A new set of guidelines from the Danish Data Protection Agency offers guidance in relation to the understanding of the duty under the General Data Protection Regulation to report personal data breaches.
The GDPR introduces a duty on data controllers to report personal data breaches to the Danish Data Protection Agency. This requirement applies to all personal data breaches, unless it is unlikely that the breach in question results in "a risk to the rights and freedoms of natural persons". The breach must be reported "without undue delay" and, where feasible, within 72 hours of the data controller becoming aware of it.
Under the GDPR, the data controller must also inform the affected individuals of the personal data breach. This duty already existed under the practice of the Danish Data Protection Agency and good data processing practice, but the requirement is now expressly laid down in the GDPR. The affected individuals must be informed of the personal data breach without undue delay after the data controller has become aware of it.
The guidelines contain a checklist which may help in the assessment of whether a personal data breach must be reported. Further, the guidelines describe the content requirements for reports to the Danish Data Protection Agency and notifications to the affected individuals.
In the guidelines, the Danish Data Protection Agency also states that work is being done to establish a digital tool to be used for reporting personal data breaches.
The guidelines can be read here (in Danish).
The content of the above is not, and should not be taken as, a substitute for legal advice.