European Union - Data Breach Guide

European Union

The General Data Protection Regulation (Regulation (EU) 2016/679, GDPR) applies across all EU member states since 25 May 2018. With its enactment, data protection law and thus notification obligations in the event of data breaches are widely harmonised. Apart from notification obligations under data protection law, sector specific legislation may impose additional data breach notification obligations, such as for example on telecommunication services providers. Such sector specific notification obligations may vary from member state to member state.

1.1 In the event of a data breach affecting residents of your country, is there any legal obligation or requirement to notify either a) affected individuals; or b) a regulator such as a data protection authority (DPA)?

The GDPR obliges controllers to notify affected individuals and the competent national data protection authority in the event of a personal data breach (Articles 33 and 34 GDPR). In particular, the breach must likely result in a risk or high risk to the rights and freedoms of natural persons. If the breach has a cross-border impact, the controller must notify the lead authority within the meaning of Article 56 GDPR.

1.2 Under what conditions must such notification(s) be given, including a) what types of data must be breached to trigger notification; and b) whether the entity must be a data controller or data processor in your country for such obligations to apply?

1.2.1 Data Protection law

(a) Obligations of controllers

Pursuant to Article 33 (1) GDPR, controllers have to notify every personal data breach to the competent national data protection authority unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Article 4 no. 12 GDPR defines a "personal data breach" as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. The GDPR's notification obligations only apply where there is a breach of personal data, however irrespective of the affected type of personal data.

In addition, the controller has to notify affected data subjects when the breach is likely to result in a high risk to the rights and freedoms of natural persons, Article 34 (1) GDPR. A communication to the affected data subjects is not required if any of the following conditions are met:

1. The controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption.
2. The controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise.
3. It would involve disproportionate effect. In such a case, there should instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

When assessing the risk for the rights and freedoms of natural persons, the controller should consider, inter alia, (i) the type of breach, (ii) the nature, sensitivity, and volume of personal data affected, (iii) the ease of identification of individuals, (iv) the severity of consequences for individuals, (v) potential special characteristics of the individual or the controller and (vi) the number of affected individuals.

For example, it is not necessary to notify the authority or the affected individuals of the loss of a securely encrypted mobile device or of the disclosure of data, if the data were already publicly available, and where such disclosure does not put the individual at further risk.

A high risk for the affected individuals exists if the breach may lead to physical, material or non-material damage. For example, such high risk is given in cases of discrimination, identity theft or fraud, or if the breach involves special categories of data, such as e.g. health data.

It should further be considered that pursuant to Article 34 (4) GDPR, the authority may also demand that the controller notifies the affected individuals.

In addition to the notification obligations, controllers are obliged to document breaches pursuant to Article 33 (5) GDPR, including facts relating to the breach, its effects and the remedial action taken.

(b) Obligations of processors

Pursuant to Article 33 (2) GDPR, processors have to notify the controller without undue delay after becoming aware of a personal data breach. The notification obligation also applies irrespective of the affected type of personal data. In addition to its own notification obligation towards the controller, and considering the mandatory conclusion of a data processing agreement between controller and processor, the processor is obliged to assist the controller with its notification obligations towards authorities and affected individuals, according to Article 28 (3) lit. f) GDPR.

1.2.2 Sector specific notification obligations

(a) Providers of publicly available electronic communications services

Pursuant to Directive 2002/58/EC ("ePrivacy Directive"), providers of publicly available electronic communications services are obliged to notify the competent national authorities of data breaches. In addition, providers also have to notify their subscribers or the affected individuals of a breach, if the breach is likely to adversely affect their personal data or privacy. The European Commission has adopted Commission Regulation (EU) No 611/2013 ("Regulation 611/2013") to harmonise the notification procedure both for notifications towards the competent authorities and the affected individuals.

(b) Trust service providers

Pursuant to Article 19 (2) of Regulation (EU) No 910/2014 ("eIDAS Regulation"), qualified and non-qualified trust service providers (such as e.g. providers of electronic signatures, seals, time stamps and authentication certificates) shall, without undue delay but in any event within 24 hours after having become aware of it, notify the supervisory body and, where applicable, other relevant bodies, such as the competent national body for information security or the data protection authority, of any breach of security or loss of integrity that has a significant impact on the trust service provided or on the personal data maintained therein.

