The Article 29 Working Party recently launched a consultation on a set of guidelines concerning notification of personal data breaches.
The new EU General Data Protection Regulation contains a requirement that the competent supervisory authority (in Denmark, the Danish Data Protection Agency) must be notified of any personal data breaches. If, for example, personal data are unintentionally disclosed on the internet, the data controller must notify the breach to the Data Protection Agency "without undue delay" and no later than 72 hours after becoming aware of it. However, this requirement does not apply if the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
In cases involving a high risk to the rights and freedoms of natural persons, the data subjects, too, must be notified without undue delay.
The Article 29 Working Party, which is composed of members from the individual national data protection authorities in Europe, has now considered the issue of what a personal data breach means, which information is to be submitted to the supervisory authority and what to do in relation to the data subjects. In addition, the Article 29 Working Party provides examples of personal data breaches, stating whether or not notification is required in each case.
Comments on the draft guidelines may be submitted until and including 28 November 2017.
The Article 29 Working Party has also launched a consultation on a set of guidelines concerning profiling.
The content of the above is not, and should not be, a substitute for legal advice.