Article 34 GDPR: Difference between revisions

← Article 34 - Communication of a personal data breach to the data subject →
Chapter 1: General provisions Article 1: Subject-matter and objectives Article 2: Material scope Article 3: Territorial scope Article 4: Definitions Chapter 2: Principles Article 5: Principles relating to processing of personal data Article 6: Lawfulness of processing Article 7: Conditions for consent Article 8: Conditions applicable to child’s consent in relation to information society services Article 9: Processing of special categories of personal data Article 10: Processing of personal data relating to criminal convictions and offences Article 11: Processing which does not require identification Chapter 3: Rights of the data subject Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject Article 13: Information to be provided where personal data are collected from the data subject Article 14: Information to be provided where personal data have not been obtained from the data subject Article 15: Right of access by the data subject Article 16: Right to rectification Article 17: Right to erasure (‘right to be forgotten’) Article 18: Right to restriction of processing Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing Article 20: Right to data portability Article 21: Right to object Article 22: Automated individual decision-making, including profiling Article 23: Restrictions Chapter 4: Controller and processor Article 24: Responsibility of the controller Article 25: Data protection by design and by default Article 26: Joint controllers Article 27: Representatives of controllers or processors not established in the Union Article 28: Processor Article 29: Processing under the authority of the controller or processor Article 30: Records of processing activities Article 31: Cooperation with the supervisory authority Article 32: Security of processing Article 33: Notification of a personal data breach to the supervisory authority Article 34: Communication of a personal data breach to the data subject Article 35: Data protection impact assessment Article 36: Prior consultation Article 37: Designation of the data protection officer Article 38: Position of the data protection officer Article 39: Tasks of the data protection officer Article 40: Codes of conduct Article 41: Monitoring of approved codes of conduct Article 42: Certification Article 43: Certification bodies Chapter 5: Transfers of personal data Article 44: General principle for transfers Article 45: Transfers on the basis of an adequacy decision Article 46: Transfers subject to appropriate safeguards Article 47: Binding corporate rules Article 48: Transfers or disclosures not authorised by Union law Article 49: Derogations for specific situations Article 50: International cooperation for the protection of personal data Chapter 6: Supervisory authorities Article 51: Supervisory authority Article 52: Independence Article 53: General conditions for the members of the supervisory authority Article 54: Rules on the establishment of the supervisory authority Article 55: Competence Article 56: Competence of the lead supervisory authority Article 57: Tasks Article 58: Powers Article 59: Activity reports Chapter 7: Cooperation and consistency Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned Article 61: Mutual assistance Article 62: Joint operations of supervisory authorities Article 63: Consistency mechanism Article 64: Opinion of the Board Article 65: Dispute resolution by the Board Article 66: Urgency procedure Article 67: Exchange of information Article 68: European Data Protection Board Article 69: Independence Article 70: Tasks of the Board Article 71: Reports Article 72: Procedure Article 73: Chair Article 74: Tasks of the Chair Article 75: Secretariat Article 76: Confidentiality Chapter 8: Remedies, liability and penalties Article 77: Right to lodge a complaint with a supervisory authority Article 78: Right to an effective judicial remedy against a supervisory authority Article 79: Right to an effective judicial remedy against a controller or processor Article 80: Representation of data subjects Article 81: Suspension of proceedings Article 82: Right to compensation and liability Article 83: General conditions for imposing administrative fines Article 84: Penalties Chapter 9: Specific processing situations Article 85: Processing and freedom of expression and information Article 86: Processing and public access to official documents Article 87: Processing of the national identification number Article 88: Processing in the context of employment Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes Article 90: Obligations of secrecy Article 91: Existing data protection rules of churches and religious associations Chapter 10: Delegated and implementing acts Article 92: Exercise of the delegation Article 93: Committee procedure Chapter 11: Final provisions Article 94: Repeal of Directive 95: /46: /EC Article 95: Relationship with Directive 20: 02: /58: /EC Article 96: Relationship with previously concluded Agreements Article 97: Commission reports Article 98: Review of other Union legal acts on data protection Article 99: Entry into force and application

Legal Text

1. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

2. The communication to the data subject referred to in paragraph 1 of this Article shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in points (b), (c) and (d) of Article 33(3).