Where the breach of security or loss of integrity is likely to adversely affect a natural or legal person to whom the trusted service has been provided, the trust service provider shall also notify the natural or legal person of the breach of security or loss of integrity without undue delay.

(c) Operators of essential services and digital service providers

Pursuant to Article 14 (3) and 16 (3) of Directive (EU) 2016/1148 ("NIS Directive"), member states shall ensure that operators of essential services and digital service providers notify, without undue delay, the competent authority or the competent Computer Security Incident Response Team ("CSIRT") of incidents having a significant impact on the continuity of the essential services or the digital service they provide.

Essential services are certain services in the sectors energy, IT and telecommunications, transport and traffic, health, water, food, finance and insurance. Digital service providers comprise online marketplaces, online search engines and cloud computing providers.

1.3 For such notification(s), is there any required or suggested a) content of the notice; b) time period in which notice must be given; or c) method of giving notice, such as regular mail, email, web-posting or publication?

1.3.1 Notification under the GDPR

(a) Content of the notice

Pursuant to Article 33 (3) GDPR, the notification to the data protection authority shall include the following information:

• A description of the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
• The name and contact details of the data protection officer or other contact point where more information can be obtained;
• The likely consequences of the personal data breach;
• The measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible effects.

The notification to data subjects shall include the following information in clear and plain language according to Article 34 (2) GDPR:

• The name and contact details of the data protection officer or other contact point where more information ca be obtained;
• The likely consequences of the personal data breach;
• The measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible effects.

(b) Time period for the notice

Article 33 (1) GDPR stipulates that the controller must notify the data protection authority without undue delay, not later than 72 hours after having become aware of the data breach. Where the notification to the authority is not made within 72 hours, it shall be accompanied by the reasons for the delay. The controller may also, if it is not possible to provide the information at the same time, provide the information in phases without undue further delay, Article 33 (4) GDPR.

In addition, the controller must communicate the data breach to the data subjects without undue delay, Article 34 (1) GDPR.

The processor shall notify the controller of a data breach without undue delay, Article 33 (2) GDPR.

(c) Method of giving notice

For the specifics of the notification methods to the respective competent national authorities, please refer to the chapters of the relevant EU member states.

If the breach has a cross-border impact, the controller must notify the lead authority, which has to be determined in accordance with Article 56 GDPR. In the respective notification, the controller should indicate whether the breach involves establishments located in other member states, and in which member states data subjects are likely to have been affected by the breach. If doubts remain about the identity of the competent lead authority, the controller should at least notify the local authority where the breach has taken place.

For the notification of the affected individuals, the controller must notify them in clear and plain language. As regards the communication channel, the controller may for example use means of (i) direct messaging (e.g. email or SMS), (ii) prominent website banners, (iii) postal communications or (iv) prominent advertisements in print media.

1.3.2 Notification under sector specific legislation

(a) Providers of publicly available electronic communications services

(i) Content of the notice

In particular, the notification must contain details of the incident, such as e.g. date and time of the incident, and of the detection of the incident, as well as the circumstances of the personal data breach (e.g. loss, theft, copying). The notification to the affected individuals must be expressed in a clear and easily understandable language, Article 3 (4) of Regulation 611/2013.

Regulation 611/2013 and its annexes 1 and 2 contain specifications on the contents of the notice. Annex 1 refers to the contents of the notice to the authorities and annex 2 specifies the contents for the notification of affected persons.

(ii) Time period for the notice

Pursuant to Article 2 (2) of Regulation 611/2013, the provider shall notify the authority within 24 hours. In accordance with Article 2 (3) of Regulation 611/2013, it may be permissible for the provider to make a first notification within 24 hours and a second notification within three days following the initial notification, if not all information are immediately available and further investigation of the breach is necessary.

The notification to the subscribers or affected individuals shall be made without undue delay after the detection of the personal data breach, Article 3 (2) of Regulation 611/2013. Pursuant to Article 3 (5) of Regulation 611/2013, in exceptional circumstances, where the notification to the subscriber or individual may put at risk the proper investigation of the personal data breach, the provider shall be permitted, after having obtained the agreement of the competent national authority, to delay the notification to the subscriber or individual until such time as the competent national authority deems it possible to notify the personal data breach in accordance with Article 3 of Regulation 611/2013.

