Article 34 GDPR: Difference between revisions

From GDPRhub
 


==Legal Text==
<br /><center>'''Article 34 - Communication of a personal data breach to the data subject'''</center>


<span id="1">1.  When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.</span>


==Relevant Recitals==
{{Recital/87 GDPR}}
{{Recital/88 GDPR}}


==Commentary==
Article 34, paragraph 1, GDPR imposes a new<ref>As with that provision, there was no equivalent to Article 34 GDPR in the Data Protection Directive 95/46/EC. Additionally, Article 17 thereof was the only comparable provision, requiring controllers to take adequate measures to protect personal data from breaches.  ''Burton'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 34 GDPR, p. 656 (Oxford University Press 2020).</ref> obligation on the controller to inform affected data subjects of a data breach which is likely to result in a high risk to the rights and freedoms of natural persons.<ref>This obligation to notify data subjects exists independently from any obligation to notify the relevant supervisory authority under [[Article 33 GDPR]].</ref> Paragraph 2 describes the linguistic requirements the information should have ("''clear and plain language''"), its purpose (describing the nature of the breach) and minimum content (contact points, consequences, actions taken or otherwise planned). Paragraph 3 rules out the information obligation under specific circumstances, for example where the controller has implemented appropriate technical and organisational measures to exclude any harm. Finally, paragraph 4 describes the powers of the supervisory authority which may force the controller to inform the data subjects or, alternatively, exempt it from such action if one of the requirements stated in paragraph 3 is met.
=== (1) Communication of a personal data breach to the data subject ===
Under Article 34(1) GDPR, the controller, without undue delay, communicates the personal data breach to data subjects when it is likely to result in a high risk to the rights and freedoms of natural persons.<ref>Hence, not all breaches must be communicated.</ref> This provision carries both theoretical and practical importance. On one hand, it acknowledges the individual's subjective right to be informed about the security of their personal data. On the other hand, it enables data subjects to make strategic choices to safeguard their personal sphere. For example, they may choose to close their account with the data controller due to inadequate security measures or block their credit card if it has been compromised in the breach.


==== Overview ====
==== When the personal data breach ====
Article 34 GDPR relates to the obligation imposed on the data controller to inform an affected data subject of a data breach which is likely to result in a high risk to the rights and freedoms of natural persons. Whilst it is very similar to Article 33 on notification of a data breach to the relevant supervisory authority, it differs in many aspects. It is important to note that the obligation to notify the data subject remains independent from any obligation to notify the relevant supervisory authority under Article 33.[[Article 34 GDPR#%20ftn1|[1]]]  
“''Personal data breach''” should be defined from the outset, before establishing the point at which a controller has a duty to notify the competent supervisory authority of such a breach.<ref>On this point, see [[Article 33 GDPR]].</ref>


As with Article 33, there was no equivalent to Article 34 in the Data Protection Directive 95/46/EC. Again, Article 17 Directive is the only related article, requiring the data controller to take adequate measures to protect personal data from breaches.[[Article 34 GDPR#%20ftn2|[2]]]
==== Is likely to result in a high risk to the rights and freedoms of natural persons ====
Article 34(1) GDPR differs from [[Article 33 GDPR]]. Instead of having to notify the supervisory authority of a breach that leads to any kind of risk to data subjects, the controller only has the obligation to communicate a breach to them where it may lead to a “''high'' ''risk to the rights and freedoms of natural persons''”. The threshold for communicating the breach to data subjects concerned is therefore higher than in Article 33 GDPR. This choice has been argued to be reasonable, both from the perspective of the controller and the data subject. On the one hand, no absolute and cumbersome report obligation is imposed on the controller, unless circumstances are particularly serious. On the other hand, this higher threshold was deemed necessary to prevent data subjects from suffering “''fatigue''” caused by the receipt of warnings for every breach of the GDPR.<ref>''Bensoussan'', Reglement europeen sur la protection des donnees, p. 255. (Bruylant 2017).</ref> The controller therefore has to assess the level of risk which may ensue to data subjects as a result of a breach. According to the EDPB, whether a data breach creates a "''high risk''" should be assessed in light of the specific circumstances in each case. As with [[Article 33 GDPR]], this is an objective assessment conducted on the basis of the likelihood and severity of a negative impact on the rights and freedoms of natural persons. Examples of "''high risk''" situations include, ''inter alia'', a cyberattack on an online marketplace where usernames, passwords and purchase history are made public; a cyberattack on a hospital resulting in medical records being made inaccessible; or where personal data was mistakenly sent to a wrong mailing list (with over a thousand recipients).<ref>EDPB, Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, pp. 31 ff. (''Annex B'') (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under_en here]).</ref> However, Bensoussan correctly suggests that the enforcement of Article 34 GDPR is likely to be difficult as the controller is the entity making the assessment of the level of the risk.<ref>''Bensoussan'', Reglement europeen sur la protection des donnees, p. 255. (Bruylant 2017).</ref>


==== Member State law ====
==== The controller ====
First, it is important to highlight that, according to Article 23 GDPR, Union or Member State law may restrict the obligations and rights outlined in Article 34 GDPR. As a result several Member States have adopted their own rules on communicating a breach to the affected data subject.[[Article 34 GDPR#%20ftn3|[3]]] The commentary on Article 23 is available for further guidance on conditions for restricting the scope of obligations and rights.  
The reporting obligation outlined in paragraph 1 applies to the data controller, encompassing both natural persons and public or non-public entities as defined in Article 4(7). In cases where multiple controllers jointly determine the purposes and means of processing as defined in Article 26 of the GDPR, each controller is responsible for reporting their own data breaches as well as those of the other controller(s). However, it is possible for the controllers to establish a different arrangement regarding the reporting obligations through an agreement on joint responsibility as required under Article 26(1) of the GDPR.


Additionally, Recital 86 provides that the obligation imposed on the data controller to communicate the breach to the data subject may be affected by the guidance of a Member State’s law-enforcement authority. Recital 88 goes on to mention that rules and procedures on notification should “''take into account the legitimate interest of law enforcement authorities''” so as to ensure that disclosure does not hinder any ongoing investigation of the data breach.  
===== Implications for a data processor =====
There are no specific obligations imposed on processors relating to the communication of the breach to data subjects. Under [[Article 33 GDPR|Article 33(2) GDPR]], processors have to notify controllers “''without undue delay''” where they identify a personal data breach.<ref>See Commentary on [https://gdprhub.eu/Article%2033%20GDPR Article 33 GDPR].</ref> However, any additional obligation to notify data subjects of a “''high risk''” to their rights and freedoms only falls upon the controller. [[Article 28 GDPR|Article 28(3) GDPR]] nonetheless explains the role of processors in such situations. According to the provision, services provided to a controller by a processor must be “''governed by a contract or other legal act''”. In addition, [[Article 28 GDPR|Article 28(3)(f) GDPR]] specifically requires that this contract or legal act stipulates that the processor “''shall''” support the controller in ensuring compliance with obligations found under [[Article 32 GDPR|Article 32 to 36 GDPR]]. Thus, a contract between these parties can specify how the processor can support the controller in respecting the latter’s obligation to communicate the breach as per Article 34 GDPR.  


