
Personal data breach notifications

Notifying data breaches to DPA (art. 33 #GDPR)

Must every #databreach be notified to the DPA? -> No

Since data breaches can result in physical, material, or non-material damage, a breach must be notified only if it is likely to result in a risk to the rights and freedoms of data subjects (DS)

Factors to consider:

– type of breach: confidentiality, integrity or availability

– nature, sensitivity, and volume of personal data: the more sensitive the data or the larger the volume, the higher the risk

– ease of identification of DS: the easier it is to identify the DS, the higher the risk

– severity of consequences for DS: e.g. where the breach could result in identity theft or fraud, physical harm, psychological distress, humiliation or damage to reputation

– special characteristics of DS: e.g. children or vulnerable DS

– special characteristics of the controller: the nature and role of the controller (C), or its activities (e.g. a medical organisation)

– the number of affected DS: the higher the number, the greater the impact

In general: the assessment combines the severity of the potential impact on the rights and freedoms of individuals with the likelihood of that impact occurring

If in doubt, the controller should err on the side of caution and notify

EDPB, Guidelines on Personal data breach notification under Regulation 2016/679 (2018)