3. The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met:

(a) the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;

(b) the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise;

(c) it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

4. If the controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to in paragraph 3 are met.

Relevant Recitals

You can help us fill this section!

Commentary

Overview

Article 34 GDPR relates to the obligation imposed on the data controller to inform an affected data subject of a data breach which is likely to result in a high risk to the rights and freedoms of natural persons. Whilst it is very similar to Article 33 on notification of a data breach to the relevant supervisory authority, it differs in many aspects. It is important to note that the obligation to notify the data subject remains independent from any obligation to notify the relevant supervisory authority under Article 33.[1]

As with Article 33, there was no equivalent to Article 34 in the Data Protection Directive 95/46/EC. Again, Article 17 Directive is the only related article, requiring the data controller to take adequate measures to protect personal data from breaches.[2]

Member State law

First, it is important to highlight that, according to Article 23 GDPR, Union or Member State law may restrict the obligations and rights outlined in Article 34 GDPR. As a result several Member States have adopted their own rules on communicating a breach to the affected data subject.[3] The commentary on Article 23 is available for further guidance on conditions for restricting the scope of obligations and rights.

Additionally, Recital 86 provides that the obligation imposed on the data controller to communicate the breach to the data subject may be affected by the guidance of a Member State’s law-enforcement authority. Recital 88 goes on to mention that rules and procedures on notification should “take into account the legitimate interest of law enforcement authorities” so as to ensure that disclosure does not hinder any ongoing investigation of the data breach.

However, it should be noted that Recital 88 refers to “notification” and not “communication”. Other authors, such as Burton, do not make this distinction: they presume that Recital 88 applies just as much to Article 34 as it does to Article 33.[4] Nonetheless, it is argued here that the lack of mention of “communication” should not be overlooked. Instead, Recital 88’s wording (or lack thereof) suggests that it is only relevant to Article 33 GDPR (“Notification...”) and not Article 34 (“Communication...”).

“Personal data breach”

“Personal data breach” should be defined from the outset, before establishing the point at which a data controller has a duty to notify the competent supervisory authority of such a breach. On this point, see Article 33 section 4.1.

Obligation for the data controller to communicate the breach to the data subject.

Article 34(1) makes it clear that not all breaches must be communicated to the data subject. However, it is apparent from the wording of Article 34(1)[5] that there is an obligation imposed on the data controller to communicate the personal data breach to the affected individual.

Condition of a “high risk”.

Article 34(1) differs from Article 33 GDPR. Instead of having to notify the supervisor authority of a breach that leads to any kind of risk to the data subject, the data controller only has the obligation to communicate a breach to the data subject where it may lead to a “high risk to the rights and freedoms of natural persons”.

Therefore, the threshold for communicating the breach to the data subject concerned is higher than in Article 33. Some seem to label this choice as reasonable: a higher threshold was deemed necessary to avoid “fatigue” amongst data subjects as would be the case if individuals concerned were warned for every breach of the GDPR.[6]

The data controller will have to assess the level of risk which may ensue to the data subject as a result of the breach. According to the Guidelines, a high risk resulting from the data breach is assessed on the basis of the circumstances at stake. As with Article 33, this is an objective assessment conducted on the basis of the likelihood and severity of a negative impact on the rights and freedoms of natural persons.[7] Examples include, amongst others:

-       the effects of a cyberattack on an online marketplace where usernames, passwords and purchase history are made public;

-       the effect of medical records in a hospital made inaccessible due to a cyberattack; or

-       the effect of personal data being mistakenly sent to a wrong mailing list (with over a thousand recipients).[8]

Bensoussan, however, correctly suggests that the enforcement of Article 34 is likely to be difficult as the data controller is the entity making the assessment of the level of the risk.[9]

Without undue delay.

Another condition outlined under Article 34(1) GDPR is that the data controller must notify the data subject of a data breach “without undue delay”. The WP29 Guidelines interpret this as “as soon as possible”[10] or “as soon as reasonably feasible” according to Recital 86. However, Article 34 does not provide a specific time condition of 72 hours as is the case in Article 33.