However, it should be noted that Recital 88 refers to “''notification''” and not “''communication''”. Other authors, such as Burton, do not make this distinction: they presume that Recital 88 applies just as much to Article 34 as it does to Article 33.[[Article 34 GDPR#%20ftn4|[4]]] Nonetheless, it is argued here that the lack of mention of “''communication''” should not be overlooked. Instead, Recital 88’s wording (or lack thereof) suggests that it is only relevant to Article 33 GDPR (“''Notification''...”) and not Article 34 (“''Communication''...”).
==== Shall communicate the breach to the data subject ====
The affected data subjects should be directly notified of the relevant breach. When communicating a breach to data subjects, dedicated messages should be utilized, separate from regular updates, newsletters, or standard messages. This approach ensures clear and transparent communication of the breach. Transparent communication methods include direct messaging via email, SMS, or direct message, prominently displayed website banners or notifications, postal communications, and prominent advertisements in print media. It should be noted that issuing a notification solely through a press release or corporate blog would not effectively communicate the breach to individuals. Controllers are in the best position to determine the most suitable contact channel for communicating a breach to individuals, especially if they have regular interactions with their customers. However, it is crucial for controllers to exercise caution when selecting a contact channel, as using a channel compromised by the breach could potentially enable attackers to impersonate the controller.<ref>Controllers might therefore "''wish to contact and consult the supervisory authority not only to seek advice about informing data subjects about a breach in accordance with Article 34, but also on the appropriate messages to be sent to, and the most appropriate way to contact, individuals''." See, EDPB, Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, p. 21 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under_en here]).</ref>


=== “Personal data breach” ===
==== Without undue delay ====
“''Personal data breach''” should be defined from the outset, before establishing the point at which a data controller has a duty to notify the competent supervisory authority of such a breach. On this point, see Article 33 section 4.1.
Another requirement established by Article 34(1) GDPR is that controllers must notify data subjects of a data breach “''without undue delay''” - in other words, given the likelihood of high risks for the data subject (see above), “''as soon as possible''”<ref>EDPB, Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, p. 20 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under_en here]).</ref> or “''as soon as reasonably feasible''” (within the meaning of Recital 86 GDPR). However, Article 34 GDPR does not provide a specific deadline of 72 hours as is the case in [[Article 33 GDPR]]. Instead, timelines will be assessed depending on the nature and gravity of the breach itself, as well as the level of risk to natural persons.<ref>See Recital 85.</ref> This is apparent from Recital 86 GDPR, which provides an example of a scenario where the timeliness condition will be different: “''the need to mitigate an immediate risk of damage would call for prompt communication with data subjects whereas the need to implement appropriate measures against continuing or similar personal data breaches may justify more time for communication.''” Similarly, Recital 88 GDPR indicates that communication to data subjects may be delayed to preserve the integrity of an investigation led by a law-enforcement authority into the circumstances of the breach.


==== Obligation for the data controller to communicate the breach to the data subject. ====
=== (2) Minimal requirements of the controller's communication to the data subject===
Article 34(1) makes it clear that not all breaches must be communicated to the data subject. However, it is apparent from the wording of Article 34(1)[[Article 34 GDPR#%20ftn5|[5]]] that there is an obligation imposed on the data controller to communicate the personal data breach to the affected individual.
The communication to the data subjects must enable them to take any steps to protect themselves<ref>Recital 86 GDPR: “''The controller should communicate to the data subject a personal data breach … in order to allow him or her to take the necessary precautions''”.</ref> and must contain a description in "''clear and plain language''" of the (a) “''nature''” of the breach<ref>Under Article 34(2) GDPR, controllers must use “''clear and plain language''” when explaining the "''nature''" of the breach to data subjects. At first look, this requirement does not seem to apply to the other elements included in the communication (contact points, consequences, actions taken or otherwise planned). Such a conclusion must be rejected. First, it would not make much sense to explain the "''nature''" of the breach in "''clear and plain language''" and then rely on obscure and cryptic wording for describing, say, the mitigating measures taken or planned. Second, Article 12(1) GDPR expressly requires "''concise, transparent, intelligible and easily accessible form'', [as well as] ''clear and plain language''" for all communications to the data subject, including those foreseen in Article 34 GDPR. Hence, all the elements included in the communication must be expressed in clear and plain language, taking into account the other requirements set forth in Article 12 GDPR. ''Dix'' in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 34 GDPR, margin numbers 8-9 (C.H. Beck 2019).</ref> as well as the other elements outlined in [[Article 33 GDPR|Article 33(3)(b)-(d) GDPR]]. Namely, (b) the name and contact details of the data protection officer or other contact point where more information can be obtained; (c) the likely consequences of the data breach; and (d) the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.


==== Condition of a “high risk”. ====
==== (a) Nature of the personal data breach ====
Article 34(1) differs from Article 33 GDPR. Instead of having to notify the supervisory authority of a breach that leads to '''any kind of risk''' to the data subject, the data controller only has the obligation to communicate a breach to the data subject where it may lead to a “'''''high''''' ''risk to the rights and freedoms of natural persons''”.
The communication must describe the type of data breach that occurred.<ref>To this extent, the EDPB outlines three distinct categories of personal data breaches. These include a “''confidentiality breach''”, where there is an unauthorised or accidental disclosure of, or access to, personal data; an “''integrity breach''”, where there is an unauthorised or accidental alteration of personal data; or an “''availability breach''”, where there is an accidental or unauthorised loss of access to, or destruction of, personal data. This is, in essence, the "''nature''" of the personal data breach. See commentary under Article 33(3)(a) GDPR.</ref> It is interesting to note a distinction in relation to Article 33(3)(a) GDPR. That provision requires the controller, in addition to describing the nature of the breach, to provide the SA with further details including the categories of data subjects, records involved, as well as their respective numbers. These additional elements are not required in the communication to the data subjects under Article 34(2) GDPR. This is a reasonable choice since, generally, data subjects do not need to know these specific details in order to make informed decisions regarding the breach.<ref>''Jandt'', in Kühling, Buchner, DS-GVO BDSG, Article 34 GDPR, margin number 11 (C.H. Beck 2020, 3rd Edition).</ref>


Therefore, the threshold for communicating the breach to the data subject concerned is higher than in Article 33. Some seem to label this choice as reasonable: a higher threshold was deemed necessary to avoid “''fatigue''” amongst data subjects as would be the case if individuals concerned were warned for every breach of the GDPR.[[Article 34 GDPR#%20ftn6|[6]]]
==== (b) Point of contact ====
The communication must include the contact details of the data protection officer or other contact point where further information can be obtained. Alternatively, the controller may provide details of a “''point of contact''” capable of sharing further information should the supervisory authority require it. The urgent nature of the communication - considering that it is mandatory only in cases of "high risk" to the data subject - requires that the contact point can be easily and directly reached. Consequently, obstructive methods that, for example, require the requester to navigate complex online systems to establish contact are not permissible at this stage. In such cases, an email address seems more appropriate.