(iii) Method of giving notice

The providers must notify the competent authorities of their member states. Please refer to the chapters of the respective EU member states.

Pursuant to Article 3 (6) of Regulation 611/2013, the provider shall notify to the subscriber or individual the personal data breach by means of communication that ensure prompt receipt of information and that are appropriately secured according to the state of the art. The information about the breach shall be dedicated to the breach and not associated with information about another topic. If the provider is unable to identify all individuals who are likely to be adversely affected by the personal data breach, the provider may notify those individuals through advertisements in major national or regional media.

(b) Trust service providers

(i) Content of the notice

Article 19 of the eIDAS Regulation does not specify the requirements for the breach notifications. It is recommendable to include at least the following information:

• a description of the incident;
• how long the incident lasted for;
• what percentage of subscribers were / are affected; and
• the point in time it took place.

(ii) Time period for the notice

The providers must notify the authorities without undue delay but in any event within 24 hours after having become aware of the breach, Article 19 (2) eIDAS Regulation. The notification to affected subscribers or individuals must be made without undue delay.

(iii) Method of giving notice

Trust service providers must notify the competent national authorities. Please refer to the chapters of the respective EU member states.

(c) Operators of essential services and trust service providers

(i) Content of the notice

Articles 14 and 16 of the NIS Directive do not specify the contents of the notice. Pursuant to Articles 14 (3) and 16 (3) NIS Directive, notifications shall include information enabling the competent authority or the CSIRT to determine any cross-border impact of the incident.

In the case of operators of essential services, the notification should at least include the following information:

• the number of users affected by the disruption of the essential service;
• the duration of the incident; and
• the geographical spread with regard to the area affected by the incident.

In the case of digital service providers, the notification should at least include the following information:

• the number of users affected by the incident, in particular users relying on the service for the provision of their own services;
• the duration of the incident;
• the geographical spread with regard to the area affected by the incident;
• the extent of the disruption of the functioning of the service; and
• the extent of the impact on economic and societal activities.

(ii) Time period for the notice

The notification must be made without undue delay, Article 14 (3) and Article 16 (3) NIS Directive.

(iii) Method of giving notice

Operators of essential services and digital service providers must notify the competent national authorities or the CSIRT. Please refer to the chapters of the respective EU member states.

1.4 What are the penalties, fines or risks in failing to notify, either by the DPA or in litigation?

1.4.1 Penalties and risks under the GDPR

The data protection authorities may levy administrative fines of up to EUR 10,000,000, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83 (4) lit. a) GDPR). According to Article 58 (2) GDPR, the authorities may additionally impose other sanctions such as for example a ban of processing. Both controller and processor may be fined in the event that they violate their notification obligations.

In addition, affected data subjects may claim compensation for material or non-material damages because of the data breach, in accordance with Article 82 (1) GDPR.

1.4.2 Penalties under sector specific law

The EU legislation on sector specific notification obligations does not provide for penalties or fines. Please refer to the relevant chapters on the respective EU member states.

1.5 Even if there is no current legal obligation to do so, or if there is no "data controller" or "data processor" located in your country, is notification to individuals recommended in the event of a data breach affecting residents in your country (such as in credit card data breaches)?

Not applicable.

1.6 What are the applicable (data protection) laws or guidelines within your country?

• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR)
• Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications, ePrivacy Directive)
• Commission Regulation (EU) No 611/2013 of 24 June 2013 on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications (Regulation 611/2013)
• Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (eIDAS Regulation)
• Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (NIS Directive)
• Article 29 Data Protection Working Party, WP 250, "Guidelines on Personal data breach notification under Regulation 2016/679", adopted on 3 October 2017, as last revised and adopted on 6 February 2018.

In addition, please refer to the relevant legislation of the member states, in particular for legislation which transposes the mentioned EU legislation into domestic law.

1.7 Contact information for the local Data Protection Authority:

The competent authorities are the data protection and cyber security authorities of the respective European member states.

For more information, contact: