- Lynn Pype - Griet Verfaillie
- data breach , notification obligation , privacy policy , EU
The notification obligation is introduced by Regulation (EU) 2016/679 of 27 April 2016 on the
protection of natural persons with regard to the processing of personal data and on the free
movement of such data (hereinafter the "GDPR").
Unless the Belgian legislator activates the notification obligation earlier, it will enter into
force together with the rest of the GDPR on 25 May 2018.
Personal data breaches that can give rise to the obligation to notify come in all sorts.
External hacking is the most common example, but the loss of a USB stick or a laptop
containing personal data can also constitute a breach.
In the Netherlands, the notification obligation has already been in force since 1 January 2016. So
far, only a few breaches have been notified. This is most likely not because companies in the
Netherlands do not suffer personal data breaches, but because breaches are held back out of fear of
reputational damage or financial consequences.
However, the consequences of failing to respect the notification obligation can be quite severe. The
victim, who does not know that his password, e-mail address or other data have been compromised,
cannot take measures to prevent further damage, and the company will face large penalties if a data
breach is kept quiet. Hence every company has every interest in notifying.
Article 33 of the GDPR provides that in case of a personal data breach, the controller shall
without undue delay and, where feasible, not later than 72 hours after having become aware of it,
notify the personal data breach to the supervisory authority (privacy commission). Where the
notification to the supervisory authority is not made within 72 hours, it shall be accompanied by
reasons for the delay.
Notification is not required if the data breach is unlikely to result in a risk to the rights
and freedoms of natural persons. The company bears the responsibility for this analysis, and it
will not always be easy to determine whether or not such a risk exists. The privacy commission is
expected to provide clarity or guidelines to help companies make the right decision.
In case a notification is required, Article 33(3) of the GDPR stipulates that at least the following information has to be communicated:
- the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects and of personal data records concerned;
- the name and contact details of the data protection officer or another contact point where more information can be obtained;
- the likely consequences of the personal data breach;
- the measures taken or proposed by the controller to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.
The GDPR allows that where, and in so far as, it is not possible to provide all of this information at
the same time, the information may be provided in phases without undue further delay.
Moreover, the controller is obligated to document any personal data breach, comprising the facts
relating to the personal data breach, its effects and the remedial action taken. That documentation
shall enable the supervisory authority to verify compliance with the notification obligation.
Next to the obligation to notify the privacy commission, in some cases the data subjects themselves
must also be informed of the data breach. This obligation exists when the data breach is likely to
result in a high risk to the rights and freedoms of natural persons. Again, additional guidelines
that should help to assess whether a potential high risk exists are expected.
The communication to the data subject has to describe the nature of the breach in clear and plain
language, and has to contain the contact details of the data protection officer or other contact
point, the likely consequences of the data breach and the measures taken or proposed.
Under Article 34(3) of the GDPR, the communication to the data subject is not required in the following cases:
- the controller has applied appropriate technical and organisational protection measures to the affected personal data, in particular measures that render the data unintelligible to anyone not authorised to access them, such as encryption;
- the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise;
- the communication would involve disproportionate effort, in which case a public communication or similar measure must be used to inform the data subjects in an equally effective manner.
Failure to comply with these provisions can lead to large penalties. These penalties can rise
to 10,000,000 euro or, in the case of an undertaking, up to 2% of the total worldwide annual
turnover of the preceding financial year, whichever is higher.
The size of the penalties should not be a reason for immediate alarm. The privacy commission has
repeated several times that it has no intention to fine companies right away, but that it will
first try to sensitise, advise, warn and guide companies.
When assessing a possible fine, the privacy commission will of course take the nature, gravity and duration of the infringement into account. In this regard, the privacy commission will look at the intentional or negligent character of the infringement, any action taken by the controller or processor to mitigate the damage suffered by data subjects, and the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate its possible adverse effects…
In order to react as adequately as possible to a data breach, it is recommended that companies
implement a privacy policy or strategy which sets out the steps and measures to be taken in such
scenarios: who assesses the risk to data subjects, who documents the breach, its effects and the
remedial action, and who notifies the privacy commission and, where required, the data subjects.
As stated above, the privacy commission should in principle be notified within 72 hours of the
company becoming aware of the breach, and that notification must describe the measures taken to
mitigate the damage. Good preparation and a clear privacy policy help a company respond adequately
to a potential data breach.