The data controller will have to assess the level of risk which may ensue to the data subject as a result of the breach. According to the Guidelines, a high risk resulting from the data breach is assessed on the basis of the circumstances at stake. As with Article 33, this is an objective assessment conducted on the basis of the likelihood and severity of a negative impact on the rights and freedoms of natural persons.[[Article 34 GDPR#%20ftn7|[7]]] Examples include, amongst others:
==== (c) Consequence of the breach ====
Generally, we refer to the comment made for Article 33(3)(c) of the GDPR. The communication shall use clear language and describe the likely consequences of the breach. The use of examples and accessible terminology allows the data subject to immediately understand the risks they are facing and the most appropriate actions to take.<blockquote><u>Example</u>: An e-commerce platform experiences a cyber attack resulting in the disclosure of user passwords on the web. The communication under Article 34 GDPR should explain to the user, in clear and plain language, that, due to the breach, it will be necessary to change their service password and ensure that the same value is not used to access other services. In such a case, the user should be advised to change those passwords as well to prevent further unauthorized access.</blockquote>


-       the effects of a cyberattack on an online marketplace where usernames, passwords and purchase history are made public;
==== (d) Measures taken or proposed ====
See comment under Article 33(3)(d) of the GDPR.


-       the effect of medical records in a hospital made inaccessible due to a cyberattack; or
==== Additional information ====
As indicated by the phrase “''at least''” found under Article 34(2) GDPR, this list of information to be provided to data subjects is non-exhaustive. Recital 86 GDPR outlines that the controller “''should''” provide “''recommendations for the natural person concerned to mitigate potential adverse effects''”. The information given to data subjects should therefore enable them to take any “''necessary precautions''”, which, although not directly mentioned by [[Article 33 GDPR|Article 33(3)(b)-(d) GDPR]], could be shared as additional information by the controller.


-       the effect of personal data being mistakenly sent to a wrong mailing list (with over a thousand recipients).[[Article 34 GDPR#%20ftn8|[8]]]
=== (3) Exemptions from the obligation to communicate to the data subject ===
Article 34(3) GDPR lists three exemptions from the controller’s obligation to communicate the breach to data subjects. As per the accountability principle, controllers are required to provide evidence to the supervisory authority to demonstrate their compliance with one or more of the specified conditions.<ref>In our translation: "''Data controllers will have to be able to demonstrate to DPAs that any of these conditions applies''". See, ''Burton'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 34 GDPR, p. 662 (Oxford University Press 2020).</ref> The EDPB also notes that, although the communication may not be immediately necessary (if there is no risk to the rights and freedoms of individuals), the situation may evolve over time, and the risk assessment would need to be reassessed accordingly.<ref>EDPB, Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, p. 22 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under_en here]).</ref>


Bensoussan, however, correctly suggests that the enforcement of Article 34 is likely to be difficult as the data controller is the entity making the assessment of the level of the risk.[[Article 34 GDPR#%20ftn9|[9]]]
==== (a) The controller has applied “''appropriate technical and organisational protection measures''”. ====
''Prior to the breach'', the controller had implemented suitable technical and organizational measures to safeguard personal data. In particular, these measures aim to make the personal data incomprehensible to unauthorized individuals. One effective approach is the use of advanced encryption techniques or tokenization to protect the personal data. These security measures ensure that even if the data is accessed unlawfully, it remains unintelligible and therefore protected.<ref>The encryption must be "state-of-the-art". See, EDPB, Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, p. 22 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under_en here]).</ref><blockquote><u>Example</u>: An unauthorised person got access to a device where highly sensitive personal data are stored. However, the content of the device is encrypted. Therefore, even if a data breach occurred theoretically entailing high risks for data subjects, the obligation under Article 34(1) is not triggered, as the unauthorised party will not be able to make use of the data obtained. </blockquote>


==== Without undue delay. ====
==== (b) The controller takes “''subsequent measures''” that diminish the likelihood of a high risk ====
Another condition outlined under Article 34(1) GDPR is that the data controller must notify the data subject of a data breach “''without undue delay''”. The WP29 Guidelines interpret this as “''as soon as possible''”[[Article 34 GDPR#%20ftn10|[10]]] or “''as soon as reasonably feasible''” according to Recital 86. However, Article 34 does not provide a specific time condition of 72 hours as is the case in Article 33.  
“''Subsequent''” measures should be interpreted as measures, adopted immediately following a breach, which are able to mitigate the likelihood of the high risk to individuals' rights and freedoms from materializing. For instance, in certain situations, the controller may have promptly identified and addressed the unauthorized access to personal data, preventing any further misuse. However, it is essential to consider the potential consequences of a breach of confidentiality, taking into account the nature of the data involved.<ref>EDPB, Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, p. 22 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under_en here]).</ref>


Instead, timeliness will be assessed depending on the nature and gravity of the breach itself, as well as the level of (high) risk to natural persons.[[Article 34 GDPR#%20ftn11|[11]]] This is apparent from Recital 86 which provides an example of a scenario where the timeliness condition will be different: “''the need to mitigate an immediate risk of damage would call for prompt communication with data subjects whereas the need to implement appropriate measures against continuing or similar personal data breaches may justify more time for communication.''” Similarly, Recital 88 indicates that communication to the data subject may be delayed to preserve the integrity of an investigation (by a law-enforcement authority) into the circumstances of the breach.  
In addition, it must be stressed that after a risk has actually materialised the controller can no longer invoke subsequent measures to avoid communication to the data subject. Even if subsequent measures could mitigate damages and reduce further risks, the controller is no longer in the position to evaluate what kind of negative consequences could stem from the original data breach. Therefore, a communication to the people concerned is the most effective way to prevent an even greater impact on their rights and freedoms.<ref>''Jandt'', in Kühling, Buchner, DS-GVO BDSG, Article 34 GDPR, margin number 15 (C.H. Beck 2020, 3rd Edition).</ref>


