available here).
  28. EDPB, Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, p. 19 (available here).
  29. EDPB, Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, p. 19 (available here).
  30. It is relevant to note that the responsibility for the notification to the SA under Article 33(1) GDPR stays with controller who, in turn, will only become “aware” of the breach as soon as the processor notifies it. Burton, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 33 GDPR, p. 647 (Oxford University Press 2020).
  31. Dix in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 33 GDPR, margin number 18 (C.H. Beck 2019).
  32. EDPB, Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, p. 19 (available here).
  33. EDPB, Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, p. 8 (available here).
  34. EDPB, Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, p. 14 (available here).
  35. Recital 85 GDPR makes it clear that one of the purposes of notification is limiting damage to individuals. Accordingly, if the types of data subjects or the types of personal data indicate a risk of particular damage occurring as a result of a breach (e.g. identity theft, fraud, financial loss, threat to professional secrecy), then it is important the notification indicates these categories. In this way, it is linked to the requirement of describing the likely consequences of the breach. See, EDPB, Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, p. 15 (available here).
  36. “[…] loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage […]”
  37. Hladjk, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 33 GDPR, margin number 15 (C.H. Beck 2018, 2nd edition).
  38. König, Schaupp, in Knyrim, Der DatKomm, Article 79 GDPR, margin number 58/1 (rdb.at 2018).
  39. See Recital 88 “In setting detailed rules concerning format and procedures applicable to the notification of personal data breaches, due consideration should be given to the circumstances of that breach, including whether or not personal data had been protected by appropriate technical protection measures, effectively limiting the likelihood of identity fraud or other forms of misuse. […].”
  40. This scenario is more likely to occur in the case of complex breaches, such as certain types of cybersecurity incidents, where conducting an in-depth forensic investigation may be necessary to accurately determine the nature of the breach and the extent of personal data compromise. As a result, in many instances, the controller will need to conduct further investigations and provide additional information at a later stage.
  41. EDPB, Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, p. 15 (available here).
  42. WP29, ‘Guidelines on Personal data breach notification under Regulation 2016/679’, 18/EN WP250 rev.01, 6 February 2018, p. 16 (available here).
  43. Burton, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 33 GDPR, p. 649 (Oxford University Press 2020).