Instead, timeliness will be assessed depending on the nature and gravity of the breach itself, as well as the level of (high) risk to natural persons.[11] This is apparent from Recital 86 which provides an example of a scenario where the timeliness condition will be different: “the need to mitigate an immediate risk of damage would call for prompt communication with data subjects whereas the need to implement appropriate measures against continuing or similar personal data breaches may justify more time for communication.” Similarly, Recital 88 indicates that communication to the data subject may be delayed to preserve the integrity of an investigation (by a law-enforcement authority) into the circumstances of the breach.

In this context, it is important to note that as there is not specific time condition of 72 hours, the question of when this time limit formally begins does not arise.[12]

Communication to the data subject.  

In addition to general details on the obligation to communicate to the data subject, Article 34(2) provides further specifications as to how this must be achieved.

Language to be used.

Article 34(2) provides an indication of how the data controller must communicate such a high risk breach to the data subject. It is outlined that the data controller must use “clear and plain language” when explaining the nature of the breach to the data subject.

However, it is worth noting that the requirement of using “clear and plain language” does not seem to apply to the remainder of the sentence in Article 34(2). As such, there is no specification as to the type of language to be used when outlining other “information and measures” that must also be provided to the data subject.[13]

Details to communicate.

Article 34(2) stipulates that the information that must be communicated to the data subject, in addition to a clear description of the “nature” of the breach, is outlined in Article 33(3), points (b), (c) and (d). The data controller must therefore:

-      “(b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;”

-      “(c) describe the likely consequences of the personal data breach;”

-       “(d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.”[14]

This list of information to be provided to the data subject is non-exhaustive as indicated by the phrase “at least” found under Article 34(2). Recital 86 outlines that the data controller “should” provide “recommendations for the natural person concerned to mitigate potential adverse effects”. It is expected, according to that Recital, that the information given to the data subject would enable him or her to take any “necessary precautions”. As such, these could be included as additional information to be given by the data controller although not stipulated outright under Article 33(3)(b)-(d).

The information that must be given to the data subject following a high risk breach must enable that data subject to take any steps to protect themselves.[15] This position adopted by the WP29 is supported by the text in Recital 86: “The controller should communicate to the data subject a personal data breach … in order to allow him or her to take the necessary precautions”. Therefore, Article 34 attempts to empower the data subject even in the event of a personal data breach that affects them.

Method of communicating.

Article 34 should be understood as requiring the data controller to communicate the data breach to the data subject directly.[16] According to the WP29 Guidelines, such “dedicated messages” must be clear and transparent. WP29 provides examples of ways in which data controllers can communicate transparently:

-       Direct messaging such as email, SMS or direct message; or

-       Website banner with draws the user’s attention; or

-       Communication via post; or

-       Print media.

The data controller may decide to rely on multiple communication methods depending on the gravity of the breach. Additionally, it may be necessary to make the communication available in a language relevant to the affected data subject. This language can be determined on the basis of previous communication between the data controller and the data subject or, where this is not applicable, according to the national language where the data subject resides.[17]

The requirement of transparency makes it clear that a communication of the breach should not be hidden within a regular or obscure communication channel. Such regular or obscure communication channels could include a newsletter or standard message or a corporate blog.[18]

Exemptions from the obligation to communicate to the data subject.

Article 34(3) provides a list of conditions which would exempt the data controller from its obligation to communicate the breach to the data subject concerned. The three exhaustive circumstances are as follows:

-      the data controller is not required to communicate a breach where it has “appropriate technical and organisational protection measures” in place. Such measures must be employed on the data concerned by the breach and make such personal data unintelligible to non-authorised persons. This includes, for example, measures taken to encrypt[19] the data (Article 34(3)(a)).

-      communicating the breach to the concerned data subject is not required where the controller takes “subsequent measures” that diminish the likelihood that a high risk to the rights and freedoms of the person concerned materialises (Article 34(3)(b)). According to the WP29 Guidelines, “subsequent” measures should be interpreted as immediate measures.[20]

-      the data controller is not required to communicate the breach to the affected data subject where this would demand a disproportionate effort from the controller. Article 34(3)(c) specifies that in such cases, a public communication to inform the data subjects is sufficient. The WP29 suggests that “technical arrangements” be taken to ensure that the data subject can have access to further information on demand.[21] 

According to Burton, the burden of proof falls on the data controller to demonstrate that any of the abovementionned conditions apply to exempt them from the requirement of communicating the breach to the affected data subject.[22]

Implications for a data processor.

