Guidelines on personal data breach notification

The Article 29 Working Party recently launched a consultation on a set of guidelines concerning notification of personal data breaches.

The new EU General Data Protection Regulation contains a requirement that the competent supervisory authority (in Denmark, the Danish Data Protection Agency) must be notified of any personal data breach. If, for example, personal data are unintentionally disclosed on the internet, the data controller must notify the breach to the Data Protection Agency "without undue delay" and no later than 72 hours after becoming aware of it. However, this requirement does not apply if the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

In cases involving a high risk to the rights and freedoms of natural persons, the data subjects, too, must be notified without undue delay.

The Article 29 Working Party, which is composed of members from the individual national data protection authorities in Europe, has now considered what a personal data breach means, which information is to be submitted to the supervisory authority, and what to do in relation to the data subjects. In addition, the Article 29 Working Party provides examples of personal data breaches, stating whether or not notification is required in each case.

Comments on the draft guidelines may be submitted until and including 28 November 2017.

The Article 29 Working Party has also launched a consultation on a set of guidelines concerning profiling.

The content of the above is not, and should not be a substitute for legal advice.