Notification Requirements for Theft of Personal Data Categories

Question

There was a theft of a database containing the following categories of personal data: name, surname, e-mail address and delivery address.

Who do I have to inform about this event? What are the deciding factors in how we should respond?

Executive Summary

In the event of a database theft involving personal data, entrepreneurs must promptly assess the incident’s impact and take specific steps to comply with GDPR. Here’s a concise executive summary:

  • Notification Obligations: The data controller must notify the supervisory authority within 72 hours of becoming aware of the breach, especially since the stolen data (names, addresses, and email information) poses significant risks to individuals’ rights and freedoms.
  • Informing Data Subjects: Should the breach present a high risk, you’re required to also inform the affected individuals promptly about the incident.
  • DPO’s Role: Engage your Data Protection Officer (DPO) immediately in all aspects of the breach response, and the DPO will serve as a point of contact for data subjects.
  • Documentation: Keep detailed records of the breach, consequences, and remedial actions taken to both meet GDPR requirements and to aid in any further investigations or compliance verifications.
  • Exemptions to Consider: If the database is used for law enforcement purposes, GDPR’s breach notification requirements might not apply, and you’d follow a different set of directives for data processing.

These summarized steps highlight the immediate actions required under GDPR in response to a data breach.

Legal trace

Notification to the Supervisory Authority and Data Subjects

In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Article 33(1)

For the controller, the paramount responsibility following the database theft is to assess the risk to individuals’ rights and freedoms. If risk is identified, notification to the supervisory authority is obligatory within 72 hours. The timing is crucial; in this case, given the sensitive nature of the stolen data, immediate action to notify is strongly indicated.

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay. Article 34(1)

When the data breach poses a high risk to the rights and freedoms of the persons affected, the controller has to promptly inform those individuals too. It’s essential to interpret this obligation in light of the type of data involved in the breach—names, surnames, emails, and addresses—which could be exploited, thus justifying direct communication with the data subjects.

Roles and Responsibilities Following a Breach

‘data subject’ means an identified or identifiable natural person whose personal data is processed by a controller or processor; Article 4(1)

It’s important to note that the individuals whose data was in the stolen database are considered data subjects under GDPR. Their rights and freedoms are potentially endangered by this breach, bringing into effect the GDPR’s protection provisions which govern the steps the controller should take.

‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Article 4(7)

The entity that decides the purposes and means of processing the stolen data is designated as the ‘controller’. In the context of the data breach, this entity bears the critical duties of notification, risk assessment, and subsequent communication to the individuals affected.

Cooperating With and Involving the Data Protection Officer (DPO)

The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data. Article 38(1)

The DPO should be proactively involved in responding to and managing the breach. Their expertise is crucial for ensuring compliance with GDPR throughout the breach notification and response processes.

Data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights under this Regulation. Article 38(4)

The DPO also acts as the point of contact for data subjects to address their concerns and rights. Following a breach, this role becomes particularly relevant as affected individuals may seek information directly from the DPO about the implications of the breach and their rights under GDPR.

Documentation and Record-Keeping

The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. Article 33(5)

Detailed records of the breach must be maintained, including the nature, consequences, and remedial steps taken. This accountability measure is essential not only for internal review but also to demonstrate compliance with GDPR to supervisory authorities, if required.

Finally, if the stolen database was processed for law enforcement purposes, GDPR may not apply at all: Article 2(2)(d) excludes such processing from its scope. A response in those cases must follow the specialised rules for law enforcement data processing, and the controller then falls outside GDPR’s breach notification regime.

PDF Repository

We have searched through the PDF repository of ECJ rulings, European Data Protection Board guidelines, and other documents to provide this supplemental answer.

Details

In the context of a personal data breach, such as the theft of a database containing names, surnames, email addresses, and delivery addresses, the implications and required actions are not only based on the legal text of the GDPR but also on the interpretation and guidance provided by relevant authorities. The following supplemental answer provides in-depth insights from the European Data Protection Board's guidelines on how to manage the notification of a data breach, considering factors that may influence the decision and the responsibilities both before and after becoming aware of such an event.

Legal trace

likely high risk of these adverse effects occurring, the GDPR requires the controller to communicate the breach to the affected individuals as soon as is reasonably feasible.

