The data breach II (Communication of data breach to data subjects)
The GDPR defines the notion of data breach and contains rules on when it is mandatory for controllers to report a data breach to the competent supervisory authority and when they are obliged to communicate such breaches to the data subjects. Controllers are also required to document personal data breaches. In addition, processors are required to notify the controller without undue delay after becoming aware of a personal data breach.
The Article 29 Data Protection Working Party (WP29) issued guidelines on the personal data breach notification on 3 October 2017, which are being finalized, that interpret the respective provisions of the GDPR (Articles 33-34 and Recitals 75-76 and 85-88) and give some examples of possible data breaches.
Below, a Q&A will follow on the issues in relation to communicating the data breaches to data subjects and how to assess if the data breach is likely to result in a high risk to the rights and freedoms of natural persons. A separate post will analyse the obligation to document the data breaches.
1. When do controllers have to communicate the data breach to the data subjects?
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller is required to communicate the personal data breach to the data subject without undue delay.
It can be established that the threshold for notifying the data subjects of the data breaches is higher than for making a notification to the supervisory authorities since the supervisory authorities must be informed of the data breach unless the data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
2. When is a data breach likely to result in a high risk to the rights and freedoms of natural persons?
The controller is required to assess each breach, i.e. an evaluation needs to be done on a case by case basis. When it comes to evaluating the breach, various factors need to be taken into account, such as e.g.
- the type of breach (confidentiality, integrity or availability);
- the nature, sensitivity and volume of personal data;
- the issue of how easy it is to identify the individuals affected by the data breach;
- the likelihood and severity of consequences for individuals;
- if vulnerable individuals are affected (e.g. children, the elderly, people with disease);
- the number of affected individuals;
- the characteristics of the data controller, its activities.
The WP29 provides examples of data breaches which trigger a notification obligation. For example, if
- personal data of individuals are stolen from a secure website;
- a controller experiences a ransomware attack resulting in personal data being encrypted;
- an individual calls the bank and reports that she has received a monthly statement for someone else;
- medical records in a hospital are unavailable for several hours due to a cyber attack;
- a webshop suffers a cyber-attack and usernames, passwords and purchase history are published online by the attacker;
- a direct marketing email is sent to recipients in the “to:” or “cc:” field so that the recipients can see the email address of other recipients.
However, if, for example, a laptop which contains encrypted data is stolen and the controller has a back up of the data, no notification is necessary (as long as the encryption key is not compromised), and if there is a power outage lasting for minutes at the controller’s call center, then, likewise, the availability breach is not reportable to the data subjects.
For further details on the assessment of risks, please see the response to question 4 in my previous post "The data breach I (Notifying the supervisory authority of the data breach)", where the recommendations of the European Union Agency for Network and Information Security (ENISA) for a methodology of the assessment of severity of personal data breaches are also addressed. For details, please click here.
3. What information must be provided to the data subjects?
The controller is required to provide to the data subjects at least the following information:
a) a description of the nature of the data breach;
b) the name and contact details of the data protection officer or other contact point where more information can be obtained;
c) a description of the likely consequences of the data breach;
d) a description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
It is important that the controller also give the data subject information on how they can protect themselves from the potential negative consequences. For example, if passwords were stolen, the controller is required to inform the data subjects of the necessity to change the password. As many individuals use the same password for different online services, it is of utmost importance to change the password as soon as possible, since unauthorized persons can have access to several accounts by having one password.
4. How should the controller contact the data subjects?
In general, the data breach must be reported to the data subject directly. However, if the communication involved a disproportionate effort, there must be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
Communication may be sent, for example, via email or sms, on website banners, by post or in print media. Depending on the circumstances, it may be advisable to use more than one channel. Also, it is advisable to communicate the breach to the data subjects in their native language to ensure that they understand the breach and the protective measures they should take.
The WP29 says in the guidelines that the controllers “might…wish to contact and consult the supervisory authority not only to seek advice about informing data subjects about a breach, but also on the appropriate messages to be sent to, and the most appropriate way to contact, individuals.”
5. When is a communication of the breach to data subjects not required?
Communication to the data subject is not required if any of the following conditions are met:
a) the controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
b) the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise;
c) it would involve disproportionate effort. In such a case, there must instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
The WP29 emphasizes in its guidelines that while notification may initially not be required, it may be that the level of risk will subsequently increase and, thus, communication of the data breach to the data subjects will be required.
It is also worth noting that the supervisory authority may require the controller to communicate the data breach to the data subjects.
6. How should controllers assess risk and high risk?
The controller has to take into account a number of factors when it comes to evaluating a breach and assessing the risks it may trigger. For details on the assessment of risks, please see the response to question 4 in my previous post "The data breach I (Notifying the supervisory authority of the data breach)". For details, please click here.
In my next post, I will address issues concerning the obligation to document data breaches.
Zoltán Balázs Kovács, J.D. (LL.M.), Partner, Szecskay Attorneys at Law, Budapest, Hungary (firstname.lastname@example.org)
The contents of this post are intended to provide only a general overview of the subject matter and do not qualify as legal advice.