https://gdprhub.eu/index.php?title=Article_33_GDPR&feed=atom&action=history
Article 33 GDPR - Revision history
2024-03-29T10:25:56Z
Revision history for this page on the wiki
MediaWiki 1.39.6
https://gdprhub.eu/index.php?title=Article_33_GDPR&diff=33559&oldid=prev
Mg: /* (5) Obligation to document the breach */
2023-06-16T08:22:44Z
<p><span dir="auto"><span class="autocomment">(5) Obligation to document the breach</span></span></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 08:22, 16 June 2023</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l294">Line 294:</td>
<td colspan="2" class="diff-lineno">Line 294:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== (5) Obligation to document the breach ===</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== (5) Obligation to document the breach ===</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Article 33(5) GDPR requires controllers to always document personal data breaches they are aware of. The documentation must include: the facts of the breach; the effects it has; and the remedial action taken by the controller. It is important to note that this applies to “''all''” breaches, regardless of the potential risk to the rights and freedoms of natural persons. This obligation is linked to the accountability principle under Article 5(2) GDPR.<ref>''Burton'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 33 GDPR, p. 649 (Oxford University Press 2020).</ref> Whilst this documentation exists to help the supervisory authority in its duties, it can also benefit the controller itself. Indeed, it may rely on it to justify its decision not to notify the supervisory authority of a breach where it considers that there is no likely risk.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Article 33(5) GDPR requires controllers to always document personal data breaches they are aware of. The documentation must include: the facts of the breach; the effects it has; and the remedial action taken by the controller. It is important to note that this applies to “''all''” breaches, regardless of the potential risk to the rights and freedoms of natural persons. This obligation is linked to the accountability principle under Article 5(2) GDPR.<ref>''Burton'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 33 GDPR, p. 
649 (Oxford University Press 2020).</ref> Whilst this documentation exists to help the supervisory authority in its duties, it can also benefit the controller itself. Indeed, it may rely on it to justify its decision not to notify the supervisory authority of a breach where it considers that there is no likely risk<ins style="font-weight: bold; text-decoration: none;">. Moreover, as the principle of accountability requires the controller not only to comply with, but also to be able to demonstrate compliance with the GDPR, keeping records about data breaches means that it will be easier for the controller to prove that they complied with the relevant security obligations, even if these were not sufficient to avoid the breach</ins>.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==Decisions==</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==Decisions==</div></td></tr>
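Review bot: the inserted sentence switches the pronoun for the controller from "it" (used throughout the paragraph: "it may rely on it to justify its decision") to "they" in "easier for the controller to prove that they complied"; "that it complied" keeps the paragraph consistent. The sentence is also a long single clause chain; splitting it after "demonstrate compliance with the GDPR" (e.g. "Keeping records about data breaches therefore makes it easier for the controller to prove ...") would read more easily without changing the point.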
</table>
Mg
https://gdprhub.eu/index.php?title=Article_33_GDPR&diff=33558&oldid=prev
Mg: /* (b) Point of contact */
2023-06-16T08:13:16Z
<p><span dir="auto"><span class="autocomment">(b) Point of contact</span></span></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 08:13, 16 June 2023</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l280">Line 280:</td>
<td colspan="2" class="diff-lineno">Line 280:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The numbers should be as specific as possible. However, in situations where precise information is unavailable, such as the exact number of affected data subjects or records, it should not hinder the timely notification of a breach. The GDPR permits the use of approximations when determining the number of individuals impacted and the number of personal data records involved. The emphasis should be on addressing the negative consequences of the breach rather than solely providing precise figures. To guarantee both effectiveness and preciseness, the controller can carry out a notification in phases under Article 33(4) GDPR (see below).<ref>Recital 85 GDPR makes it clear that one of the purposes of notification is limiting damage to individuals. Accordingly, if the types of data subjects or the types of personal data indicate a risk of particular damage occurring as a result of a breach (e.g. identity theft, fraud, financial loss, threat to professional secrecy), then it is important the notification indicates these categories. In this way, it is linked to the requirement of describing the likely consequences of the breach. See, EDPB, Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, pp. 15 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under_en here]).</ref> </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The numbers should be as specific as possible. 
However, in situations where precise information is unavailable, such as the exact number of affected data subjects or records, it should not hinder the timely notification of a breach. The GDPR permits the use of approximations when determining the number of individuals impacted and the number of personal data records involved. The emphasis should be on addressing the negative consequences of the breach rather than solely providing precise figures. To guarantee both effectiveness and preciseness, the controller can carry out a notification in phases under Article 33(4) GDPR (see below).<ref>Recital 85 GDPR makes it clear that one of the purposes of notification is limiting damage to individuals. Accordingly, if the types of data subjects or the types of personal data indicate a risk of particular damage occurring as a result of a breach (e.g. identity theft, fraud, financial loss, threat to professional secrecy), then it is important the notification indicates these categories. In this way, it is linked to the requirement of describing the likely consequences of the breach. See, EDPB, Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, pp. 15 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under_en here]).</ref> </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==== (b) Point of contact ====</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==== (b) Point of contact ====</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Under Article 33(3)(b) GDPR, the supervisory authority must be given the contact details of the data protection officer or other contact point where further information can be obtained. The name and contact details of the controller’s data protection officer are therefore required. <del style="font-weight: bold; text-decoration: none;">Alternatively</del>, the controller may provide details of a “''point of contact''” capable of sharing further information should the supervisory authority require it. </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Under Article 33(3)(b) GDPR, the supervisory authority must be given the contact details of the data protection officer or other contact point where further information can be obtained. The name and contact details of the controller’s data protection officer are therefore required. <ins style="font-weight: bold; text-decoration: none;">In lack of a DPO</ins>, the controller may provide details of a “''point of contact''” capable of sharing further information should the supervisory authority require it. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==== (c) Consequence of the breach ====</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==== (c) Consequence of the breach ====</div></td></tr>
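Review bot: "In lack of a DPO" is not idiomatic; "Where no DPO has been designated" or "In the absence of a DPO" carries the intended meaning. The replacement also narrows the sentence: "Alternatively" presented the point of contact as an option open to any controller, whereas the new wording makes it a fallback that applies only when there is no DPO, which is consistent with the preceding sentence stating that the DPO's details "are therefore required". The abbreviation "DPO" also appears here for the first time while the rest of the paragraph spells out "data protection officer"; either spell it out or introduce the abbreviation on first use.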
</table>
Mg
https://gdprhub.eu/index.php?title=Article_33_GDPR&diff=33557&oldid=prev
Mg: /* (a) Nature of the breach, categories of data subjects and data, numbers */
2023-06-16T08:10:31Z
<p><span dir="auto"><span class="autocomment">(a) Nature of the breach, categories of data subjects and data, numbers</span></span></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 08:10, 16 June 2023</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l266">Line 266:</td>
<td colspan="2" class="diff-lineno">Line 266:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==== (a) Nature of the breach, categories of data subjects and data, numbers ====</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==== (a) Nature of the breach, categories of data subjects and data, numbers ====</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>According to Article 33(3)(a) GDPR, the controller must describe (i) the nature of the personal data breach to the supervisory authority, including, where possible, the categories of (ii) data subjects and (iii) data records concerned, as well as their (iv) respective approximate numbers. </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>According to Article 33(3)(a) GDPR, the controller must describe (i) the nature of the personal data breach to the supervisory authority, including, where possible, the categories of (ii) data subjects and (iii) data records concerned, as well as their (iv) respective approximate numbers<ins style="font-weight: bold; text-decoration: none;">. In other words, the notification should address qualitative (nature and categories) ''and'' quantitative aspect (numbers) of the data breach, with regard both to the objective (data) and the subjective element (data subjects)</ins>. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>===== (i) Nature of the personal breach =====</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>===== (i) Nature of the personal breach =====</div></td></tr>
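Review bot: "quantitative aspect (numbers)" in the inserted sentence should be plural ("aspects"), since the sentence enumerates two of them, and "with regard both to the objective (data) and the subjective element (data subjects)" reads better as "with regard to both the objective element (data) and the subjective element (data subjects)". The mapping to Article 33(3)(a) is otherwise clear from the (i)-(iv) enumeration in the preceding sentence.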
</table>
Mg
https://gdprhub.eu/index.php?title=Article_33_GDPR&diff=33556&oldid=prev
Mg: /* (iv) Numbers of data subjects and records concerned */
2023-06-16T08:07:04Z
<p><span dir="auto"><span class="autocomment">(iv) Numbers of data subjects and records concerned</span></span></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 08:07, 16 June 2023</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l278">Line 278:</td>
<td colspan="2" class="diff-lineno">Line 278:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>===== (iv) Numbers of data subjects and records concerned =====</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>===== (iv) Numbers of data subjects and records concerned =====</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The numbers should be as specific as possible. However, in situations where precise information is unavailable, such as the exact number of affected data subjects or records, it should not hinder the timely notification of a breach. The GDPR permits the use of approximations when determining the number of individuals impacted and the number of personal data records involved. The emphasis should be on addressing the negative consequences of the breach rather than solely providing precise figures. <del style="font-weight: bold; text-decoration: none;">Instead</del>, the controller can carry out a notification in phases under Article 33(4) GDPR (see below).<ref>Recital 85 GDPR makes it clear that one of the purposes of notification is limiting damage to individuals. Accordingly, if the types of data subjects or the types of personal data indicate a risk of particular damage occurring as a result of a breach (e.g. identity theft, fraud, financial loss, threat to professional secrecy), then it is important the notification indicates these categories. In this way, it is linked to the requirement of describing the likely consequences of the breach. See, EDPB, Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, pp. 15 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under_en here]).</ref> </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The numbers should be as specific as possible. 
However, in situations where precise information is unavailable, such as the exact number of affected data subjects or records, it should not hinder the timely notification of a breach. The GDPR permits the use of approximations when determining the number of individuals impacted and the number of personal data records involved. The emphasis should be on addressing the negative consequences of the breach rather than solely providing precise figures. <ins style="font-weight: bold; text-decoration: none;">To guarantee both effectiveness and preciseness</ins>, the controller can carry out a notification in phases under Article 33(4) GDPR (see below).<ref>Recital 85 GDPR makes it clear that one of the purposes of notification is limiting damage to individuals. Accordingly, if the types of data subjects or the types of personal data indicate a risk of particular damage occurring as a result of a breach (e.g. identity theft, fraud, financial loss, threat to professional secrecy), then it is important the notification indicates these categories. In this way, it is linked to the requirement of describing the likely consequences of the breach. See, EDPB, Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, pp. 15 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under_en here]).</ref> </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==== (b) Point of contact ====</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==== (b) Point of contact ====</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Under Article 33(3)(b) GDPR, the supervisory authority must be given the contact details of the data protection officer or other contact point where further information can be obtained. The name and contact details of the controller’s data protection officer are therefore required. Alternatively, the controller may provide details of a “''point of contact''” capable of sharing further information should the supervisory authority require it. </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Under Article 33(3)(b) GDPR, the supervisory authority must be given the contact details of the data protection officer or other contact point where further information can be obtained. The name and contact details of the controller’s data protection officer are therefore required. Alternatively, the controller may provide details of a “''point of contact''” capable of sharing further information should the supervisory authority require it. </div></td></tr>
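Review bot: "preciseness" in the inserted clause should be "precision". The clause is an improvement over "Instead", which wrongly opposed phased notification to the approximations just described, but it could tie back to the word "timely" used earlier in the paragraph, e.g. "To notify in time without sacrificing precision, the controller can carry out a notification in phases under Article 33(4) GDPR".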
</table>
Mg
https://gdprhub.eu/index.php?title=Article_33_GDPR&diff=33555&oldid=prev
Mg: /* (i) Nature of the personal breach */
2023-06-16T07:59:56Z
<p><span dir="auto"><span class="autocomment">(i) Nature of the personal breach</span></span></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 07:59, 16 June 2023</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l269">Line 269:</td>
<td colspan="2" class="diff-lineno">Line 269:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>===== (i) Nature of the personal breach =====</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>===== (i) Nature of the personal breach =====</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">The </del>EDPB outlines three distinct categories of personal data breaches. These include a “''confidentiality breach''”, where there is an unauthorised or accidental disclosure of, or access to, personal data; an “''integrity breach''”, where there is an unauthorised or accidental alteration of personal data; or an “''availability breach''”, where there is an accidental or unauthorised loss of access to, or destruction of, personal data. This is, in essence, the "''nature''" of the personal data breach.<ref>EDPB, Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, p. 8 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under_en here]).</ref></div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">As mentioned above, the </ins>EDPB outlines three distinct categories of personal data breaches. These include a “''confidentiality breach''”, where there is an unauthorised or accidental disclosure of, or access to, personal data; an “''integrity breach''”, where there is an unauthorised or accidental alteration of personal data; or an “''availability breach''”, where there is an accidental or unauthorised loss of access to, or destruction of, personal data. 
This is, in essence, the "''nature''" of the personal data breach.<ref>EDPB, Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, p. 8 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under_en here]).</ref></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>===== (ii) Categories of data subjects =====</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>===== (ii) Categories of data subjects =====</div></td></tr>
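Review bot: the subsection heading shown in context, "(i) Nature of the personal breach", omits "data"; the paragraph itself speaks of a "personal data breach", so the heading should read "(i) Nature of the personal data breach". The inserted lead "As mentioned above, the" points to an earlier passage that is not part of this hunk; a wiki link to that section would let the reader find the first description of the three breach categories.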
</table>
Mg
https://gdprhub.eu/index.php?title=Article_33_GDPR&diff=33554&oldid=prev
Mg: /* No risk assessment needed */
2023-06-16T07:55:26Z
<p><span dir="auto"><span class="autocomment">No risk assessment needed</span></span></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 07:55, 16 June 2023</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l261">Line 261:</td>
<td colspan="2" class="diff-lineno">Line 261:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>===== No risk assessment needed =====</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>===== No risk assessment needed =====</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Article 33(2) GDPR does not require the processor to assess the likelihood of the risk to the rights and freedoms of natural persons. Instead,the processor must report any personal data breach to the controller. The latter will then assess the risk and, according to the criteria established in Article 33(1), possibly notify the supervisory authority should the required threshold be met. Again, the controller can impose a contractual obligation on the processor to assess the risk level pursuant to [[Article 28 GDPR|Article 28(3) GDPR]]. The legal responsibility will nonetheless ultimately remain with the controller. </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Article 33(2) GDPR does not require the processor to assess the likelihood of the risk to the rights and freedoms of natural persons. Instead, the processor must report any personal data breach to the controller. The latter will then assess the risk and, according to the criteria established in Article 33(1), possibly notify the supervisory authority<ins style="font-weight: bold; text-decoration: none;">, </ins>should the required threshold be met. Again, the controller can impose a contractual obligation on the processor to assess the risk level pursuant to [[Article 28 GDPR|Article 28(3) GDPR]]. The legal responsibility will nonetheless ultimately remain with the controller. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== (3) Minimal requirements of the controller's notification. ===</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== (3) Minimal requirements of the controller's notification. ===</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Article 33(3) GDPR provides a list of details that the controller must include in a notification to a supervisory authority. The phrase “''shall at least''” indicates that the notification must include the elements enumerated from Article 33(3)(a) to (d) GDPR, but the controller may provide further information. This list includes the following elements: </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Article 33(3) GDPR provides a list of details that the controller must include in a notification to a supervisory authority. The phrase “''shall at least''” indicates that the notification must include the elements enumerated from Article 33(3)(a) to (d) GDPR, but the controller may provide further information. This list includes the following elements: </div></td></tr>
</table>Mghttps://gdprhub.eu/index.php?title=Article_33_GDPR&diff=33553&oldid=prevMg: /* Shall notify the data controller */2023-06-16T07:53:11Z<p><span dir="auto"><span class="autocomment">Shall notify the data controller</span></span></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 07:53, 16 June 2023</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l255">Line 255:</td>
<td colspan="2" class="diff-lineno">Line 255:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>According to Article 33(2) GDPR, the processor has the obligation to notify the controller, rather than the competent supervisory authority, of a data breach it is made aware of. This is an example of the assistance the processor is to give the controller under Article 28(3)(f) of the GDPR, "''in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the processor''." </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>According to Article 33(2) GDPR, the processor has the obligation to notify the controller, rather than the competent supervisory authority, of a data breach it is made aware of. This is an example of the assistance the processor is to give the controller under Article 28(3)(f) of the GDPR, "''in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the processor''." </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The contract between controller and processor will specify how the obligation under Article 33(2) GDPR must be complied with. It is possible for the controller to stipulate within its contract with the processor that the latter must notify the supervisory authority directly in the event of a breach. The contract between the controller and the processor pursuant to [[Article 28 GDPR|Article 28(3) GDPR]] may also stipulate a specific time frame in which the processor must notify the controller. However, the legal responsibility to notify the relevant DPA will remain with the controller regardless of such a contract.<ref>EDPB, Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, p. 19 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under_en here]).</ref></div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The contract between controller and processor will specify how the obligation under Article 33(2) GDPR must be complied with. It is possible for the controller to stipulate within its contract with the processor that the latter must notify the supervisory authority directly in the event of a breach. The contract between the controller and the processor pursuant to [[Article 28 GDPR|Article 28(3) GDPR]] may also stipulate a specific time frame in which the processor must notify the controller. However, the legal responsibility to notify the relevant DPA will remain with the controller regardless of such a contract<ins style="font-weight: bold; text-decoration: none;">, which exclusively regulates obligations between private subjects</ins>.<ref>EDPB, Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, p. 19 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under_en here]).</ref></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==== Without undue delay ====</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==== Without undue delay ====</div></td></tr>
</table>Mghttps://gdprhub.eu/index.php?title=Article_33_GDPR&diff=33552&oldid=prevMg: /* After becoming aware of the breach */2023-06-16T07:49:38Z<p><span dir="auto"><span class="autocomment">After becoming aware of the breach</span></span></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 07:49, 16 June 2023</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l250">Line 250:</td>
<td colspan="2" class="diff-lineno">Line 250:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==== After becoming aware of the breach ====</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==== After becoming aware of the breach ====</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Article 33(2) GDPR instructs processors to notify controllers once they become “''aware''” of a personal data breach. The GDPR does not elaborate much on this provision, but the definition of “''aware''” likely reflects its meaning under Article 33(1) GDPR (see above <del style="font-weight: bold; text-decoration: none;">under Article 33(1) GDPR</del>). </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Article 33(2) GDPR instructs processors to notify controllers once they become “''aware''” of a personal data breach. The GDPR does not elaborate much on this provision, but the definition of “''aware''” likely reflects its meaning under Article 33(1) GDPR (see above). </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==== Shall notify the data controller ====</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==== Shall notify the data controller ====</div></td></tr>
</table>Mghttps://gdprhub.eu/index.php?title=Article_33_GDPR&diff=33551&oldid=prevMg: /* Without undue delay */2023-06-16T07:46:59Z<p><span dir="auto"><span class="autocomment">Without undue delay</span></span></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 07:46, 16 June 2023</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l235">Line 235:</td>
<td colspan="2" class="diff-lineno">Line 235:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Notifying the relevant supervisory authority must occur “''without undue delay''” from the moment controllers become “''aware''” of a personal data breach with the relevant level of risk, and in any case not later than 72 hours. It is crucial that controllers comply with this deadline, as its core purpose is to limit the damage to natural persons affected by the data breach.<ref>See Recital 85.</ref> <blockquote><u>Case-law</u>: The speed at which a controller notified the supervisory authority of a breach was a factor considered by the French DPA (CNIL) when assessing the level of a fine it sought to impose on a controller for the data breach. As a result of this decision, it is arguable that a timely response may be used to mitigate a fine.<ref>CNIL Delieration SAN-2017-010, 18 July 2017 (available [https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000034899556/ here]).</ref></blockquote>According to Recital 87 GDPR, the assessment of whether the controller acted without undue delay “''should'' [take] ''into account in particular the nature and gravity of the personal data breach and its consequences and adverse effects''”. Although this suggests that the qualifier “''without undue delay''” is circumstance-specific, Article 33(1) GDPR provides a general rule to satisfy this obligation: ''“where feasible''”, the controller must notify the relevant authority within a maximum of 72 hours. This suggests that, in some instances, they can take longer than 72 hours to do so.<blockquote><u>EDPB</u>: Such a scenario might take place where, for example, a controller experiences multiple, similar confidentiality breaches over a short period of time, affecting large numbers of data subjects in the same way. A controller could become aware of a breach and, whilst beginning its investigation, and before notification, detect further similar breaches, which have different causes. Depending on the circumstances, it may take the controller some time to establish the extent of the breaches and, rather than notify each breach individually, the controller instead organises a meaningful notification that represents several very similar breaches, with possible different causes. This could lead to notification to the supervisory authority being delayed by more than 72 hours after the controller first becomes aware of these breaches.<ref>EDPB, Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, p. 16 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under_en here]). Recital 88 provides another example. Where a rapid notification would “''hamper''” an investigation conducted by law enforcement authorities, the controller has a valid reason for not complying with the general deadline in Article 33(1) GDPR. In particular, “[…] ''rules and procedures'' [concerning the format and procedures applicable to the notification of personal data breaches] ''should take into account the legitimate interests of law-enforcement authorities where early disclosure could unnecessarily hamper the investigation of the circumstances of a personal data breach”''.</ref></blockquote>The final sentence of Article 33(1) GDPR stipulates that, regardless of whether the delayed notification is justified or not, if a controller fails to notify the supervisory authority within 72 hours, it shall provide “''reasons''”. In other words, the controller must provide an explanation outlining why notifying the relevant authorities within 72 hours was not feasible (Article 33(1) GDPR).</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Notifying the relevant supervisory authority must occur “''without undue delay''” from the moment controllers become “''aware''” of a personal data breach with the relevant level of risk, and in any case not later than 72 hours. It is crucial that controllers comply with this deadline, as its core purpose is to limit the damage to natural persons affected by the data breach.<ref>See Recital 85.</ref> <blockquote><u>Case-law</u>: The speed at which a controller notified the supervisory authority of a breach was a factor considered by the French DPA (CNIL) when assessing the level of a fine it sought to impose on a controller for the data breach. As a result of this decision, it is arguable that a timely response may be used to mitigate a fine.<ref>CNIL Delieration SAN-2017-010, 18 July 2017 (available [https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000034899556/ here]).</ref></blockquote>According to Recital 87 GDPR, the assessment of whether the controller acted without undue delay “''should'' [take] ''into account in particular the nature and gravity of the personal data breach and its consequences and adverse effects''”. Although this suggests that the qualifier “''without undue delay''” is circumstance-specific, Article 33(1) GDPR provides a general rule to satisfy this obligation: ''“where feasible''”, the controller must notify the relevant authority within a maximum of 72 hours. This suggests that, in some instances, they can take longer than 72 hours to do so.<blockquote><u>EDPB</u>: Such a scenario might take place where, for example, a controller experiences multiple, similar confidentiality breaches over a short period of time, affecting large numbers of data subjects in the same way. A controller could become aware of a breach and, whilst beginning its investigation, and before notification, detect further similar breaches, which have different causes. Depending on the circumstances, it may take the controller some time to establish the extent of the breaches and, rather than notify each breach individually, the controller instead organises a meaningful notification that represents several very similar breaches, with possible different causes. This could lead to notification to the supervisory authority being delayed by more than 72 hours after the controller first becomes aware of these breaches.<ref>EDPB, Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, p. 16 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under_en here]). Recital 88 provides another example. Where a rapid notification would “''hamper''” an investigation conducted by law enforcement authorities, the controller has a valid reason for not complying with the general deadline in Article 33(1) GDPR. In particular, “[…] ''rules and procedures'' [concerning the format and procedures applicable to the notification of personal data breaches] ''should take into account the legitimate interests of law-enforcement authorities where early disclosure could unnecessarily hamper the investigation of the circumstances of a personal data breach”''.</ref></blockquote>The final sentence of Article 33(1) GDPR stipulates that, regardless of whether the delayed notification is justified or not, if a controller fails to notify the supervisory authority within 72 hours, it shall provide “''reasons''”. In other words, the controller must provide an explanation outlining why notifying the relevant authorities within 72 hours was not feasible (Article 33(1) GDPR).</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Notification of data breaches is sometimes disregarded by controllers, since it could trigger an investigation by the competent DPA, especially with regard to controller's <del style="font-weight: bold; text-decoration: none;">duty </del>pursuant to Article 32 GDPR. However, it must be considered that the controller's inactivity could also lead to sanctions, including fines pursuant to Article 83(4)(a) GDPR.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Notification of data breaches is sometimes disregarded by controllers, since it could trigger an investigation by the competent DPA, especially with regard to controller's <ins style="font-weight: bold; text-decoration: none;">duties </ins>pursuant to Article 32 GDPR. However, it must be considered that the controller's inactivity could also lead to sanctions, including fines pursuant to Article 83(4)(a) GDPR.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==== Unless the breach is unlikely to result in a risk ====</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==== Unless the breach is unlikely to result in a risk ====</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The obligation to notify the competent supervisory authority of a personal data breach is not triggered where the breach is "''unlikely to'' ''result in a risk to the rights and freedoms of natural persons''”. The GDPR does not define what constitutes a “''risk to the rights and freedoms of natural persons''”. Recital 75 GDPR only outlines potential situations where such a risk is likely to materialise, such as in cases of identity theft, data subjects’ loss of control over their personal data or where they are unable to exercise related rights, amongst other situations.<ref>See Recital 75 above for more examples.</ref> Some of these are reiterated in Recital 85 GDPR, which labels these as “''physical, material or non-material damage to natural persons''”.<ref>It is noteworthy that Article 33(1) GDPR stipulates that the controller must assess the risk to “''natural persons''” rather than just “''data subjects''”. This suggests that the meaning of “''risk''” must be interpreted broadly and as affecting natural persons generally rather than just specific data subjects.</ref> </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The obligation to notify the competent supervisory authority of a personal data breach is not triggered where the breach is "''unlikely to'' ''result in a risk to the rights and freedoms of natural persons''”. The GDPR does not define what constitutes a “''risk to the rights and freedoms of natural persons''”. Recital 75 GDPR only outlines potential situations where such a risk is likely to materialise, such as in cases of identity theft, data subjects’ loss of control over their personal data or where they are unable to exercise related rights, amongst other situations.<ref>See Recital 75 above for more examples.</ref> Some of these are reiterated in Recital 85 GDPR, which labels these as “''physical, material or non-material damage to natural persons''”.<ref>It is noteworthy that Article 33(1) GDPR stipulates that the controller must assess the risk to “''natural persons''” rather than just “''data subjects''”. This suggests that the meaning of “''risk''” must be interpreted broadly and as affecting natural persons generally rather than just specific data subjects.</ref> </div></td></tr>
</table>Mghttps://gdprhub.eu/index.php?title=Article_33_GDPR&diff=33550&oldid=prevSR: /* Unless the breach is unlikely to result in a risk */2023-06-16T07:11:30Z<p><span dir="auto"><span class="autocomment">Unless the breach is unlikely to result in a risk</span></span></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 07:11, 16 June 2023</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l241">Line 241:</td>
<td colspan="2" class="diff-lineno">Line 241:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>That said, controllers must objectively consider the likelihood<ref>It is important to emphasise that only the likelihood of a risk is required to trigger the notification obligation. Thus, controllers do not need to be certain that a breach has occurred before taking further steps to comply with Article 33 GDPR.</ref> and severity of the impact of the breach on rights and freedoms by taking into account the following: (i) type of breach;<ref>For instance, a breach of confidentiality in which unauthorized parties gain access to medical information may have different consequences for an individual compared to a breach where an individual's medical details have been lost and are no longer accessible.</ref> (ii) nature, sensitivity, and volume of personal data;<ref>Typically, the level of risk to individuals affected increases with the sensitivity of the data involved. Breaches that involve health data, identity documents, or financial information like credit card details have the potential to cause harm individually. However, when these types of data are used together, they can increase the risk of identity theft. The combination of multiple personal data elements is generally more sensitive and poses a greater risk than a single piece of personal data. However, it is important to consider other personal data that may already be accessible about the data subject. For instance, the disclosure of an individual's name and address under normal circumstances is unlikely to result in significant harm. However, if the name and address of an adoptive parent are disclosed to a birth parent, the consequences could be extremely severe for both the adoptive parent and the child.</ref> (iii) how easily individuals can be identified;<ref>The breached data can potentially enable direct or indirect identification, although the likelihood may vary depending on the specific circumstances of the breach and the public availability of related personal information. This aspect becomes particularly significant in the context of breaches affecting confidentiality and availability of data.</ref> (iv) how serious the consequences of the breach are to individuals;<ref>When breaches involve certain categories of personal data, the potential harm to individuals can be particularly severe. This is especially true when the breach has the potential to lead to identity theft or fraud, physical harm, psychological distress, humiliation, or damage to reputation. Additionally, if the breached data pertains to vulnerable individuals, they may be at an even greater risk of experiencing harm.</ref> (v) whether individuals affected are particularly vulnerable; (vi) whether the controller has a particular role that may entail a higher risk;<ref>To illustrate, let's consider the scenario where a medical organization processes special categories of personal data. In such cases, if there is a breach of this sensitive information, the potential harm to individuals can be significantly higher compared to a breach involving a mailing list of a newspaper. The nature of the data being processed plays a crucial role in assessing the potential risks and consequences associated with a breach.</ref> and (vii) the size of the breach in terms of numbers of individuals affected.<ref>The impact of a breach can vary depending on the number of individuals affected, ranging from just a few to potentially thousands or more. While it is generally true that a larger number of affected individuals can lead to a greater overall impact, it is important to recognize that even a breach affecting a single individual can have severe consequences. The extent of the impact depends on factors such as the nature of the compromised personal data and the specific circumstances surrounding the breach. Assessing the likelihood and severity of the impact on those affected is crucial in evaluating the significance of a breach.</ref> </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>That said, controllers must objectively consider the likelihood<ref>It is important to emphasise that only the likelihood of a risk is required to trigger the notification obligation. Thus, controllers do not need to be certain that a breach has occurred before taking further steps to comply with Article 33 GDPR.</ref> and severity of the impact of the breach on rights and freedoms by taking into account the following: (i) type of breach;<ref>For instance, a breach of confidentiality in which unauthorized parties gain access to medical information may have different consequences for an individual compared to a breach where an individual's medical details have been lost and are no longer accessible.</ref> (ii) nature, sensitivity, and volume of personal data;<ref>Typically, the level of risk to individuals affected increases with the sensitivity of the data involved. Breaches that involve health data, identity documents, or financial information like credit card details have the potential to cause harm individually. However, when these types of data are used together, they can increase the risk of identity theft. The combination of multiple personal data elements is generally more sensitive and poses a greater risk than a single piece of personal data. However, it is important to consider other personal data that may already be accessible about the data subject. For instance, the disclosure of an individual's name and address under normal circumstances is unlikely to result in significant harm. However, if the name and address of an adoptive parent are disclosed to a birth parent, the consequences could be extremely severe for both the adoptive parent and the child.</ref> (iii) how easily individuals can be identified;<ref>The breached data can potentially enable direct or indirect identification, although the likelihood may vary depending on the specific circumstances of the breach and the public availability of related personal information. This aspect becomes particularly significant in the context of breaches affecting confidentiality and availability of data.</ref> (iv) how serious the consequences of the breach are to individuals;<ref>When breaches involve certain categories of personal data, the potential harm to individuals can be particularly severe. This is especially true when the breach has the potential to lead to identity theft or fraud, physical harm, psychological distress, humiliation, or damage to reputation. Additionally, if the breached data pertains to vulnerable individuals, they may be at an even greater risk of experiencing harm.</ref> (v) whether individuals affected are particularly vulnerable; (vi) whether the controller has a particular role that may entail a higher risk;<ref>To illustrate, let's consider the scenario where a medical organization processes special categories of personal data. In such cases, if there is a breach of this sensitive information, the potential harm to individuals can be significantly higher compared to a breach involving a mailing list of a newspaper. 
The nature of the data being processed plays a crucial role in assessing the potential risks and consequences associated with a breach.</ref> and (vii) the size of the breach in terms of numbers of individuals affected.<ref>The impact of a breach can vary depending on the number of individuals affected, ranging from just a few to potentially thousands or more. While it is generally true that a larger number of affected individuals can lead to a greater overall impact, it is important to recognize that even a breach affecting a single individual can have severe consequences. The extent of the impact depends on factors such as the nature of the compromised personal data and the specific circumstances surrounding the breach. Assessing the likelihood and severity of the impact on those affected is crucial in evaluating the significance of a breach.</ref> </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>On all the above, see EDPB, Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, pp. 24-26 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under_en here]). <blockquote></div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">Hence, when assessing the risk associated with a breach, the controller must consider both the potential severity of the impact on individuals' rights and freedoms and the likelihood of such impacts occurring. It is crucial to evaluate these factors together to determine the overall risk level. If the consequences of a breach are particularly severe, the risk level increases. Likewise, if the likelihood of those consequences happening is higher, the risk level is also elevated. In cases where there is uncertainty or doubt, it is recommended that the controller errs on the side of caution and proceeds with notification. Annex B of the Guidelines on data breach provides valuable examples of different breach scenarios that entail risks or high risks to individuals.<ref></ins>On all the above, see EDPB, Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, pp. 24-26 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under_en here]).<ins style="font-weight: bold; text-decoration: none;"></ref> </ins> <blockquote></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><u>EDPB</u>: A breach that would not require notification to the supervisory authority would be the loss of a securely encrypted mobile device, utilised by the controller and its staff. Provided the encryption key remains within the secure possession of the controller and this is not the sole copy of the personal data then the personal data would be inaccessible to an attacker. This means the breach is unlikely to result in a risk to the rights and freedoms of the data subjects in question. If it later becomes evident that the encryption key was compromised or that the encryption software or algorithm is vulnerable, then the risk to the rights and freedoms of natural persons will change and thus notification may now be required.<ref>EDPB, Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, p. 19 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under_en here]).</ref> </blockquote></div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><u>EDPB</u>: A breach that would not require notification to the supervisory authority would be the loss of a securely encrypted mobile device, utilised by the controller and its staff. Provided the encryption key remains within the secure possession of the controller and this is not the sole copy of the personal data then the personal data would be inaccessible to an attacker. 
This means the breach is unlikely to result in a risk to the rights and freedoms of the data subjects in question. If it later becomes evident that the encryption key was compromised or that the encryption software or algorithm is vulnerable, then the risk to the rights and freedoms of natural persons will change and thus notification may now be required.<ref>EDPB, Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, p. 19 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under_en here]).</ref> </blockquote></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== (2) Processor's notification in the event of a personal data breach ===</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== (2) Processor's notification in the event of a personal data breach ===</div></td></tr>
</table>SR
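Review bot: the new paragraph moves the citation sentence "On all the above, see EDPB, Guidelines 9/2022 ... pp. 24-26" into a <ref> footnote attached to the end of the inserted text, so "On all the above" no longer has a clear antecedent: as a footnote it now reads as a cite for the severity-and-likelihood paragraph rather than for the seven factors listed before it. Either keep that sentence as body text after the factor list or reword the footnote to a plain cite ("See EDPB, Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, pp. 24-26"). The sentence pointing to "Annex B of the Guidelines on data breach" also has no pinpoint cite and uses a short title that does not match the full title in the footnote; a cite to the Annex B pages in the same Guidelines 9/2022 would let readers find the breach scenarios the paragraph relies on.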