In this context, it is important to note that as there is no specific time condition of 72 hours, the question of when this time limit formally begins does not arise.[[Article 34 GDPR#%20ftn12|[12]]]
==== (c) The communication would demand a disproportionate effort from the controller. ====
Under Article 34(3)(c) GDPR, in cases where notifying the data subject would require a disproportionate effort, the controller is not obligated to inform the individual. The concept of "''disproportionate effort''" is not explicitly defined in the GDPR. However, it is understood that the effort involved in notifying data subjects relates to the scope of the breach, particularly the number of individuals affected. As the number of affected individuals increases, the communication process becomes more complex proportionally. Nevertheless, since this exception should be interpreted restrictively, the notion of disproportionate effort should be evaluated in relation to the size of the organization and the availability of technical tools for conducting notifications. In other words, a large-scale controller will be expected to allocate greater resources, including the adoption of electronic communication tools capable of handling the notification burden. In such cases, the effort required cannot be deemed "disproportionate".<ref>''Dix'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 34 GDPR, margin number 16 (C.H. Beck 2019).</ref> If the effort is in fact "''disproportionate''", an alternative obligation exists, namely the requirement to publicly disclose the breach, which should be equally effective in ensuring transparency and accountability. The EDPB suggests that “''technical arrangements''” could nonetheless be taken to ensure that data subjects can access further information upon request.<ref>EDPB, Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, p. 22 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under_en here]).</ref>


==== Communication to the data subject.  ====
==== Other exemptions ====
In addition to general details on the obligation to communicate to the data subject, Article 34(2) provides further specifications as to how this must be achieved.
It is important to highlight that according to [[Article 23 GDPR]], Union or Member State law may restrict the obligations and rights outlined in Article 34 GDPR. As a result, several Member States have adopted their own rules on communicating a breach to affected data subjects. Further, Recital 86 GDPR provides that the obligation imposed on controllers to communicate the breach to data subjects may be affected by the guidance of a Member State’s law-enforcement authority. Recital 88 GDPR goes on to mention that rules and procedures on notification should “''take into account the legitimate interest of law enforcement authorities''” to ensure that disclosure does not hinder any ongoing investigation of the data breach. However, it should be noted that Recital 88 GDPR refers to “''notification''” and not “''communication''”.
 
===== Language to be used. =====
Article 34(2) provides an indication of how the data controller must communicate such a high risk breach to the data subject. It is outlined that the data controller must use “''clear and plain language''” when explaining the '''nature''' of the breach to the data subject.
 
However, it is worth noting that the requirement of using “''clear and plain language''” does not seem to apply to the remainder of the sentence in Article 34(2). As such, there is no specification as to the type of language to be used when outlining other “''information and measures''” that must also be provided to the data subject.[[Article 34 GDPR#%20ftn13|[13]]]
 
===== Details to communicate. =====
Article 34(2) stipulates that the information that must be communicated to the data subject, in addition to a clear description of the “''nature''” of the breach, is outlined in Article 33(3), points (b), (c) and (d). The data controller must therefore:
 
-      ''“(b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;”''
 
-      ''“(c) describe the likely consequences of the personal data breach;”''
 
-       ''“(d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.”''[[Article 34 GDPR#%20ftn14|[14]]]
 
This list of information to be provided to the data subject is non-exhaustive as indicated by the phrase “''at least''” found under Article 34(2). Recital 86 outlines that the data controller ''“should''” provide “''recommendations for the natural person concerned to mitigate potential adverse effects''”. It is expected, according to that Recital, that the information given to the data subject would enable him or her to take any “''necessary precautions''”. As such, these could be included as additional information to be given by the data controller although not stipulated outright under Article 33(3)(b)-(d).
 
The information that must be given to the data subject following a high risk breach must enable that data subject to take any steps to protect themselves.[[Article 34 GDPR#%20ftn15|[15]]] This position adopted by the WP29 is supported by the text in Recital 86: “''The controller should communicate to the data subject a personal data breach … in order to allow him or her to '''take the necessary precautions'''''”. Therefore, Article 34 attempts to empower the data subject even in the event of a personal data breach that affects them.
 
===== Method of communicating. =====
Article 34 should be understood as requiring the data controller to communicate the data breach to the data subject directly.[[Article 34 GDPR#%20ftn16|[16]]] According to the WP29 Guidelines, such “''dedicated messages''” must be clear and transparent. WP29 provides examples of ways in which data controllers can communicate transparently:
 
-       Direct messaging such as email, SMS or direct message; or
 
-       Website banner which draws the user’s attention; or
 
-       Communication via post; or
 
-       Print media.
 
The data controller may decide to rely on multiple communication methods depending on the gravity of the breach. Additionally, it may be necessary to make the communication available in a language relevant to the affected data subject. This language can be determined on the basis of previous communication between the data controller and the data subject or, where this is not applicable, according to the national language where the data subject resides.[[Article 34 GDPR#%20ftn17|[17]]]
 
The requirement of transparency makes it clear that a communication of the breach should not be hidden within a regular or obscure communication channel. Such regular or obscure communication channels could include a newsletter or standard message or a corporate blog.[[Article 34 GDPR#%20ftn18|[18]]]
 
==== Exemptions from the obligation to communicate to the data subject. ====
Article 34(3) provides a list of conditions which would exempt the data controller from its obligation to communicate the breach to the data subject concerned. The three exhaustive circumstances are as follows:
 
-      the data controller is not required to communicate a breach where it has “''appropriate technical and organisational protection measures''” in place. Such measures must be employed on the data concerned by the breach and make such personal data unintelligible to non-authorised persons. This includes, for example, measures taken to encrypt[[Article 34 GDPR#%20ftn19|[19]]] the data (Article 34(3)(a)).
 
-      communicating the breach to the concerned data subject is not required where the controller takes “''subsequent measures''” that diminish the likelihood that a high risk to the rights and freedoms of the person concerned materialises (Article 34(3)(b)). According to the WP29 Guidelines, “''subsequent''” measures should be interpreted as immediate measures.[[Article 34 GDPR#%20ftn20|[20]]]
 
-      the data controller is not required to communicate the breach to the affected data subject where this would demand a disproportionate effort from the controller. Article 34(3)(c) specifies that in such cases, a public communication to inform the data subjects is sufficient. The WP29 suggests that “''technical arrangements''” be taken to ensure that the data subject can have access to further information on demand.[[Article 34 GDPR#%20ftn21|[21]]] 
 
According to Burton, the burden of proof falls on the data controller to demonstrate that any of the abovementioned conditions apply to exempt them from the requirement of communicating the breach to the affected data subject.[[Article 34 GDPR#%20ftn22|[22]]]
 
==== Implications for a data processor. ====
There is no specific obligation imposed on a data processor in relation to communication of the breach to the data subject. In compliance with Article 33(2), the data processor will have to notify the data controller “''without undue delay''” where they identify a personal data breach.[[Article 34 GDPR#%20ftn23|[23]]] However, any additional obligation to notify the data subject of a “''high risk''” to their rights and freedoms only falls upon the data controller.
 