The importance of being able to identify a breach, to assess the risk to individuals, and then notify if required, is emphasised in Recital 87 of the GDPR:

“It should be ascertained whether all appropriate technological protection and organisational measures have been implemented to establish immediately whether a personal data breach has taken place and to inform promptly the supervisory authority and the data subject. The fact that the notification was made without undue delay should be established taking into account in particular the nature and gravity of the personal data breach and its consequences and adverse effects for the data subject. Such notification may result in an intervention of the supervisory authority in accordance with its tasks and powers laid down in this Regulation.”

Further guidelines on assessing the risk of adverse effects to individuals are considered in section IV.

If controllers fail to notify either the supervisory authority or data subjects of a data breach or both even though the requirements of Articles 33 and/or 34 GDPR are fulfilled, then the supervisory authority is presented with a choice that must include consideration of all of the corrective measures at its disposal, which would include consideration of the imposition of the appropriate administrative fine, either accompanying a corrective measure under Article 58(2) GDPR or on its own. Where an administrative fine is chosen, its value can be up to 10,000,000 EUR or up to 2 % of the total worldwide annual turnover of an undertaking under Article 83(4)(a) of the GDPR. It is also important to bear in mind that in some cases, the failure to notify a breach could reveal either an absence of existing security measures or an inadequacy of the existing security measures. Guidelines 9/2022 on personal data breach notification under GDPR, page 10

This excerpt emphasizes the importance of swift and accurate risk assessment following a data breach, as well as the potential consequences (including significant administrative fines) for failing to notify the supervisory authority or data subjects when required. The stress on the risk to the rights and freedoms of natural persons reinforces the responsibility to assess the severity of the breach, which is highly relevant to the user’s question concerning the deciding factors in how one should respond to a database theft.

  1. As detailed above, the GDPR requires that, in the case of a breach, the controller shall notify the breach without undue delay and, where feasible, not later than 72 hours after having become aware of it. This may raise the question of when a controller can be considered to have become “aware” of a breach. The EDPB considers that a controller should be regarded as having become “aware” when that controller has a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised.

  2. However, as indicated earlier, the GDPR requires the controller to implement all appropriate technical protection and organisational measures to establish immediately whether a breach has taken place and to inform promptly the supervisory authority and the data subjects. It also states that the fact that the notification was made without undue delay should be established taking into account in particular the nature and gravity of the breach and its consequences and adverse effects for the data subject. This puts an obligation on the controller to ensure that they will be “aware” of any breaches in a timely manner so that they can take appropriate action.

  3. When, exactly, a controller can be considered to be “aware” of a particular breach will depend on the circumstances of the specific breach. In some cases, it will be relatively clear from the outset that there has been a breach, whereas in others, it may take some time to establish if personal data have been compromised. Guidelines 9/2022 on personal data breach notification under GDPR, page 11

Awareness is a key factor determining the deadline for notifying authorities and data subjects. Controllers have an obligation to quickly determine the likelihood of a security incident being a data breach. Once “aware,” they must notify without undue delay and not later than 72 hours. This has direct implications for the user, as it guides the timely manner in which they should respond to the theft of the database containing personal data.

When a controller notifies a breach to the supervisory authority, Article 33(3) GDPR states that, at the minimum, it should:

“(a) describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

(b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;

(c) describe the likely consequences of the personal data breach;

(d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.”

The GDPR does not define categories of data subjects or personal data records. However, the EDPB suggests categories of data subjects to refer to the various types of individuals whose personal data has been affected by a breach: depending on the descriptors used, this could include, amongst others, children and other vulnerable groups, people with disabilities, employees or customers. Similarly, categories of personal data records can refer to the different types of records that the controller may process, such as health data, educational records, social care information, financial details, bank account numbers, passport numbers and so on. Guidelines 9/2022 on personal data breach notification under GDPR, page 14

This excerpt outlines the specific information that must be included when notifying a supervisory authority of a data breach. This includes the nature of the breach, categories and numbers of data subjects and records involved, likely consequences, and remedial action taken. Given that the stolen database includes various categories of personal data, the level of detail required in the notification is of high relevance to the user’s question regarding the necessary steps to take after becoming aware of the theft.