A data breach: sooner or later, your company will probably have to deal with one as well. This is because a data breach in the sense of the GDPR (the AVG, in Dutch) is a broad term. Not only a hack or a 'leak' in the literal sense of the word constitutes a data breach, but any "breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data transmitted, stored or otherwise processed," as the law defines it. Thus, a data breach also occurs if your intern accidentally and permanently deletes part of the customer database containing your customers' contact details.
If there is indeed a data breach, it must in most cases be reported to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP). The exception to this rule is when the data breach is unlikely to result in a risk to the rights and freedoms of natural persons. This may be the case, for example, when a working backup exists of the information that the aforementioned intern deleted. Beyond that, there is no quick exception to the obligation to notify the AP. In the event of an incident, you would therefore be wise to assume that a duty to notify applies, because the notification to the AP must be made without undue delay and, where feasible, within 72 hours of becoming aware of the breach.
In addition to the obligation to notify the regulator (the AP), the General Data Protection Regulation (AVG) also imposes an obligation to notify the individuals whose personal data are affected by the incident (the data subjects). The bar for notifying data subjects is higher than the bar for notifying the AP: a data breach must be communicated to the data subjects if it is likely to result in a high risk to their rights and freedoms. This is in any case so when special categories of personal data have been leaked, but other factors, such as the number of persons whose personal data have been leaked, may also make notification of data subjects necessary. A textbook example of the latter criterion is a hack of a social media platform in which the e-mail addresses and passwords of a large number of users have been stolen.
If a data breach does not need to be reported to the AP because it is unlikely to result in a risk to the rights and freedoms of individuals, then it also does not need to be communicated to the data subjects. Incidentally, this does not prevent organizations from voluntarily informing the data subjects of the incident, for the sake of transparency towards their customers or users, or simply because they feel it is the right thing to do.
Besides assessing whether there is a data breach and whether notification of the AP and/or the data subjects is necessary, an organization may also have to deal with the perils surrounding the IT/forensic investigation, speaking to the press, the communication with the AP, and possibly filing a criminal complaint against the perpetrator of the data breach. Experience shows that all of this must be handled with care. After all, a data breach not only has internal consequences, but can also affect existing and future (customer) relationships and the reputation of the company.
The Data Breach for Corporate Lawyers course on December 3 covers all the topics needed to assess the consequences of a real (potential) data breach in practice and to determine the appropriate follow-up steps. Part of the course is a data breach simulation, in which the knowledge is applied directly to a case.
More articles by Kennedy Van der Laan