Nonetheless, Article 28(3) GDPR helps to understand the role of a data processor in relation to the data controller. Services provided to a data controller by a data processor must be “''governed by a contract or other legal act'' […]” according to Article 28(3). In addition, Article 28(3)(f) GDPR specifically requires that this contract or legal act stipulate that the data processor “''shall''” support the data controller in ensuring compliance with obligations found under Article 32 to 36 GDPR.
 
Therefore, a contract between the data controller and processor can specify how the processor can support the data controller in respecting the latter’s obligation to communicate the breach as per Article 34.
 
==== Involvement of the supervisory authority. ====
As mentioned previously, the threshold of risk to trigger Article 34 is higher than in Article 33. It is possible to deduce from this condition that wherever the controller has the obligation to communicate the data breach to the data subject under Article 34, the data controller will also have notified the relevant supervisory authority in accordance with Article 33(1).[[Article 34 GDPR#%20ftn24|[24]]] Therefore, as the supervisory authority will be aware of the data breach, it can also be involved in the data controller’s procedure for communicating the breach to affected data subjects as required under Article 34(1).
 
Accordingly, Article 34(4) suggests that the supervisory authority can play a determinative role in indicating that there is a “''high risk''” to the rights and freedoms of natural persons. As specifically outlined in this paragraph, the notified[[Article 34 GDPR#%20ftn25|[25]]] supervisory authority can instruct the data controller to communicate the breach to the affected data subjects. The supervisory authority can also decide whether any of the Article 34(3) exceptions are met, exempting the data controller from its obligation to communicate the personal data breach to affected individuals.
Finally, involvement of the supervisory authority can include providing advice to the data controller. This advice can relate to the assessment of the risk to the data subjects. For example, the French data protection authority (CNIL) provides a tool to help data controllers assess the gravity of personal data breaches.[[Article 34 GDPR#%20ftn26|[26]]] The relevant supervisory authority can also provide advice on the method of communicating the breach to the data subject, such as how to identify an adequate channel to communicate to the data subject, the language to communicate in and/or what kind of message to send.[[Article 34 GDPR#%20ftn27|[27]]]
----
[[Article 34 GDPR#%20ftnref1|[1]]] Cedric Burton, “Article 34. Communication of a personal data breach to the data subject” in Christopher Kuner, Lee A. Bygrave, Christopher Docksey, and Laura Drechsler (eds), ''The EU General Data Protection Regulation (GDPR) – A Commentary'' (Oxford University Press 2020) 656.
 
[[Article 34 GDPR#%20ftnref2|[2]]] Ibid 656.
 
[[Article 34 GDPR#%20ftnref3|[3]]] For example, Belgium, France, Austria, Ireland, Luxembourg and the UK have specificities such as online forms, information notes and/or codes of practices. See ibid 658.
 
[[Article 34 GDPR#%20ftnref4|[4]]] See Burton (n1) 662.
 
[[Article 34 GDPR#%20ftnref5|[5]]] The data controller “'''''shall'''''” communicate.
 
[[Article 34 GDPR#%20ftnref6|[6]]] Alain Bensoussan, ''Reglement europeen sur la protection des donnees'' (2<sup>nd</sup> edn, Bruylant 2017) 255.
 
[[Article 34 GDPR#%20ftnref7|[7]]] WP29 (n5) 8.
 
[[Article 34 GDPR#%20ftnref8|[8]]] See Annex B, WP29 (n5).
 
[[Article 34 GDPR#%20ftnref9|[9]]] Bensoussan (n9) 255.
 
[[Article 34 GDPR#%20ftnref10|[10]]] WP29 (n5) 20.
 
[[Article 34 GDPR#%20ftnref11|[11]]] See Recital 87.
 
[[Article 34 GDPR#%20ftnref12|[12]]] See Article 33 for a discussion on the moment where a data controller becomes “''aware''” of a data breach, triggering
 
[[Article 34 GDPR#%20ftnref13|[13]]] See section below for further detail on what must be communicated.
 
[[Article 34 GDPR#%20ftnref14|[14]]] The WP29 Guidelines provide examples of measures that can be taken to address the breach or mitigate the adverse effects. These notably include letting the data subject know that it has received advice from the relevant supervisory authority. See WP29 (n5) 20.
 
[[Article 34 GDPR#%20ftnref15|[15]]] Ibid 20.
 
[[Article 34 GDPR#%20ftnref16|[16]]] Ibid 21.
 
[[Article 34 GDPR#%20ftnref17|[17]]] Ibid 21.
 
[[Article 34 GDPR#%20ftnref18|[18]]] Ibid 21.
 
[[Article 34 GDPR#%20ftnref19|[19]]] Encryption must be “state-of-the-art”. See ibid 22.
 
[[Article 34 GDPR#%20ftnref20|[20]]] Ibid 22.
 
[[Article 34 GDPR#%20ftnref21|[21]]] Ibid 22.
 
[[Article 34 GDPR#%20ftnref22|[22]]] Burton (n1) 659.
 
[[Article 34 GDPR#%20ftnref23|[23]]] See Commentary on Article 33.
 
[[Article 34 GDPR#%20ftnref24|[24]]] As notifying the relevant supervisory authority is an obligation under Article 33 GDPR wherever there is a “''risk''” rather than just a “''high risk''”.
 
[[Article 34 GDPR#%20ftnref25|[25]]] In accordance with Article 33 GDPR.
 
[[Article 34 GDPR#%20ftnref26|[26]]] Bensoussan (n9) 255.
 
[[Article 34 GDPR#%20ftnref27|[27]]] WP29 (n5) 21.


=== (4) Involvement of the supervisory authority ===
As mentioned previously, the threshold of risk to trigger Article 34 GDPR is higher than in [[Article 33 GDPR]]. It is possible to deduce from this condition that wherever controllers have an obligation to communicate a data breach to data subjects under Article 34 GDPR, they will already have notified the relevant supervisory authority in accordance with [[Article 33 GDPR|Article 33(1) GDPR]].<ref>Notifying the relevant supervisory authority is an obligation under Article 33 GDPR in cases of a “''risk''”, not just in cases of a “''high risk''”.</ref> Thus, since the supervisory authority should be aware of the data breach, it can also be involved in the controller’s procedure for communicating the breach to affected data subjects as required under Article 34(1) GDPR. Accordingly, Article 34(4) GDPR suggests that the SA can play a determinative role in indicating that there is a “''high risk''” to the rights and freedoms of natural persons. In such case, the authority can instruct the controller to communicate the breach to the affected data subjects. The supervisory authority can also decide whether any of the exemptions under Article 34(3) GDPR apply, relieving the controller from its obligation to communicate the personal data breach to affected individuals. Finally, the supervisory authority’s involvement can include the provision of advice to the controller. This advice can relate to the assessment of the risk to the data subjects. For example, the French DPA (CNIL) provides a tool to help controllers assess the gravity of personal data breaches.<ref>''Bensoussan'', Reglement europeen sur la protection des donnees, p. 255. (Bruylant 2017).</ref> The relevant supervisory authority can also provide advice on the method of communicating the breach to data subjects, such as how to identify an adequate channel to notify them, the language to communicate in, and what kind of message to send.<ref>EDPB, Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, p. 21 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under_en here]).</ref>
==Decisions==
→ You can find all related decisions in [[:Category:Article 34 GDPR]]

Latest revision as of 15:20, 16 June 2023

Article 34 - Communication of a personal data breach to the data subject

Legal Text


Article 34 - Communication of a personal data breach to the data subject

1. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

2. The communication to the data subject referred to in paragraph 1 of this Article shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in points (b), (c) and (d) of Article 33(3).

3. The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met:

(a) the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
(b) the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise;
(c) it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

4. If the controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to in paragraph 3 are met.

Relevant Recitals

Recital 87: Timing and Result of Notification
It should be ascertained whether all appropriate technological protection and organisational measures have been implemented to establish immediately whether a personal data breach has taken place and to inform promptly the supervisory authority and the data subject. The fact that the notification was made without undue delay should be established taking into account in particular the nature and gravity of the personal data breach and its consequences and adverse effects for the data subject. Such notification may result in an intervention of the supervisory authority in accordance with its tasks and powers laid down in this Regulation.

Recital 88: Notification Rules and Procedures
In setting detailed rules concerning the format and procedures applicable to the notification of personal data breaches, due consideration should be given to the circumstances of that breach, including whether or not personal data had been protected by appropriate technical protection measures, effectively limiting the likelihood of identity fraud or other forms of misuse. Moreover, such rules and procedures should take into account the legitimate interests of law-enforcement authorities where early disclosure could unnecessarily hamper the investigation of the circumstances of a personal data breach.

Commentary

Article 34, paragraph 1, GDPR imposes a new[1] obligation on the controller to inform affected data subjects of a data breach which is likely to result in a high risk to the rights and freedoms of natural persons.[2] Paragraph 2 describes the linguistic requirements the information should have ("clear and plain language"), its purpose (describing the nature of the breach) and minimum content (contact points, consequences, actions taken or otherwise planned). Paragraph 3 rules out the information obligation under specific circumstances. For example, the controller has implemented appropriate technical and organisational measures to exclude any harm. Finally, paragraph 4 describes the powers of the supervisory authority which may force the controller to inform the data subjects or, alternatively, exempt it from such action if one of the requirements stated in paragraph 3 is met.

(1) Communication of a personal data breach to the data subject

Under Article 34(1) GDPR, the controller, without undue delay, communicates the personal data breach to data subjects when it is likely to result in a high risk to the rights and freedoms of natural persons.[3] This provision carries both theoretical and practical importance. On one hand, it acknowledges the individual's subjective right to be informed about the security of their personal data. On the other hand, it enables data subjects to make strategic choices to safeguard their personal sphere. For example, they may choose to close their account with the data controller due to inadequate security measures or block their credit card if it has been compromised in the breach.

When the personal data breach

“Personal data breach” should be defined from the outset, before establishing the point at which a controller has a duty to notify the competent supervisory authority of such a breach.[4]

Is likely to result in a high risk to the rights and freedoms of natural persons

Article 34(1) GDPR differs from Article 33 GDPR. Instead of having to notify the supervisory authority of a breach that leads to any kind of risk to data subjects, the controller only has the obligation to communicate a breach to them where it may lead to a “high risk to the rights and freedoms of natural persons”. The threshold for communicating the breach to data subjects concerned is therefore higher than in Article 33 GDPR. This choice has been argued to be reasonable, both from the perspective of the controller and the data subject. On the one hand, no absolute and cumbersome report obligation is imposed on the controller, unless circumstances are particularly serious. On the other hand, this higher threshold was deemed necessary to prevent data subjects from suffering a “fatigue” caused by the receipt of warnings for every breach of the GDPR.[5] The controller therefore has to assess the level of risk which may ensue to data subjects as a result of a breach. According to the EDPB, whether a data breach creates a "high risk" should be assessed in light of the specific circumstances in each case. As with Article 33 GDPR, this is an objective assessment conducted on the basis of the likelihood and severity of a negative impact on the rights and freedoms of natural persons. Examples of "high risk" situations include, inter alia, a cyberattack on an online marketplace where usernames, passwords and purchase history are made public; a cyberattack on a hospital resulting in medical records being made inaccessible; or where personal data was mistakenly sent to a wrong mailing list (with over a thousand recipients).[6] However, Bensoussan correctly suggests that the enforcement of Article 34 GDPR is likely to be difficult as the controller is the entity making the assessment of the level of the risk.[7]

The controller

The reporting obligation outlined in paragraph 1 applies to the data controller, encompassing both natural persons and public or non-public entities as defined in Article 4(7). In cases where multiple controllers jointly determine the purposes and means of processing as defined in Article 26 of the GDPR, each controller is responsible for reporting their own data breaches as well as those of the other controller(s). However, it is possible for the controllers to establish a different arrangement regarding the reporting obligations through an agreement on joint responsibility as required under Article 26(1) of the GDPR.

Implications for a data processor

There are no specific obligations imposed on processors relating to the communication of the breach to data subjects. Under Article 33(2) GDPR, processors have to notify controllers “without undue delay” where they identify a personal data breach.[8] However, any additional obligation to notify data subjects of a “high risk” to their rights and freedoms only falls upon the controller. Article 28(3) GDPR nonetheless explains the role of processors in such situations. According to the provision, services provided to a controller by a processor must be “governed by a contract or other legal act”. In addition, Article 28(3)(f) GDPR specifically requires that this contract or legal act stipulates that the processor “shall” support the controller in ensuring compliance with obligations found under Article 32 to 36 GDPR. Thus, a contract between these parties can specify how the processor can support the controller in respecting the latter’s obligation to communicate the breach as per Article 34 GDPR.

Shall communicate the breach to the data subject

The affected data subjects should be directly notified of the relevant breach. When communicating a breach to data subjects, dedicated messages should be utilized, separate from regular updates, newsletters, or standard messages. This approach ensures clear and transparent communication of the breach. Transparent communication methods include direct messaging via email, SMS, or direct message, prominently displayed website banners or notifications, postal communications, and prominent advertisements in print media. It should be noted that issuing a notification solely through a press release or corporate blog would not effectively communicate the breach to individuals. Controllers are in the best position to determine the most suitable contact channel for communicating a breach to individuals, especially if they have regular interactions with their customers. However, it is crucial for controllers to exercise caution when selecting a contact channel, as using a channel compromised by the breach could potentially enable attackers to impersonate the controller.[9]

Without undue delay

Another requirement established by Article 34(1) GDPR is that controllers must notify data subjects of a data breach “without undue delay” - in other words, given the likelihood of high risks for the data subject (see above), “as soon as possible”[10] or “as soon as reasonably feasible” (within the meaning of Recital 86 GDPR). However, Article 34 GDPR does not provide a specific deadline of 72 hours as is the case in Article 33 GDPR. Instead, timelines will be assessed depending on the nature and gravity of the breach itself, as well as the level of risk to natural persons.[11] This is apparent from Recital 86 GDPR, which provides an example of a scenario where the timeliness condition will be different: “the need to mitigate an immediate risk of damage would call for prompt communication with data subjects whereas the need to implement appropriate measures against continuing or similar personal data breaches may justify more time for communication.” Similarly, Recital 88 GDPR indicates that communication to data subjects may be delayed to preserve the integrity of an investigation led by a law-enforcement authority into the circumstances of the breach.

(2) Minimal requirements of the controller's communication to the data subject

The communication to the data subjects must enable them to take any steps to protect themselves[12] and must contain a description in "clear and plain language" of the (a) “nature” of the breach[13] as well as the other elements outlined in Article 33(3)(b)-(d) GDPR. Namely, (b) the name and contact details of the data protection officer or other contact point where more information can be obtained; (c) the likely consequences of the data breach; and (d) the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

(a) Nature of the personal breach

The communication must describe the type of data breach that occurred.[14] It is interesting to note a distinction in relation to Article 33(3)(a) GDPR. That provision requires the controller, in addition to describing the nature of the breach, to provide the SA with further details including the categories of data subjects, records involved, as well as their respective numbers. These additional elements are not required in the communication to the data subjects under Article 34(2) GDPR. This is a reasonable choice since, generally, data subjects do not need to know these specific details in order to make informed decisions regarding the breach.[15]

(b) Point of contact

The communication must include the contact details of the data protection officer or other contact point where further information can be obtained. Alternatively, the controller may provide details of a “point of contact” capable of sharing further information should the supervisory authority require it. The urgent nature of the communication - considering that it is mandatory only in cases of "high risk" to the data subject - requires that the contact point can be easily and directly reached. Consequently, obstructive methods that, for example, require the requester to navigate complex online systems to establish contact are not permissible at this stage. In such cases, an email address seems more appropriate.

(c) Consequence of the breach

Generally, we refer to the comment made for Article 33(3)(c) of the GDPR. The communication shall use clear language and describe the likely consequences of the breach. The use of examples and accessible terminology allows the data subject to immediately understand the risks they are facing and the most appropriate actions to take.

Example: An e-commerce platform experiences a cyber attack resulting in the disclosure of user passwords on the web. The communication under Article 34 GDPR should explain to the user, in clear and plain language, that, due to the breach, it will be necessary to change their service password and ensure that the same value is not used to access other services. In such case, the user should be advised to change those passwords as well to prevent further unauthorized access.

(d) Measures taken or proposed

See comment under Article 33(3)(d) of the GDPR.

Additional information

As indicated by the phrase “at least” found under Article 34(2) GDPR, this list of information to be provided to data subjects is non-exhaustive. Recital 86 GDPR outlines that the controller “should” provide “recommendations for the natural person concerned to mitigate potential adverse effects”. The information given to data subjects should therefore enable them to take any “necessary precautions”, which, although not directly mentioned by Article 33(3)(b)-(d) GDPR, could be shared as additional information by the controller.

(3) Exemptions from the obligation to communicate to the data subject

Article 34(3) GDPR lists three exemptions from the controller’s obligation to communicate the breach to data subjects. As per the accountability principle, controllers are required to provide evidence to the supervisory authority to demonstrate their compliance with one or more of the specified conditions.[16] The EDPB also notes that, although the communication may not be immediately necessary (if there is no risk to the rights and freedoms of individuals), the situation may evolve over time, and the risk assessment would need to be reassessed accordingly.[17]

(a) The controller has applied “appropriate technical and organisational protection measures”.

Prior to the breach, the controller had implemented suitable technical and organizational measures to safeguard personal data. In particular, these measures aim to make the personal data incomprehensible to unauthorized individuals. One effective approach is the use of advanced encryption techniques or tokenization to protect the personal data. These security measures ensure that even if the data is accessed unlawfully, it remains unintelligible and therefore protected.[18]

Example: An unauthorised person got access to a device where highly sensitive personal data are stored. However, the content of such a device is encrypted. Therefore, even if a data breach occurred theoretically entailing high risks for data subjects, the obligation under Article 34(1) is not triggered, as the unauthorised party will not be able to make use of the data obtained.

(b) The controller takes “subsequent measures” that diminish the likelihood of a high risk

“Subsequent” measures should be interpreted as measures, adopted immediately following a breach, which are able to mitigate the likelihood of the high risk to individuals' rights and freedoms from materializing. For instance, in certain situations, the controller may have promptly identified and addressed the unauthorized access to personal data, preventing any further misuse. However, it is essential to consider the potential consequences of a breach of confidentiality, taking into account the nature of the data involved.[19]

In addition, it must be stressed that after a risk actually materialised the controller can no longer invoke subsequent measures to avoid communication to the data subject. Even if subsequent measures could mitigate damages and reduce further risks, the controller is no longer in the position to evaluate what kind of negative consequences could stem from the original data breach. Therefore, a communication to the people concerned is the most effective way to prevent an even greater impact on their rights and freedoms.[20]

(c) The communication would demand a disproportionate effort from the controller.

Under Article 34(3)(c) GDPR, in cases where notifying the data subject would require a disproportionate effort, the controller is not obligated to inform the individual. The concept of "disproportionate effort" is not explicitly defined in the GDPR. However, it is understood that the effort involved in notifying data subjects relates to the scope of the breach, particularly the number of individuals affected. As the number of affected individuals increases, the communication process becomes more complex proportionally. Nevertheless, since this exception should be interpreted restrictively, the notion of disproportionate effort should be evaluated in relation to the size of the organization and the availability of technical tools for conducting notifications. In other words, a large-scale controller will be expected to allocate greater resources, including the adoption of electronic communication tools capable of handling the notification burden. In such cases, the effort required cannot be deemed "disproportionate".[21] If the effort is in fact "disproportionate", an alternative obligation exists, namely the requirement to publicly disclose the breach, which should be equally effective in ensuring transparency and accountability. The EDPB suggests that “technical arrangements” could nonetheless be taken to ensure that data subjects can access further information upon request.[22]

Other exemptions

It is important to highlight that according to Article 23 GDPR, Union or Member State law may restrict the obligations and rights outlined in Article 34 GDPR. As a result, several Member States have adopted their own rules on communicating a breach to affected data subjects. Further, Recital 86 GDPR provides that the obligation imposed on controllers to communicate the breach to data subjects may be affected by the guidance of a Member State’s law-enforcement authority. Recital 88 GDPR goes on to mention that rules and procedures on notification should “take into account the legitimate interest of law enforcement authorities” to ensure that disclosure does not hinder any ongoing investigation of the data breach. However, it should be noted that Recital 88 GDPR refers to “notification” and not “communication”.

(4) Involvement of the supervisory authority

As mentioned previously, the threshold of risk to trigger Article 34 GDPR is higher than in Article 33 GDPR. It is possible to deduce from this condition that wherever controllers have an obligation to communicate a data breach to data subjects under Article 34 GDPR, they will already have notified the relevant supervisory authority in accordance with Article 33(1) GDPR.[23] Thus, since the supervisory authority should be aware of the data breach, it can also be involved in the controller’s procedure for communicating the breach to affected data subjects as required under Article 34(1) GDPR. Accordingly, Article 34(4) GDPR suggests that the SA can play a determinative role in indicating that there is a “high risk” to the rights and freedoms of natural persons. In such case, the authority can instruct the controller to communicate the breach to the affected data subjects. The supervisory authority can also decide whether any of the exemptions under Article 34(3) GDPR apply, relieving the controller from its obligation to communicate the personal data breach to affected individuals. Finally, the supervisory authority’s involvement can include the provision of advice to the controller. This advice can relate to the assessment of the risk to the data subjects. For example, the French DPA (CNIL) provides a tool to help controllers assess the gravity of personal data breaches.[24] The relevant supervisory authority can also provide advice on the method of communicating the breach to data subjects, such as how to identify an adequate channel to notify them, the language to communicate in, and what kind of message to send.[25]

Decisions

→ You can find all related decisions in Category:Article 34 GDPR

References

  1. As with that provision, there was no equivalent to Article 34 GDPR in the Data Protection Directive 95/46/EC. Additionally, Article 17 thereof was the only comparable provision, requiring controllers to take adequate measures to protect personal data from breaches. Burton, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 34 GDPR, p. 656 (Oxford University Press 2020).
  2. This obligation to notify data subjects exists independently from any obligation to notify the relevant supervisory authority under Article 33 GDPR.
  3. Hence, not all breaches must be communicated.
  4. On this point, see Article 33 GDPR.
  5. Bensoussan, Reglement europeen sur la protection des donnees, p. 255. (Bruylant 2017).
  6. EDPB, Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, pp. 31 ff. (Annex B) (available here).
  7. Bensoussan, Reglement europeen sur la protection des donnees, p. 255. (Bruylant 2017).
  8. See Commentary on Article 33 GDPR.
  9. Controllers might therefore "wish to contact and consult the supervisory authority not only to seek advice about informing data subjects about a breach in accordance with Article 34, but also on the appropriate messages to be sent to, and the most appropriate way to contact, individuals." See, EDPB, Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, p. 21 (available here).
  10. EDPB, Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, p. 20 (available here).
  11. See Recital 85.
  12. Recital 86 GDPR: “The controller should communicate to the data subject a personal data breach … in order to allow him or her to take the necessary precautions”.
  13. Under Article 34(2) GDPR, controllers must use “clear and plain language” when explaining the "nature" of the breach to data subjects. At first glance, this requirement does not seem to apply to the other elements included in the communication (contact points, consequences, actions taken or otherwise planned). Such a conclusion must be rejected. First, it would not make much sense to explain the "nature" of the breach in "clear and plain language" and then rely on obscure and cryptic wording for describing, say, the mitigating measures taken or planned. Second, Article 12(1) GDPR expressly requires "concise, transparent, intelligible and easily accessible form, [as well as] clear and plain language" for all communications to the data subject, including those foreseen in Article 34 GDPR. Hence, all the elements included in the communication must be expressed in clear and plain language, taking into account the other requirements set forth in Article 12 GDPR. Dix, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 34 GDPR, margin numbers 8-9 (C.H. Beck 2019).
  14. To this extent, the EDPB outlines three distinct categories of personal data breaches. These include a “confidentiality breach”, where there is an unauthorised or accidental disclosure of, or access to, personal data; an “integrity breach”, where there is an unauthorised or accidental alteration of personal data; or an “availability breach”, where there is an accidental or unauthorised loss of access to, or destruction of, personal data. This is, in essence, the "nature" of the personal data breach. See commentary under Article 33(3)(a) GDPR.
  15. Jandt, in Kühling, Buchner, DS-GVO BDSG, Article 34 GDPR, margin number 11 (C.H. Beck 2020, 3rd Edition).
  16. In our translation: "Data controllers will have to be able to demonstrate to DPAs that any of these conditions applies". See, Burton, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 34 GDPR, p. 662 (Oxford University Press 2020).
  17. EDPB, Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, p. 22 (available here).
  18. The encryption must be "state-of-the-art". See, EDPB, Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, p. 22 (available here).
  19. EDPB, Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, p. 22 (available here).
  20. Jandt, in Kühling, Buchner, DS-GVO BDSG, Article 34 GDPR, margin number 15 (C.H. Beck 2020, 3rd Edition).
  21. Dix, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 34 GDPR, margin number 16 (C.H. Beck 2019).
  22. EDPB, Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, p. 22 (available here).
  23. Notifying the relevant supervisory authority is an obligation under Article 33 GDPR in cases of a “risk”, not just in cases of a “high risk”.
  24. Bensoussan, Reglement europeen sur la protection des donnees, p. 255. (Bruylant 2017).
  25. EDPB, Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, p. 21 (available here).