There is no specific obligation imposed on a data processor in relation to communication of the breach to the data subject. In compliance with Article 33(2), the data processor will have to notify the data controller “without undue delay” where they identify a personal data breach.[23] However, any additional obligation to notify the data subject of a “high risk” to their rights and freedoms only falls upon the data controller.

Nonetheless, Article 28(3) GDPR helps to understand the role of a data processor in relation to the data controller. Services provided to a data controller by a data processor must be “governed by a contract or other legal act […]” according to Article 28(3). In addition, Article 28(3)(f) GDPR specifically requires that this contract or legal act stipulate that the data processor “shall” support the data controller in ensuring compliance with obligations found under Article 32 to 36 GDPR.

Therefore, a contract between the data controller and processor can specify how the processor can support the data controller in respecting the latter’s obligation to communicate the breach as per Article 34.

Involvement of the supervisory authority.

As mentioned previously, the threshold of risk to trigger Article 34 is higher than in Article 33. It is possible to deduce from this condition that wherever the controller has the obligation to communicate the data breach to the data subject under Article 34, the data controller will also have notified the relevant supervisory authority in accordance with Article 33(1).[24] Therefore, as the supervisory authority will be aware of the data breach, it can also be involved in the data controller’s procedure for communicating the breach to affected data subjects as required under Article 34(1).

Accordingly, Article 34(4) suggests that the supervisory authority can play a determinative role in indicating that there is a “high risk” to the rights and freedoms of natural persons. As specifically outlined in this paragraph, the notified[25] supervisory authority can instruct the data controller to communicate the breach to the affected data subjects. The supervisory authority can also decide whether any of the Article 34(3) exceptions are met, exempting the data controller from its obligation to communicate the personal data breach to affected individuals. Finally, involvement of the supervisory authority can include providing advice to the data controller. This advice can relate to the assessment of the risk to the data subjects. For example, the French data protection authority (CNIL) provides a tool to help data controllers assess the gravity of personal data breaches.[26] The relevant supervisory authority can also provide advice on the method of communicating the breach to the data subject, such as how to identify an adequate channel to communicate to the data subject, the language to communicate in and/or what kind of message to send.[27]

[1] Cedric Burton, “Article 34. Communication of a personal data breach to the data subject” in Christopher Kuner, Lee A. Bygrave, Christopher Docksey, and and Laura Dreachsler (eds), The EU General Data Protection Regulation (GDPR) – A Commentary (Oxford University Press 2020) 656.

[2] Ibid 656.

[3] For example, Belgium, France, Austria, Ireland, Luxembourg and the UK have specificities such as online forms, information notes and/or codes of practices. See ibid 658.

[4] See Burton (n1) 662.

[5] The data controller “shall” communicate.

[6] Alain Bensoussan, Reglement europeen sur la protection des donnees (2^nd edn, Bruylant 2017) 255.

[7] WP29 (n5) 8.

[8] See Annex B, WP29 (n5).

[9] Bensoussan (n9) 255.

[10] WP29 (n5) 20.

[11] See Recital 87.

[12] See Article 33 for a discussion on the moment where a data controller becomes “aware” of a data breach, triggering

[13] See section below for further detail on what must be communicated.

[14] The WP29 Guidelines provide examples of measures that can be taken to address the breach of mitigate the adverse effects. These notably include, letting the data subject know that it has received advice from the relevant supervisory authority. See WP29 (n5) 20.

[15] Ibid 20.

[16] Ibid 21.

[17] Ibid 21.

[18] Ibid 21.

[19] Encryption must be “state-of-the-art”. See ibid 22.

[20] Ibid 22.

[21] Ibid 22.

[22] Burton (n1) 659.

[23] See Commentary on Article 33.

[24] As notifying the relevant supervisory is an obligation under Article 33 GDPR wherever there is a “risk” rather than just a “high risk”.

[25] In accordance with Article 33 GDPR.

[26] Bensoussan (n9) 255.

[27] WP29 (n5) 21.

Decisions

→ You can find all related decisions in Category:Article 34 GDPR

References