11 Nov European Data Protection Board publishes guidelines on personal data violation notifications under GDPR
By Fabio Vieira and Jhonata Candido
Early in October, the European Data Protection Board (“Board”) published Guideline nº 09/2022 (“Guideline”) regarding personal data violation notifications based on the General Data Protection Regulation (“GDPR”).
According to the Guideline, a personal data violation occurs whenever the security of personal data is compromised, or when there is accidental or unauthorized destruction, loss, alteration, or unlawful disclosure of personal data that has been transmitted or stored.
In that sense, Opinion No. 3/2014 issued by the “Working Party for the Protection of Individuals regarding the Processing of Personal Data in Europe,” better known as “WP29,” defined that breaches can be categorized in the following way:
(i) confidentiality violation – unauthorized or accidental disclosure or access to personal data;
(ii) integrity violation – unauthorized or accidental alteration of personal data;
(iii) availability violation – accidental or unauthorized loss of access, or destruction of personal data.
A personal data violation can have several significant adverse effects on the data subjects, which may result in physical, material, or non-material harm. The GDPR mentions that these effects can include: (a) loss of control over personal data; (b) limitation of rights; (c) discrimination; (d) identity theft or fraud; (e) financial loss; (f) unauthorized reversal of pseudonymization; (g) reputational damage; and (h) loss of confidentiality of personal data protected by professional secrecy.
In this way, the Guideline establishes that the notification must follow the procedure provided by Article 33 of the GDPR, which stipulates that, in case of a personal data violation, the data processing agent must, without undue delay and, when possible, no later than 72 hours after becoming aware of it, notify the personal data violation to the competent supervisory authority.
The Board considers that the responsible authority should be reasonably certain that a security incident has occurred which has led to personal data being compromised.
The GDPR requires the controller to implement protection and organization measures to immediately determine whether a violation has occurred and promptly inform the authority and the people involved.
Article 26 of the GDPR addresses the controller and specifies that they will determine their respective responsibilities for compliance with the GDPR. This includes the determination that, in part, the controller will have the responsibility to comply with the obligations under Articles 33 and 34 of the GDPR.
The Board therefore recommends that the contractual arrangements between the controllers include provisions establishing which controller will take the lead or be responsible for fulfilling the violation notification obligations of the GDPR.
When a controller notifies a violation to the supervisory authority, Article 33 of the GDPR stipulates that it shall, at a minimum: (a) describe the nature of the personal data violation, including, when possible, the categories and approximate number of persons concerned and the categories and approximate number of personal data records in question; (b) communicate the name and contact details of the data protection officer or other point of contact where further information can be obtained; (c) describe the likely consequences of the personal data violation; and (d) describe the measures taken or proposed by the controller to address the personal data violation, including, when appropriate, measures to mitigate its possible adverse effects.
In the case of a cross-border personal data violation, when the breach affects persons in more than one European Member State, Article 33 of the GDPR makes it clear that the controller shall notify the competent authority of the Member States under the terms of Article 55 of the GDPR.
Article 33 of the GDPR makes it clear that violations that “hardly result in risk to the rights and freedoms of individuals” do not need to be notified to the supervisory authority. An example of this is when personal data is already publicly available, and the disclosure of such data does not result in a likely risk to the individual.
Although the GDPR introduces the obligation to notify data breaches to the competent supervisory authority, this is only necessary when the breach results in an imminent risk to the rights and freedoms of the data subjects. Therefore, it is necessary to assess the risk, considering both the probability and the severity of the risk to the rights and freedoms of the data subjects.
Finally, the Directive establishes that the controller must document all violations, regardless of whether or not a given violation needs to be reported to the competent authority, as explained in Article 33(5) of the GDPR.
In this way, the Guideline will allow authorities, in cases of data violations or leaks, to follow a more formal and GDPR-compliant procedure. The Guideline can bring harmonization of practical results and is useful for understanding which steps the supervisory authority should consider.
This article is intended exclusively to provide information and does not contain any opinion, recommendation or legal advice from KV Advogados in relation to the matters herein addressed. Copyrights are reserved to Kestener & Vieira Advogados.