Notification Requirements for Theft of Personal Data Categories

Internal system details about the answer.


There was a theft of a database containing the following categories of personal data: name, surname, e-mail address and delivery address.

Who do I have to inform about this event? What are the deciding factors in how we should respond?

This question relates to a data breach involving personal data, including names, surnames, email addresses, and delivery addresses. The person asking the question seems to be seeking guidance on their legal obligations regarding notifying authorities and possibly data subjects about the breach. They also seem to seek an understanding of the criteria that influence the required actions in the event of such a breach. The inferred goal is to ensure compliance with the General Data Protection Regulation (GDPR) in the aftermath of a data breach.

Plan for the Junior Lawyer:

Note: The junior lawyer is what we call a subsystem of Hotseat that completes helper tasks.

  1. Review Relevant GDPR Articles:

    • Refer to Article 33 on the notification of a personal data breach to the supervisory authority. Assess the criteria and timelines detailed for the notification process.
    • Look to Article 34 for details on when to communicate a personal data breach to the data subject directly and study the exceptions provided.
    • Consult Article 4 for the definitions of ‘personal data breach’, ‘data subject’, ‘controller’ and ‘processor’.
  2. Identify Decision Factors:

    • Assess the severity of the risk to the rights and freedoms of the data subjects using criteria from Article 33(1).
    • Examine the mitigating measures already taken or that can be taken promptly to curtail the data breach impact, as outlined in Article 33(1) and Recital 85.
  3. Legal Obligations of Notification:

    • Determine if the controller must notify the supervisory authority based on the infringement risk level as outlined in Article 33(1).
    • Ascertain, with reference to Article 34(1), whether it’s necessary to communicate the breach to the data subjects, considering the likelihood of high risk.
  4. Documentation and Cooperation:

    • Refer to Article 33(5) to understand the documentation requirements that a controller must keep post-breach and the role of the supervisory authority.
    • If the processor is aware of the data breach, determine cooperation and communication channels according to Article 33(2).
  5. Timeline for Action:

    • Based on Article 33(1) and Article 34(1), establish the timeframes for notifying the supervisory authority and the data subjects, including any permitted deviations and the reasons for them.
  6. Record Keeping:

    • Examine the record-keeping requirements that apply after a data breach under Article 33(5), making sure it is clear what information the data controller must document.
  7. Liaisons with Data Protection Officer (DPO):

    • If applicable, consult the DPO based on their role in data breach notification and response as suggested by Article 38(4).
  8. Contextual References:

    • It isn’t explicitly stated, but if the database theft falls under the scope of processing data for law enforcement purposes, ascertain whether the directives of Article 2 apply.

Definitions and Terms from the General Data Protection Regulation:

  • Personal data breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
  • Data subject: An identified or identifiable natural person whose personal data is processed by a controller or processor.
  • Controller: The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • Processor: A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

Note: There is an ambiguity concerning whether the question-asker is a data processor or a data controller, as their obligations might differ under the GDPR. The plan addresses both possibilities. The junior lawyer should distinguish the role of the question-asker to apply the relevant steps accurately.

Question Clarity Rating

Somewhat clear

Clarity Rating Explanation

The original question provides a clear scenario of a database theft involving personal data, which is a situation directly governed by the GDPR. However, it lacks specific details that are crucial for a GDPR-compliant response, such as the security measures that were in place, the actual or estimated number of affected individuals, whether the data subjects or relevant authorities have already been informed, and the position of the DPO in the situation. These details significantly influence the necessary actions, such as the obligation to inform the supervisory authority within 72 hours and the need to communicate the breach to the data subjects. The answer must make assumptions about these important aspects, leading to a somewhat clear categorization.